Veracode Reviews

My main task involved integrating a security tool into a cloud platform. Once the integration was complete, we ran the pipeline. After completion, the overall metadata was fed into the security tool. The tool then scanned the data from the cloud platform and transferred it to the Veracode platform. Once Veracode processed the information, it scanned the overall metadata to identify vulnerabilities based on OWASP or application security top ten rules. The tool categorized the vulnerabilities as critical, high, or medium based on these rules. This was the workflow we implemented in the industry.

Veracode helps organizations develop software by reducing the risk of security vulnerabilities through developer enablement and applications focused on governance. You can utilize different levels of processes to achieve better performance or a more scalable service. Since I started working with it in 2022, I’ve found it to be cost-effective as well. Overall, Veracode is a user-friendly security tool.

It includes features such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA). During the development phase, we can identify vulnerabilities in the application. This process occurs in the staging environment during development. When we're ready to go to production, we conduct a final check. Essentially, this tool helps identify vulnerabilities during the code development stage, including both high-level vulnerabilities and those related to open-source software composition. We utilize specific methodologies for this purpose. Additionally, it offers a feature that allows us to set up policies based on client requirements. This means we can customize the tool to meet the specific needs of our clients, ensuring that they receive the appropriate level of security in their applications.

Veracode is user-friendly as well. Compared to other tools, their scans take 15 minutes or under. If you have a large scale of libraries or data, it might take longer, but based on my personal experience, the scan usually runs within fifteen minutes.

For my case study using the Veracode tool, I worked on an internal project following industry standards. We used Veracode to improve our security posture and speed up the time to market by streamlining the development process. This enhanced collaboration between developers, operations, and security teams. The automated scanning process helped identify and fix vulnerabilities earlier in the development process. We maintained compliance with regulatory requirements, avoided fines, and built customer trust by integrating security into the development process.

When we conduct this scan, we receive data on a list of vulnerabilities. This information improved our communication and increased transparency, which leads to better reports about the efforts being put in. This results in a more effective and efficient collaboration process, making it user-friendly for all involved. When considering costs, if we resort to manual processes, it can be time-consuming. Therefore, we utilize automated scans to identify and fix security issues. This allows us to address vulnerabilities early in the development process, as we discussed previously. This applies both to our in-house code and third-party libraries, using Software Composition Analysis (SCA) agent-based scans. In the future, we will also implement SCA agent-based scans as a separate feature within Veracode, which can help organizations avoid the expensive and time-consuming consequences of security issues. Furthermore, we have seen an increase in compliance, helping to maintain adherence to regulatory requirements and industry standards, thereby avoiding fines and reputational damage associated with noncompliance.

Additionally, by integrating security into the development process, we enhance customer trust in our organization and its products. 

Veracode is a modular cloud-based solution for application security with features such as SAST, DAST, SCA, IAST, and pen testing. It helps organizations reduce the risk of a security breach through analysis, developer enablement, and AppSec governance. The tool integrates into cloud platforms to scan metadata, identify vulnerabilities based on OWASP Top 10 rules, and set up policies according to client requirements. It's also time-efficient, scalable, cost-friendly, and enhances customer trust.

I have been using Veracode for four years and have found some areas that need improvement. When we implement a policy, it can be very difficult to locate. Running SAST and DAST simultaneously can be challenging. The initial deployment was not easy, and the internal training was quite difficult. However, after using it for about a month, it became more user-friendly.

I have been using Veracode since 2022.

Veracode is time-efficient compared to other tools, taking nearly 15 minutes for standard scans. When dealing with large-scale libraries or data, it may require more time. Veracode's price is lower and the solution is more scalable.

The technical support team provides immediate responses. We can resolve multiple issues during the calls. They provide good technical support, and I would rate their support as seven out of ten.

In response to our inquiry, they provide an update within 24 hours. They share detailed information via email, including screenshots or further clarification about the issue. If we are experiencing a significant backlog in processing technical issues, we arrange a call with our senior technical team. They will provide guidance and help resolve the issue during the call.

Neutral

For quality and SAST-based purposes, we can use SonarQube and ShiftLeft. ShiftLeft only provides SAST and SCA based scans. For DAST, we work with Acunetix or Burp Suite. We compared ShiftLeft, Veracode, and GitHub Advanced Security. While Veracode has five features, ShiftLeft provides SAST and SCA, and GitHub only handles secret scanning. Veracode was ultimately the best choice.

The initial deployment wasn't easy. During the internal training, I found it quite challenging. However, after about fifteen to twenty days of use, or nearly a month, it became user-friendly.

As for the deployment team, we had specific client requirements. They had multiple applications, which meant we needed more than one person. Initially, we started with two people, and then one intern joined us later on. In total, we had three members working on approximately 120 applications.

