Overall, I would rate the solution a nine out of ten. It is a good solution for security. In my personal opinion, there are not many products like Veracode in the market.
It is a good product, and you should consider it, but it can be elevated more for startup culture. It should be more pricing-friendly and user-friendly. There should also be strengthening of the developer community. We are only doing code analysis with it. For manual penetration testing, we have to contact an entity. It hasn't reduced our scan time. It also hasn't helped our organization with certification and audits. We're a small startup, and at this time, we don't have audits, etc. We might do that later. I would rate this product a six out of ten.
Try all of the features. Make sure that you use the Veracode SCA with different languages since we can see differences between scanning Java, Node.js, or PHP. For our site, we only use SAST and DAST for penetration testing. Also, the penetration testing for SCA is handled by another vendor since we have a different vendor for this usage. It helps indirectly with Webex. I would rate the solution as eight out of 10.
My advice would be to start with meeting with people from Veracode. Once you meet with the team from Veracode, the best way to handle that is to start asking questions and identifying the things that would be of value so that an organization doesn't start out by paying too much money. Then you're moving away from that being too scared of what the outcome is. I think once they go in and they have a meeting with people and they can actually discuss what they want to do, that's the first step towards planning out how the platform will be used. I would rate it a ten out of ten.
Use Veracode for the special use case of binary scanning, because it is the best in this special use case. Security Labs is very good as well. We are not using it day-to-day, but it's a good feature.
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees
Real User
Dec 29, 2020
I can be confident about more of our applications in production. We can be more confident against many kinds of external threats. The lesson learnt is about being proactive, which is a good thing in security. Veracode integrates with our developer tool 95 percent of the time. It is supported very well because developers get to know why the security features are really important in any organization or application along with what they develop. They get to know the market standards of what the security threats are and how to fix them, making sure the coding or the applications are secure enough to move to production. However, with MuleSoft, it does not support most of the API parts. We use cloud-based applications and take support from the community. At the moment, we are only using SCA and Static Analysis, which we have been very satisfied with. However, we are not using their DAST or pen testing. In our organization, we concentrate on high-end and medium alerts, but we really don't bother much with false positives. I would rate this solution as a nine (out of 10).
Principal Consultant at a tech services company with 11-50 employees
Consultant
Dec 20, 2020
I don't think that Veracode has helped developers with security training, but it helps developers have a reality check on the code that they write and their open source library. That is the best value that developers can get from the product. Veracode products can be run as part of the development pipeline. That is also valuable. It integrates with tools like GitHub or Jenkins. At a high level, it does integrate with most of the pipeline of tools. It would be a showstopper if the incorporation of security was not in the developer workflows. We are past a time when developers or software engineers run an SCA or DAST scan on the code, then hand it off to the development team. What works instead is to inject a security tool in a development pipeline, which is why it is absolutely paramount and important that tools, like Veracode, be a part of the build pipeline. We limited the user to SAST and SCA. We haven't used any of the penetration testing, especially for the DAST solution that they have. For that, they are behind the curve, meaning that there are other products in the market that are being established. In my opinion, they don't have a viable product for DAST, because I believe they are not even testing APIs. So, it's not mature enough. We also have never used their pen testing because that is one of the services that we provide. At this point, Veracode is one of the best solutions available, though it's not perfect by any means, but you have to work with whatever you have. I will give the solution a seven (out of 10). When they integrate the SCA and SAST portions more tightly together, I could probably bump it up to an eight. Also, if they make improvements to the UI and the support, they can get a better rating. However, at this point, I would still pick Veracode for a company that doesn't have a million dollar plus budget.
Senior Director, Quality Engineering at Everbridge, Inc.
Real User
Nov 20, 2020
Veracode has evolved to be a good partner, overall, in working through our learning needs and problem escalations. There are layers of training and consultation available, as well as recurring support engagements if the enterprise scanning needs warrant it.
In summary, I think that this is a good tool and I recommend it for helping with security in software development. I would rate this solution an eight out of ten.
Enterprise Architect at a computer software company with 1-10 employees
Real User
Mar 16, 2020
We were part of the initiation when the company started. They introduced it and we began using the solution. We're just a customer. For those companies hoping to automate the solution, I would not recommend it. It's too difficult for those heavily dependent on automation. However, for those companies who want to manually use it, I can recommend the solution. In those cases, it's easy to use even if you won't build it as a part of your automation test tools or on any internet server. I'd rate them eight out of ten. I'd rate them higher, but they have bad automation and terrible documentation. Other than that, they are very good.
Enterprise Architect, VP at a financial services firm with 501-1,000 employees
Real User
Mar 16, 2020
The advice that I would have for people who are new to the product would be to start with a proof of concept. This will help you to see how the product works with your process and people. The biggest lesson I have learned from using this solution is that it definitely increased my education on how to prevent application vulnerabilities earlier on and how not to repeat them. It also helped me as a manager to better understand how to guide and coach people. On a scale from one to ten where one is the worst and ten is the best, I would rate this product probably as a seven, if I am going back in time. I thought that there was room for improvement, but at the same time, it did what we needed it to do. We got what we expected. So I thought it was good, but I also think there were some additional manual steps or work involved that we should not have needed to do. That is really why I do not rate it with a higher number.
I handle software composition analysis. Currently, I'm moving away from Veracode. I don't know which version of the solution I am using currently. It's not quite the most up-to-date version. If a company is looking for a long-term partner, and not just a transactional solution, I'd suggest a different company. I'd rate the solution eight out of ten.
Associate Consultant at a comms service provider with 201-500 employees
Consultant
Feb 9, 2020
Overall, SourceClear is working fine for us and our main complaint is in regard to the high number of false positives. Nonetheless, I would recommend Checkmarx over SourceClear. I would rate this solution a six out of ten.
Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.
Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis...