Try our new research platform with insights from 80,000+ expert users
Ivo Dias - PeerSpot reviewer
Sales Engineer at M3Corp
Reseller
Top 10
Helps with shift-left, saving on remediation costs by finding issues earlier, keeping them out of production
Pros and Cons
  • "To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors."
  • "In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me."

What is our primary use case?

I currently work for a Veracode distributor here in Brazil. I work in both presales and post-sales, and I do implementations as well.

How has it helped my organization?

We talk a lot about shift-left and this is very important because, when you find problems near the beginning of the process, it costs less to resolve them. In addition, Veracode provides information on how to handle issues and that saves time for the developers. It's also good for a company's image because the problems are found before deployment to production. 

When it comes to developer confidence, the low false-positive rate is very important. If they use a tool with a lot of false positives, they won't believe the reports they get. And that's important because if the teams don't like a tool, they won't use it. Also, we don't have a tool in Veracode for tuning policies because it is an automated process. In most cases, we don't have many problems that require tuning. We just review the model and usually find it's fine.

What is most valuable?

To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors.

And Veracode's ability to prevent vulnerable code from going into production is the main selling point that we talk about with our customers. It is one of the most important features. 

I have also used the Software Bill of Materials (SBOM) feature in some implementations. It's important because in modern software development, people always use third-party components but they don't necessarily see the problems that they may contain. If you don't use the SBOM tool, you won't know the status of all these third-party pieces. And it's very easy to create a report using this feature because it is made in the Veracode portal with a graphical interface or, in the CLI, it's just one line of code.

Another important factor is the policy reporting for ensuring compliance with industry standards. We generally work with big companies in Brazil and, for them, maintaining the required standards is imperative. The policies can help achieve those standards.

We can also involve Veracode at every stage of the development process. It has a lot of tools to help with security.

Veracode has a new tool to automate the fixing of flaws, but we don't use it. Generally, the orientation that Veracode provides for resolving problems is good and developers can use it to handle the problems and make things work.

What needs improvement?

In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me. I am a distributor and a Veracode solutions expert, so if I create a ticket that means I have read the documentation. It would be better if they sent me more examples instead.

Buyer's Guide
Veracode
March 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
844,944 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Veracode for two and a half years.

What do I think about the stability of the solution?

It has great stability. It uses AWS and I don't recall any downtime.

What do I think about the scalability of the solution?

The license provides for scalability, so it's just a matter of connecting more users. We don't need to think about it, which is good.

How was the initial setup?

Veracode is a SaaS solution. We just connect it to the customer's environment. It's very simple. We have plugins for the most popular CI/CD tools and, for other tools, it's one or two lines of code to implement. Generally, we just need one person who has edit access to the pipeline. So one or two people are sufficient to implement it.

There is no maintenance of the solution because it's SaaS.

What's my experience with pricing, setup cost, and licensing?

The commercial guys take care of the pricing, it's not something I'm involved in. But the licensing is simple. The SAST product has some rules that some customers have found a little confusing, but overall, the licensing is simple. 

What other advice do I have?

The impact that Veracode has on security posture depends on the size of the company. Usually, large companies have standards in place, and that makes code development more secure than it is in small companies. For small companies, Veracode can really make a huge improvement to the SDLC.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Naushath Raja - PeerSpot reviewer
Senior Director at a tech vendor with 10,001+ employees
MSP
The solution's static analysis has streamlined our DevSecOps process, which previously involved a lot of manual work
Pros and Cons
  • "Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode."
  • "Veracode's ease of use could be improved. I would also like to see more online videos and tutorials that could help us understand the product better. It would also be helpful if Veracode created a certification program for DevSecOps staff to learn about their product and get certified. This kind of training would raise the company's profile within the industry."

What is our primary use case?

We use Veracode to scan our products for code security. Our company also uses Veracode's data security module.

How has it helped my organization?

Veracode enables us to build a strong data security layer in our platforms. We can increase customer confidence in data security. Some PCI/HIPAA compliance issues were impossible to resolve without Veracode. I rate Veracode's compliance features a nine out of ten because it provides detailed reports after each scan about potential regulatory violations. 

