Security Analyst at a tech services company with 11-50 employees
Reseller
Top 20
2023-08-31T07:43:00Z
Aug 31, 2023
Veracode provides policy reporting to ensure compliance with industry standards and regulations. It is beneficial. The product also provides features to create custom policies. Most false-positive cases come under DAST. The false positives depend on the code. Veracode provides around 5% false positives. The solution shows the vulnerabilities in the code and provides generic remediations for it. We must then search it on Google. The product’s community is also good. Sometimes, the product provides solutions in the community. These solutions work well on the production level. I have also used the SCA features which help with identifying vulnerabilities in applications' third-party components. The Veracode user interface is so convenient and easy to use. Anyone can run a scan and generate a report easily. The solution provides absolute visibility into application status at every phase of development. The users can get visibility through the CI/CD pipeline. The time taken to complete the scans depends on how much code is present in a specific application and how big the application is. Veracode introduced a new module named Veracode Fix, which automates the fixes for insecure software with AI-generated secure code suggestions where the developer does not have to spend time searching and remediating the vulnerabilities. The developer does not have to spend time searching for vulnerabilities. Sometimes, the tool gives a generic recommendation, sometimes specific recommendations. It will be helpful if it always provides specific recommendations. The amount of time saved hinges on factors such as code complexity, the programming language employed, and the developer's proficiency in secure coding. If anyone uses Veracode throughout the entire process of building an application, from the start of development to the final production stage, it can result in time savings of around 30% to 40% when leveraging various security measures of the platform.
Veracode has had a good impact on our organization’s overall security posture. If we choose to take the complete Veracode module, we can have security from the initial step to the production phase. I would recommend that others implement the solution. Veracode is in the Gartner Magic Quadrant. It is doing a good job. Overall, I rate the product a nine out of ten.
I am into DevOps, and we have integrated Veracode into our DevOps pipeline. I would recommend Veracode to other users. Overall, I rate Veracode a nine out of ten.
Chief Software Architect at a tech services company with 51-200 employees
Real User
Top 20
2023-08-25T13:38:00Z
Aug 25, 2023
My company has a hybrid Veracode deployment. It's a cloud-based solution, so it's tied to the company's automatic build cycles, where you can access and do scans through the cloud. Veracode doesn't require maintenance. The only maintenance my company performs is fixing vulnerabilities found by Veracode. Overall, my rating for Veracode is seven out of ten. I advise others looking to evaluate Veracode to utilize the presales marketing side first. For example, my company was able to utilize Veracode in a presales environment and do the scans to find out how vulnerable my company's software is and compare Veracode with the previous tool, WhiteSource. My company found additional vulnerabilities and was able to do that before signing the contract. It may be best to do a test run of Veracode to find out what the tool is all about and how it looks to your company.
Veracode is really not difficult or complex to understand. The whole concept is simple. It takes some time to get used to the tool, but it is a very simple tool to work with. It was quite fast. Scanning my code took 25 to 30 minutes, which was quite good.
Executive Director at Precise Financial Systems Limited
Real User
Top 10
2023-08-11T15:16:00Z
Aug 11, 2023
I rate Veracode an eight out of ten. We are currently in the process of investigating Veracode's capability to offer insight into the status of applications at each stage of development.
Executive Assistant at a tech company with 51-200 employees
Real User
Top 20
2023-08-01T09:41:00Z
Aug 1, 2023
I would rate Veracode an eight out of ten. I recommend Veracode to others. Veracode's false positives significantly impact our developers. When we encounter numerous false positive cases, we are required to conduct extensive reviews. How much it affects our developers depends on the number of false positive cases we are encountering and the significance of addressing them concerning the criticality of writing the code. Veracode can save time in our DevSecOps process, but it may not significantly reduce costs. Organizations that have security flaws in their code and seek to enhance their core security can consider Veracode as one of the best options for investment. Veracode is easy to implement and can effectively address the flaws in the code, provided that cost is not a significant concern. Maintenance is required from time to time, specifically regarding false positives. We need to verify whether the system is functioning properly and communicate with the support team. The intervals for these checks occur after approximately 30 or 60 days, which we have selected, and we must strive to improve the system during these instances. Veracode is deployed at two locations within our organization.
Information Security Architect at a tech vendor with 5,001-10,000 employees
Real User
Top 10
2023-07-31T20:43:00Z
Jul 31, 2023
I would rate Veracode an eight out of ten. Veracode needs to improve its SCA capabilities to become a market leader rather than a market follower. Another noteworthy area they are starting to focus on is container security. I assume they will compete with Laceworks and other companies in that domain, which makes it worth keeping an eye on. Veracode's software bill of materials feature is integrated into the software composition analysis, which we are currently exploring for utilization. However, at this time, we are using a third-party product for that purpose. Veracode's false positive rate is very low based on what we have found. However, there are instances where it becomes confused, identifying one type of vulnerability when it is actually a different type that appears similar. Nevertheless, we always conduct verifications before approving a list of vulnerabilities for the developers to address. We thoroughly go through and verify at least most of the different types to ensure their validity. My team verifies the false positives, so the developers almost never see them. Because we don't encounter many false positives, we don't spend a lot of time fine-tuning policies. We'll make some minor adjustments, and it should mostly resolve the issue until we encounter a different type of false positive. Then, we'll have to address it separately. One of the other things that I have observed recently is a tool called Veracode Fix. We have not examined it yet, but it's worth considering. Normally, we avoid implementing too many automated fixes because sometimes they end up causing even more issues, particularly when dealing with legacy code while transitioning to Veracode. Allowing automation could potentially lead to the application being permanently shut down, especially in cases like Software Composition Analysis and Software Bill of Materials where we may need to upgrade to a different or less vulnerable, open source piece of code.
If we upgrade without ensuring compatibility with our existing setup, it could break numerous things. Hence, we previously attempted to use automated fixes, but the outcome was negative, and we have decided never to repeat that mistake. Therefore, it's something we plan to explore, but we need to ascertain if there have been any changes in that type of setup. For someone who wants to use Veracode but is concerned about the cost, the amount of time saved, especially on the SAST side of things, makes it worthwhile. We are a multi-cloud organization primarily using AWS, with 25 percent of our infrastructure on Azure and a smaller portion on Google Cloud. We are currently using Google services only because we are a Google shop rather than a Microsoft Office shop. As a result, all of our emails are managed through Google, and we rely on Google Docs and other related tools. There are four architects and a group of DevSecOps professionals who work directly with the development and operations teams. They form the security component of the organization and are responsible for operating Veracode on a daily basis. Their primary role is to assist the developers in integrating Veracode into their workflows, setting up pipelines, and collaborating with them when vulnerabilities are identified. They are available to help the developers understand why they received a vulnerability and guide them on how to address and eliminate it. The only maintenance we will have to deal with is related to the ISM servers. These ISM servers are actually controlled by our company. There is an on-prem link to the Veracode cloud. When they conduct their scan, they access the server, which acts as a jump box. This enables them to scan our internal applications that do not have direct access to the outside world. 
Veracode is a good Dynamic Application Security Testing tool, but it excels as an outstanding Static Application Security Testing solution for organizations that prioritize serious security measures.
I rate Veracode eight out of 10. You should evaluate at least two vendors based on the company's needs. A host of issues need to be addressed, and it's a significant task. Veracode shows you many issues, but you must develop processes to address them. It was impressive when we first scanned our sources and found a thousand, but we had to develop compliance policies to deal with them. My advice is to not make the policies too strict. For example, you can start with high-priority issues.
Product Marketer at a media company with 1,001-5,000 employees
Real User
Top 10
2023-07-10T07:19:00Z
Jul 10, 2023
If a proof of concept is possible, I would ask you to try it out first to get a sense of what Veracode is before investing. But investing in this tool is very much needed. With security threats, for long-term purposes, the code-level threat detection and code-level error detection are very much needed by any organization.
Senior Manager Cyber Security at a tech services company with 201-500 employees
Real User
Top 20
2023-06-13T10:13:00Z
Jun 13, 2023
I give Veracode a ten out of ten. We are using Veracode in multiple locations and departments. Veracode does not require any maintenance. Veracode is an extremely user-friendly tool, operating through a web interface. Additionally, the support and guidance offered by the Veracode team are excellent. Considering all of these factors, I believe Veracode should be the choice for anyone.
I give Veracode an eight out of ten. Our customer provides us with a Veracode profile account for uploading and testing code. We do not manage the solution or have any insight into how it is deployed. I highly recommend Veracode for assisting in identifying vulnerabilities in code. I have learned that Veracode can confidently scan and detect vulnerabilities in code. However, for older or unsupported applications, we need to seek an alternative solution.
The impact that Veracode has on security posture depends on the size of the company. Usually, large companies have standards in place, and that makes code development more secure than it is in small companies. For small companies, Veracode can really make a huge improvement to the SDLC.
Security Lead at a retailer with 10,001+ employees
Real User
Top 10
2023-05-19T13:46:00Z
May 19, 2023
I would rate Veracode a seven out of ten. Although it doesn't fulfill all our requirements, I am still impressed with it and find the solution appealing. Veracode has excelled in SAST, DAST, and IAST, but conducting scans, secret scanning, and IAC are new areas for them. Veracode alone cannot solve our issues or problems. We need to have an agile mindset and ensure that security is embedded and maintained. We need to educate developers to be able to use these tools effectively and incorporate them into their everyday processes. Veracode can be hosted within Europe or at our local location if needed. However, I believe they offer various instances. Personally, I prefer the SaaS solution over on-prem, mainly because unless we have specific data privacy requirements, using the SaaS solution is more convenient. Opting for on-prem would require additional resources, such as setting it up and engaging with Veracode support, which can be a more complex process. Veracode handles the maintenance. All we need to do is set up the files for pipeline scans. Our engineering teams can handle that. In terms of policies, we should review them annually. Credentials will naturally expire on an annual basis, so they need to be reviewed as well. If we want to pursue additional tasks like GitHub integrations, then the setup process is required. I recommend evaluating the top four solutions listed in the Gartner report or any other reliable source of information. Test them thoroughly and ensure that the vendor truly understands the organization's environment before making a commitment. It is crucial for individuals to comprehend and establish a workflow environment before they commence providing tools, and I believe there is indeed a wealth of information pertaining to data dashboards. Although it may require time, we can collaborate with Veracode to construct it. Overall, it is beneficial. It is truly excellent.
Manager Consultant at a tech services company with 1-10 employees
Reseller
Top 20
2023-05-12T14:37:00Z
May 12, 2023
I would rate Veracode a perfect ten out of ten because it consistently delivers on its promises. Those who are concerned about Veracode's price should be aware that the solution holds value. Additionally, they should consider that other solutions are on-premises and require additional fees for reporting traffic processed, unlike Veracode. The maintenance is all taken care of by Veracode. Veracode is so straightforward that I have no advice to offer to anyone. There are many companies out there that do not consider code security when thinking about cybersecurity risks. This holds true even for larger companies, where it is still a greenfield situation.
Principal - Head - IT, Information Security and Admin at a consultancy with 201-500 employees
Real User
Top 5
2023-05-08T12:16:00Z
May 8, 2023
I give Veracode an eight out of ten. The solution is comprehensive, albeit a bit costly. We have not observed any impact on our policy reporting and compliance with industry standards and regulations since we started using Veracode. The false positive rate is slightly high, but we are able to manage it. The false positive rate of the static analysis has not affected the time we spend on the tuning process. Veracode has not affected our developers' time significantly, as the response rates for certain tasks have been slightly slower. I recommend conducting a cost analysis and rate of return evaluation to determine whether the solution is worthwhile. I highly recommend using Veracode for complex products, but it may not be as valuable for simpler ones. Veracode does not require any maintenance. I have learned that it is necessary to plan our strategy for the product and security prior to using Veracode.
I give the solution an eight out of ten. Veracode is user-friendly depending on how we use it. We have seven people using the solution. Veracode does not require any maintenance on our end. Veracode is a secure, reliable, and sustainable tool that all organizations should use for scanning code.
I rate Veracode eight out of 10. It's an excellent product for developing a secure platform that will benefit your company and its customers while helping you build a sustainable development team. Before implementing Veracode, you need to prepare and have at least one person who understands how to use the product.
I give the solution an eight out of ten. We have Veracode deployed in multiple locations. Maintenance is only required when updating the solution. You should evaluate multiple solutions, but I suggest considering Veracode if it aligns with the organization's requirements.
I give the solution a nine out of ten. All coders should have Veracode since it helps prevent security issues in applications, thereby safeguarding critical data. As we know, all applications contain sensitive information. If we only store some of our data online, we have to rely on applications that meet industry standards and compliance requirements. Veracode can help achieve these standards and compliance. To ensure this, Veracode must be set up to scan and integrate with the Jenkins CI/CD pipeline. We capture the health and pharmacy data of users, so Veracode is deployed in various countries and running live. We have over ten million users.
I rate Veracode a ten out of ten. If you plan to implement Veracode, you should have an in-house tech team that knows Veracode. It will be hard if you don't have one set up. You also need to ensure you have the budget to cover Veracode. Overall, Veracode is a stable solution I recommend to any serious enterprise, especially those in finance, charity, or any other field with stringent data protection requirements. I recommend Veracode for DevOps teams, and it's the only stable solution I have used so far that I would suggest to someone else. The prices are constant throughout, and Veracode's support team is there to help you resolve any issue. They can help you resolve issues faster if you have some knowledge about Veracode. Do some planning before you implement the solution. Get to know Veracode, how it is used, and where it is applied. Everything will be smooth.
I rate the solution nine out of ten. Regarding the tool's false positive rate, the analysis is good but can be affected by data and code not supported by Veracode. In these cases, we can experience some challenges, but other than that, the false positive reporting is good. In cases of unsupported code, developer confidence can be affected, as we know there may be some flaws we can't control. If they are minor enough, we can ignore them. I advise others considering the product to go with it if it fulfills their requirements. Veracode is a tested name in the market for application security and detecting flawed code. They should evaluate other options if they fit the needs better, but I highly recommend Veracode.
Program Analyst at a tech services company with 10,001+ employees
Real User
Top 10
2023-01-27T19:57:00Z
Jan 27, 2023
The false positive rate is pretty low. When I started using Veracode, there were a lot of false positives, but that number became notably smaller. There are some false positives because new types of flaws are generated for each new version. Initially, in general, whenever you see any kind of false positives or true negatives, it reduces your confidence. But whenever the reports are generated by Veracode, as developers we can understand that they show certain patterns of what might be a false positive. So we get an idea that this kind of a flaw might be a false positive while this kind might not be a false positive. We get clarity about the reports sent by Veracode. At a certain point, we might be sure that we can explain all the false positive data to management so that they can look into them and understand: If this kind of data or this kind of code flaw comes up, it is a false positive. We can easily associate these scenarios with false positives because they are normal and common. During the initial phase, false positives affect our time because we can't deduce any conclusions. Static analysis is the kind of process in which you will encounter false positives in certain cases. But after a couple of implementations of machine learning, the results should be pretty accurate and the false positives should decrease. Preventive maintenance is critical. Per my experience with Veracode, there are certain maintenance issues, but they are the normal types of things. I would highly recommend Veracode, but initially, don't do a deep dive into the tool. Take a couple of licenses to start adapting to the tool and work out how it works and whether it's suitable for your development processes and developers, and get their feedback. I highly recommend it because it's a real time-saver, provides stability, and improves your organization's productivity.
Veracode is a valuable tool to have in the toolbox to prevent vulnerable code from going into production. Veracode's false positive rate has been very good. It's reasonable. False positives take more time, but I have not noticed that time to be a significant burden. Its policy reporting for ensuring compliance with industry standards and regulations is adequate. In terms of having visibility into application status at every phase of deployment, Veracode doesn't provide that. It doesn't control the whole deployment cycle, so there's no way it can report on all of it. The platform's interfaces look slightly antiquated but don't let that stop you from using it, because it has been a good solution for us. The biggest lesson I have learned using it is that it's really nice to have these security checks in a single place in your code pipeline. We have multiple security companies at this point, but having the code review and product review security in one place helps us know that that part is "containerized." Having everything dealing with code review in one place is nice.
Security Engineer at a comms service provider with 10,001+ employees
Real User
2023-01-09T23:33:00Z
Jan 9, 2023
When it comes to managing risks, we use the remediation feature that Veracode has. Whenever there is a flaw, we do have tickets open up for it and the application owner or the developer goes through the vulnerabilities. There are times when the vulnerability is a false positive and you can mark it as such within the Veracode platform itself. And we, as security professionals, do the validation for whether the business justification is good or not. And we either have a source code review for the vulnerability or have an exception open up for the remediation step that the application or the owner is asking for. We do risks via the platform, as well as through the ticketing tool that we use. We are also using SBOM (Software Bill of Materials) for inventorying all the different kinds of modules and libraries that we are using for an application. Using the SBOM feature, you would have to leverage the API to get the inventory from the API calls that Veracode has. But in our organization, we use the GUI report generation more than the SBOM report because there is an executive summary in the GUI report with regard to first-party and third-party flaws. It also has the mitigation steps. SBOM would only give you the list of software, libraries, and versions that are being used. It is not as detailed as the GUI report that Veracode provides. Things to consider when looking at Veracode include the different integration points where you want to integrate Veracode, how big your organization is, and how many applications you want to do security analysis on. If it's a big organization, Veracode is obviously a solution to evaluate, but for a small organization, below 500 apps, it might be a little pricey. Also, you will need a couple of Veracode champions on your team who know it inside out. You will need training provided by Veracode, so make sure that is included during the procurement stage.
That will help you implement the tool within your organization faster and much more efficiently. I would have given Veracode a nine out of 10 a couple of years back, but given the tools that are coming out on the market, and the scope of development, which is increasing, I would place it at eight.
Senior Software Engineer at a tech vendor with 11-50 employees
Real User
2022-12-02T19:58:00Z
Dec 2, 2022
I rate Veracode eight out of 10. I recommend first testing it on your code to see if it's appropriate. You need to see how long it takes to scan the code.
Senior Director, Quality Engineering at Everbridge
Real User
2022-06-06T14:54:33Z
Jun 6, 2022
All of the Veracode applications operate as one platform. Most of the competitors out there separate their products from their reporting and configuration, so you don't get a single pane of glass. With Veracode, you get a single pane of glass and reporting that you can combine with the different scan types to look at compliance. The advice I would give regarding this solution is this: Look at the policies, the dashboards, and integration with ALM applications like Veracode and JIRA. They have a tighter integration there than I see with most of the competitors. I'm sure that the scan quality is consistent. Perhaps there are some applications that are a little better than others at detection. But we find that Veracode is very comparable to other solutions in the quality of catching vulnerabilities.
DevOps Engineer at an insurance company with 10,001+ employees
Real User
2022-05-23T11:33:00Z
May 23, 2022
If you have Azure DevOps and would like to understand your code and how secure it is, then there are not a lot of better options. Also, there are not many choices in this area at the moment. Once your code is scanned by the static scan of Veracode, you get some evaluation scores based on some criteria. For the management, when it is above a certain number, it is fine, but when it is below, it is a no-go for production. Even though there is a possibility to create a sandbox environment for projects, they don't get it. That is understandable to me. I try to explain to them that there are no issues if you are working in a development environment and you get difficult scans. It is fine then because you can create a sandbox environment, which will not screw up or make the production releases worse because it is in a separate bucket. We are happy using the solution. I would rate it as nine out of 10.
Veracode only has a cloud offering. You upload your binary files for static scanning, or you whitelist your IP and have them come in and scan your website. It doesn't require any maintenance on our end. Overall, it's really good. It's a lot better than other offerings I've seen. The dynamic scanner works really well. The static scanner is still good, but it could be improved.
Sr. VP Engineering at a computer software company with 51-200 employees
Real User
2021-10-28T21:05:00Z
Oct 28, 2021
My advice would depend on the size of your company and whether you have dedicated security engineers. For us, given the size of our company, Veracode has been very important. We needed a turnkey solution, and one that integrated directly into our product. We wanted something immediate. We couldn't take the time to hire a bunch of security engineers and have them figure it out and then do an RFP. That was not us. If you're in that position, where you need something that really meets all of your software security needs during the development life cycle, check out Veracode for sure. Look at a couple of their competitors. It's fine to kick the tires a bit and see what you can get from others, but I would definitely recommend that one-stop-shop type of thinking. You really want to get your solutions from one vendor, a partner that is strong in this area. For the manual pen testing, there's a full day where they engage your product. It takes us about half a day of planning and putting it together, and then providing them with a live website. They then bring their team together and go through all the reports about what they saw and, typically, within a period of three days from the time of the manual pen test, we get results from them. Along with that, they also offer any kind of service you need to interpret or understand the results. You can also get some follow-on from them in terms of best practices and how to fix things. In terms of false positives, I like my security scans to be a little more conservative, rather than being aggressive about eliminating things without me seeing them. I'm okay with the fact that, every once in a while, they flag something and bring it to our attention, and we see that it is really a non-issue. The reason that is my approach is that, when you do a static scan or a pure dynamic scan, these products don't completely understand your application environment. They cannot guess that this or that code is not used in this fashion.
They can only flag something to bring it to your attention, and then you make the judgment call. Veracode has flagged a few issues for us that we decided were non-issues. In their dashboard, you can actually provide a dispensation for each of those items. So we have gone in there and checked a box and put a comment saying, "Not applicable to our workflow." I was very happy that they caught those things. It gives us some confidence that they're looking deep into our product. We haven't had any major issues with false positives. What they flagged to us was reasonable, and we were able to decide that they were not really an issue for us. Our confidence level is very high, thanks to Veracode's solution and our internal focus on shift-left methodology. I push my engineers to make security a part of the design, development, and testing processes. It can't be something that is done as an afterthought. We need shift-left thinking all the way to the left. You want to tackle an issue before it occurs. Overall, Veracode has affected all our application security in a very strong, positive way, and I look forward to using their products and technology to continuously improve our security best practices. I would give it a 10 out of 10. It really is a strong solution for the industry. I'm looking forward to engaging Veracode in an even stronger way in 2022. I want to tightly align what we're doing, from a security best-practices perspective, even more with what they have to offer.
Cybersecurity Executive at a computer software company with 51-200 employees
Real User
2021-09-29T20:54:00Z
Sep 29, 2021
My advice would be to understand how you want Veracode to function within your environment from a workflow perspective. That way, you can potentially start taking advantage of a lot of the functionality it offers out of the gate, which is something we are not doing yet. We're on a delay until 2022. That is really important. Also, in introducing the product to those who will be receiving the output, the findings reports, it would be great to include them in some conversation and collaboration on the move down that Veracode path or, frankly, any path that leads to scanning applications. Veracode provides guidance for fixing vulnerabilities, although we haven't actually had to utilize that. But as a part of our licensing model, they provide us a certain number of opportunities to engage with someone for consultation. We are not focusing on using the solution to enhance developer security training right now, although it is a part of our roadmap. We are banking on being able to utilize that aspect of Veracode because we are an Agile environment and we want developers to be able to engage that training. Also, when there are findings, we want our developers to get that assistance in real-time. That is a part of our 2022 strategy. We have started out with a much more narrow policy for ourselves because we are just learning about how the tool works and how it functions. But we did evaluate some of Veracode's policies, out of curiosity, and they seem to be very aligned and very helpful. However, I would not be able to speak to whether they are on the money for utilization against compliance frameworks.
Automation Practice Leader at a financial services firm with 10,001+ employees
Real User
2021-08-23T14:07:08Z
Aug 23, 2021
For any company wanting to use Veracode and buying vendor binaries from third-party vendors, it's important to get the legal and compliance clearance from the vendor as well. Some vendors have a policy that they're selling you the binary of a particular software but you're not supposed to decode it. Those are the general terms and conditions that every vendor gets you to sign, but Veracode does decode and then scans for the vulnerabilities. It's a challenge for any company purchasing the solution from vendors. I rate the solution a six out of 10.
We are customers and end-users. We don't really have a business relationship with Veracode. I'm more from the performance testing side of things. I've just added the security testing to my list of responsibilities recently. We're using a mix of deployment models. We use both on-premises and cloud deployments. It's a good tool. I've done some comparisons with both SAST and DAST. It gives us this end-to-end sort of feature that we appreciate. Therefore, rather than you doing SAST with one tool and DAST with another tool, I prefer going with Veracode, which offers both. You can learn both static and dynamic scans with a single tool. You could effectively negotiate a price and do that. If you've got some simple apps, from a CAC standpoint, I'd recommend that folks use Veracode. I'd rate the solution at a seven out of ten.
At the time that we used this solution, we were a startup; the software may not have been that complex. It's not like Oracle. My advice to others who are interested in using this solution is to pay attention to the full instructions. I would rate Veracode Developer Training a ten out of ten.
Software Engineer at a tech services company with 1,001-5,000 employees
Real User
2020-12-03T05:52:00Z
Dec 3, 2020
I've participated in some of the online courses, which helped. There are some levels that the team should have. You follow some courses, you get to level one, and then you move on to the next level. Each level of certification was really useful to learn about some of the flaws and some of the vulnerabilities that we could face. They give you some great use cases and how to remedy things in C# and many different languages. The online course also shows you how a developer can make some mistakes in his code, and how those mistakes can be used to bypass app security. By knowing that, you can avoid doing it in the future. There were also some events organized recently, security labs, and they were also useful. There were tasks and I even had to work on them outside of work, but they were really helpful and a challenge. The training also helped us to identify the existing vulnerabilities in our code and some of the third parties that we are using that have vulnerabilities in them. We know we need to upgrade them. My advice is that you should follow the training, initially. It was really helpful, even at the first level. Then, go on and read all the detailed documentation online. There are even some video tutorials which are really helpful. These are the steps that I followed. There is a section on the supported frameworks. Veracode supports a wide variety of languages, but it would be good to check that before diving into the analysis and wondering why it's not detecting your code. I have been really satisfied with the areas of Veracode that I have had a chance to work with.
We were skeptical about running scans with a cloud-based solution, but then we saw the benefits. Everything is up to date without us having to lift a finger. We know we don't have to take care of maintenance. Also, if you work in the domain of medical devices, payment methods, or other things that are related to privacy, Veracode provides all these modules. This is a big advantage. Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly. False positives are not a main problem. The platform does try to overprotect but, of course, a system like this can only understand the syntax and not the semantics. So it's overprotective when there is a doubt. Sometimes, we ignore some of the advice received.
R&D Director at a computer software company with 201-500 employees
Real User
2020-11-11T08:18:00Z
Nov 11, 2020
The solution is efficient when creating secure software, though it depends on how you adopt the tool and how frequently you're running it. As long as you keep it as part of your routine and frequently run the tool, you will catch vulnerabilities closer to real-time. Eventually, you will improve the security of your software. We haven't seen a lot of false positives. However, the tool points us to vulnerabilities to fix which, because of our behavior or software, we don't necessarily need to fix because we have other protections. We are not using it for cloud software. Our solution is only on-prem. I would rate this solution as an eight out of 10.
Head Of Information Security at a media company with 51-200 employees
Real User
2020-11-11T08:18:00Z
Nov 11, 2020
My advice would be to definitely have some code that has a lot of security defects embedded into it and to run it through the scanner to test it early on in the process, ideally during the evaluation process. If your company works in five programming languages, you would want to create some code in each of those languages, code that has a lot of security defects, and then run the scanner over it to just make sure it can catch the security vulnerabilities you need it to catch and that it's consistent with how it raises those vulnerabilities. Veracode provides guidance for fixing vulnerabilities but that doesn't enable developers to write secure code from the start. The way the product works is it scans code that has already been written and then raises issues about the security problems found in the code. That is the point at which the developer sees the issue and can look at the remediation advice Veracode gives, and the possible training. But it doesn't allow them to write secure code in the first place, unless they really remember everything. It does educate them about it, but it's usually after the fact. The solution provides policy reporting for ensuring compliance with industry standards and regulations. While those features were not applicable to us, they were in there. I think they would be very useful for anyone working in a high-compliance industry. It also provides visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in a centralized view. If you buy the SAST and DAST license, of course you'll see those scan results inside that view, but to see the pen testing that means you'd have to buy pen testing from them as well. Seeing those testing types in one view didn't really affect our AppSec. It's nice for the security team, but it's just not that important because they weren't in there every day looking at it. Since we had the JIRA integration, the defects would flow into JIRA.
The software engineers would take a look at it and categorize whether it was something they could fix or something that was in a vendor's library. The software engineers would prioritize the things that they could fix, and if it was in a vendor's library, I would batch those up and communicate them to the vendor. Overall, I would grade Veracode as a "B" when it comes to its ability to prevent vulnerable code from going into production. It will find everything that's wrong, but it doesn't have enough tuning parameters to make it easier for organizations without compliance burdens to use it more effectively. Overall, it's pretty solid. I would give it an eight out of 10.
I'm pretty confident about Veracode's ability to prevent vulnerable code from going into production when I'm using it. When you use Veracode, instead of using it as a manual tool, you should integrate it into your CI/CD pipeline. This way, every build is certified. Then, if there is an issue, you will know about it earlier in the development cycle, not later, because as time passes, it becomes more difficult to fix that issue. With Veracode's support for cloud-native applications, there are some components of our application (which are cloud-native) that we treat in the same way as regular software, e.g., the source code and dynamic URLs. We don't have a model where we can do the real-time scanning. This is something which is currently in talks for maintaining the security of the distributed application. Hopefully, that should get implemented in about two months' time. The reports that they share have been pretty informative, but someone has to go through them and read them quickly. In the early days, they might have offered some kind of training plan, but we did not opt for that. Veracode has a plugin which we use, and it works with developer tools. While there are false positives, there aren't many (around 10 percent). We normally farm these out to the Veracode team, who act accordingly. Our developers still report 90% valid issues, and this is satisfactory for us. Biggest lesson learnt: Security should not be an afterthought. I would rate this solution as an eight out of 10. I took off points due to the extra time that it takes to do the dynamic scan.
Principal for the Application Security Program and Access Control at an engineering company with 10,001+ employees
Real User
2020-11-09T08:11:00Z
Nov 9, 2020
It is good for third-party scanning and if your code base is all modern web frameworks. It is also great for the third-party analysis. However, the Software Composition Analysis is not good if you have C++ code or anything legacy, as it does not cover that. It also does not cover iOS code. It has a lot of constraints. The solution’s policy reporting for ensuring compliance with industry standards and regulations is fine. We are using it for internal reporting, but we haven't really dug into the policy definitions and tweaking them. We are using its default policies. As part of our validation and testing, we are able to catch vulnerable code early on. That has been helpful. Automating some of the process has been really helpful, at least from our team's effort perspective. The tool highlights the risk associated with vulnerabilities. That effort is very much automated with this tool. I would rate this solution as a six out of 10. If you have legacy applications, the solution is great. Their SaaS scanning is geared towards that. If you have modern frameworks, the SaaS scanning and dynamic scanning don't provide much value. My advice to anybody looking at Veracode: Use them for third-party scanning. They are really good at that because of their SourceClear acquisition. For the rest of their products though, just keep looking.
IT Cybersecurity Analyst at an educational organization with 11-50 employees
Real User
2020-11-08T07:00:00Z
Nov 8, 2020
The product is very good, very reliable, and they've made a lot of improvements to the dashboards and the reports. They've made the product easy to use. There used to be a lot of things that you had to search for and maneuver to dig deep down for them, but you don't have to do that anymore. Many of the things are now at your fingertips, including performance reports. Those things are easy to get to.
I can give advice to other managers. If they are willing to properly manage, but they don't have the time or the bandwidth to actually operate, it's a very good tool. It's easy to get access to information and it's easy to understand what's going on with your application without much of a burden. You don't have to waste a lot of time trying to understand a complicated report. Everything is accessible. And the amount of information that Veracode gives based on the flaws is very straightforward and makes it easy for the Dev team to fix them. I would rate it at eight out of 10. The tool itself is a very good tool. The way they work to update the flaws and the findings is very effective. But the support is a little bit expensive and it could be a little bit better. And there are few things that could be updated in the UI, but overall it's a very good tool.
Usually, we open tickets now using the JIRA/GitHub integration and then we plan them. We decide when we want to fix them and we assign them to developers, mostly because there are some projects that are a little bit more on the legacy side. Changing the version of the library is not as easy as in the newer projects, in terms of testing. So we do some planning. But in general, we open tickets and we plan them. We also have it integrated in the pipelines, but that's really just to report. It's a little bit annoying that the pipeline might break because of security issues. It's good to know, but the fact that that interrupts development is not great. When we tried to put it as a part of the local build, it was too much. It was really getting in the way. The developers worried that they had to fix the security issues before releasing. Instead, we just started creating the issues and started doing proper planning. It is good to have visibility, but executing it all the time is just wrong, from our experience. You have to do it at the right time, and not all the time. The solution integrates with developer tools, if you consider JIRA and GitHub as developer tools. We tried to use the IntelliJ plugin but it wasn't working straightaway and we gave up. We haven't been using the container scanning of Veracode, mostly because we are using a different product at the moment to store our Docker images, something that already has some security scanning. So we haven't standardized. We still have to potentially explore the features of Veracode in that area. At the moment we are using Quay from IBM Red Hat, and it is also software as a service. When you upload a Docker image there, after some time you also get a security scan, and that's where our customers are getting our images from. It's a private registry. Overall, I would rate Veracode as a five out of 10, because the functionality is there, but to me, the usability of the user interface is very important and it's still not there.
Security Architect at a financial services firm with 1,001-5,000 employees
Real User
2020-11-04T07:28:00Z
Nov 4, 2020
If you are doing pipeline-based implementation, it would be more complex than the way that I'm doing this, but I didn't see any real challenges that would be tool-specific or vendor-specific, with implementation. Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive. But if you have maybe one or two developers doing many projects, then you might look more towards software that has a developer-centric model. We don't use the Static Analysis Pipeline Scan because of the build process that our developers use. They don't really have an automated build pipeline in which they push the code to production. Also, with the false positive rate, it's a bit tricky when you implement that into the pipeline, as it might stop a developer from pushing code out to test. We use it more like a gate. The developers submit the code to us and then we scan it and review it with them. The biggest lesson I've learned from using Veracode is that you need to manage it with the developers, so that you speak through the findings with them. It's not just a tool that you throw down their throats. Overall, I would rate it at seven out of 10. Ideally, I would prefer a product that had the interactive testing, as well as the ability to scan a little faster.
It is an excellent solution. I would recommend adopting it. If you come from a security background, Veracode is an easy solution. If you don't come from a security background, the adoption of Veracode will take a bit of time. Veracode has been integrated with our IDEs. It has also been integrated with our DevOps CI/CD server, which is Bamboo, Jenkins, or GitLab CI/CD. It is all pretty neat and clean. I would rate this solution as a nine out of 10.
The biggest lesson I have learned from using Veracode is that there isn't an answer for everything. But when an area needs to be mitigated the mitigation process is fairly easy. It's pretty efficient, but in my case it took a long time to upload my information. It was a very big project, so I was not surprised that it took a long time, but it was mostly because of the internet around here. It would take a long time to upload the DLL and run the static analysis. It would take about two hours, but again, it's a large project. Overall, it does a very good job of preventing vulnerable code from going into production. It identified issues that were not detected in penetration tests and allowed us to lock them down.
Head IT Architecture at a tech vendor with 11-50 employees
Real User
Top 20
2019-06-16T07:23:00Z
Jun 16, 2019
I would strongly recommend doing an internal analysis first, before setting it across to Veracode to proceed and to use it more as a final verification point. My point is that Veracode is very good, and I would strongly recommend it. I have seen other solutions on the market and that's why I say: don't waste your time on other products, just get Veracode. I would rate it an eight out of ten. Not a ten because of the reporting issues I mentioned that I would like to see improved.
When it comes to DevSecOps, in the industry it is still under adoption. With the advent of the cloud and code being there, or on other public platforms, many people have embraced it or are in the process of doing so. My advice for anybody interested in implementing this solution is to be really careful when choosing your tools. Be very proactive and up-front on the requirements of your systems, because no tool is perfect. You need to find the best fit for each particular use case. I would do a thorough analysis. As a solution architect, I do small POCs and run initiatives on products to find out various aspects. For example, the technical feasibility of the product is an important aspect. Other important ones are usability, testing, and implementation. Normally, I select at least three products and do a comparative analysis based on the POC. After this, I recommend a particular solution. I would recommend Veracode. There are pluses and minuses to this solution, but given the chance to use it again I would definitely do so. Every product has its own flaws, but for my use case, it did fit very well. I would rate this solution an eight and a half out of ten.
Managing Principal Consultant at a tech vendor with 11-50 employees
Real User
2019-06-11T11:10:00Z
Jun 11, 2019
My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support then it will give quite poor results. I would rate this solution a six out of ten.
If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode is pretty straightforward to use and the support is really good. We don't have a lot of complaints about that. I don't know how the pricing model is going to change the actual price of the application. On a per-license basis, Veracode has a very lucrative way of doing business. I don't think a big company that has a lot of services and applications would enjoy paying upwards of $200,000 per year to scan all their code. Prospective customers should look at how the pricing model affects them, especially if they are in the microservice type of architecture or if they are moving towards something like that. I would rate Veracode an eight out of ten just based on the experience that we had the past two years. The reason it's not ten is because of the ways these tools integrate. That rating is at risk of becoming a seven now with the pricing model changing. Veracode is probably not going to be that attractive anymore compared to other competitors. We knew other competitors were more expensive. The reason that we didn't go with them was that Veracode was very straightforward.
Be aware that the first run will find a lot of issues, many of which are not real issues; it will take time to understand that. Don't change object names as that will confuse it. Make sure you get development buy-in early. We're looking to expand its use within the development organization and are looking into another license. Currently, we have four users of the solution, myself (security) and developers. The four of us also maintain it.
AVP, IS Manager at a financial services firm with 1,001-5,000 employees
Real User
2018-11-12T09:12:00Z
Nov 12, 2018
I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added. We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.
Chief Information Security Officer with 501-1,000 employees
Real User
2018-11-01T11:57:00Z
Nov 1, 2018
I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool. I really like Veracode. That is one of the reasons that we brought them onboard ten years ago. Of course, they were new back then. The different aspects of the offerings that Veracode provides to their customers are somewhat unique and, right now, I couldn't ask another thing from them. We have approximately 30 Java developers and four or five testers. There are also project managers using it. We have one person who manages running of the scans and that person might have one or two other people to help. We haven't really been utilizing it to its full potential. We probably utilize it once or twice per quarter. We are planning to increase the capacity that we've purchased. However, we're getting ready to elect a new governor in Ohio. With that election, things will change, according to his or her desires. Right now, we're in a holding pattern waiting for November to come and go. In terms of integrating the solution into our existing software development lifecycle, because we started so long ago - before the software development lifecycle was fully implemented - we were doing Veracode testing just because it was a good idea. Then we actually developed a lifecycle. We got into scrums and it just naturally worked its way in, so when we actually hired a testing group, Veracode was already a part of the process.
CISO at Laboratory Corporation of America Holdings
Real User
2018-05-16T06:43:00Z
May 16, 2018
On the rating scale, is there anything above 10? If there are no ones and tens, it would be the closest to 10. They have always been supportive. We have had to change, do course corrections during implementations, or particular types of coding. I have just never had a problem. My loyalty to the product has been primarily due to the service and the expedience with which they solve any problems we have.
For us, whenever we are selecting a partner, vendors to work with who are going to be working with our customers, we have to make sure that they align regarding customer support philosophy, and that is the reason we selected to work with Veracode. I would definitely rate Veracode a 10 out of 10, based on our customer feedback. Whenever we know the relationship is going well between Veracode and our customers, it reflects very well on us.
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
Real User
2018-05-16T06:43:00Z
May 16, 2018
I give Veracode a solid nine out of 10 because it is a full-featured product. It is not just something that they are selling to you and then leaving you to figure out how to use it. They actually help you every single step of the way and they want to show you how to do it. Their testers, their application security consultants, really help you and help educate the developers. They walk you through every step of the way.
SVP Application Security at a financial services firm with 10,001+ employees
Real User
2018-05-16T06:43:00Z
May 16, 2018
I would give Veracode a nine out of 10 because it scales incredibly well, they have very qualified people working there who are able to clearly articulate what the problems are when they are talking in a remediation or consultation call. They are very knowledgeable, they are not condescending when they talk to a developer. The tool is very easy to consume. It's not like looking at a menu with 20 pages at a restaurant, it's very simple to digest. They have a lot of API connectors, they cover a lot of languages and it just scales. You can't beat that. Finally, the relationship is great with them.
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
Real User
2018-05-02T07:27:00Z
May 2, 2018
My advice is what I mentioned in the pricing/licensing section above: you really need to understand what it is you are looking to do. Also, take into account the data sensitivity of the applications. It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications. Understand which are your critical apps that deal with critical, very sensitive data, and then apply a more rigorous scan model to them, versus internal applications that perhaps don't deal with as much PII, with as much sensitive information, and aren't available to the outside world. Those might have a lower risk footprint. Understand that, so when your developers go in there you are not treating every single thing like it is a public-facing, client-data-gathering, credit-card-processing web app. That way your developers can prioritize what they need to work on, so that you are delivering the right metrics to your leadership. You really need to understand that strategy going in, because the tool is not going to help you determine that. The tool is only going to help you scan. The only reason I don't rate it a nine or a 10 out of 10 is because we haven't hit those scalability roadblocks yet. I know we might have some challenges in the future, but I would say eight out of 10 is an incredibly good score for a product like this. If you were just asking me about the support and the people behind it, I would rate that a nine or a 10. If you bundle it all together it's an eight. I recommend CA Veracode to colleagues all the time.
Director Security and Risk OMNI Cloud Operations at Manhattan Associates
Real User
2018-04-12T05:42:00Z
Apr 12, 2018
We recommend Veracode to colleagues all the time. I'd give the advice of not getting hung up on trying to compare the static scanning to the dynamic scanning, that's number one. Don't even compare them. If you're doing neither, do static first. It'll get the majority of your exposures addressed. Then you come in, in a second round, and do dynamic. Dynamic really becomes more of a confirmation of security. The other piece of advice I'd give is to "follow the directions." Make sure they understand how they're supposed to compile code. Take the advice of the program management team with their code, and follow their lead, and you'll come out in a very good position very quickly. I'd give Veracode a 10 out of 10 because the rate at which we gained control of our security posture, from a development perspective, was fast. There is a lack of wasted time in our developer organization chasing down erroneously reported vulnerabilities. The rate of erroneously reported vulnerabilities is very low, and that means that our developer time is very effective as we investigate a reported issue. As I said, it's 96, 98 percent probability it is real. So our developers gain confidence and don't second-guess the results. The level of detail that we are provided for a given vulnerability, the data path that it follows, the precision with which the justification is provided, is very high. Again, you're highly confident in the result. You are provided a tremendous amount of detail about the vulnerability it found. And the rate at which you can ramp up and be productive is very fast.
Chief Compliance Officer at a financial services firm with 51-200 employees
Real User
2018-04-11T10:47:00Z
Apr 11, 2018
Have them guide you through your first scan - make sure to add hours to your initial contract for that. I am very likely to recommend Veracode to colleagues.
I hold Veracode in high regard. It's a good organization to work with, and it's a very conscientious organization. I'm always a recommender of the solution set.
I am highly likely to recommend Veracode to colleagues. Make sure, once you scan and find issues with your code, that the developers know how to remediate those issues so they don't go through them again. It's going to take some time to get through your first set of scans and mitigations. To fix your code is not straightforward. But once you do that and implement it back through your whole development cycle, they identify the issues and it's very easy to fix them, once you know and have gone through it once.
I would advise that you figure out a way to integrate it into your software development lifecycle in a way that it's not intrusive to your developers. That was really something that I set out to do. I didn't want my developers to have to go into their code, and kick off scans, and upload their code. So, I would really suggest looking at your integrations, your JIRA, your Jenkins, all of your add-ons, and hopefully that fits into the SDLC process, and then automating via their API. Essentially, what we were able to achieve is, my developers still live within JIRA and the issues get opened from Veracode into JIRA and they work on things that way. They can remediate it, kick it that way, and if they need to they can log into Veracode. But I'd suggest making the SDLC process integrated as much as you can to make it something that developers aren't having to spend a lot of time doing every day. Overall, I would give Veracode a nine out of 10, just because nothing is perfect. But it does everything for us and it was so painless. I speak very highly of it for those reasons. I would highly recommend CA Veracode. Every engineer that I've dealt with has been really sharp. The review process they have is really good and the knowledge they have has been tremendous. I really recommend working with them.
Information Security Lead Analyst at a consumer goods company with 10,001+ employees
Real User
2018-03-20T11:53:00Z
Mar 20, 2018
I recommend it all the time. It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection. I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourages its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.
CA Veracode provides application security (AppSec) best practices and guidance to our teams in a couple ways. First of all, they have an e-learning module that has courses that we have required our developers to take. That's a best practice. Secondly, when we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are. They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice. The list goes on... And again, having received, early on, education from them on how best to integrate this in the workflow, those are areas where we've relied on best practices from Veracode. I'm in healthcare, and it's very important - and I'm sure in other industries just as well - but the stakes are very high. If we get hacked, if there's a data breach, it could put us out of business. It's a very good price point for a small company to have these kinds of capabilities, something we can afford for our application. I am very likely to recommend it to colleagues. As I mentioned, I brought it to this company, and I've already recommended and provided references to a few other companies over the last couple of years.
Information Technology at an insurance company with 51-200 employees
Real User
2018-03-14T08:56:00Z
Mar 14, 2018
In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward to doing it, starting with the next app that gets developed from scratch. CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a credible set of rules for Veracode policy, all this at no additional cost. As Veracode licensing is generally time-related, I suggest you start the subscription once everything is ready for consumption, assign a specific person to it and declare it mandatory at the policy level. Losing two months of great value because the devs are too busy, or because they think they don't need it, or they fear the results, or because no one is taking charge of the Veracode process, is really a pity. Once the clock starts ticking, try to take advantage as much as you can. I would recommend Veracode to anyone involved in high-risk environments.
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
Real User
2018-03-13T06:59:00Z
Mar 13, 2018
In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not have really before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half. The advice I'd give is look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good for your company. If you aren't currently doing this kind of analysis on your code, I would take a strong look at whether this is something that you really should be doing. It's a different world out there right now. I would recommend Veracode very highly, especially since the program management staff that I work with from Veracode are some of the best people that I've worked with in this industry.
CISSP, CISM at a tech services company with 1,001-5,000 employees
Real User
2018-03-08T09:23:00Z
Mar 8, 2018
I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion. We are a good customer and we had been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.
I would be highly likely to recommend working with CA Veracode to colleagues. I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do. Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.
Director Software Engineering at a tech services company with 51-200 employees
Real User
2018-03-07T09:02:00Z
Mar 7, 2018
We have made process changes and improvements, although Veracode is not tightly integrated into our CI/CD platform yet. I am very likely to recommend to colleagues that they work with CA Veracode.
Application & Product Security Manager at an insurance company with 1,001-5,000 employees
Real User
2018-03-06T09:06:00Z
Mar 6, 2018
Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that. The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides. In terms of advice to others looking into implementing this project, I would say don’t use the UI, and do what you can to have license conversations up front. It depends on the use case and budget, but I would recommend CA Veracode to colleagues.
I never give 10s. I would give it a nine. It does nearly everything, but penetration testing. It covers such a broad breadth of our portfolio. In our business, we have applications written in so many different languages. Finding something that can consistently scan and not generate false positives across the paradigm or the whole ecosystem of languages, that is impressive. It is speed of inspection, the accurateness of the inspection outcomes, and frankly, it has fairly good business analytics embedded on the platforms. So, it does a lot more for us than not.
Technical Director at a financial services firm with 1,001-5,000 employees
Real User
2017-11-26T07:43:00Z
Nov 26, 2017
The most important criteria when selecting a vendor are reliability and customer service. Take advantage of all of the help that Veracode provides, for implementation, operations, and maintenance, because they absolutely know what they're doing.
Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.
Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis...
Veracode has had a good impact on our organization’s overall security posture. If we choose to take the complete Veracode module, we can have security from the initial step to the production phase. I will recommend others to implement the solution. Veracode is in the Gartner Magic Quadrant. It is doing a good job. Overall, I rate the product a nine out of ten.
I am into DevOps, and we have integrated Veracode into our DevOps pipeline. I would recommend Veracode to other users. Overall, I rate Veracode a nine out of ten.
My company has a hybrid Veracode deployment. It's a cloud-based solution, so it's tied to the company's automatic build cycles, where you can access and do scans through the cloud. Veracode doesn't require maintenance. The only maintenance my company performs is fixing vulnerabilities found by Veracode. Overall, my rating for Veracode is seven out of ten. I advise others looking to evaluate Veracode to utilize the presales marketing side first. For example, my company was able to utilize Veracode in a presales environment and do the scans to find out how vulnerable my company's software is and compare Veracode with the previous tool, WhiteSource. My company found additional vulnerabilities and was able to do that before signing the contract. It may be best to do a test run of Veracode to find out what the tool is all about and how it looks to your company.
We are a customer and end-user. I'd rate the solution nine out of ten. I'd recommend the solution to others.
Veracode is really not difficult or complex to understand. The whole concept is simple. It takes some time to get used to the tool, but it is a very simple tool to work with. It was quite fast. Scanning my code took 25 to 30 minutes, which was quite good.
I rate Veracode an eight out of ten. We are currently in the process of investigating Veracode's capability to offer insight into the status of applications at each stage of development.
I would rate Veracode an eight out of ten. I recommend Veracode to others. Veracode's false positives significantly impact our developers. When we encounter numerous false positive cases, we are required to conduct extensive reviews. How much it affects our developers depends on the number of false positive cases we are encountering and the significance of addressing them concerning the criticality of writing the code. Veracode can save time in our DevSecOps process, but it may not significantly reduce costs. Organizations that have security flaws in their code and seek to enhance their core security can consider Veracode as one of the best options for investment. Veracode is easy to implement and can effectively address the flaws in the code, provided that cost is not a significant concern. Maintenance is required from time to time, specifically regarding false positives. We need to verify whether the system is functioning properly and communicate with the support team. The intervals for these checks occur after approximately 30 or 60 days, which we have selected, and we must strive to improve the system during these instances. Veracode is deployed at two locations within our organization.
I would rate Veracode an eight out of ten. Veracode needs to improve its SCA capabilities to become a market leader rather than a market follower. Another noteworthy area they are starting to focus on is container security. I assume they will compete with Lacework and other companies in that domain, which makes it worth keeping an eye on. Veracode's software bill of materials feature is integrated into the software composition analysis, which we are currently exploring for utilization. However, at this time, we are using a third-party product for that purpose. Veracode's false positive rate is very low based on what we have found. However, there are instances where it becomes confused, identifying one type of vulnerability when it is actually a different type that appears similar. Nevertheless, we always conduct verifications before approving a list of vulnerabilities for the developers to address. We thoroughly go through and verify at least most of the different types to ensure their validity. My team verifies the false positives, so the developers almost never see them. Because we don't encounter many false positives, we don't spend a lot of time fine-tuning policies. We'll make some minor adjustments, and it should mostly resolve the issue until we encounter a different type of false positive. Then, we'll have to address it separately. One of the other things that I have observed recently is a tool called Veracode Fix. We have not examined it yet, but it's worth considering. Normally, we avoid implementing too many automated fixes because sometimes they end up causing even more issues, particularly when dealing with legacy code while transitioning to Veracode. Allowing automation could potentially lead to the application being permanently shut down, especially in cases like Software Composition Analysis and Software Bill of Materials where we may need to upgrade to a different or less vulnerable open source piece of code.
If we upgrade without ensuring compatibility with our existing setup, it could break numerous things. Hence, we previously attempted to use automated fixes, but the outcome was negative, and we have decided never to repeat that mistake. Therefore, it's something we plan to explore, but we need to ascertain if there have been any changes in that type of setup. For someone who wants to use Veracode but is concerned about the cost, the amount of time saved, especially on the SAST side of things, makes it worthwhile. We are a multi-cloud organization primarily using AWS, with 25 percent of our infrastructure on Azure and a smaller portion on Google Cloud. We are currently using Google services only because we are a Google shop rather than a Microsoft Office shop. As a result, all of our emails are managed through Google, and we rely on Google Docs and other related tools. There are four architects and a group of DevSecOps professionals who work directly with the development and operations teams. They form the security component of the organization and are responsible for operating Veracode on a daily basis. Their primary role is to assist the developers in integrating Veracode into their workflows, setting up pipelines, and collaborating with them when vulnerabilities are identified. They are available to help the developers understand why they received a vulnerability and guide them on how to address and eliminate it. The only maintenance we will have to deal with is related to the ISM servers. These ISM servers are actually controlled by our company. There is an on-prem link to the Veracode cloud. When they conduct their scan, they access the server, which acts as a jump box. This enables them to scan our internal applications that do not have direct access to the outside world. 
Veracode is a good Dynamic Application Security Testing tool, but it excels as an outstanding Static Application Security Testing solution for organizations that prioritize serious security measures.
I rate Veracode eight out of 10. You should evaluate at least two vendors based on the company's needs. A host of issues need to be addressed, and it's a significant task. Veracode shows you many issues, but you must develop processes to address them. It was impressive when we first scanned our sources and found a thousand, but we had to develop compliance policies to deal with them. My advice is to not make the policies too strict. For example, you can start with high-priority issues.
If a proof of concept is possible, I would ask you to try it out first to get a sense of what Veracode is before investing. But investing in this tool is very much needed. With security threats, for long-term purposes, the code-level threat detection and code-level error detection are very much needed by any organization.
I give Veracode a ten out of ten. We are using Veracode in multiple locations and departments. Veracode does not require any maintenance. Veracode is an extremely user-friendly tool, operating through a web interface. Additionally, the support and guidance offered by the Veracode team are excellent. Considering all of these factors, I believe Veracode should be the choice for anyone.
I give Veracode an eight out of ten. Our customer provides us with a Veracode profile account for uploading and testing code. We do not manage the solution or have any insight into how it is deployed. I highly recommend Veracode for assisting in identifying vulnerabilities in code. I have learned that Veracode can confidently scan and detect vulnerabilities in code. However, for older or unsupported applications, we need to seek an alternative solution.
The impact that Veracode has on security posture depends on the size of the company. Usually, large companies have standards in place, and that makes code development more secure than it is in small companies. For small companies, Veracode can really make a huge improvement to the SDLC.
I would rate Veracode a seven out of ten. Although it doesn't fulfill all our requirements, I am still impressed with it and find the solution appealing. Veracode has excelled in SAST, DAST, and IAST, but conducting scans, secret scanning, and IAC are new areas for them. Veracode alone cannot solve our issues or problems. We need to have an agile mindset and ensure that security is embedded and maintained. We need to educate developers to be able to use these tools effectively and incorporate them into their everyday processes. Veracode can be hosted within Europe or at our local location if needed. However, I believe they offer various instances. Personally, I prefer the SaaS solution over on-prem, mainly because unless we have specific data privacy requirements, using the SaaS solution is more convenient. Opting for on-prem would require additional resources, such as setting it up and engaging with Veracode support, which can be a more complex process. Veracode handles the maintenance. All we need to do is set up the files for pipeline scans. Our engineering teams can handle that. In terms of policies, we should review them annually. Credentials will naturally expire on an annual basis, so they need to be reviewed as well. If we want to pursue additional tasks like GitHub integrations, then the setup process is required. I recommend evaluating the top four solutions listed in the Gartner report or any other reliable source of information. Test them thoroughly and ensure that the vendor truly understands the organization's environment before making a commitment. It is crucial for individuals to comprehend and establish a workflow environment before they commence providing tools, and I believe there is indeed a wealth of information pertaining to data dashboards. Although it may require time, we can collaborate with Veracode to construct it. Overall, it is beneficial. It is truly excellent.
I would rate Veracode a perfect ten out of ten because it consistently delivers on its promises. Those who are concerned about Veracode's price should be aware that the solution holds value. Additionally, they should consider that other solutions are on-premises and require additional fees for reporting traffic processed, unlike Veracode. The maintenance is all taken care of by Veracode. Veracode is so straightforward that I have no advice to offer to anyone. There are many companies out there that do not consider code security when thinking about cybersecurity risks. This holds true even for larger companies, where it is still a greenfield situation.
I rate Veracode a nine out of ten.
I give Veracode an eight out of ten. The solution is comprehensive, albeit a bit costly. We have not observed any impact on our policy reporting and compliance with industry standards and regulations since we started using Veracode. The false positive rate is slightly high, but we are able to manage it. The false positive rate of the static analysis has not affected the time we spend on the tuning process. Veracode has not affected our developers' time significantly, as the response rates for certain tasks have been slightly slower. I recommend conducting a cost analysis and rate of return evaluation to determine whether the solution is worthwhile. I highly recommend using Veracode for complex products, but it may not be as valuable for simpler ones. Veracode does not require any maintenance. I have learned that it is necessary to plan our strategy for the product and security prior to using Veracode.
I give the solution an eight out of ten. Veracode is user-friendly depending on how we use it. We have seven people using the solution. Veracode does not require any maintenance on our end. Veracode is a secure, reliable, and sustainable tool that all organizations should use for scanning code.
I rate Veracode eight out of 10. It's an excellent product for developing a secure platform that will benefit your company and its customers while helping you build a sustainable development team. Before implementing Veracode, you need to prepare and have at least one person who understands how to use the product.
I give the solution an eight out of ten. We have Veracode deployed in multiple locations. Maintenance is only required when updating the solution. You should evaluate multiple solutions, but I suggest considering Veracode if it aligns with the organization's requirements.
I give the solution a nine out of ten. All coders should have Veracode since it helps prevent security issues in applications, thereby safeguarding critical data. As we know, all applications contain sensitive information. If we only store some of our data online, we have to rely on applications that meet industry standards and compliance requirements. Veracode can help achieve these standards and compliance. To ensure this, Veracode must be set up to scan and integrate with the Jenkins CI/CD pipeline. We capture the health and pharmacy data of users, so Veracode is deployed in various countries and running live. We have over ten million users.
The process of packaging scannable modules is not straightforward.
I rate Veracode a ten out of ten. If you plan to implement Veracode, you should have an in-house tech team that knows Veracode. It will be hard if you don't have one set up. You also need to ensure you have the budget to cover Veracode. Overall, Veracode is a stable solution I recommend to any serious enterprise, especially those in finance, charity, or any other field with stringent data protection requirements. I recommend Veracode for DevOps teams, and it's the only stable solution I have used so far that I would suggest to someone else. The prices are constant throughout, and Veracode's support team is there to help you resolve any issue. They can help you resolve issues faster if you have some knowledge about Veracode. Do some planning before you implement the solution. Get to know Veracode, how it is used, and where it is applied. Everything will be smooth.
I rate the solution nine out of ten. Regarding the tool's false positive rate, the analysis is good but can be affected by data and code not supported by Veracode. In these cases, we can experience some challenges, but other than that, the false positive reporting is good. In cases of unsupported code, developer confidence can be affected, as we know there may be some flaws we can't control. If they are minor enough, we can ignore them. I advise others considering the product to go with it if it fulfills their requirements. Veracode is a tested name in the market for application security and detecting flawed code. They should evaluate other options if they fit the needs better, but I highly recommend Veracode.
The false positive rate is pretty low. When I started using Veracode, there were a lot of false positives, but that number became notably smaller. There are some false positives because new types of flaws are generated for each new version. Initially, in general, whenever you see any kind of false positives or true negatives, it reduces your confidence. But whenever the reports are generated by Veracode, as developers we can understand that they show certain patterns of what might be a false positive. So we get an idea that this kind of a flaw might be a false positive while this kind might not be a false positive. We get clarity about the reports sent by Veracode. At a certain point, we might be sure that we can explain all the false positive data to management so that they can look into them and understand: If this kind of data or this kind of code flaw comes up, it is a false positive. We can easily associate these scenarios with false positives because they are normal and common. During the initial phase, false positives affect our time because we can't deduce any conclusions. Static analysis is the kind of process in which you will encounter false positives in certain cases. But after a couple of implementations of machine learning, the results should be pretty accurate and the false positives should decrease. Preventive maintenance is critical. Per my experience with Veracode, there are certain maintenance issues, but they are the normal types of things. I would highly recommend Veracode, but initially, don't do a deep dive into the tool. Take a couple of licenses to start adapting to the tool and work out how it works and whether it's suitable for your development processes and developers, and get their feedback. I highly recommend it because it's a real time-saver, provides stability, and improves your organization's productivity.
Veracode is a valuable tool to have in the toolbox to prevent vulnerable code from going into production. Veracode's false positive rate has been very good. It's reasonable. False positives take more time, but I have not noticed that time to be a significant burden. Its policy reporting for ensuring compliance with industry standards and regulations is adequate. In terms of having visibility into application status at every phase of deployment, Veracode doesn't provide that. It doesn't control the whole deployment cycle, so there's no way it can report on all of it. The platform's interfaces look slightly antiquated but don't let that stop you from using it, because it has been a good solution for us. The biggest lesson I have learned using it is that it's really nice to have these security checks in a single place in your code pipeline. We have multiple security companies at this point, but having the code review and product review security in one place helps us know that that part is "containerized." Having everything dealing with code review in one place is nice.
Overall, I'd give Veracode an eight out of ten.
When it comes to managing risks, we use the remediation feature that Veracode has. Whenever there is a flaw, we do have tickets open up for it and the application owner or the developer goes through the vulnerabilities. There are times when the vulnerability is a false positive and you can mark it as such within the Veracode platform itself. And we, as security professionals, do the validation for whether the business justification is good or not. And we either have a source code review for the vulnerability or have an exception open up for the remediation step that the application or the owner is asking for. We do risks via the platform, as well as through the ticketing tool that we use. We are also using SBOM (Software Bill of Materials) for inventorying all the different kinds of modules and libraries that we are using for an application. Using the SBOM feature, you would have to leverage the API to get the inventory from the API calls that Veracode has. But in our organization, we use the GUI report generation more than the SBOM report because there is an executive summary in the GUI report with regard to first-party and third-party flaws. It also has the mitigation steps. SBOM would only give you the list of software, libraries, and versions that are being used. It is not as detailed as the GUI report that Veracode provides. Things to consider when looking at Veracode include the different integration points where you want to integrate Veracode, how big your organization is, and how many applications you want to do security analysis on. If it's a big organization, Veracode is obviously a solution to evaluate, but for a small organization, below 500 apps, it might be a little pricey. Also, you will need a couple of Veracode champions on your team who know it inside out. You will need training provided by Veracode, so make sure that is included during the procurement stage.
That will help you implement the tool within your organization faster and much more efficiently. I would have given Veracode a nine out of 10 a couple of years back, but given the tools that are coming out on the market, and the scope of development, which is increasing, I would place it at eight.
I rate Veracode eight out of 10. I recommend first testing it on your code to see if it's appropriate. You need to see how long it takes to scan the code.
All of the Veracode applications operate as one platform. Most of the competitors out there separate their products from their reporting and configuration, so you don't get a single pane of glass. With Veracode, you get a single pane of glass and reporting that you can combine with the different scan types to look at compliance. The advice I would give regarding this solution is this: Look at the policies, the dashboards, and integration with ALM applications like Veracode and JIRA. They have a tighter integration there than I see with most of the competitors. I'm sure that the scan quality is consistent. Perhaps there are some applications that are a little better than others at detection. But we find that Veracode is very comparable to other solutions in the quality of catching vulnerabilities.
If you have Azure DevOps and would like to understand your code and how secure it is, then there are not a lot of better options. Also, there are not many choices in this area at the moment. Once your code is scanned by the static scan of Veracode, you get some evaluation scores based on some criteria. For the management, when it is above a certain number, it is fine, but when it is built below, then it is no-go for production. Even though there is a possibility to create a sandbox environment for projects, they don't get it. That is understandable to me. I try to explain to them that there are no issues if you are working in a development environment and you get difficult scans. It is fine then because you can create a sandbox environment, which will not screw up or make the production releases worse because it is in a separate bucket. We are happy using the solution. I would rate it as nine out of 10.
Veracode only has a cloud offering. You upload your binary files for static scanning, or you whitelist your IP and have them come in and scan your website. It doesn't require any maintenance on our end. Overall, it's really good. It's a lot better than other offerings I've seen. The dynamic scanner works really well. The static scanner is still good, but it could be improved.
My advice would depend on the size of your company and whether you have dedicated security engineers. For us, given the size of our company, Veracode has been very important. We needed a turnkey solution, and one that integrated directly into our product. We wanted something immediate. We couldn't take the time to hire a bunch of security engineers and have them figure it out and then do an RFP. That was not us. If you're in that position, where you need something that really meets all of your software security needs during the development life cycle, check out Veracode for sure. Look at a couple of their competitors. It's fine to kick the tires a bit and see what you can get from others, but I would definitely recommend that one-stop-shop type of thinking. You really want to get your solutions from one vendor, a partner that is strong in this area. For the manual pen testing, there's a full day where they engage your product. It takes us about half a day of planning and putting it together, and then providing them with a live website. They then bring their team together and go through all the reports about what they saw and, typically, within a period of three days from the time of the manual pen test, we get results from them. Along with that, they also offer any kind of service you need to interpret or understand the results. You can also get some follow-on from them in terms of best practices and how to fix things. In terms of false positives, I like my security scans to be a little more conservative, rather than being aggressive about eliminating things without me seeing them. I'm okay with the fact that, every once in a while, they flag something and bring it to our attention, and we see that it is really a non-issue. The reason that is my approach is that, when you do a static scan or a pure dynamic scan, these products don't completely understand your application environment. They cannot guess that this or that code is not used in this fashion.
They can only flag something to bring it to your attention, and then you make the judgment call. Veracode has flagged a few issues for us that we decided were non-issues. In their dashboard, you can actually provide a dispensation for each of those items. So we have gone in there and checked a box and put a comment saying, "Not applicable to our workflow." I was very happy that they caught those things. It gives us some confidence that they're looking deep into our product. We haven't had any major issues with false positives. What they flagged to us was reasonable, and we were able to decide that they were not really an issue for us. Our confidence level is very high, thanks to Veracode's solution and our internal focus on shift-left methodology. I push my engineers to make security a part of the design, development, and testing processes. It can't be something that is done as an afterthought. We need shift-left thinking all the way to the left. You want to tackle an issue before it occurs. Overall, Veracode has affected all our application security in a very strong, positive way, and I look forward to using their products and technology to continuously improve our security best practices. I would give it a 10 out of 10. It really is a strong solution for the industry. I'm looking forward to engaging Veracode in an even stronger way in 2022. I want to tightly align what we're doing, from a security best-practices perspective, even more with what they have to offer.
My advice would be to understand how you want Veracode to function within your environment from a workflow perspective. That way, you can potentially start taking advantage of a lot of the functionality it offers out of the gate, which is something we are not doing yet. We're on a delay until 2022. That is really important. Also, in introducing the product to those who will be receiving the output, the findings reports, it would be great to include them in some conversation and collaboration as you move down the Veracode path or, frankly, any path that leads to scanning applications. Veracode provides guidance for fixing vulnerabilities, although we haven't actually had to utilize that. But as a part of our licensing model, they provide us a certain number of opportunities to engage with someone for consultation. We are not focusing on using the solution to enhance developer security training right now, although it is a part of our roadmap. We are banking on being able to utilize that aspect of Veracode because we are an Agile environment and we want developers to be able to engage with that training. Also, when there are findings, we want our developers to get that assistance in real time. That is a part of our 2022 strategy. We have started out with a much narrower policy for ourselves because we are just learning about how the tool works and how it functions. But we did evaluate some of Veracode's policies, out of curiosity, and they seem to be very aligned and very helpful. However, I would not be able to speak to whether they are on the money for utilization against compliance frameworks.
For any company wanting to use Veracode and buying vendor binaries from third-party vendors, it's important to get the legal and compliance clearance from the vendor as well. Some vendors have a policy that they're selling you the binary of a particular software but you're not supposed to decode it. Those are the general terms and conditions that every vendor gets you to sign, but Veracode does decode and then scans for the vulnerabilities. It's a challenge for any company purchasing the solution from vendors. I rate the solution six out of 10.
We are customers and end-users. We don't really have a business relationship with Veracode. I'm more from the performance testing side of things. I've just added the security testing to my list of responsibilities recently. We're using a mix of deployment models. We use both on-premises and cloud deployments. It's a good tool. I've done some comparisons with both SAST and DAST. It gives us this end-to-end sort of feature that we appreciate. Therefore, rather than doing SAST with one tool and DAST with another tool, I prefer going with Veracode, which offers both. You can learn both static and dynamic scans with a single tool. You could effectively negotiate a price and do that. If you have some simple apps, from a CAC standpoint, I'd recommend folks use Veracode. I'd rate the solution at a seven out of ten.
At the time that we used this solution, we were a startup, the software may not have been that complex. It's not like Oracle. My advice to others who are interested in using this solution is to pay attention to the full instructions. I would rate Veracode Developer Training a ten out of ten.
I've participated in some of the online courses, which helped. There are some levels that the team should have. You follow some courses, you get to level one, and then you move on to the next level. Each level of certification was really useful to learn about some of the flaws and some of the vulnerabilities that we could face. They give you some great use cases and how to remedy things in C# and many different languages. The online course also shows you how a developer can make some mistakes in his code, and how those mistakes can be used to bypass app security. By knowing that, you can avoid doing it in the future. There were also some events organized recently, security labs, and they were also useful. There were tasks and I even had to work on them outside of work, but they were really helpful and a challenge. The training also helped us to identify the existing vulnerabilities in our code and some of the third-party components that we are using that have vulnerabilities in them. We know we need to upgrade them. My advice is that you should follow the training, initially. It was really helpful, even at the first level. Then, go on and read all the detailed documentation online. There are even some video tutorials which are really helpful. These are the steps that I followed. There is a section on the supported frameworks. Veracode supports a wide variety of languages, but it would be good to check that before diving into the analysis and wondering why it's not detecting your code. I have been really satisfied with the areas of Veracode that I have had a chance to work with.
We were skeptical about running scans with a cloud-based solution, but then we saw the benefits. Everything is up to date without us having to lift a finger. We know we don't have to take care of maintenance. Also, if you work in the domain of medical devices, payment methods, or other things that are related to privacy, Veracode provides all these modules. This is a big advantage. Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly. False positives are not a main problem. The platform does try to overprotect but, of course, a system like this can only understand the syntax and not the semantics. So it's overprotective when there is a doubt. Sometimes, we ignore some of the advice received.
The solution is efficient when creating secure software. Though, it depends on how you adopt the tool and how frequently you're running it. As long as you keep it as part of your routine and frequently run the tool, you will catch vulnerabilities closer to real-time. Eventually, you will improve the security of your software. We haven't seen a lot of false positives. However, the tool points us to vulnerabilities to fix, which because of our behavior or software, we don't necessarily need to fix because we have other protections. We are not using it for cloud software. Our solution is only on-prem. I would rate this solution as an eight out of 10.
My advice would be to definitely have some code that has a lot of security defects embedded into it and to run it through the scanner to test it early on in the process, ideally during the evaluation process. If your company works in five programming languages, you would want to create some code in each of those languages, code that has a lot of security defects, and then run the scanner over it to just make sure it can catch the security vulnerabilities you need it to catch and that it's consistent in how it raises those vulnerabilities. Veracode provides guidance for fixing vulnerabilities, but that doesn't enable developers to write secure code from the start. The way the product works is it scans code that has already been written and then raises issues about the security problems found in the code. That is the point at which the developer sees the issue and can look at the remediation advice Veracode gives, and the possible training. But it doesn't allow them to write secure code in the first place, unless they really remember everything. It does educate them about it, but it's usually after the fact. The solution provides policy reporting for ensuring compliance with industry standards and regulations. While those features were not applicable to us, they were in there. I think they would be very useful for anyone working in a high-compliance industry. It also provides visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in a centralized view. If you buy the SAST and DAST license, of course you'll see those scan results inside that view, but to see the pen testing, that means you'd have to buy pen testing from them as well. Seeing those testing types in one view didn't really affect our AppSec. It's nice for the security team, but it's just not that important because they weren't in there every day looking at it. Since we had the JIRA integration, the defects would flow into JIRA. 
The software engineers would take a look at it and categorize whether it was something they could fix or something that was in a vendor's library. The software engineers would prioritize the things that they could fix, and if it was in a vendor's library, I would batch those up and communicate them to the vendor. Overall, I would grade Veracode as a "B" when it comes to its ability to prevent vulnerable code from going into production. It will find everything that's wrong, but it doesn't have enough tuning parameters to make it easier for organizations without compliance burdens to use it more effectively. Overall, it's pretty solid. I would give it an eight out of 10.
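The reviewer above recommends seeding the evaluation with code that deliberately contains known defects, one per language you ship, and checking that the scanner reports each one consistently. The following is an added example of such a seed file for Python, written for this page; it is not code from the review or from Veracode. Each function carries exactly one well-known defect class, an inventory maps each symbol to the CWE a scanner should report, and a small helper diffs that inventory against scanner output. The scanner-output format (a list of records with `symbol` and `cwe` keys), the function names and the sample findings are assumptions made for illustration.

```python
"""Scanner-evaluation seed module (constructed example).

Every function below deliberately contains one defect class so that a SAST
tool run over this file should report the CWE listed in EXPECTED_FINDINGS.
The scanner-output format consumed by coverage_report(), the symbol names and
the sample data are assumptions made for illustration, not any vendor's
real format.
"""
import hashlib
import pickle
import subprocess

# CWE-798: hard-coded credential (constructed placeholder, not a real secret).
DB_PASSWORD = "hunter2-placeholder"


def build_user_query(username: str) -> str:
    """CWE-89: SQL assembled by string formatting. Attacker-controlled input is
    spliced straight into the statement, so a quote breaks out of the literal."""
    return f"SELECT * FROM users WHERE name = '{username}'"


def ping_host(host: str, execute: bool = False) -> str:
    """CWE-78: shell=True with untrusted input allows command injection.
    The command is only run when execute=True so the module imports safely;
    the dangerous sink is still present for the scanner to find."""
    cmd = f"ping -c 1 {host}"
    if execute:
        subprocess.run(cmd, shell=True, check=False)
    return cmd


def load_session(blob: bytes):
    """CWE-502: deserialising untrusted data with pickle executes arbitrary code."""
    return pickle.loads(blob)


def password_digest(password: str) -> str:
    """CWE-328: MD5 is not an acceptable password hash."""
    return hashlib.md5(password.encode()).hexdigest()


# What a competent SAST tool is expected to report for this file.
EXPECTED_FINDINGS = {
    "DB_PASSWORD": "CWE-798",
    "build_user_query": "CWE-89",
    "ping_host": "CWE-78",
    "load_session": "CWE-502",
    "password_digest": "CWE-328",
}

# Constructed sample of what a scanner might return (hypothetical format):
# one correct hit, one correct hit, one hit with a different CWE, two misses.
SAMPLE_SCANNER_OUTPUT = [
    {"symbol": "build_user_query", "cwe": "CWE-89"},
    {"symbol": "ping_host", "cwe": "CWE-78"},
    {"symbol": "password_digest", "cwe": "CWE-327"},
]


def coverage_report(scanner_findings):
    """Diff scanner output against EXPECTED_FINDINGS.

    Returns (caught, missed, unexpected), each a sorted list of (symbol, cwe)
    pairs. 'unexpected' collects hits that do not match the inventory, which
    is where a different CWE label or a false positive shows up.
    """
    found = {(f["symbol"], f["cwe"]) for f in scanner_findings}
    expected = set(EXPECTED_FINDINGS.items())
    caught = sorted(expected & found)
    missed = sorted(expected - found)
    unexpected = sorted(found - expected)
    return caught, missed, unexpected


if __name__ == "__main__":
    caught, missed, unexpected = coverage_report(SAMPLE_SCANNER_OUTPUT)
    print("caught:", caught)
    print("missed:", missed)
    print("unexpected:", unexpected)
```

Run the scanner over the file, convert its report into the record shape above, and call `coverage_report`; a non-empty `missed` list after two or three runs on the same input is the consistency problem the reviewer warns about, and `unexpected` shows whether the tool labels the defect with a different CWE than you planned for.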
I'm pretty confident about Veracode's ability to prevent vulnerable code from going into production when I'm using it. When you use Veracode, instead of using it as a manual tool, you should integrate it into your CI/CD pipeline. This way, every build is certified. Then, if there is an issue, you will know about it earlier in the development cycle, not later, because as time passes, it becomes more difficult to fix that issue. With Veracode's support for cloud-native applications, there are some components of our application (which are cloud-native) that we treat in the same way as regular software, e.g., the source code and dynamic URLs. We don't have a model where we can do real-time scanning. This is something which is currently in talks for maintaining the security of the distributed application. Hopefully, that should get implemented in about two months' time. The reports that they share have been pretty informative, but someone has to go through them and read them quickly. In the early days, they might have offered some kind of training plan, but we did not opt for that. Veracode has a plugin which we use, and it works with developer tools. While there are false positives, there aren't many (around 10 percent). We normally farm these out to the Veracode team, who act accordingly. Our developers still report 90% valid issues, and this is satisfactory for us. Biggest lesson learnt: Security should not be an afterthought. I would rate this solution as an eight out of 10. I took off points due to the extra time that it takes to do the dynamic scan.
It is good for third-party scanning and if your code base is all modern web frameworks. It is also great for the third-party analysis. However, the Software Composition Analysis is not good if you have C++ code or anything legacy, as it does not cover that. It also does not cover iOS code. It has a lot of constraints. The solution's policy reporting for ensuring compliance with industry standards and regulations is fine. We are using it for internal reporting, but we haven't really dug into the policy definitions and tweaking them. We are using its default policies. As part of our validation and testing, we are able to catch vulnerable code early on. That has been helpful. Automating some of the process has been really helpful, at least from our team's effort perspective. The tool highlights the risk associated with vulnerabilities. That effort is very much automated with this tool. I would rate this solution as a six out of 10. If you have legacy applications, the solution is great. Their SAST scanning is geared towards that. If you have modern frameworks, the SAST scanning and dynamic scanning don't provide much value. My advice to anybody looking at Veracode: Use them for third-party scanning. They are really good at that because of their SourceClear acquisition. For the rest of their products though, just keep looking.
The product is very good, very reliable, and they've made a lot of improvements to the dashboards and the reports. They've made the product easy to use. There used to be a lot of things that you had to search for and maneuver to dig deep down for them, but you don't have to do that anymore. Many of the things are now at your fingertips, including performance reports. Those things are easy to get to.
I can give advice to other managers. If they are willing to properly manage, but they don't have the time or the bandwidth to actually operate, it's a very good tool. It's easy to get access to information and it's easy to understand what's going on with your application without much of a burden. You don't have to waste a lot of time trying to understand a complicated report. Everything is accessible. And the amount of information that Veracode gives based on the flaws is very straightforward and makes it easy for the Dev team to fix them. I would rate it at eight out of 10. The tool itself is a very good tool. The way they work to update the flaws and the findings is very effective. But the support is a little bit expensive and it could be a little bit better. And there are few things that could be updated in the UI, but overall it's a very good tool.
Usually, we open tickets now using the JIRA/GitHub integration and then we plan them. We decide when we want to fix them and we assign them to developers, mostly because there are some projects that are a little bit more on the legacy side. Changing the version of a library is not as easy as in the newer projects, in terms of testing. So we do some planning. But in general, we open tickets and we plan them. We also have it integrated in the pipelines, but that's really just to report. It's a little bit annoying that the pipeline might break because of security issues. It's good to know, but the fact that it interrupts development is not great. When we tried to put it in as a part of the local build, it was too much. It was really getting in the way. The developers worried that they had to fix the security issues before releasing. Instead, we just started creating the issues and started doing proper planning. It is good to have visibility, but executing it all the time is just wrong, from our experience. You have to do it at the right time, and not all the time. The solution integrates with developer tools, if you consider JIRA and GitHub as developer tools. We tried to use the IntelliJ plugin but it wasn't working straight away and we gave up. We haven't been using the container scanning of Veracode, mostly because we are using a different product at the moment to store our Docker images, something that already has some security scanning. So we haven't standardized. We still have to potentially explore the features of Veracode in that area. At the moment we are using Quay from IBM Red Hat, and it is also software as a service. When you upload a Docker image there, after some time you also get a security scan, and that's where our customers are getting our images from. It's a private registry. Overall, I would rate Veracode as a five out of 10, because the functionality is there, but to me, the usability of the user interface is very important and it's still not there.
If you are doing pipeline-based implementation, it would be more complex than the way that I'm doing this, but I didn't see any real challenges that would be tool-specific or vendor-specific, with implementation. Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive. But if you have maybe one or two developers doing many projects, then you might look more towards software that has a developer-centric model. We don't use the Static Analysis Pipeline Scan because of the build process that our developers use. They don't really have an automated build pipeline in which they push the code to production. Also, with the false positive rate, it's a bit tricky when you implement that into the pipeline, as it might stop a developer from pushing code out to test. We use it more like a gate. The developers submit the code to us and then we scan it and review it with them. The biggest lesson I've learned from using Veracode is that you need to manage it with the developers, so that you speak through the findings with them. It's not just a tool that you throw down their throats. Overall, I would rate it at seven out of 10. Ideally, I would prefer a product that had the interactive testing, as well as the ability to scan a little faster.
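Several reviews above describe the same tension: one wants every build certified in CI/CD, another found that breaking the pipeline on every finding got in the way and moved to ticketing and planning, a third uses the scan as a gate between developers and the security team because the false-positive rate makes a hard stop risky, and one records "Not applicable to our workflow" dispensations in the dashboard. The following is an added example, written for this page rather than taken from any review or from Veracode, of a gate policy that reconciles those positions: it blocks only findings that are new since the last scan, not covered by an accepted mitigation, and at or above a severity threshold, and routes everything else to a ticket list. The findings format, the severity scale, the baseline keyed on CWE plus location, and the sample data are all assumptions for illustration.

```python
"""CI gate over scan findings (constructed example).

Policy implemented here:
  * a finding covered by an accepted mitigation is recorded and never blocks;
  * a finding that is new relative to the previous scan's baseline and at or
    above the blocking severity fails the build;
  * every other finding (known, or new but below the threshold) goes to a
    ticket list for planning instead of stopping the pipeline.

The record shape, the severity names and the sample data below are
assumptions for illustration, not any vendor's real output format.
"""
from dataclasses import dataclass

# Assumed severity scale, highest first.
SEVERITY_RANK = {
    "Very High": 5, "High": 4, "Medium": 3, "Low": 2, "Very Low": 1, "Informational": 0,
}


@dataclass(frozen=True)
class Finding:
    fid: str        # scanner's transient identifier
    cwe: str        # e.g. "CWE-89"
    severity: str   # one of SEVERITY_RANK
    location: str   # "path:line"


def finding_key(f: Finding) -> tuple:
    """Stable identity used for baselining and mitigations: CWE plus location.
    The scanner's own ID is deliberately not used because it can change between
    scans of the same code."""
    return (f.cwe, f.location)


def evaluate_gate(findings, baseline_keys, mitigations, block_at="High"):
    """Classify findings and decide whether the build should fail.

    findings      : iterable of Finding
    baseline_keys : set of finding_key() values seen in the previous scan
    mitigations   : dict finding_key() -> justification text (accepted risk)
    block_at      : minimum severity at which a *new* finding blocks
    Returns a dict with 'blocked' (bool) and the three classified lists.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking, tickets, accepted = [], [], []
    for f in findings:
        key = finding_key(f)
        if key in mitigations:
            accepted.append(f)
            continue
        is_new = key not in baseline_keys
        if is_new and SEVERITY_RANK[f.severity] >= threshold:
            blocking.append(f)
        else:
            tickets.append(f)
    return {
        "blocked": bool(blocking),
        "blocking": blocking,
        "tickets": tickets,
        "accepted": accepted,
    }


def exit_code(result) -> int:
    """Non-zero only when the policy says to stop the pipeline."""
    return 1 if result["blocked"] else 0


# Constructed sample: one known High, one new Medium, one new Very High,
# one Medium with an accepted dispensation.
SAMPLE_FINDINGS = [
    Finding("1", "CWE-89", "High", "app/db.py:42"),
    Finding("2", "CWE-79", "Medium", "app/views.py:88"),
    Finding("3", "CWE-78", "Very High", "app/tools.py:17"),
    Finding("4", "CWE-327", "Medium", "app/auth.py:9"),
]
SAMPLE_BASELINE = {("CWE-89", "app/db.py:42")}  # already ticketed last release
SAMPLE_MITIGATIONS = {
    ("CWE-327", "app/auth.py:9"): "Not applicable to our workflow: legacy checksum, not a password hash",
}


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_BASELINE, SAMPLE_MITIGATIONS)
    print("blocked:", result["blocked"])
    print("blocking:", [f.fid for f in result["blocking"]])
    print("tickets :", [f.fid for f in result["tickets"]])
    print("accepted:", [f.fid for f in result["accepted"]])
    raise SystemExit(exit_code(result))
```

The baseline is what keeps the first scan of a legacy application from blocking every build (as one reviewer warns, the first run finds a lot), while still stopping a newly introduced command injection; the mitigation map is the machine-readable counterpart of the dashboard dispensation, so an accepted risk stays accepted on every subsequent scan instead of being re-triaged.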
It is an excellent solution. I would recommend adopting it. If you come from a security background, Veracode is an easy solution. If you don't come from a security background, the adoption of Veracode will take a bit of time. Veracode has been integrated with our IDEs. It has been also integrated with our DevOps CI/CD server, which is Bamboo, Jenkins, or GitLab CI/CD. It is all pretty neat and clean. I would rate this solution as a nine out of 10.
The biggest lesson I have learned from using Veracode is that there isn't an answer for everything. But when an area needs to be mitigated the mitigation process is fairly easy. It's pretty efficient, but in my case it took a long time to upload my information. It was a very big project, so I was not surprised that it took a long time, but it was mostly because of the internet around here. It would take a long time to upload the DLL and run the static analysis. It would take about two hours, but again, it's a large project. Overall, it does a very good job of preventing vulnerable code from going into production. It identified issues that were not detected in penetration tests and allowed us to lock them down.
Of all the tools vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness.
I would strongly recommend doing an internal analysis first, before setting it across to Veracode to proceed and to use it more as a final verification point. My point is that Veracode is very good, and I would strongly recommend it. I have seen other solutions on the market and that's why I say: don't waste your time on other products, just get Veracode. I would rate it an eight out of ten. Not a ten because of the reporting issues I mentioned that I would like to see improved.
When it comes to DevSecOps, in the industry it is still under adoption. With the advent of the cloud and code being there, or on other public platforms, many people have embraced it or are in the process of doing so. My advice for anybody interested in implementing this solution is to be really careful when choosing your tools. Be very proactive and up-front on the requirements of your systems, because no tool is perfect. You need to find the best fit for each particular use case. I would do a thorough analysis. As a solution architect, I do small POCs and run initiatives on products to find out various aspects. For example, the technical feasibility of the product is an important aspect. Other important ones are usability, testing, and implementation. Normally, I select at least three products and do a comparative analysis based on the POC. After this, I recommend a particular solution. I would recommend Veracode. There are plusses and minuses to this solution, but given the chance to use it again I would definitely do so. Every product has its own flaws, but for my use case, it did fit very well. I would rate this solution an eight and a half out of ten.
My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support then it will give quite poor results. I would rate this solution a six out of ten.
If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode is pretty straightforward to use and the support is really good. We don't have a lot of complaints about that. I don't know how the pricing model is going to change the actual price of the application. On a per license basis, Veracode has a very lucrative way of doing business. I don't think a big company that has a lot of services and applications would enjoy paying upwards of $200,000 per year to scan all their code. Prospective customers should look at how the pricing model affects them, especially if they are in the microservice type of architecture or if they are moving towards something like that. I would rate Veracode an eight out of ten just based on the experience that we had the past two years. The reason it's not ten is because of the ways these tools integrate. That rating is at risk of becoming a seven now with the pricing model changing. Veracode is probably not going to be that attractive anymore compared to other competitors. We knew other competitors were more expensive. The reason that we didn't go with them was that Veracode was very straightforward.
Be aware that the first run will find a lot of issues, many of which are not real issues; it will take time to understand that. Don't change object names as that will confuse it. Make sure you get development buy-in early. We're looking to expand its use within the development organization and are looking into another license. Currently, we have four users of the solution, myself (security) and developers. The four of us also maintain it.
I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added. We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.
I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool. I really like Veracode. That is one of the reasons that we brought them onboard ten years ago. Of course, they were new back then. The different aspects of the offerings that Veracode provides to their customers are somewhat unique and, right now, I couldn't ask another thing from them. We have approximately 30 Java developers and four or five testers. There are also project managers using it. We have one person who manages running of the scans and that person might have one or two other people to help. We haven't really been utilizing it to its full potential. We probably utilize it once or twice per quarter. We are planning to increase the capacity that we've purchased. However, we're getting ready to elect a new governor in Ohio. With that election, things will change, according to his or her desires. Right now, we're in a holding pattern waiting for November to come and go. In terms of integrating the solution into our existing software development lifecycle, because we started so long ago - before the software development lifecycle was fully implemented - we were doing Veracode testing just because it was a good idea. Then we actually developed a lifecycle. We got into scrums and it just naturally worked its way in, so when we actually hired a testing group, Veracode was already a part of the process.
I would rate the product as an eight out of 10 for recommending it to colleagues. I would rate the overall product as a seven out of 10.
Make sure the supported languages align with your developers.
Implement this solution if you see WAF and SOC in your future.
On the rating scale is there anything above 10? If there are no ones and tens, it would be the closest to 10. They have always been supportive. We have had to change, do course corrections during implementations, or particular types of coding. I have just never had a problem. My loyalty to the product has been primarily due to the service and the expedience in which they solve any problems we have.
For us, whenever we are selecting a partner, vendors to work with who are going to be working with our customers, we have to make sure that they align regarding customer support philosophy, and that is the reason we selected to work with Veracode. I would definitely rate Veracode a 10 out of 10, based on our customer feedback. Whenever we know the relationship is going well between Veracode and our customers, it reflects very well on us.
I give Veracode a solid nine out of 10 because it is a full-featured product. It is not just something that they are selling to you and then leaving you to figure out how to use it. They actually help you every single step of the way and they want to show you how to do it. Their testers, their application security consultants, really help you and help educate the developers. They walk you through every step of the way.
I would give Veracode a nine out of 10 because it scales incredibly well, they have very qualified people working there who are able to clearly articulate what the problems are when they are talking in a remediation or consultation call. They are very knowledgeable, they are not condescending when they talk to a developer. The tool is very easy to consume. It's not like looking at a menu with 20 pages at a restaurant, it's very simple to digest. They have a lot of API connectors, they cover a lot of languages and it just scales. You can't beat that. Finally, the relationship is great with them.
I wish Veracode support had more SDLC integration tools.
My advice is what I mentioned in the pricing/licensing section above: you really need to understand what it is you are looking to do. Also, take into account the data sensitivity of the applications. It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications. Understand which are your critical apps that deal with critical, very sensitive data, and then apply a more rigorous scan model to them, versus internal applications that perhaps don't deal with as much PII, with as much sensitive information, and aren't available to the outside world. Those might have a lower risk footprint. Understand that, so when your developers go in there you are not treating every single thing like it is a public-facing, client-data-gathering, credit-card-processing web app. That way your developers can prioritize what they need to work on, so that you are delivering the right metrics to your leadership. You really need to understand that strategy going in, because the tool is not going to help you determine that. The tool is only going to help you scan. The only reason I don't rate it a nine or a 10 out of 10 is because we haven't hit those scalability roadblocks yet. I know we might have some challenges in the future, but I would say eight out of 10 is an incredibly good score for a product like this. If you were just asking me about the support and the people behind it, I would rate that a nine or a 10. If you bundle it all together it's an eight. I recommend CA Veracode to colleagues all the time.
We recommend Veracode to colleagues all the time. I'd give the advice of not getting hung up on trying to compare the static scanning to the dynamic scanning, that's number one. Don't even compare them. If you're doing neither, do static first. It'll get the majority of your exposures addressed. Then you come in, in a second round, and do dynamic. Dynamic really becomes more of a confirmation of security. The other piece of advice I'd give is to "follow the directions." Make sure they understand how they're supposed to compile code. Take the advice of the program management team with their code, and follow their lead, and you'll come out in a very good position very quickly. I'd give Veracode a 10 out of 10 because the rate at which we gained control of our security posture, from a development perspective, was fast. There is a lack of wasted time in our developer organization chasing down erroneously reported vulnerabilities. The rate of erroneously reported vulnerabilities is very low, and that means that our developer time is very effective as we investigate a reported issue. As I said, it's a 96, 98 percent probability it is real. So our developers gain confidence and don't second-guess the results. The level of detail that we are provided for a given vulnerability - the data path that it follows, the precision with which the justification is provided - is very high. Again, you're highly confident in the result. You are provided a tremendous amount of detail about the vulnerability it found. And the rate at which you can ramp up and be productive is very fast.
Do your research, make sure you implement the tools you need. I am very likely to recommend Veracode to a colleague.
Have them guide you through your first scan - make sure to add hours to your initial contract for that. I am very likely to recommend Veracode to colleagues.
I am very likely to recommend Veracode to colleagues. Veracode is great.
I hold Veracode in high regard. It's a good organization to work with, and it's a very conscientious organization. I'm always a recommender of the solution set.
I am highly likely to recommend Veracode to colleagues. Make sure, once you scan and find issues with your code, that the developers know how to remediate those issues so they don't go through them again. It's going to take some time to get through your first set of scans and mitigations. To fix your code is not straightforward. But once you do that and implement it back through your whole development cycle, they identify the issues and it's very easy to fix them, once you know and have gone through it once.
I would advise that you figure out a way to integrate it into your software development lifecycle in a way that it's not intrusive to your developers. That was really something that I set out to do. I didn't want my developers to have to go into their code, and kick off scans, and upload their code. So, I would really suggest looking at your integrations, your JIRA, your Jenkins, all of your add-ons, and hopefully that fits into the SDLC process, and then automating via their API. Essentially, what we were able to achieve is, my developers still live within JIRA and the issues get opened from Veracode into JIRA and they work on things that way. They can remediate it, kick it that way, and if they need to they can log into Veracode. But I'd suggest making the SDLC process integrated as much as you can to make it something that developers aren't having to spend a lot of time doing every day. Overall, I would give Veracode a nine out of 10, just because nothing is perfect. But it does everything for us and it was so painless. I speak very highly of it for those reasons. I would highly recommend CA Veracode. Every engineer that I've dealt with has been really sharp. The review process they have is really good and the knowledge they have has been tremendous. I really recommend working with them.
I recommend it all the time. It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection. I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourage its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.
CA Veracode provides application security (AppSec) best practices and guidance to our teams in a couple of ways. First of all, they have an e-learning module that has courses that we have required our developers to take. That's a best practice. Secondly, when we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are. They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice. The list goes on... And again, having received, early on, education from them on how best to integrate this in the workflow, those are areas where we've relied on best practices from Veracode. I'm in healthcare, and it's very important - and I'm sure in other industries just as well - but the stakes are very high. If we get hacked, if there's a data breach, it could put us out of business. It's a very good price point for a small company to have these kinds of capabilities, something we can afford for our application. I am very likely to recommend it to colleagues. As I mentioned, I brought it to this company, and I've already recommended and provided references to a few other companies over the last couple of years.
In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward to doing it, starting with the next app that gets developed from scratch. CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a credible set of rules for Veracode policy, all this at no additional cost. As Veracode licensing is generally time-related, I suggest you start the subscription once everything is ready for consumption, assign a specific person to it and declare it mandatory at the policy level. Losing two months of great value because the devs are too busy, or because they think they don't need it, or they fear the results, or because no one is taking charge of the Veracode process, is really a pity. Once the clock starts ticking, try to take advantage as much as you can. I would recommend Veracode to anyone involved in high-risk environments.
In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not have really before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half. The advice I'd give is look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good for your company. If you aren't currently doing this kind of analysis on your code, I would take a strong look at whether this is something that you really should be doing. It's a different world out there right now. I would recommend Veracode very highly, especially since the program management staff that I work with from Veracode are some of the best people that I've worked with in this industry.
When asked, we let our customers and partners know that we use Veracode and that we are happy with it.
I would definitely recommend CA Veracode. Just make sure you define a process for your developers prior to implementing the technology.
I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion. We are a good customer and we have been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.
I would be highly likely to recommend working with CA Veracode to colleagues. I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do. Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.
We have made process changes and improvements, although Veracode is not tightly integrated into our CI/CD platform yet. I am very likely to recommend to colleagues that they work with CA Veracode.
Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that. The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides. In terms of advice to others looking into implementing this project, I would say don’t use the UI, and do what you can to have license conversations up front. It depends on the use case and budget, but I would recommend CA Veracode to colleagues.
I never give 10s. I would give it a nine. It does nearly everything but penetration testing. It covers such a broad breadth of our portfolio. In our business, we have applications written in so many different languages. Finding something that can consistently scan and not generate false positives across the paradigm or the whole ecosystem of languages, that is impressive. It is speed of inspection, the accurateness of the inspection outcomes, and frankly, it has fairly good business analytics embedded on the platforms. So, it does a lot more for us than not.
The most important criteria when selecting a vendor are reliability and customer service. Take advantage of all of the help that Veracode provides, for implementation, operations, and maintenance, because they absolutely know what they're doing.