I would recommend this solution as it is adaptable for threat modeling and penetration testing on contemporary tech stacks. Overall, I rate the solution an eight out of ten.
L3 Security Engineer at a computer software company with 51-200 employees
Real User
Top 20
Apr 16, 2024
It is a very good product. Veracode Fix is also there. It gives very good solutions about the code and its reusability and fixes. It has been there for the last 17 years. Without such a solution, it is very difficult to find vulnerabilities and manage fixes. I would recommend using Veracode. It has good features. It scans your source code and your third-party libraries. There are a lot of new products in the market, but Veracode is good. Overall, I would rate Veracode an 8 out of 10.
I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product. I'd rate the solution ten out of ten.
Veracode can list a lot of vulnerabilities, but processing all of them is a time- and resource-intensive process. I think Veracode has no innovative features because a lot of other software can do that. In our opinion, innovative features are a commodity with Veracode, but they are doing a good job. The solution's ability to provide visibility into application status at every phase of development is valuable. It can be faster, but it can also slow down because our backlog may be much longer. There will be a lot of vulnerabilities or false positives that have to be processed. So, it is not black and white, but it is safer. Veracode has helped our developers save time. Veracode has had a very low impact on our organization’s overall security posture because it is a very expensive product. An enterprise with 1,000 applications uses the solution for one or two applications. Veracode does not need any maintenance because it's cloud-based. Veracode is very important to our organization’s shift-left security strategy when we have a project with enough sources to provide the license. I use Veracode’s cloud version. The return on investment with Veracode is good for one or two mission-critical projects running in the company. For other things, users should use open-source solutions or much cheaper products like SonarQube that are not as good as Veracode. The fact that Veracode scans only binary code and doesn't scan source code concerns me sometimes. Sometimes, we have to do some source repository audits. We cannot use Veracode for source repository audits because it scans only binary code. I would recommend Veracode to other users. Overall, I rate the solution ten out of ten.
Lead Consultant DevOps and Infrastructure at Thoughtworks
Consultant
Top 20
Mar 20, 2024
I would rate Veracode eight out of ten. Maintenance is performed by Veracode. During a Veracode evaluation, consider the following factors: Evaluate the time required for Veracode to complete a scan. Faster scans allow for quicker feedback and integration into development workflows. Consider the overall cost of Veracode, including licensing fees and any associated charges for scans. Assess Veracode's orchestration tools, particularly its compatibility with your existing CI/CD pipeline. Ideally, Veracode should offer seamless integration for easy adoption. Evaluate the availability and variety of connectors Veracode offers for integration with your development tools. A wider range of connectors simplifies the integration process.
I rate Veracode 10 out of 10. When implementing Veracode, you need to develop a workflow or a process. It becomes easier if you have that in place. For example, you can create a workflow where you scan inside the sandbox and approve those fixes before moving to production. Also, you should have separate people for raising issues, remediation, and approval. That way, you will have some control over which issues are mitigated and for what reason. That process flow has to be set up properly. Another aspect of successful implementation is automation. Your team needs to invest time in automating and embedding scanning in your pipelines.
I would rate Veracode an eight out of ten. Veracode's pricing hinders my overall rating of the solution. Veracode was deployed in two regions with 25-plus users. Veracode requires some maintenance to keep the scanning accurate. While I highly recommend Veracode, affordability for smaller organizations may be a significant hurdle due to its pricing structure. It's crucial to carefully evaluate their budget constraints and explore alternative solutions if necessary.
Cyber Security Consultant at a computer software company with 51-200 employees
Consultant
Top 20
Jan 5, 2024
They keep on working on their product. They keep on upgrading that. The threat landscape keeps on evolving, and there are new threats every day. The Veracode team helped us in mitigating and remediating them and guiding us with those particular threats. I would surely recommend Veracode. I even tried to recommend it over here, but I am not one responsible person for that decision over here. They have recently introduced a feature called "Veracode Fix" that produces AI-generated fixes. I read about it somewhere. It does vulnerability identification and prioritization and some behavioral analysis. It does dynamic analysis of any malware or any abnormal or malicious behavior. It is evolving. One more thing that I read was pattern recognition. The AI algorithm that has been provided recognizes patterns. It can assist in recognizing patterns and trends in security data. It has policy reporting for ensuring compliance with industry standards and regulations, but we did not use that. To those who want to use Veracode or any similar solution, I would advise being aware of their environment and security posture and seeing where it fits into their security posture. If they proactively work on the alerts provided by Veracode, they will surely save a lot of money, time, and resources. I would suggest working proactively on the alerts given by Veracode. Overall, I would rate Veracode an eight out of ten.