The solution's static analysis streamlined our DevSecOps process, which previously involved a lot of manual work to trace code vulnerabilities. Veracode reduced our DevSecOps team's time on these tasks by around 20 to 30 percent while drastically improving code quality. 

In the past, we also performed a scan using third-party vendor partners that took days to complete. Veracode conducts a quick dynamic scan each time a new iteration of code is built and deployed into the environment. It gives us an immediate result. We can deploy our products much faster, and there are no delays or surprises after the product is built. We aren't wasting time from development to deployment.

Our overall security posture improved, but we've only been using Veracode in production for less than two months. We expect a massive improvement in the next six to eight months.

The false positive rate is typically less than five percent. False positives can affect how developers use a solution. If we see too many false positives, we might start ignoring alerts. Sometimes the developers lose confidence and may take the work lightly. It isn't an issue currently because the rate is under five percent. 

What is most valuable?

Dynamic scanning is the most useful feature.

What needs improvement?

Veracode's ease of use could be improved. I would also like to see more online videos and tutorials that could help us understand the product better. It would also be helpful if Veracode created a certification program for DevSecOps staff to learn about their product and get certified. This kind of training would raise the company's profile within the industry. 

For how long have I used the solution?

We have used Veracode for about three months. We did a proof of concept for one month, and it has been in production for two. 

What do I think about the stability of the solution?

I rate Veracode a ten out of ten for stability. We haven't had any issues.

What do I think about the scalability of the solution?

Veracode is scalable, but we haven't scaled it up. However, I expect it will work well when we do.

How are customer service and support?

I rate Veracode support a nine out of ten. Their support system is excellent and highly engaged.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We tried some Indian solutions and used third-party scans for static analysis, but Veracode is the first time we have fully integrated an enterprise code security solution.

How was the initial setup?

Veracode is a SaaS solution. Setting it up isn't simple, but it isn't too complex. We deployed Veracode with a three-person in-house team. Veracode requires a decent amount of maintenance. You must perform periodic validation checks on how the engine is performing. 

What was our ROI?

You have to compare the price to the potential cost of data security threats, which could devastate your reputation and revenue overall. We do not doubt that the investment is worth it. It's too early to calculate an ROI, but we anticipate a reduction in overall DevSecOps costs. 

What's my experience with pricing, setup cost, and licensing?

Veracode is priced competitively for our market. 

Which other solutions did I evaluate?

We evaluated a few other vendor partners and decided to go with Veracode because of the various features they offered.

What other advice do I have?

I rate Veracode a nine out of ten. If you plan to implement Veracode, your DevSecOps should adopt modularized-based code segregation for better visibility into how this ecosystem works. It's crucial to be clear about the solutions you are procuring. There are multiple options, and not everything will work for you. Understanding your requirements, what your customer needs, and what will work best for your product is essential. Purchase the solution most suitable for your product and your company. 

You should also maximize Veracode's benefit by working closely with the tech support team. We don't use many of the features we have procured. Setting up an ongoing review mechanism with Veracode technical support is critical to better understand the product and ensure you get the maximum return for your investment. These are some points that company leaders need to discuss with their DevSecOps and DevOps teams.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Veracode
March 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
844,944 professionals have used our research since 2012.
reviewer2287986 - PeerSpot reviewer
Lead Product Security Engineer at a computer software company with 1,001-5,000 employees
Real User
Top 20
Provides good visibility and reporting, but produces many false positives
Pros and Cons
  • "The source composition analysis had very good reporting."
  • "Veracode's ability to fix flaws is less sophisticated than that of its competitors."

What is our primary use case?

We used Veracode for code scanning and source composition analysis.

How has it helped my organization?

Veracode can block vulnerable code from going into production.

The SBOM is a good option for companies that are asked about their SBOM.

The SBOM helps manage our risk.

Generating SBOM reports is not difficult, but setting up the necessary infrastructure for analysis takes time.

The policy reporting is incredibly robust.

