From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front. From the pricing perspective, it is not very convenient for startup organizations. They should have options to onboard it for the startup ecosystem quickly and affordably. There should also be strengthening of the developer community.
The mitigation recommendations are sometimes helpful. Sometimes, they are outdated. Sometimes, there are a lot of false positives inside Veracode. That is something that I already suggested to the Veracode team. It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline. If it has better integration with our DevOps pipeline, then we would use it more. However, at the moment, if the solution can be used for a new project, then we can integrate it. However, if that takes too long, we will integrate other things that are faster.
The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way. And we have a process in place where there's a set of tickets and people can work on them. It just seems that people are more focused. They tend to pay attention to what they're doing and there's accountability. So having a more rigorous JIRA integration would be very helpful.
There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow. Also, because we are located in Europe, it would be a big help if they had a European or national service, because of the regulations, not only because of the speed. Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it.
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees
Real User
2020-12-29T10:56:00Z
Dec 29, 2020
The scanning could be improved, because some scans take a bit of time. Many developers have commented on the packaging. It is quite different compared to other tools, so the packaging of code could be changed. They should make it more uniform. On the reporting, there should be an option like sending reports to groups or by task ID.
Principal Consultant at a tech services company with 11-50 employees
Consultant
2020-12-20T08:24:00Z
Dec 20, 2020
Most of our time is spent configuring the SAST and SCA tools. I would consider that one of the weak points of the product. Otherwise, once the product is set up on the computer, it is fairly fast. Like many tools, Veracode has a good number of false positives. However, there are no tools at this point in the market that can understand the scope of an application. For example, if I have an application with only internal APIs and no UI, Veracode can detect that. It might detect that the HTML bodies of the requests are not sanitized, so it would then be prone to cross-site injections and SQL injections. But, in reality, that is a false positive. It will be almost impossible for a tool to understand the scope unless we start using machine learning and AI. So, it's inevitable at this point that there are false positives. Obviously, that doesn't make the developers happy, but I don't think there is another way around this, and it is not just because of Veracode. It's just the nature of the problem, which cannot be solved with current technologies. Once we explain to the developers why there are false positives, they understand. In Veracode, embedded features (where there are false positives) can be flagged as such. So, the next time they run the same scan, the same "vulnerability" will still be flagged as a false positive. Therefore, it's not that bad from that point of view. Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of false positives, it would be highly desirable if a false positive didn't show up again in the UI, instead of still showing up as a false positive in every subsequent scan. There is a little bit of cluttering that could be avoided. However, that is not necessarily a shortcoming of the product. I think it's more of a shortcoming of the UI. It's just the way it's visualized.
However, going forward, I personally don't want to see any more vulnerabilities that I already flagged as false positives. It does take some time to understand the way the product works and be able to configure it properly. Veracode is aware of that. Because the SCA tool actually comes from a company that they acquired, SourceClear, the SCA tool and the SAST tool are not completely integrated at this point. You are still dealing with two separate products, which can cause some headaches. I did have a conversation with the Veracode development team not too long ago where I voiced my concerns. They acknowledged that they're working on this and are aware of it. Developers have limited amounts of time dedicated to learning how to use a tool. So, they need quite a bit of help, especially when we're talking about this type of integration between the SAST and SCA. I would really like to see better integration between the SAST and SCA.
Senior Director, Quality Engineering at Everbridge, Inc.
Real User
2020-11-20T11:13:00Z
Nov 20, 2020
Three areas that we continue to struggle with are:
* Identifying and flagging false positives that reappear in other locations; a rule that can catch other occurrences, so that we don't have to repeat the override each time, would help productivity.
* Improving sorting through findings reports to filter by only what is critically relevant, which will help developers focus on issues.
* Adding enterprise aggregate reporting, showing teams grouped in business units with trends per team and at the group level, that can be sent by email as a digest with drill-in back to the dashboard.
It takes a while to get a response to the software composition analysis. It is within an acceptable range but it could still be improved. In the future, I would like to see the RASP capability built-in.
Enterprise Architect at a computer software company with 1-10 employees
Real User
2020-03-16T06:56:15Z
Mar 16, 2020
The licensing model could be improved. If they can provide an automatic upload model, that would be really good. Right now we have to upload the NK bucket hosting to get through the analysis. That is kind of cumbersome. The documentation is poor and the technical support isn't helpful.
Enterprise Architect, VP at a financial services firm with 501-1,000 employees
Real User
2020-03-16T06:56:00Z
Mar 16, 2020
There is a concept called false positives where things might come up as a potential issue but they really are not. In our case specifically, we might get a false positive when a potential vulnerability is discovered through Veracode analysis, but the way that the application is built makes it so what appears to be a vulnerability is not really an issue. Stated a different way, even though there might be something that prevents that particular event from ever happening, the product does not correctly detect the safeguards or the impossibility of the issue arising. When a false positive gets reported by the Composition Analysis, it results in more work for you to do than you should have to. There is a lot of information to go through and so some of it is due to those false positives. You either have to do work to eliminate the false positives being identified, or you have to look at the alert and determine that it is harmless. As far as what might be added in future releases, more artificial intelligence capabilities would be desirable. I do not know if they have it now. Maybe one example could be to make more focused suggestions or give more information in the reports to locate the cause of the issues. It should be something that improves results over time so that people do not have to do as much work to understand the details.
The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified. The solution needs to be more flexible. It needs to work with clients more effectively. Right now, the licensing model is based on the number of applications as opposed to being flexible and based on the number of developers or based on some other parameters. This constrains our company in terms of defining what an application is and doing the scans. We have an application with multiple repositories, but Veracode has a hard time recognizing the different components sitting in different repositories as one application. The solution is pretty similar to others. There wasn't anything that was so startlingly different it would make us want to stay.
There is room for improvement in documentation. Maybe the documentation about how to configure something. It is difficult to get the expected result.
A high number of false positives are reported and this should be reduced.