When considering pricing, Veracode stands out due to its lower cost per service and more scalable options. It offers nearly five security testing features within its own service, making it a competitive choice compared to other tools. Overall, Veracode's pricing is lower and more scalable than many alternatives in the market.

I would rate Veracode as eight out of ten.

I have experience with Veracode, as I did download it, and our cyber team manages that. I've used Veracode for quite some time, more from a user perspective, not really as an admin person to run the scans. I share my role with Veracode by normally receiving the results and then analyzing them from there, as I was looking for options.

My impressions of Veracode's best features indicate that it doesn't have what I need. It's hard to integrate and perform hybrid analysis mapping. The threat modeling components aren't detailed enough. The deciphering of the results is challenging as they're hidden, making it difficult for a non-security user or normal IT developer to understand it.

We have about 100 to 200 licenses, with a very big portfolio of 500 systems, and people still don't understand it. Training 7,000 developers isn't feasible. We had training with Veracode where they conducted a major session, but nobody understood it. These developers can't be expected to remediate and configure the tool properly for comprehensive scanning. Instead, they turn everything off and only scan a very small line of code, which doesn't benefit the agency.

I wouldn't promote Veracode because it's not automated enough, and it has many configuration issues. Manual configuration is required, requiring expertise in Veracode. My thoughts on Veracode's development over time are that they have had sufficient time to figure it out, and I'm disappointed that it remains such a technical tool. It's a tool that everybody purchased when it was released, but it still isn't user-friendly.

I've used Veracode for quite some time, more from a user perspective, not really as an admin person to run the scans.

I would rate Veracode's customer service or technical support as not great, probably a four out of ten. Anytime we use the advisory to speak with an advisor, they are either too technical or have no understanding. We have a weekly meeting with Veracode because we have our own business relationship manager. He attends the calls without a technical person or lead architect to facilitate questions. When 40 people are on a call asking questions about turning off the API or fixing issues, the response is often that they cannot answer. The service is either a hit or miss, which is why I rank it low.

Positive

I wouldn't be inclined to take a 10-minute callback to discuss my experience with Veracode because I don't prefer it, so I don't think it would be a very good review. I'm looking to replace it.

My impressions of Veracode's policy reporting for compliance with industry standards and regulations are hit or miss. While it has industry standards built in, our organization has different policies that are more structured. Each policy must be set up individually, requiring comprehensive legwork.

For example, if there's a policy for a deprecated protocol in an internal-only system, Veracode still reports it as an issue. This creates unnecessary work for internal systems that aren't public-facing and have lower risk. Configuring the tool to align with policies for sensitive, public-facing systems based on law and NIST requirements requires reviewing each line individually, which becomes a two-year project.

My impressions of Veracode's ability to prevent vulnerable code from going into production is that the static code analyzer portion is adequate.

On a scale of 1-10, this solution rates a 5.

I have been using Veracode for the last two years, which is one of the security scans that is part of our organization and is mandatory for all products to be scanned by this tool.

We use Veracode for DAST scans, which involves dynamic scanning of our web application. Veracode only supports web application scanning for security vulnerabilities, and it performs black box testing on our application for security issues and cybersecurity testing methodology.

Our product is in the backup and recovery space and has a web interface for it. Since it is a relatively new product that we have, we perform Veracode scans every month to ensure that whatever we are developing is in compliance with Veracode standards. To identify any early vulnerabilities we introduce in our development process, we conduct monthly scans. Initially, I used to perform scans manually by logging into Veracode and following the step-by-step procedure to execute a scan, but now we have automated it somewhat. Although Veracode does not provide a tool for automating scans, we have found a workaround using Selenium to automate it ourselves. We are using Veracode to identify early security issues in our development.

One benefit is that we have automated the scanning process. There is a first layer of security where every month Veracode scans run and share a report on whether there are any high severity vulnerabilities in our application. This is beneficial as it provides a base-level security layer that helps us identify entry-level issues early on using Veracode. This tool is able to track basic issues.

Veracode seems to be a basic security testing tool because we have observed that Veracode was not able to find some actually severe vulnerabilities in our application. When we later conducted penetration testing with a dedicated pen testing team, we found many security issues that I feel should have already been identified through Veracode if it were doing its dynamic testing properly. These vulnerabilities were relatively simple for Veracode to find in our application, but they were not found by Veracode and instead were found by the other team. Even another product called ZAP, the ZAP tool from OWASP, which we have used, identified issues that Veracode could not identify.