Veracode provides visibility into application status in every phase of development.

What is most valuable?

The source composition analysis had very good reporting.

What needs improvement?

Veracode's long scan time for vulnerable code can hinder productivity. There is room for improvement in this area.

Veracode produced a lot of false positives.

Veracode's ability to fix flaws is less sophisticated than that of its competitors. For example, Veracode's static analysis scanning workflow for flaws is not as highly developed as Checkmarx's or Snyk's. Veracode would often provide incorrect sources and fail to identify the source of malicious user input coming to the team.

The process of bundling binaries or code for scanning could be improved.

For how long have I used the solution?

I trialed Veracode for two weeks. 

What do I think about the stability of the solution?

In our short trial period, we did experience some stability issues.

What do I think about the scalability of the solution?

Veracode scales sufficiently.

How are customer service and support?

I worked with Veracode's technical consultation staff and found the agent to be incredibly knowledgeable and sophisticated in their use of Veracode, as well as in vulnerable load patterns.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment was complex.

Ten people were involved in the deployment.

What about the implementation team?

We used the experience of engineers who had used Veracode in the past, as well as feedback from Veracode's engineers.

What's my experience with pricing, setup cost, and licensing?

Veracode's pricing is competitive.

I believe Veracode would be willing to negotiate decent terms for organizations that are concerned about the pricing.

Which other solutions did I evaluate?

We also evaluated Checkmarx and Snyk, respectively. This puts them at a slight disadvantage in terms of identifying execution paths and their ability to comprehensively show how vulnerable code is executed in our solution.

What other advice do I have?

I would rate Veracode six out of ten.

Once Veracode is fully configured, the maintenance should be relatively minimal.

Veracode's best advantages are detailed reporting for industries such as government work, or other industries that may require exceptionally detailed reports or secure security verifications. However, I would suggest that people look out for the accuracy of results and the usefulness of findings on a large scale. Additionally, Veracode has a difficult-to-navigate user interface.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Satheesh Bojedla - PeerSpot reviewer
Senior engineer at a financial services firm with 5,001-10,000 employees
Real User
Top 10
A scalable solution that supports the automation of the scanning processes
Pros and Cons
  • "I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues."
  • "If you schedule two parallel scans under the same project, one of them will be a failure."

What is our primary use case?

My company uses Veracode Static Analysis for scanning purposes and static analysis. I am a DevOps engineer configuring automation for multiple teams in our company using Veracode Static Analysis. Our company uses the product to identify vulnerabilities in third-party libraries that our teams use internally to secure our products before moving the product outside of our company. The aforementioned features of the solution are used mostly in our company. Most of the teams within my organization use Veracode's static analysis part. My company did not procure the license for Veracode Dynamic Analysis.

How has it helped my organization?

From the market, my company could identify some of the libraries that were outdated and had severe vulnerabilities. Our company wishes to secure its products before moving out for production, for which we find Veracode helpful. Our company sees value in Veracode Static Analysis.

What is most valuable?

The most valuable feature of the solution is Veracode's library, which supports the automation of Veracode's scanning process.

The major benefit of Veracode Static Analysis is that you can schedule a scan on demand. We found the delta approach in scanning to be super quick in terms of returning results in our company, even though we had to make uploads of certain things, but it would be longer if the size of the scanning part were huge, making it one of the drawbacks.

What needs improvement?

If Veracode develops a plugin for multiple orchestration tools, it will be easy for us to use the product in our company.

If you schedule two parallel scans under the same project, one of them will be a failure. It would be good if Veracode could provide two different site codes since if another code scan gets triggered while the scanning for one code is going on, the newly triggered code scan fails, stating that there is already a scanning process in progress. If Veracode can handle a newly triggered second code scan in their sequence instead of making it fail and take it up later or on a wait so that they can trigger it after the first code scan gets completed, then it would be a nice improvement. There is no queuing mechanism for scanning right now.

Module selection is manual. If somebody adds a new module, it is not detected automatically, and moreover, it ignores that module and moves forward. You have to go and include that module manually, so if it is made dynamic in the future, it will be nice.

