I have experience with Veracode, as I did download it, and our cyber team manages that. I've used Veracode for quite some time, more from a user perspective, not really as an admin person to run the scans. I share my role with Veracode by normally receiving the results and then analyzing them from there, as I was looking for options.
My impressions of Veracode's best features indicate that it doesn't have what I need. It's hard to integrate and perform hybrid analysis mapping. The threat modeling components aren't detailed enough. The deciphering of the results is challenging as they're hidden, making it difficult for a non-security user or normal IT developer to understand it.
We have about 100 to 200 licenses, with a very big portfolio of 500 systems, and people still don't understand it. Training 7,000 developers isn't feasible. We had training with Veracode where they conducted a major session, but nobody understood it. These developers can't be expected to remediate and configure the tool properly for comprehensive scanning. Instead, they turn everything off and only scan a very small line of code, which doesn't benefit the agency.
I wouldn't promote Veracode because it's not automated enough, and it has many configuration issues. Manual configuration is required, requiring expertise in Veracode. My thoughts on Veracode's development over time are that they have had sufficient time to figure it out, and I'm disappointed that it remains such a technical tool. It's a tool that everybody purchased when it was released, but it still isn't user-friendly.
I've used Veracode for quite some time, more from a user perspective, not really as an admin person to run the scans.
I would rate Veracode's customer service or technical support as not great, probably a four out of ten. Anytime we use the advisory to speak with an advisor, they are either too technical or have no understanding. We have a weekly meeting with Veracode because we have our own business relationship manager. He attends the calls without a technical person or lead architect to facilitate questions. When 40 people are on a call asking questions about turning off the API or fixing issues, the response is often that they cannot answer. The service is either a hit or miss, which is why I rank it low.
I wouldn't be inclined to take a 10-minute callback to discuss my experience with Veracode because I don't prefer it, so I don't think it would be a very good review. I'm looking to replace it.
My impressions of Veracode's policy reporting for compliance with industry standards and regulations are hit or miss. While it has industry standards built in, our organization has different policies that are more structured. Each policy must be set up individually, requiring comprehensive legwork.
For example, if there's a policy for a deprecated protocol in an internal-only system, Veracode still reports it as an issue. This creates unnecessary work for internal systems that aren't public-facing and have lower risk. Configuring the tool to align with policies for sensitive, public-facing systems based on law and NIST requirements requires reviewing each line individually, which becomes a two-year project.
My impressions of Veracode's ability to prevent vulnerable code from going into production is that the static code analyzer portion is adequate.
On a scale of 1-10, this solution rates a 5.