Honestly speaking, Veracode is just our compliance scan that we have to do but don't want to do, as it is part of our compliance testing. Regarding any particular feature, I will say the Veracode UI is the only noteworthy aspect. It is not that easy to use, but if you spend some time, you will be okay with it, though it is not that good. I honestly do not feel its UI is comfortable or its reporting is clear because it is not really understandable what exact issue we have. They should make it simpler. In my opinion, Veracode lacks significantly in most parts, including its UI, its reporting, ease of use, and the features that it provides. I do not have any favorite feature and just use it for the sake of our compliance.

Veracode can improve to stand in this market. They do not have to do much; they just need to improve their UI experience and add more documentation within the application rather than just creating documentation pages on different websites. They need to ensure their web application guides whoever uses it. Since whoever uses Veracode must be a technical person, they just need to guide them to the actual points. They can also improve their security capabilities by adding more filters to identify what vulnerabilities their application has. They need to improve their scanning engine to scan for more critical defects. Also, the integration part can be enhanced by adding features to integrate with a CLI, such as introducing a CLI version or a Jenkins plugin. If such features exist, they should show it as a pop-up, signaling that they have a new feature. Currently, it feels Veracode from two years ago is still the same, so that is something Veracode needs to improve.

They can improve the security part. Some of the severe security issues were never caught by Veracode in the reports. In fact, I have never seen any high or critical severity issues pop up in my Veracode report. That is one thing they can improve on their scanning ability to catch high severity issues. Next is integration; Veracode does not provide any tools to integrate with Jenkins or CLI. I do not even know if there is any CLI for Veracode that I can use to automate in my pipeline. The last thing is the UI interface that they have, as it is a bit confusing. I remember we did not have the capability to handle authentications of our internal application. We had to write Selenium code using a Selenium IDE. To write a Selenium script for a Veracode scan, you have to download a Selenium IDE, record it, and then paste that file into Veracode. I can see that Selenium IDE is already decommissioned, so it is no longer used by anyone. Still, we have to use it because Veracode only supports that kind of file for Selenium to automate. They can add more ways to authenticate our application using normal JavaScript or Python or Shell script. I feel these are the four main points.

They can document it more by adding tooltips into the application that explain why a parameter is required and what other options are available. For the same example with the Selenium script, they can add a link to their documentation that explains what other kinds of scripts can be written for authentication. I feel they can also make the UI more intuitive so that whoever uses it can guide themselves, as whoever uses Veracode is already a technical person.

I have not seen any outages because it is on our private cloud. However, I have observed that it is not that reliable in terms of security because Veracode was not able to find some security threats in our application that existed since the product was developed. I feel it is less reliable, considering that Veracode has the responsibility to find common issues such as path traversal vulnerabilities or issues with broken authentication mechanisms. There were security issues I feel should have been caught by Veracode, but it does not instill the reliability I expect.

I have never experienced its scalability. I have worked on a single product and performed scans for only one product, so I am not sure how it works at scale.

I never got a chance to deal with customer support. Most of the issues I faced were resolved within our organization. I have never contacted them.

Negative

In my previous company, I used SonarQube, which we implemented into our pipelines and was comparatively easy. However, in this company, they do not use SonarQube; they use Veracode. I did not switch solutions; I just switched companies, which is why I am now using Veracode.

If I had a chance to replace it, I would go with SonarQube or something else because it has more features.

Veracode seems to be a basic security testing tool because we have observed that it was not able to find some actually severe vulnerabilities in our application. When we later conducted penetration testing with a dedicated pen testing team, we found many security issues that I feel should have already been identified through Veracode if it were doing its dynamic testing properly. These vulnerabilities were relatively simple for Veracode to find in our application, but they were not found by Veracode and instead were found by the other team. Even another product called ZAP, the ZAP tool from OWASP, which we have used, identified issues that Veracode could not identify.

Veracode is just our compliance scan that we have to do but do not want to do, as it is part of our compliance testing. Regarding any particular feature, I will say the Veracode UI is the only noteworthy aspect. It is not that easy to use, but if you spend some time, you will be okay with it, though it is not that good. I honestly do not feel its UI is comfortable or its reporting is clear because it is not really understandable what exact issue we have. They should make it simpler. In my opinion, Veracode lacks significantly in most parts, including its UI, its reporting, ease of use, and the features that it provides. I do not have any favorite feature and just use it for the sake of our compliance.

I do not feel Veracode has improved any efficiency in our project. It is just another release check that we have to perform. It did not add any improvement to our efficiency or security life cycle; it is just there. My overall review rating for this product is 6 out of 10.

My use case for Veracode is to identify security vulnerabilities in our production Jars.

Veracode's best features include the ability to perform multiple types of scans such as SAST and DAST scans, and we can scan third-party Jars as well. If we are using certain Jars that are expired and have no long-term support, we can mitigate that and change the versions. In the DAST scan, we can test in real-time how hackers would attack our system and identify security flaws while going through the results.