For how long have I used the solution?

I have been using Veracode Static Analysis for two years. Almost six years ago, I used Veracode Static Analysis for a year. In total, I have three years of experience with Veracode Static Analysis. My company procured the solution, so I am an end user.

What do I think about the stability of the solution?

It is a stable solution. The speed of the solution was good in the past, and they have worked constantly to improve the speed.

What do I think about the scalability of the solution?

It is a scalable solution.

Though Veracode Static Analysis is primarily available in the USA, we scan our company from multiple locations. The solution may have a huge number of users, but our company supports 30 projects with the help of the solution, which includes scanning for 30 microservices. I am unsure of the actual numbers regarding the solution's use since it is handled by someone else in my company.

How are customer service and support?

I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues.

Which solution did I use previously and why did I switch?

My company used Code Insight, a very similar solution to Veracode Static Analysis, but not the same.

Code Insight scanned even first-party libraries, which includes what we used to develop in our company.

Code Insight's vulnerabilities in the database completely differed from Veracode Static Analysis, but I can't recollect where it differs. If both Veracode Static Analysis and Code Insight were the same, we would not have used both in our company, so there is a difference between them. Veracode wasn't of any support when it came to dynamic scans in the past, though Veracode has recently started to support it, which I haven't used yet. I don't see any drawbacks with Veracode, so I am satisfied with whatever Veracode offers.

How was the initial setup?

The solution is deployed on the cloud.

What's my experience with pricing, setup cost, and licensing?

Depending on the number of users, my company makes payments toward the solution's licensing costs.

What other advice do I have?

Veracode handles the maintenance part of the solution. Veracode's side may be down at times for maintenance.

I recommend Veracode Static Analysis to those planning to use it, but the scans should not be carried out daily since it can get too costly. I recommend not doing the frequent scans to save on the costs.

I rate the overall solution an eight out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Dipjyoti Roy - PeerSpot reviewer
Senior Devops Engineer at Thosmon Reuters
Real User
Top 20
Easy to integrate and provides good visibility, but the reporting can be more detailed
Pros and Cons
  • "The capability to identify vulnerable code is the most valuable feature of Veracode."
  • "There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side."

What is our primary use case?

We use Veracode to test for errors in the code in the applications we are building within our service pipelines.

How has it helped my organization?

Veracode assists in preventing vulnerable code from entering production. It is essential to ensure that our applications entering production are free from errors.

It has assisted our organization by providing a report that we can share with our developers, identifying vulnerabilities in their code. This enables them to address the issues before the code is put into production.

Ever since the implementation of Veracode, I have noticed that the processes for rectifying the issues in our pipelines have become much easier.

Veracode helps our developers save time. The solution has simplified the coding process for our developers.

I would rate Veracode's impact on our organization's overall security posture as nine out of ten. The solution has been beneficial to us daily, and we haven't encountered any issues with their solution so far.

What is most valuable?

The capability to identify vulnerable code is the most valuable feature of Veracode.

What needs improvement?

There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side.

The vulnerability report has potential for improvement and should encompass more detailed information about the vulnerability, rather than solely identifying it.

For how long have I used the solution?

I have been using Veracode for three years.

What do I think about the stability of the solution?

Veracode is stable.

What do I think about the scalability of the solution?

I believe Veracode is scalable, but I am not certain.

What other advice do I have?

I rate Veracode a seven out of ten.

I recommend Veracode. The solution only requires a one-time configuration into the pipeline and the testing is done automatically. 

Integrating Veracode with our pipelines is an easy process. We simply use VML files and the integration is done automatically for us.

We currently have approximately 55 microservices, composed of various teams. Altogether, there are about 170 people utilizing Veracode.

I recommend becoming as familiar as possible with Veracode before using it. Even watch online tutorials to ensure that the deployment goes as smoothly as possible.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Evan Gertis - PeerSpot reviewer
Penetration Tester at a tech vendor with 51-200 employees
Real User
Top 10
The scanning process helps to significantly improve our standards and best practices
Pros and Cons
  • "The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting.""
  • "The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way."

