Veracode Security Labs Reviews

We use Veracode Security Labs along with Veracode Developer Training and other Veracode components in our company for Digitial Health, and security testing.

Veracode and all of its components have helped us in developing a secure product.

All of the features offered in this solution are valuable.

The features are extensive, which is why they are ahead of the game, and the reason I continue to use this solution.

The only area of this solution that needs improvement is the pricing for startups.

I have been working with Veracode for several years.

It's a stable solution. We have no issues with stability.

It's a scalable product.

The technical support is amazing! They are very responsive.

We also use Veracode Developer Training, Manual Penetration Testing, Static Analysis for the same use case.

The initial setup is straightforward and extremely easy to install.

Deployment only took a few hours.

We have a team in-house.

The pricing for qualified startups should only charge for Veracode Developer Training.

The licensing cost should be fair, and the use cost when the company or the clients release their product to the market should also be fair.

They put together a complete solution that has a number of components. My advice is to take it all. Don't just take just Developer Training or Security Labs or Static Analysis. Rather, take the whole solution and run with it.

Veracode cannot be taught about security. I would rate Veracode Security Labs a ten out of ten.

I have used it and looked at it from the perspective of its analysis, if you will, of database files, SQL, MCL SQL. I also looked at other components, Java and such, but not as in-depth. Personally, I think it was a little difficult trying to get it to profile those particular files to get them loaded in; however, it was honestly probably user error — just my misunderstanding of how to use the software more than anything else which is why it took a little longer. The Java stuff was a lot more streamlined. The database stuff was not as robust.

We used this solution to identify vulnerabilities. Essentially, load stuff up, find out what it finds. The next step is (assuming we have enough people to fix the higher priority ones) to look at some of the tips or remediation. Generally, just to find out what's wrong.

We're a smaller company, we had roughly 10 people or less using this solution. I don't think anyone is actively using it as much now because of project work, etc.

I am not familiar with how many other people are using it currently. Probably not many because the project work is different. Previously, there were more business needs for us to build more software but things have changed a little bit in the company. That requirement is different now from a corporate perspective.

Mainly it's just quality. The level of comfort that we have now just from using the product. Again, there may be some other people at the company that had used it a lot more than me but just knowing, having another set of eyes, gives you a comfort level. 

The database portion of it where it's loading and analyzing. That seemed to be a little more laborious compared to the Java stuff which was easier to use and more streamlined.

Its ability to handle more types of files and making it work better with databasing and other API could be improved. That would be really nice.

It seemed generally stable. The database stuff didn't seem to be working as well, as fast. It wasn't as responsive. In other words, we'd load something up and then we find out that it loaded everything but there were zero results that it found when it did the analysis. We tried it again and we got the same thing.

It seemed like it could handle volumes. It was pretty fast, too.

When the person I referenced earlier needed help, it seemed like he was able to get the help he needed — they were pretty responsive. He didn't mention that there were any issues with technical support.

No, I don't think we did. We had looked at the reviews and started using Veracode.

I wasn't that involved in the initial setup of it — the bootstrapping and getting it all ready on the cloud. That being said, setting up a profile for it to do its thing was pretty easy to do. That was pretty straightforward.

The deployment didn't take that long. I don't think it took the guy very long to do it. There was probably some stuff that was done before I started using it. I'm not familiar with what was done but I don't think it was much more than just getting a trial account and such. 

I don't recall who deployed it, but one person can look after deployment and maintenance. The CIO looked after it — he was a "Jack of all trades" type.

If you're interested in using this solution, you should take advantage of the trial and throw some real-life example code at it and try to figure out how you're going to deal with that. Once you get the results back, just do a trial.

On a scale from one to ten, I would give this solution a rating of seven.

It's hard to really put a number on it but it's just mainly because of my experience with the databasing analysis. Databasing is so prevalent and so important, the security of that, it shouldn't be as hard as it seemed to be when we were trying to analyze SQL code as it was, compared to the Java stuff.

Our use cases are for both dynamic and static scanning of web applications. The application is cloud-based in a major cloud provider. We schedule scans at regular intervals that support various compliance efforts within the enterprise. The application has a modern design with a responsive UI that adapts to the display of the device being used. Veracode seems to have little trouble scanning our application. Overall, we are happy with the service that Veracode provides us although the cost does seem quite high in my opinion.

Our developers are more security-aware and are writing better code. The e-learning option allows our developers to dig deeper into the security issues. Topics such as sanitizing input, carefully configured logging output, and other typical sources of vulnerabilities. We have a better understanding of the proper configuration of web servers and web proxies as well. The Atlassian integration has helped manage our compliance paperwork in a more automated way also. Overall, we are happy with the service that Veracode provides to us.

The Atlassian integration is the most valuable aspect of this solution. Many other security platforms don't seem to have this feature or want an exorbitant amount of money to get it. Automated integrations such as these make compliance much easier to track and maintain. Additionally, the integrations help with agile processes such as DevOps. We are able to schedule things like scan submissions to Veracode that aids in automatic, regular scanning of our web application. Veracode also allows for customizing your corporate policy for things such as remediation deadlines.

Developers frequently complain to me about the user interface and the difficulty in navigating the web site. I too have had some very frustrating moments trying to find things. I do not find the dashboards all that helpful though they are pretty and there seem to be plenty of them. I am running out of critiques to say about Veracode but it seems I must use 500 characters regardless of what I need to say. It seems like an arbitrary requirement. I'm still not at 500 yet. Can I say that this requirement should be cut in half?

We have been using Veracode for a little over two years.

Rock solid. I don't think we've ever had issues being able to access the system. Whenever we have needed to log in and look at something in our results, we have always been able to do so. The only stability issues we have had is with the dynamic scan authenticating into our web app. Sometimes for no understandable reason, it will stop authenticating. However this has only happened a couple of times.

Scalability seems fine. Have not noticed any issues.

Service and support is always helpful and knowledgeable. Turnover seems to be an issue. We are frequently being assigned new staff to our account. So far though, the level of service has been great.

We tried to do it manually ourselves with Burp Suite Pro but it was too cumbersome and no integrations with Atlassian.

Straightforward and web-based. 

Configured ourselves with some assistance setting our policy configuration as I recall. Veracode staff is knowledgeable and always helpful. 

Difficult to quantify. What's the cost if you ignore security?

It's expensive. Know that going in. Your organization, your programmers, and your product will be better for it though. 

I spoke with Checkmarx as well. At the time, Veracode seemed to be cheaper.