The easiest route - we'll conduct a 15 minute phone interview and write up the review for you.
Use our online form to submit your review. It's quick and you can post anonymously.
I have experience with Veracode, as I did download it, and our cyber team manages that. I've used Veracode for quite some time, more from a user perspective, not really as an admin person to run the scans. I share my role with Veracode by normally receiving the results and then analyzing them from there, as I was looking for options.
My impressions of Veracode's best features indicate that it doesn't have what I need. It's hard to integrate and perform hybrid analysis mapping. The threat modeling components aren't detailed enough. The deciphering of the results is challenging as they're hidden, making it difficult for a non-security user or normal IT developer to understand it.
We have about 100 to 200 licenses, with a very big portfolio of 500 systems, and people still don't understand it. Training 7,000 developers isn't feasible. We had training with Veracode where they conducted a major session, but nobody understood it. These developers can't be expected to remediate and configure the tool properly for comprehensive scanning. Instead, they turn everything off and only scan a very small line of code, which doesn't benefit the agency.
I wouldn't promote Veracode because it's not automated enough, and it has many configuration issues. Manual configuration is required, requiring expertise in Veracode. My thoughts on Veracode's development over time are that they have had sufficient time to figure it out, and I'm disappointed that it remains such a technical tool. It's a tool that everybody purchased when it was released, but it still isn't user-friendly.
I've used Veracode for quite some time, more from a user perspective, not really as an admin person to run the scans.
I would rate Veracode's customer service or technical support as not great, probably a four out of ten. Anytime we use the advisory to speak with an advisor, they are either too technical or have no understanding. We have a weekly meeting with Veracode because we have our own business relationship manager. He attends the calls without a technical person or lead architect to facilitate questions. When 40 people are on a call asking questions about turning off the API or fixing issues, the response is often that they cannot answer. The service is either a hit or miss, which is why I rank it low.
Positive
I wouldn't be inclined to take a 10-minute callback to discuss my experience with Veracode because I don't prefer it, so I don't think it would be a very good review. I'm looking to replace it.
My impressions of Veracode's policy reporting for compliance with industry standards and regulations are hit or miss. While it has industry standards built in, our organization has different policies that are more structured. Each policy must be set up individually, requiring comprehensive legwork.
For example, if there's a policy for a deprecated protocol in an internal-only system, Veracode still reports it as an issue. This creates unnecessary work for internal systems that aren't public-facing and have lower risk. Configuring the tool to align with policies for sensitive, public-facing systems based on law and NIST requirements requires reviewing each line individually, which becomes a two-year project.
My impressions of Veracode's ability to prevent vulnerable code from going into production is that the static code analyzer portion is adequate.
On a scale of 1-10, this solution rates a 5.
Currently, my use cases for Klocwork are focused on improving our code quality and streamlining development processes.
When comparing Klocwork to other solutions, determining their respective strengths would require a detailed assessment, but overall I find Klocwork's features superior for our needs.
For the kind of reviews that we are doing, we need to consider points of improvement and evaluate what Klocwork can do better as of now.
I have not contacted the technical support directly since I have not encountered major issues, but the stability has been satisfactory overall.
I would rate the support out of 10 as a solid 8, as they have been responsive and helpful.
Positive
The reviewer was asked about experience with alternative solutions.
For someone who does not have any experience with Klocwork and is deploying the solution for the first time, it can be straightforward, though consideration should be given to the deployment team size requirements, whether one person can handle a small project, or if a team is necessary.
A comparison between Klocwork and alternative solutions would require detailed assessment.
When starting with Klocwork, new users should consider their specific requirements and implementation approach. I rate Klocwork a 9 out of 10.