What is our primary use case?

We use software composition analysis and static code analysis. We use a software composition analysis component to identify third-party vulnerabilities in our software. And then we use the static composition analysis to analyze flaws within our application on the front-end and the back-end.

We also use Veracode for static composition and software composition analysis and static code analysis because we need a way to identify vulnerabilities and flaws in the application and relay that information to our developers.

The manual penetration testing is not really used as much.

Having a centralized view is probably one of the most important aspects of the platform. We need to have some way of looking at all the flaws and all the vulnerabilities in one centralized view. 

Having this has improved our visibility into application status. It's very important because it's the way that we communicate flaws to our developers. And without it, we'd be missing out on an opportunity to explain what seems to be fixed and what needs to be managed.

How has it helped my organization?

Veracode helps us to reduce security debt. We're finding that issues like cross-site scripting injection, injection, and those sorts of vulnerabilities are getting addressed more quickly. And we don't really have to worry about where those are, whether that's being fixed or not because we can see them in the platform and we can see the score increase every time those get fixed.

The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting."

Using Veracode SCA helped increase productivity for our security and development teams. Every week we do a vulnerability report and we look at the flaws that were reported by Veracode. Our process essentially goes by meeting with developers, looking at the report, finding out which flaws are the most important ones to fix first. After we've done that, we set up a sprint and we have developers work out two to three of those tickets until they're complete. We've done that now for about six months. We increased our application score from a pretty low level all the way up to Veracode Level Three, so above 90. We don't have any high severity or high vulnerabilities and we don't have any mediums and applications anymore. Following that process is extremely helpful. We also utilize the Veracode dashboards as well. We use the Veracode dashboard to monitor our progress in triaging flaws. Then we want to make sure that things are actually getting fixed. And then we can count those metrics by looking at those dashboards.

It has definitely improved our security posture and communication with developers. I think that now developers are taking our security seriously, whereas before it was something that was always important, but there was no real way of actually tracking what was getting done. Now that we have the tool that we can use to track what's getting done, we're making objectives and setting goals, and working towards this.

What is most valuable?

We use the screening process to help our security professionals and developers fix flaws in the code. It's probably the most utilized security tool that we have at our company.

Scanning with Veracode SCA reduces scan times by a few seconds. It also helps to increase our fixed-rate by 14%.

The scanning process helps to significantly improve our standards and best practices.

The mitigation recommendations provided by the scanning engine of Veracode are important for developers to understand. They need to know how to fix things. So just giving them a blank vulnerability and saying, "this is the issue," doesn't really help. They need something that tells them how to fix the flaw and where to fix the flaw.

Veracode helped us with certification and audit. We're working towards Veracode Level Four right now, we've achieved Veracode Level Three status, and we're looking forward to reaching the next certification level. The goal of that is to eventually have all of our third-party vulnerabilities and mitigate them so that we're in good standing and we don't have anything coming from a third-party library that could possibly compromise our application. Once we get to that fourth certification Veracode Level Four, that would be great.

What needs improvement?

The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way. And we have a process in place where there's a set of tickets and people can work on them. It just seems that people are more focused. They tend to pay attention to what they're doing and there's accountability. So having a more rigorous JIRA integration would be very helpful.

For how long have I used the solution?

I have been using Veracode for over a year. 

What do I think about the stability of the solution?

It's a very stable product, and I think that the team at Veracode is constantly putting in more effort into trying to make it into a better platform. They take feedback seriously. They constantly improve the platform. They are working towards adding features that developers are requesting. So it's always changing, there's always something new being added to it, which is very good.

What do I think about the scalability of the solution?

