Coming October 25: PeerSpot Awards will be announced! Learn more

Veracode Manual Penetration Testing OverviewUNIXBusinessApplication

Veracode Manual Penetration Testing is #2 ranked solution in top Penetration Testing Services. PeerSpot users give Veracode Manual Penetration Testing an average rating of 8.6 out of 10. Veracode Manual Penetration Testing is most commonly compared to Cobalt.io: Veracode Manual Penetration Testing vs Cobalt.io.
What is Veracode Manual Penetration Testing?

Veracode Manual Penetration Testing leverages the skills of experiencedpenetration testers combined with automated application security testing scan results to dramatically reduce risk in an application. Penetration testing is necessary to catch vulnerability classes -such as authorization issues and business logic flaw -that cannot be found through automated assessments alone. Veracode’s serviceuses a proven process to provide extensive and comprehensive security testing results, including attack simulations,for web, mobile, desktop, back-end, IoT applications, and DevOps environments. Results from all assessmentscan be found within Veracode’sSaaS portal, simplifying reporting for internal stakeholders, regulating bodies, customers, and prospects.

Veracode Manual Penetration Testing Customers

Security Design & Eng in the Finance Industry

Veracode Manual Penetration Testing Video

Veracode Manual Penetration Testing Pricing Advice

What users are saying about Veracode Manual Penetration Testing pricing:
"Its cost for what we needed it for was too high. It wasn't too high for other companies and it was competitively priced, but for us, it just didn't fit. We did plan to use it and increase the usage. In the end, it may have been abandoned because of the cost, but I'm not a hundred percent sure. So, even though we had planned on using it more and more, because of the cost and the business conditions of things, we didn't have the opportunity to really use it more."

Veracode Manual Penetration Testing Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
EricOlson1 - PeerSpot reviewer
Application Security Program Manager at a tech services company with 5,001-10,000 employees
It integrates seamlessly with other CICD solutions
Pros and Cons
  • "I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far."
  • "I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you."

What is our primary use case?

Manual Penetration Testing is a security tool for static code scanning. It's still in testing, so the client has it in their commercial cloud. As soon as it's federally approved, they'll move it to the government cloud. That's supposed to happen any day now. I think their government cloud is AWS. I believe they're looking at the dynamic piece as well.

What is most valuable?

I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far.

What needs improvement?

We're still trying to get things operationalized, piloted, and tested. I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you. 

For example, it would be nice if the solution used AI or machine learning to detect what your code was by doing. It could perform the review and decide how to package up the software. You could run it and wouldn't need as much developer involvement.

For how long have I used the solution?

We've had Veracode in place for about three or four months now.

What do I think about the stability of the solution?

I haven't heard anything negative about Veracode's performance, and we've had a hundred people test it at one time. We may get to a point where see some degradation, but we haven't yet. 

What do I think about the scalability of the solution?

Manual Penetration Testing looks relatively scalable. We won't know those things until we get a critical mass of people testing all at the same time. We have around four teams that are scanning continuously, or on a fairly regular basis at this point. So.

How are customer service and support?

I'm happy with Veracode's support. We're getting the help we need. I meet with them weekly, and they answer our questions.

Which solution did I use previously and why did I switch?

We haven't worked with something like this before. This is the first time the organization has picked up this type of scanning solution.

How was the initial setup?

Setting up Manual Penetration Testing wasn't complex. None of these solutions are complicated. You get it, set it up, and run it. It has been deployed. They're already scanning, and more developers are being onboarded. 

We followed the implementation strategy provided by Veracode. One person is probably enough to onboard people and set them up. We need one person to concentrate on the strategy and ensure the systems are set up correctly.

What about the implementation team?

We deployed Manual Penetration Testing ourselves, but we have an arrangement with Veracode to provide the necessary professional services to support us. Consulting is part of the package they provide.

What was our ROI?

We used it to scan and detected a vulnerability, and they're trying to use it to identify how to fix the problem. That's the only example of an ROI we've got so far. 

What's my experience with pricing, setup cost, and licensing?

I'm not familiar with the costs, but I believe it's around half a million. I'm not sure how it compares to the other solutions, but I assume they're all in the same ballpark. HCL might have been a little less expensive.

Which other solutions did I evaluate?

I think someone at my company was looking at SonarQube, but whoever did that didn't go forward with a commercial version. I don't know how it would've worked out, and I didn't look at it. There was a community version someone had for years, but it never got the traction. 

Then I looked at HCL, Synopsis, and Cast. Cast is deep but highly expensive. Those were the Cadillac solutions. We went with the SaaS because they did not have anything that was on-premThey wanted something that would be in the gov cloud that we fed ramped and low maintenance on our side. 

What other advice do I have?

