Examples of the 96,000+ reviews on PeerSpot:

reviewer2724171 - PeerSpot reviewer
Manager at a government with 10,001+ employees
Real User
Manual configuration challenges overshadow efficient static code analysis

What is our primary use case?

I have experience with Veracode, as I did download it, and our cyber team manages that. I've used Veracode for quite some time, more from a user perspective, not really as an admin person to run the scans. I share my role with Veracode by normally receiving the results and then analyzing them from there, as I was looking for options.

What is most valuable?

My impressions of Veracode's best features indicate that it doesn't have what I need. It's hard to integrate and perform hybrid analysis mapping. The threat modeling components aren't detailed enough. The deciphering of the results is challenging as they're hidden, making it difficult for a non-security user or normal IT developer to understand it.

We have about 100 to 200 licenses, with a very big portfolio of 500 systems, and people still don't understand it. Training 7,000 developers isn't feasible. We had training with Veracode where they conducted a major session, but nobody understood it. These developers can't be expected to remediate and configure the tool properly for comprehensive scanning. Instead, they turn everything off and only scan a very small line of code, which doesn't benefit the agency.

What needs improvement?

I wouldn't promote Veracode because it's not automated enough, and it has many configuration issues. Manual configuration is required, requiring expertise in Veracode. My thoughts on Veracode's development over time are that they have had sufficient time to figure it out, and I'm disappointed that it remains such a technical tool. It's a tool that everybody purchased when it was released, but it still isn't user-friendly.

For how long have I used the solution?

I've used Veracode for quite some time, more from a user perspective, not really as an admin person to run the scans.

How are customer service and support?

I would rate Veracode's customer service or technical support as not great, probably a four out of ten. Anytime we use the advisory to speak with an advisor, they are either too technical or have no understanding. We have a weekly meeting with Veracode because we have our own business relationship manager. He attends the calls without a technical person or lead architect to facilitate questions. When 40 people are on a call asking questions about turning off the API or fixing issues, the response is often that they cannot answer. The service is either hit or miss, which is why I rank it low.

How would you rate customer service and support?

Positive

Which other solutions did I evaluate?

I wouldn't be inclined to take a 10-minute callback to discuss my experience with Veracode because I don't prefer it, so I don't think it would be a very good review. I'm looking to replace it.

What other advice do I have?

My impressions of Veracode's policy reporting for compliance with industry standards and regulations are hit or miss. While it has industry standards built in, our organization has different policies that are more structured. Each policy must be set up individually, requiring comprehensive legwork.

For example, if there's a policy for a deprecated protocol in an internal-only system, Veracode still reports it as an issue. This creates unnecessary work for internal systems that aren't public-facing and have lower risk. Configuring the tool to align with policies for sensitive, public-facing systems based on law and NIST requirements requires reviewing each line individually, which becomes a two-year project.

My impressions of Veracode's ability to prevent vulnerable code from going into production are that the static code analyzer portion is adequate.

On a scale of 1-10, this solution rates a 5.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2732385 - PeerSpot reviewer
Senior Software Engineering Manager at a tech vendor with 10,001+ employees
Real User
Room for improvement remains despite some positives

What is our primary use case?

Currently, my use cases for Klocwork are focused on improving our code quality and streamlining development processes.

What is most valuable?

When comparing Klocwork to other solutions, determining their respective strengths would require a detailed assessment, but overall I find Klocwork's features superior for our needs.

What needs improvement?

For the kind of reviews that we are doing, we need to consider points of improvement and evaluate what Klocwork can do better as of now.

What do I think about the stability of the solution?

I have not contacted the technical support directly since I have not encountered major issues, but the stability has been satisfactory overall.

How are customer service and support?

I would rate the support out of 10 as a solid 8, as they have been responsive and helpful.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

The reviewer was asked about experience with alternative solutions.

How was the initial setup?

For someone who does not have any experience with Klocwork and is deploying the solution for the first time, it can be straightforward, though consideration should be given to the deployment team size requirements, whether one person can handle a small project, or if a team is necessary.

Which other solutions did I evaluate?

A comparison between Klocwork and alternative solutions would require detailed assessment.

What other advice do I have?

When starting with Klocwork, new users should consider their specific requirements and implementation approach. I rate Klocwork a 9 out of 10.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.