Large enterprises are probably following a very different practice from what we're following. I think that smaller organizations are going to have an easier time using something like Veracode because of the flexibility of the different API tools that they have available. An enterprise might have a more complicated time scaling it. The issue with that is that the enterprise is probably going to use a proxy and having to deal with the networking issues, it's going to become very difficult for that to scale. However, in a small company, those situations are mitigated pretty easily by getting two or three people together. So we move through those very fast, we're extremely agile. We're always forward moving. We're always rapidly developing. I think each company has its own specific way of handling scalability, it's always been easy just because we're a very collaborative team. We know how to work with each other and we're always receptive to each other's feedback. I can't really speak for other companies, but I can tell you that we find it pretty scalable. That's really just our culture though.

I run all of the administration and I direct people in what needs to be done. So, that's about it. In total, about seven people are really using it.

We are using it to its fullest extent. Even the manual penetration testing aspect of the platform is very useful. The manual penetration testing aspect of the platform is something that would be nice to incorporate because the cost is significantly less than other security companies. For example, InfoSec is about $3,000 more than Veracode, for any organization that wants an all-encompassing security platform. But what we get with Veracode is a platform that provides software composition analysis, static code analysis, Docker Container Scanning, manual penetration testing results, and dashboards that show the progress for moving through all of those issues. And that's probably the most important aspect of the platform.

Once they introduced the prebuilt dashboards that really reduced the amount of friction with upper management. Typically, my mentor said that almost all issues in any business organization come down to personal relationships and opinions, so when Veracode introduced those dashboards, it removed the ability for people to give opinions about what was being done and what wasn't being done.

We're driven by facts as people, so we can look at those metrics and say, "This is what's actually getting done." And there's no ambiguity. Then really that just removes all opinion from any sort of conversation.

How are customer service and support?

They monitor all of the conversations in the platform on the Veracode community. My rep is very responsive. He answers community questions. He votes up really important questions and the issues are getting answered quickly. That's the most important part because then the business, if we run into an issue on Monday and we spend two or three days trying to debug the issue, we haven't figured it out. You can go to a place and actually get an answer. Whereas some organizations try to use a tool that's custom made and they're going to run into an issue where it's intractable. It can't be solved. However, with Veracode, customer support has always been able to find some sort of solution. Anytime I've ever had a problem, it's always been resolved 100%. There's never been a time where it's gone unresolved. I can't say that about every tool.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used a combination of things. We use Sonar, Veracode, and JFrog Artifactory just give us a diverse picture of what vulnerabilities are in the application and how we can fix them. Veracode seems to always provide the best feedback. Other platforms really aren't at the same level, they provide reports and those reports are usually very static and they're not very informative. Whereas with Veracode, the platform is very interactive. You can tell that it was designed for users and Sonar is the same way. Sonar is very static. Even in Bitbucket, you can now scan your code with Snyk.

How was the initial setup?

The initial setup was pretty straightforward. The best way to handle it is to get the Java JAR file for the upload, use the terminal on any given laptop, like a Mac or a Linux, and create a small script that uploads a couple of JAR files up to the platform.

Once that's complete, once you have a proof of concept that works with just a couple of lines, then the next step is to move that into a pipeline. Preferably something like Jenkins. Jenkins allows people to run scripts. You can just run Dash straight in a pipeline. Once you have that setup, you pull all that down into the Jenkins pipeline.

Once that's done, you now have all of the binaries that need to be scanned, and you can set the pipeline to run a scan on a weekly cadence. If you want to take it a step further, you could actually move that into a build pipeline and really follow shift-left practices where you're moving the security aspect of the development cycle further up the pipeline. Flaws are being found before they go into production rather than after they're in production. So that would be my recommended approach for working through that problem.

I went through and I actually added container scanning now, so in Veracode at this point, we're running software composition analysis, static code analysis, and on top of that Docker container scanning. So it's a pretty big product. The thing that would be more helpful is better Jira automation since that aspect keeps track of what's getting done. Then essentially you have a full pipeline setup that automates the generation of tickets, scanning, and just takes care of itself. It's a self-service security tool.

The setup took around a week.

What was our ROI?

We have absolutely seen ROI. We have buy-in from upper management and developers. We have a lot of people who are very excited about what we're doing and we're working towards that.