If someone is looking at Veracode but is concerned about the price, I'd advise a balanced approach to maximize security. You need to prioritize it by evaluating your specific needs and budget constraints. Ensure baseline security measures are in place. If you need other services, like penetration testing, you need to measure benefits against costs, especially if you are a smaller organization. It's totally worth the cost. Investing in robust security is worth it. However, you need to prioritize approaches based on your organization's unique requirements. I'd rate the solution nine out of ten.
Although Veracode doesn't scan source code, only binary code, I'm not concerned because we can scan the source code with an SCR tool. Veracode hasn't yet helped our developers save time. Their development time has increased because, initially, we were only taking the security and vulnerability issues on the higher branches. Now it is on lower branches as well, so the development time has increased. In the local branches, if a report indicates something has not passed, we are not allowing them to merge their code into higher branches. We have it deployed in a multi-cloud and hybrid environment. We are using AWS, Azure, and VMware vSphere. Overall, I would recommend Veracode. It is quite helpful.
Not every such application is able to prevent everything from going to production, but several issues can be spotted via the scanning of the code and resolved, and they are valid. There are many others that can be detected with additional tooling from OWASP, Sonar, et cetera. We are not using the SBOM functionality from Veracode. We use another tool to create the software bill of materials. That solution is also able to scan Docker images, and it also provides details about what is inside the layers of the Docker image file. In terms of visibility into application status at every phase of development, it depends on how able you are to scan your application. For large applications, you have to do manual uploads, which is the case for us. We don't do manual uploads on every build, but we trigger it at certain times when we want to create releases for customers. That helps with our accuracy, but it doesn't represent the exact moment when there is a problem in the application. We still have to analyze the commits and history, track things, and match them with the new flaws that have been found in the latest report. Veracode doesn't save us time. We have to spend a lot of time fixing security issues, especially those that impact lots of dependencies, dependent code, and sub-projects. But in the end, we can sleep well at night knowing that we have closed a possible security leak within the code, which is better for everybody. Even if there is no real problem at that moment and you don't see any probability of that vulnerability appearing in production, it is better to take some time to fix it, and then you feel better. It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in.
Senior Web Developer at an insurance company with 1,001-5,000 employees
Real User
Top 10
Oct 6, 2023
I would rate Veracode nine out of ten. Veracode has a bit of a learning curve to get used to its different modules, such as our integrations, APIs, and our policies, as well as getting insights. However, my experience is that once everything is set up and scanned on the website, I really like the process of reviewing the flaws that Veracode lists and responding to the resolution steps that it provides. I also appreciate the ability to set up a consultation call and have the issue resolved. I think these are the steps that I really like, and they are helpful to me as a developer. Veracode helps me to learn about security considerations first and foremost, both while creating an app and after, and that has been a good experience for me.
Manager at a financial services firm with 1,001-5,000 employees
Real User
Top 10
Oct 5, 2023
I'd rate the solution ten out of ten. Potential new users should ensure that they take into account the amount of time their teams are spending on dev setups and consider what other work those people could be doing that might be more meaningful - rather than physically looking through code. Veracode has the ability to improve a team's operations as well as an employee's efficiency with doing complex work. Companies definitely need to consider how efficient their team is and consider what this tool could do to improve that.