Veracode has improved our organization by allowing us to identify vulnerabilities and mitigate them as soon as possible without getting exposed to the outside world. Hackers cannot hack anything, so we can protect our entire system using this solution.

Veracode has areas for improvement in that the scan takes some time for each Jar depending on the size. If it were faster, that would be more helpful for us.

I have been using Veracode for around one to two years.

I have never faced downtime, bugs, or glitches with Veracode over the past few years. It is stable.

I find that Veracode's scalability is a ten out of ten, as I have never faced any issues.

When comparing Veracode with other products such as SonarQube, I find that Veracode has much more support because they offer numerous customer support options. Whenever there are doubts, we can log a session with them, and they are always happy to help.

Positive

Setting up Veracode is very easy. We are using it as a platform as a service, and we just need to integrate some creator access IDs and a few security passwords with our existing CI pipeline.

It takes about a week to set up Veracode.

Currently, we are using Veracode for on-premises services. If we have any doubts, we can schedule a meeting with them to explain all the services they offer, including types of scans and security details, which is how we got to know about Veracode.

Most of the developers in my organization, around fifty to eighty, are using Veracode because it is their code that they are building.

We are a customer of Veracode.

Veracode does not require any maintenance from our end. It is a platform as a service where we just put our code and do the scanning, with everything being taken care of by Veracode itself.

Regarding pricing, Veracode is cost-efficient and not that expensive.

Veracode saves us a lot in terms of security, ensuring that external users or others cannot easily hack our system, which is the main motive for using Veracode. It has saved everything for our organization.

I would rate the technical support of Veracode a ten out of ten.

I would definitely recommend Veracode to other users because it always helps in identifying security issues with our code and applications. It is the best tool that I can recommend, and I would rate it a ten out of ten.

My use case for Veracode includes utilizing the SSA and SAST modules as part of improving the code that we are developing in the company, and we have 130 developers that we are trying to onboard in this platform. We have been able to onboard 100 more or less in these months, and the idea is to change the way they are developing because we want them to heavily use the IDE integration. 

We mostly use Visual Studio Code, and we have them using the integration plugin with Veracode so that they can fix the security issues at dev time. When we have the product in the pipeline, and we run the scans again, it's a green light.

Veracode Fix has affected our time to remediate security flaws in cases where we've been able to use it correctly because the proposals were on point, and it's been great. 

We've seen that in the same sprint that we were developing the features, now those features are implemented without any technical security debt. What happened before was that we needed another sprint to solve those technical debts. So we haven't seen an increase in time, and the speed of development of the teams is better, and now the product is being delivered with less technical debt.

One of the aspects I appreciate most about Veracode is that even though we have a license for developers, we don't get charged by the users who don't develop code but are only trying to access the platform to see the reports or the dashboard, such as architects who do some code reviews but don't develop. That's a nice feature that doesn't happen on other platforms that we analyzed. 

Another feature that we appreciate significantly is Veracode Fix and how it's integrated with Visual Studio Code. Even though it has some room for improvement, the key usage for us is to be able to solve everything. The developers also learn how and why they have to solve the security vulnerabilities detected. At the same time, they are developing the feature. Veracode Fix has affected our time to remediate security flaws in cases where we've been able to use it correctly because the proposals were on point, and it's been great.

Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.

I have been using Veracode for nine months.

It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.

I have contacted the technical support and customer support. With Veracode's technical support, for some issues, it has been really difficult for them to understand the problem, and they ask us to do some tests we've already told them we completed in the first ticket. I think there is room for improvement there. However, we are also working with premier support, where we have an engineer assigned to our account. When we work with him on one of our problems, it gets solved much faster. Now we always try to add this engineer to all of our tickets so that we can solve everything faster. That's because we have the premier support as part of our agreement.

Positive

The initial deployment was difficult. We had some problems with the SSO integration. But Veracode found a fix, and they are delivering the final solution to production. It took us a lot of time to get that mitigation, and it's not that fast to onboard the dev teams. We are having meetings with each team depending on the language they are using and the type of application; it may be really fast or take up to a week for them to have the product integrated. My expectation was that it was going to be faster.

For us, it wasn't the most expensive solution proposed. Part of our decision to get Veracode was that when we evaluated against other products, Veracode was cheaper. What they need to measure is that you need a tool that is efficient and works for your products and how you develop, which has a nice level of detection and a low level of false positives. We make an evaluation and only choose tools that offer a good balance between providing good detections and a low amount of false positives. What was happening with SonarQube was that we had lots of false positives, making teams not care about the vulnerabilities because most were false positives. Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.