We've personally seen a major decrease in vulnerabilities and we've seen an increase in awareness for security. So people actually have conversations about security now, and they're taking it seriously. It's no longer an issue that gets swept under the rug. I think a lot of smaller organizations would benefit from having a tool that showed them what is being done, as opposed to someone just saying this is what we're doing if they can see the results that really improve. So, once we added that, we saw a decrease in vulnerabilities, we decreased our third-party vulnerabilities from a pretty significant level and attended the three down to single digits, which is huge for any organization.

What's my experience with pricing, setup cost, and licensing?

The thing that I'll go back to is when one of my mentors said to me "Evan, security is a critical aspect of any organization. People don't always believe in it. And the best way to sell it is to explain what could go wrong." So when we compare what could go wrong, having a third-party vulnerability, like a graph library, such as the one that Equifax used, which led to a $3 million lawsuit, and their reputation was destroyed. When you compare that to paying $8,000 for an application, it's a no-brainer. Once the reputation of an organization has been tarnished, that's it. The whole thing is completely over. Really everyone loses faith and once people lose trust, it's almost impossible to get people to believe in a vision.

It's definitely worth it considering what could go wrong. The DevOps Mantra is to always be prepared for what could go wrong. Most things are going to go wrong.

Having a static cost gives people confidence. And once people start using it, if the price changes, then that's going to be dependent on how much they're getting out of it.

Which other solutions did I evaluate?

I definitely looked at other security platforms, but Veracode seems to have the most performance.

With Xray, essentially you upload your builds, once you've uploaded your build, you index it. And after you index it, it'll give you a security report. Now, the thing with that is you have to make a policy, you get a report, the report comes out as a PDF and the PDF doesn't really tell you how to fix it. It tells you the fixed version.

The first path of that really was just creating a pipeline that ran a curl request over to Artifactory to generate that PDF. And then on Monday mornings, that was automated. So management can go in, look at that PDF and say, "Oh, okay, these are the things that are happening in our application." Whereas Veracode, is fully automated, it runs the full scan and then creates the tickets. So that's the contrast. 

What other advice do I have?

My advice would be to start with meeting with people from Veracode. Once you meet with the team from Veracode, the best way to handle that is to start asking questions and identifying the things that would be of value so that an organization doesn't start out by paying too much money. Then you're moving away from that being too scared of what the outcome is. I think once they go in and they have a meeting with people and they can actually discuss what they want to do, that's the first step towards planning out how the platform will be used.

I would rate it a ten out of ten. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Vikas Agrawal - PeerSpot reviewer
DevOps Lead at HealthEdge Software, Inc.
Real User
Top 20
We have fewer vulnerabilities and bugs, and we get security information daily
Pros and Cons
  • "The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline."
  • "We connected with Veracode's support a couple of times, and we got a different answer each time."

What is our primary use case?

We use Veracode for SAST and SCA. We are moving towards dynamic analysis as well. We use it now to scan our artifacts and reports, and very soon we are going to use the Veracode plugin for our IDE to have immediate results for security analysis purposes.

How has it helped my organization?

Before integrating Veracode, we were getting so many security vulnerabilities on higher branches. We integrated it to fix that. It prevents vulnerable code from going into production. We have fewer vulnerabilities and bugs.

We are getting the security vulnerability results on a day-to-day basis. Our pipeline is running every hour, and we are getting early feedback, giving us a shift-left approach. On a daily basis, we are able to rectify issues rather than find them in production or pre-production.

It provides visibility into application status at every phase of development. We have our initial feature branch, or low-level branch, and then we commit. The pipeline is running, so we will know about things immediately. This is quite valuable for us.

What is most valuable?

The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline.

Another aspect that is quite good is the policy reporting for ensuring compliance with industry standards and regulations. Initially, we were using freeware tools, but we are quite impressed with how Veracode gives the most detailed and latest vulnerability and security information.

For how long have I used the solution?

I have been using Veracode for almost a year.

What do I think about the stability of the solution?

It's a stable solution. There are no problems. The stability is a seven or eight out of 10.

How are customer service and support?