Junior Developer Intern at an insurance company with 10,001+ employees
Real User
Top 20
Oct 4, 2023
I've not used the Software Bill of Materials in Veracode. I'm unsure how the false positive rate affects developer confidence in Veracode on fixing vulnerabilities because I'm more of a DevOps user and don't work on development but automation. I'm also unsure of the effect of Veracode on my organization's ability to fix flaws because I've not used it directly to fix any flaws. I report to the dev team, who then takes the report and fixes the flaws accordingly. I'm unsure of the impact Veracode had on the overall security posture of my organization, as I didn't use it for that. In my organization, Veracode has a hybrid cloud deployment. The solution doesn't require any maintenance. My rating for Veracode, overall, is eight out of ten. What I'd tell others looking into buying the solution is that as far as DevOps is concerned, Veracode is a must-have. It's been helpful for my organization DevOps-wise, though I have no information on other Veracode offerings. I recommend that others buy Veracode. My organization has a business relationship with Veracode. It's a Veracode partner.
Lead Product Security Engineer at a computer software company with 1,001-5,000 employees
Real User
Top 20
Oct 3, 2023
I would rate Veracode six out of ten. Once Veracode is fully configured, the maintenance should be relatively minimal. Veracode's best advantages are detailed reporting for industries such as government work, or other industries that may require exceptionally detailed reports or secure security verifications. However, I would suggest that people look out for the accuracy of results and the usefulness of findings on a large scale. Additionally, Veracode has a difficult-to-navigate user interface.
I rate Veracode nine out of 10. If anyone is considering Veracode, I suggest trying a demo beforehand so that you can see how it addresses the kind of problems your organization is facing and how it works with the programs you are creating.
I would suggest starting Veracode scans at the earliest stage of development. It's crucial to catch vulnerabilities and risks early on so you don't invest too much time building something only to realize later that it can't be used due to a lot of issues, especially with third-party components. Using these tools as early as possible will benefit you in the long run and allow you to ship your product more quickly. Overall, I would rate the solution a nine out of ten.
Senior engineer at a financial services firm with 5,001-10,000 employees
Real User
Top 10
Sep 4, 2023
Veracode handles the maintenance part of the solution. Veracode's side may be down at times for maintenance. I recommend Veracode Static Analysis to those planning to use it, but the scans should not be carried out daily since it can get too costly. I recommend not doing the frequent scans to save on the costs. I rate the overall solution an eight out of ten.
I recommend those planning to use the solution check the system requirements and choose a solution that supports programming languages and .NET Framework versions that record scans. I am not sure if it is one of the best solutions because I am not an expert in other solutions available in the market. Somehow, I personally feel it is one of the best tools in the market. I rate the overall product a nine out of ten.
VP of Product at a healthcare company with 51-200 employees
Real User
Dec 29, 2022
My advice to others is if they use Veracode Static Analysis they are using a very solid solution. You get what you pay for. It's an expensive solution, but it's very good. You're going to save a lot of time and a lot of headaches with fewer false positives, but you're going to pay for it. It's good if you want to automate something into your pipeline and it's going to run fast and give you good results. I would choose Veracode Static Analysis, but be cognizant of the cost. I rate Veracode Static Analysis an eight out of ten.
Twenty-five to thirty people from the development and QA teams use Veracode Static Analysis, but my company is still learning the best way to reduce the load. There's no plan to increase the tool's usage for now. Based on my initial analysis, I'd recommend Veracode Static Analysis to anyone looking into implementing it, as it's a good tool. My rating for Veracode Static Analysis is eight out of ten.
Sr. Cloud Solution Architect - SAP on Azure at Accenture
Real User
May 2, 2022
I rate Veracode Static Analysis eight out of 10. I recommend Veracode over Micro Focus. Some companies prefer Micro Focus because they can get a discount and buy it for less than the market price. That's the only reason to use Micro Focus. Otherwise, I don't think Micro Focus can compete with Veracode.
We are accessing via a web browser to Veracode. I'm guessing it's some type of cloud deployment, hosted by Veracode. We have a lot of applications that are scanned with Veracode. We did scans for some of our core products, as well as on-demand products, and web applications. I'm mostly working with web applications for now. Based on my experience, new users should check as many features as they can, and also read the reports carefully. That way, they can get a full picture of how this product works. I'd rate the solution a nine out of ten.