We have used some alternatives to Veracode for some of the use cases. For example, for SAST, we've been using SonarQube from Sonatype and also some IDE plugins that we've asked the developers to use, but we didn't have any centralized platform to manage and false positives or findings. For SSA, we've been using Renovate Bot and also SonarQube and some of the GitLab integrations that we've been using for some use cases. The only one that we've used as an enterprise solution for all the products was SonarQube and Renovate Bot; the other tools were tested with a small number of teams.

We don't use some of these tools because we don't have the license for them. We are not using Veracode for DAST or for manual penetration testing, but we are using the other ones, and they give visibility through the process. I think that Veracode does it, but since we are not using DAST, we are only part of the development process before going to the runtime environments. So we are not checking anything on runtime. That part of the process, where you have the product running and you make real tests on the running product, we are not solving with Veracode, but that's mainly because we don't have the DAST licenses. The way we are using Veracode now means that since we haven't finished the rollout yet, we are not putting any restrictions on our pipelines so that they can only go to production if Veracode didn't find any critical vulnerability. Now, we are not using it as a blocker, so it depends on the team. Some teams don't want to appear in red in the reports from the last pipeline scan, so they are delivering much more secure code to production. Other teams don't care and still deliver with the same vulnerabilities, but that's something that varies from team to team. Generally, most teams have improved a lot, for example, by updating all the libraries and reducing all the critical and high vulnerabilities, delivering to production only with low or medium vulnerabilities.

We use the scan and code scanning functionality. Those are the main ones. I just changed my role, so this company is using Veracode, but I've been using it for quite some time before joining this new company. It is currently only managing the source code review. We have other tools that we integrate as such as infrastructure as code, container security, cloud misconfiguration reviews, and others. So it's part of the overall security posture. I can't say that it's solely for our entire security posture because it just manages a subset of one of the security requirements, which is the source code review.

It has met the company's requirements. Nowadays, we are talking about AI code generation. The company is required to leverage the existing code scan to see whether it can support scanning the code that is generated from GenAI before pushing that code to the developers. The developer wouldn't know whether this code is secure or not. Usually, we do the static scan first, but now with a code generator, we want to ensure that it generates secure code.

It did the job. Just before production, we did a scan and ensured that there were no critical or high-criticality issues before going to production. I think that helps to sanitize the code without going into a peer review. We have an automatic scan that catches all these things first, so it's beneficial.

This is especially true for the library because most of these static code scans or software component analyses scan the third-party library that has a CVE or CVSS finding. But if it's a custom-built library that isn't known to the public, it's unclear whether there's a vulnerability or not. Currently, it lacks the ability to trigger on those. We probably have to use a different solution for that.

There should be a feature where we can actually scan code that has been generated by GenAI, such as ChatGPT or Copilot. When they generate this code, they should have some kind of third-party integration feature that can suggest to us, 'This code is clean' or 'this code is good to be used for the developer.' 

We are also looking at Black Duck. They introduced a new feature. We were testing on this secure code for AI, so they do have some tools that we are currently exploring to see whether they can do secure AI code.

Regarding remediation, based on my experience, the recommendation from Veracode on remediation is quite helpful. It gives valid reasoning, and the recommendation is fixed. 

The developers actually understand how to fix that. However, some of the recommendations, such as upgrading a certain library to version XYZ, sometimes don't go deeper because some of these libraries are not as simple as just changing the version to fix them. There are interdependencies with other third-party components. 

Sometimes, when the recommendation asks to upgrade the version to XYZ, when we actually upgrade it, there will be another issue with other things. We usually face difficulty with that one. Sometimes we take an exemption because we can't upgrade this without breaking certain things, so we decide to go for the risk exception.

I just changed my role, so this company is using Veracode, but I've been using it for quite some time before joining this new company.

The stability is acceptable overall.

I didn't get involved much with asking them questions. During the initial phase when we started integrating, they were very helpful, but after they deployed the license and everything, we haven't reached out to them to ask any other questions. It's gone into autopilot. Once you have the license, everything just continues as it is.

In my last company, they used Veracode, and then they transitioned to Snyk. The price point was the first priority we looked at. Secondly was the integration—whether it had deeper integration with our system, and was easy for our developers to enroll and use. After a trial of 12 months with Veracode, we decided to move to Snyk.

Previously, we did a comparison between Veracode, Synopsys (which is Black Duck), and Snyk. We did our own internal review. Veracode needs to shift to a more modern approach because it still feels traditional in its way of doing code scanning compared with others, such as Snyk. They still use a base app, although they have a web version as well, but the integration part could be more seamless. I'm comparing it side-by-side with Snyk, as I'm also a heavy user of Snyk. Those aspects can be improved.

The integrated IDE tool enables users to get instant feedback in real-time on the code itself, rather than waiting for it to go through the CI/CD pipeline and get the result. They can instantly review their code on demand, which is quite beneficial.