We connected with Veracode's support a couple of times, and we got a different answer each time.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used to use Snyk and other tools. The switch to Veracode was an enterprise-level discussion, and I was not involved.

What was our ROI?

It took some time to see the benefits, around six to eight months.

What other advice do I have?

Although Veracode doesn't scan source code, only binary code, I'm not concerned because we can scan the source code with an SCR tool.

Veracode hasn't yet helped our developers save time. Their development time has increased because, initially, we were only taking the security and vulnerability issues on the higher branches. Now it is on lower branches as well, so the development time has increased. In the local branches, if a report indicates something has not passed, we are not allowing them to merge their code into higher branches.

We have it deployed in a multi-cloud and hybrid environment. We are using AWS, Azure, and VMware vSphere.

Overall, I would recommend Veracode. It is quite helpful.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
AjitMatthew - PeerSpot reviewer
Principal. - Head - IT, Information Security and Admin at a consultancy with 201-500 employees
Real User
Top 5
Offers dynamic scanning, static scanning, and software composition analysis
Pros and Cons
  • "Veracode does not require any maintenance."
  • "When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us."

What is our primary use case?

We use Veracode for product testing.

We exclusively utilize Veracode for a product used in our consulting services, which we provide on a licensing basis.

We deploy Veracode in the cloud and can utilize any cloud provider, including Google Cloud, Azure, and AWS.

How has it helped my organization?

Veracode's ability to prevent vulnerable code from entering production is both effective and thorough.

The SBOM feature is straightforward, making it easy to create reports. The SBOM feature is crucial to our organization because we can utilize the report to effectively present a product to customers, demonstrating its viability and security. 

Veracode has helped us improve our secure coding practices, which, in turn, has boosted our confidence in selling our products.

We were able to experience all of Veracode's benefits for our organization within the first year.

Veracode helps to provide visibility into the application's status at every phase of development. This helps us ensure that our code is secure from the start, saving us time that would otherwise be spent sorting through bugs at the end. 

Veracode's false positives are beneficial for our developers as they assist in organizing and understanding the implications of these false positives.

Veracode has helped our organization address flaws by identifying our mistakes. The initial usage of the solution was challenging due to the large number of code lines that needed to be read, but it became easier over time.

What is most valuable?

I find all the features valuable, especially dynamic scanning, static scanning, and software composition analysis.

What needs improvement?

When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us. The duration of the manual penetration testing process needs to be improved.

The cost of the solution can be reduced.

For how long have I used the solution?

I have been using Veracode for two and a half years.

What do I think about the stability of the solution?

Veracode is a stable solution.

What do I think about the scalability of the solution?

Veracode is scalable. Veracode is used by around four people in our organization.

How are customer service and support?

The technical support response time is slow. 

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup is straightforward. Veracode is a virtual platform, so all we need to do is upload the code, and it will be ready to use. The deployment was carried out by one of our senior product managers.

What about the implementation team?

The implementation was completed in-house.

What's my experience with pricing, setup cost, and licensing?

Veracode's pricing is on the higher end, but it is acceptable.

Which other solutions did I evaluate?

We evaluated multiple solutions, including BlackBox, three years ago. However, Veracode was the only solution that had all the features and also had a proper certification system in place. The other solutions did not provide a comprehensive suite. For instance, they offered static scanning but lacked dynamic scanning, whereas Veracode provided both, along with a training module.

What other advice do I have?

I give Veracode an eight out of ten. The solution is comprehensive, albeit a bit costly.

We have not observed any impact on our policy reporting and compliance with industry standards and regulations since we started using Veracode.

The false positive rate is slightly high, but we are able to manage it. The false positive rate of the static analysis has not affected the time we spend on the tuning process.

Veracode has not affected our developers' time significantly, as the response rates for certain tasks have been slightly slower.

I recommend conducting a cost analysis and rate of return evaluation to determine whether the solution is worthwhile. I highly recommend using Veracode for complex products, but it may not be as valuable for simpler ones.

Veracode does not require any maintenance.

I have learned that it is necessary to plan our strategy for the product and security prior to using Veracode.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2025
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.