Veracode Static Analysis isn't deployed on-premises. It's a SaaS offering. We are using Veracode Static Analysis for static analysis and SCA, and there is also a need for the DAST module for dynamic scanning. We are considering running a POC for this solution, but I don't have any other updates for the time being. I know its DAST features would also be useful. We are currently using HCL AppScan for SAST, and because we are not very satisfied with that product, we are considering using Veracode Static Analysis for DAST. A lot of people are using Veracode Static Analysis in our company, approximately 300 or 400 people: development team leaders, developers, and people who are very tech-savvy and using all their time to develop applications and new programs. I don't have pricing insight for this solution. I was not involved in the project before this was deployed. I just read in forums that the price for Veracode Static Analysis is high, but I cannot provide any specific insight. What I can tell others who are looking into implementing Veracode Static Analysis is that it is a platform that provides good features. Its reporting capabilities are interesting, and overall the platform gives high quality results. You can manage your vulnerabilities and your risks quite easily, and define your own mitigation strategies within the platform. I'm rating this solution a seven out of ten.
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Real User
Mar 9, 2021
Veracode is well-suited for modern programming languages. Veracode is not for scanning large legacy applications with a huge codebase. It also doesn't support some unique languages such as SAP. This could be a challenge for certain people. More organizations are taking the left shift approach for application security and trying to integrate security early into their software development life cycle. Veracode is good for such automation. I would rate Veracode Static Analysis a nine out of ten.
Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.
Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis...
I rate the overall product an eight out of ten.
I rate Veracode six out of 10. I would recommend Veracode to others. The scanner is best in class, but the rest, not so much.
Overall, I would rate Veracode a nine out of ten. With AI capabilities, it would be a ten.
I rate Veracode 10 out of 10. Veracode is constantly changing and improving.
Other than the scanning time, I would give it a solid eight out of 10.
It does root analysis, but fixing things is up to us. Also, it doesn't require much maintenance. I would highly recommend it.
I rate Veracode Static Analysis eight out of 10. I recommend Veracode over Micro Focus. Some companies prefer Micro Focus because they can get a discount and buy it for less than the market price. That's the only reason to use Micro Focus. Otherwise, I don't think Micro Focus can compete with Veracode.
We are accessing Veracode via a web browser. I'm guessing it's some type of cloud deployment, hosted by Veracode. We have a lot of applications that are scanned with Veracode. We did scans for some of our core products, as well as on-demand products, and web applications. I'm mostly working with web applications for now. Based on my experience, new users should check as many features as they can, and also read the reports carefully. That way, they can get a full picture of how this product works. I'd rate the solution a nine out of ten.
Veracode Static Analysis isn't deployed on-premises. It's a SaaS offering. We are using Veracode Static Analysis for static analysis and SCA, and there is also a need for the DAST module for dynamic scanning. We are considering running a POC for this solution, but I don't have any other updates for the time being. I know its DAST features would also be useful. We are currently using HCL AppScan for SAST, and because we are not very satisfied with that product, we are considering using Veracode Static Analysis for DAST. A lot of people are using Veracode Static Analysis in our company, approximately 300 or 400 people: development team leaders, developers, and people who are very tech-savvy and using all their time to develop applications and new programs. I don't have pricing insight for this solution. I was not involved in the project before this was deployed. I just read in forums that the price for Veracode Static Analysis is high, but I cannot provide any specific insight. What I can tell others who are looking into implementing Veracode Static Analysis is that it is a platform that provides good features. Its reporting capabilities are interesting, and overall the platform gives high-quality results. You can manage your vulnerabilities and your risks quite easily, and define your own mitigation strategies within the platform. I'm rating this solution a seven out of ten.
Veracode is well-suited for modern programming languages. Veracode is not for scanning large legacy applications with a huge codebase. It also doesn't support some unique languages such as SAP. This could be a challenge for certain people. More organizations are taking the left shift approach for application security and trying to integrate security early into their software development life cycle. Veracode is good for such automation. I would rate Veracode Static Analysis a nine out of ten.