For my previous company, when they first adopted source code review, they went for the open-source option first. I always advocate for people to go with the open-source option to understand what the features are and how exactly the source code scanning looks. Once comfortable with it, or if certain features are needed, then look for the enterprise version. Sometimes for different companies, especially small businesses, they couldn't afford Veracode because of the steep price.

Regarding integration, apps such as Jira and Confluence are important. The main thing was that it's fully and deeply integrated with the user and the repository, like Confluence. Every time there's a report, we can immediately generate a ticket from Snyk to Jira. It helps the developer get notified about issues after the scan. Then they fix the issue, tag the ticket as resolved, and once it's marked as resolved, we will do the rescan.

As a beginner, the interface is quite straightforward. People will not get confused. The technical report is professional and can be used by regulators. I can simply export it as a PDF and then share it with a regulator or any auditor for their review.

Regarding mobile code support, such as iOS, Kotlin, and others, the results were not really promising. For Java and C#, it's very good. They are pioneers in that. But for mobile development, if you're a mobile company that builds mobile apps and you have iOS, Objective-C, Swift, and Kotlin, that area needs to be polished.

I rate Veracode a seven out of ten.

My main use case for Veracode involves SAST scanning and SCA scanning of applications. In my workflow, I specifically use Veracode for SAST and SCA scanning by generating binaries of our many applications and uploading them onto Veracode, which then provides the scans. Additionally, I have integration with our Bamboo pipeline that generates these binaries and runs the scans.

In my opinion, SCA is more powerful than SAST in Veracode, as it has a very good interface showing all the SCA dependencies and the possible fixes, along with a very good sitemap feature and superior DAST capabilities.

Regarding the features, I would say the reporting is very good compared to its peer tools, such as Fortify or Semgrep, although the integrations are not as strong due to the limited API features. Usability of the web UI is very good.

Veracode has positively impacted my organization by helping secure our critical applications, and it has impacted very well. The sitemap feature allowed us to find some shadow IT, which is a significant benefit.

Veracode can be improved with more integrations, more automations, enhanced API features, and more advanced analytics. While its usability is very good, some features such as report generation could be much more intuitive.

Speed of scans should be improved, with the metrics regarding the speed of scan provided accurately, as it starts off with a higher estimate and then goes up. The right estimate should be given.

I have been working in my current field for 10 years.

Veracode is very stable.

Scalability of Veracode is very good.

Customer support for Veracode is good.

Neutral

I previously used HP Fortify; we switched to Veracode because it is a newer tool.

I think there is no direct metric regarding return on investment, unless considering the impact on our defensive posture. It helped more than any measurable metric relating to fewer employees or money saved.

My experience with pricing, setup cost, and licensing is that it is very good.

Before choosing Veracode, we evaluated Snyk and HCL AppScan among other options.

Finding shadow IT has impacted my team and organization by alerting the relevant teams who then took action to ensure that there is no shadow IT anymore in that region of applications.

My advice for others looking into using Veracode is to look at your applications and evaluate Veracode's capabilities beforehand. If it can handle your applications and if it is a good fit, then I recommend going for Veracode.

I chose a rating of eight because I did not give a higher score due to some limitations and issues, such as the automations and integrations I previously mentioned, but I did not give a lower score because it is not a bad platform and is fairly mature.

It helps with intelligent software composition, ISC, allowing us to test fast and get fast feedback around third-party library vulnerabilities, and have a quality gate around the CVEs, and so on.

I work as a digital consultant helping customers with their digital transformation side, with the primary focus on reliability engineering, SecDevOps, and Cloud. I have multiple clients using this same product. My clients are from different industries such as retail, consumer goods, travel, hospitality, and energy.

Veracode provides visibility into application status at every phase of development, as it's how we stitch it together, allowing us to introduce it at various phases to gain fast feedback. This capability increases the velocity in DevSecOps processes as developers receive feedback on vulnerabilities before committing, reducing the overall rework.

It helps developers save time significantly. For instance, if I take a library and assume it's going to work until it reaches QA or UAT, where we find out there's a vulnerability, that can require extensive effort for code refactoring or redesigning; Veracode helps prevent that before the pull request is merged.

Veracode impacts the overall security posture by maintaining data integrity, ensuring we are not exposed to threats from third-party libraries with known vulnerabilities. From my perspective as a SecDevOps evangelist, Veracode is crucial for an organization's shift-left security strategy. Veracode's SCA perspective offers tools that facilitate shift-left security by providing feedback before failures occur in the development process.

All three of Veracode's offerings are valuable: SCA, SAST, and DAST. It helps identify security loopholes right in the development phase, allowing developers to get feedback around what kind of vulnerabilities exist as soon as they check in the code or even before that in their IDE.