I rate Veracode Manual Penetration Testing nine out of 10 for support and ease of setup. If you're considering this solution, I suggest trying it out and taking the opportunity to learn and teach yourself. Take some classes or online training. I found the solution pretty straightforward, and I'm not terribly technical. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Senior Software Developer at a pharma/biotech company with 201-500 employees
Real User
Top 5Leaderboard
A robust and full-featured solution that provides a good analysis of the vulnerabilities
Pros and Cons
  • "The analysis of the vulnerabilities and the results are the most valuable features."
  • "It can have more APIs and capabilities to handle other things well. We were doing a trial for it. There were two things that I looked at: one was uploading some Java-related content and the other was uploading database SQL files and having the review done on the quarterback. The Java portion of it worked fine, and it was pretty seamless, but the database portion was not. We uploaded some files to use for vulnerabilities, and the tell-all portion of it was pretty easy. We uploaded a war file and Java files, and we got the reports back on these. They were pretty clear to understand. We did the same thing for the database portion for the most part. However, the content wasn't getting uploaded in a predictable fashion, and it was slow and hard to get done. We had to do it over and over. After it indicated that the content was uploaded, there were no results. There were zero search findings. It was possibly a user error, something that we didn't do correctly, but they had acknowledged that it was something they were currently enhancing. This is something that could be made easier if they haven't already done that. I don't know how many releases they've had in that timeframe. I haven't looked at it since then. It was a trial period."

What is our primary use case?

We used it for initial discovery and analysis and for reviewing the product. We were doing a trial. We had uploaded code on the Veracode server for analysis.

We used the cloud service or the cloud website where you could interact and identify the artifacts that you wanted to be reviewed, analyzed, and reported on. There was a plugin that we used with some of our IDs. It probably was Greenlight.

How has it helped my organization?

It pointed out some areas to be improved that we were not aware of. That was very helpful because if you don't know that there is a problem, you can't fix it.

What is most valuable?

The analysis of the vulnerabilities and the results are the most valuable features.

What needs improvement?

It can have more APIs and capabilities to handle other things well. We were doing a trial for it. There were two things that I looked at: one was uploading some Java-related content and the other was uploading database SQL files and having the review done on the quarterback. 

The Java portion of it worked fine, and it was pretty seamless, but the database portion was not. We uploaded some files to use for vulnerabilities, and the tell-all portion of it was pretty easy. We uploaded a war file and Java files, and we got the reports back on these. They were pretty clear to understand. We did the same thing for the database portion for the most part. However, the content wasn't getting uploaded in a predictable fashion, and it was slow and hard to get done. We had to do it over and over. After it indicated that the content was uploaded, there were no results. There were zero search findings. It was possibly a user error, something that we didn't do correctly, but they had acknowledged that it was something they were currently enhancing. This is something that could be made easier if they haven't already done that. I don't know how many releases they've had in that timeframe. I haven't looked at it since then. It was a trial period.

What do I think about the stability of the solution?

It seemed fairly stable other than the database portion where the SQL files didn't seem to get uploaded.

What do I think about the scalability of the solution?

I didn't think there would be any concerns. We didn't exercise that. We didn't, in other words, try to upload gazillion artifacts and files. We just uploaded a few just to see how they handle it. It seemed fairly robust.

There were about ten Java and database developers who were using this solution. We were all collectively reviewing it and getting feedback on it.

How are customer service and technical support?

We didn't use their technical support.

Which solution did I use previously and why did I switch?

There was no other solution.

How was the initial setup?

I wasn't that involved in the setup. I was basically a reviewer after it was all done.

What about the implementation team?

I don't think there was any in-house work. I think it was just all on their server. We didn't have any equipment or any software per se other than just downloading a plugin or IDE, which essentially did the same sort of code analysis.

What's my experience with pricing, setup cost, and licensing?

Its cost for what we needed it for was too high. It wasn't too high for other companies and it was competitively priced, but for us, it just didn't fit. We did plan to use it and increase the usage. In the end, it may have been abandoned because of the cost, but I'm not a hundred percent sure. So, even though we had planned on using it more and more, because of the cost and the business conditions of things, we didn't have the opportunity to really use it more.

Which other solutions did I evaluate?

There were a few other solutions we had looked at, but they didn't seem to be as robust. They also didn't have good reviews. That's why we chose this solution.

What other advice do I have?

It is a robust software service for security analysis. It seemed to be pretty full-featured. We didn't exercise every single thing. Just a few of the features didn't seem to be up to snuff for our needs.

I would rate Veracode Manual Penetration Testing an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Alon Mantsur - PeerSpot reviewer
Chief Executive Officer at Cybrella
Real User
Top 5Leaderboard
Deployment was easy, configurable, and simple to manage

What needs improvement?

There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved.

For how long have I used the solution?

We have been using the solution for approximately three months.

How was the initial setup?

The installation was straightforward.

What other advice do I have?

I rate Veracode Manual Penetration Testing a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Raj Nachiappan - PeerSpot reviewer
Director of Solutions Architecture at VetsEZ
Real User
Top 20Leaderboard
Penetration Testing solution used by development team for static code analysis

What is our primary use case?

Our development team use this solution for static code analysis and pen testing.

What needs improvement?

The runtime code analysis could be improved so that we can see every element in one place.

For how long have I used the solution?

I have used this solution for two years. 

What other advice do I have?

I would rate this solution an eight out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user