It would be better if we had a channel for direct communication with the engineering team to speed up the process of providing feedback. 

I think Veracode has most areas covered, but I'm not sure if they have something around container scanning yet, which is important as workloads become containerized or serverless.

Regarding innovative features offered by Veracode, it would be beneficial for them to open up a channel to broadcast new developments and features to help us adapt. We are currently integrating Veracode using their GitHub Workflow app, but it's not yet mature.

It has been more than five years. 

We have an enterprise license and direct connection with the Veracode team. I consulted their team about a couple of issues or bugs in the product that weren't matching our requirements, and we provided feedback that they took back to address. 

I would assess their help as eight out of ten in terms of how they assist with the issues I bring to them. It's good to have access to their team at no extra cost with the license, as most SaaS platforms include consulting as part of their offerings, but access to the engineering team is crucial for faster feedback on the product fix process.

Positive

I do have experience with other testing tools such as Mend and Polaris. The main differences between Mend, Polaris, and Veracode lie in the specific functionalities and how each integrates with enterprises. Overall, the basic functionalities remain similar. In comparing Veracode's breadth of end-to-end testing versus Mend, I find Veracode to clearly be a winner in the SCA segment. Other than that, both are pretty much equal in the SAST and DAST areas.

When it comes to the initial setup, it's both straightforward and complex. While the product is mature, it requires integrators. For example, I'm using GitHub Flow, but the GitHub app to plug in is not sufficiently mature.

I have not examined Veracode's pricing in detail, but from an industry perspective, I see that there is a tendency toward Veracode, which suggests competitive pricing.

I would rate Veracode's ability to prevent vulnerable code from going into production at an eight out of ten because AI is evolving, and there are other tools emerging that help by proactively changing the code without needing the developer to take action, ensuring that pull requests are handled before going into production. 

We just got the Veracode Fix feature, but we need to understand it more deeply to know if it just performs code fixes or handles dependencies as well. Can it arrange or adjust my versions to make sure that the library that I'm using does not have any vulnerabilities? We have not enabled AI-generated fixes because we need to try it out and see how it performs, especially concerning human intervention in auto-upgrading or automatic patching in production. I am yet to explore the continuous delivery and continuous deployment aspects to provide feedback on that. 

I would recommend Veracode to others, as it maintains strong industry adoption.

Overall, I would rate Veracode an eight out of ten.

We use Veracode as a vulnerability scanning tool, which checks our code base and has certain rules and policies that can be updated as per the company policies; it checks our code, finds any vulnerable APIs or libraries, analyzes them, and gives us a report, and then we work on that so that we will use the latest, all non-vulnerable libraries to make the application more secure. 

Veracode provides visibility into application status at every phase of development through static analysis. Veracode definitely affects my DevSecOps processes because without this tool it would be difficult for developers or testers to find vulnerabilities, as in a large-scale production system there are hundreds of thousands of APIs and libraries used, and it's not possible for any individual to check all of them. 

This tool helps to get all the reports, outlining the APIs or libraries with severe vulnerabilities, which need to be fixed, so that is definitely helpful. Veracode positively impacts my ability to fix flaws since it not only gives us the version information but is also integrated with the artifact repository, helping us find all versions. It provides a list of vulnerable versions we are using and recommends upgrading to the non-vulnerable version. 

Veracode helps save time for my developers on the security vulnerability finding. Almost all users in my organization utilize Veracode, numbering in the thousands.

Veracode has a significant impact on my security posture. Without these tools, we would not know which libraries are vulnerable or what kind of attacks might occur, so at least from a security point of view, we can be assured we are using all non-vulnerable versions, providing a level of safety from the project team's perspective. 

The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins.

The policy reporting does assist us with compliance. There are certain rules where fixing vulnerabilities is part of the policy. We have guidelines and we need to resolve them before putting something into a higher environment. It helps with that.

Veracode provides visibility into application status at every phase of development, including static analysis. Without this tool it will be difficult for the developers or the testers in a large-scale production system go through hundreds or thousands of APIs and libraries. It helps us quickly go through and understand what needs to be fixed. It sees everything, finds all versions, and gives us a list of all of the vulnerabilities and which versions have vulnerabilities. 

Improvements can be made to Veracode, particularly in terms of process. If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly.

I noticed there is no integration with Bamboo.

I have worked in a project for about five years, and while we do not exactly work in Veracode, we have integrated Veracode with our applications so that it will do all the analysis and give us reports.

Veracode is stable for us.

I am not sure about the scalability of Veracode or where they are hosting their servers.

I have never needed to raise a ticket and work with Veracode experts.

Positive

I have used both Veracode and Checkmarx before choosing Veracode for one of my projects; Veracode is very established and widely used, while Checkmarx is relatively newer and has a smaller user base, though both have their place in the market.

I am not sure how Veracode is managed in terms of deployment, as we use API keys for connection.

The pricing is okay.

I would suggest some static analysis tools should be in place. Either Veracode or CheckMarx. If there's a security gap, you'll never know the cost or effect. You need early detection in place to do all of that fixing. 

I would suggest that a static analysis tool should be in place, either Veracode or Checkmarx, as both help in the SDLC cycle with early detection of security gaps, which is crucial to avoid costly effects later on; so I would say this is a must-do to facilitate early detection and fixing before production.

I'm a Veracode customer.

From an organizational perspective, there is a separate team managing Veracode, and they might find that access valuable. The fact that Veracode doesn't scan source code (only binary code) does not concern me, as that decision is made at the organizational level, and I trust that they are managing all required features. 

I would recommend Veracode to other users. It definitely helps us detect vulnerabilities in code. 

Overall, I would rate the solution an eight out of ten.

My usual use case for Veracode involves integrating automatic scans for each of our pipelines, which starts every month automatically without my intervention. I review the results, and if there are any changes, such as new issues, flaws, or outdated components, I address this task with our developers.

Veracode has improved my organization's ability to fix flaws because before Veracode, we did not even know about issues from the security side. Application security is relatively new in our company. The fact that we started to remediate these issues is a good step towards security, which has positively impacted us.

Veracode's ability to prevent vulnerable code from going into production is excellent. I implemented it as a pipeline into our CI/CD, and if there are vulnerabilities above our level, such as high or very high severities, the pipeline will not build. Developers can contact security personnel if they need clarification.

Veracode has helped developers save approximately 15%-20% of time. Our security posture has improved as expected. 

We do not have many Veracode features yet. We are going to discuss expanding the subscription next year. Currently, Static Analysis is really good at scanning our code for vulnerabilities. Software Composition Analysis is also required for the upcoming rights from the EU Cyber Resilience Act, which is quite useful, and I am using them both. Both features are really important for us since we're using only Veracode.

The areas of Veracode that I would want to see improved or enhanced in the future are primarily related to user interface experience. I noticed they have started working on it as the main page has a new design, but other pages appear somewhat old and not intuitive. The interface needs to be more user-friendly, but otherwise, everything is acceptable.

I have been working with Veracode for approximately a year and a half.

Every time I wanted to work with Veracode, it worked, so there are no downsides. It was available every time.

Regarding scalability, Veracode is really good for our needs. You need many subscriptions because you need to include every developer who produces code. Implementing these features into our normal CI/CD was good, so I can say that scalability is really good.

I have communicated with the technical support of Veracode a couple of times, and this was a really great experience because these professionals know their material. They understood us immediately and helped us with our problems within half an hour. It was incredible. I would rate them a ten out of ten.

Positive

We did not use a different solution before Veracode. Veracode is our first solution.

I did not work directly with competing solutions similar to Veracode, but I attended several meetings with different companies to explore similar tools. They did not provide anything better than Veracode, and since I had already implemented Veracode in our CI/CD, there was no need to change the solution. I only saw Checkmarx as a competing solution. Though I did not try it myself, from what they showed me, it appeared quite similar but was not better than Veracode.

Without the documentation, the deployment and initial setup is complex. I tell my developers who are interested in Veracode that with this documentation, everything is possible because it is really thorough and helpful. At first, it was somewhat complicated, but with the documentation and time, it became a really good experience. After that, it became very easy and quick.

Since the Cyber Resilience Act is in motion, we need to provide static analysis and dynamic analysis, which we do not have right now. We must do it, and Veracode is a great tool for this purpose. We cannot sell our products without complying with this act, so Veracode is helping us achieve this.

When I joined the company, I was given Veracode. The decisions were made before I joined the organization. They had just bought it and needed a specialist for this, and I was the specialist.

I am working with the latest version of the features. Since starting with Veracode, I would rate the benefits as six or seven out of ten. It could be better if we had more high severity issues, but fortunately, we do not. It is a good sign that developers who are not in cybersecurity understand its value.

Regarding the solution's policy reporting for ensuring compliance with industry standards and regulations, I am using standard policies. I rated it five out of ten because we have not used it properly yet.

Veracode provides visibility into application status at development phases. We tried IDE scans for the developer stage of products, but it was not fully compatible with our IDE. It works in CI/CD as mentioned.

We do not currently have the Veracode Fix feature that produces AI-generated fixes. The fact that Veracode does not scan source code, only binary code, does not concern us as we have other tools for that purpose.

I would rate Veracode an eight out of ten.