Veracode Pros

Stephen Pack - PeerSpot reviewer
Software development program leader at Vendavo
The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly.
View full review »
KB
Sr. VP Engineering at a tech vendor with 51-200 employees
There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place.
View full review »
MT
Software Architect at Alfresco Software
The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful.
View full review »
Buyer's Guide
Veracode
November 2022
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
653,522 professionals have used our research since 2012.
Karen Meohas - PeerSpot reviewer
Information Assurance Manager at xMatters
In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application.
Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers.
View full review »
SS
Head Of Information Security at a media company with 51-200 employees
The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA.
View full review »
Srinivasa Rao Kuruba - PeerSpot reviewer
Manager, Information Technology at Broadcom Corporation
It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage.
View full review »
SM
Principal for the Application Security Program and Access Control at a engineering company with 10,001+ employees
The time savings has been tremendous. We saw ROI in the first six months.
View full review »
Mauro Verderosa - PeerSpot reviewer
Cybersecurity Expert at PSYND
Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool.
View full review »
KE
Cybersecurity Executive at a computer software company with 51-200 employees
The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code.
View full review »
RL
Security Architect at a financial services firm with 1,001-5,000 employees
The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards.
View full review »

Veracode Cons

Stephen Pack - PeerSpot reviewer
Software development program leader at Vendavo
The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it.
View full review »
KB
Sr. VP Engineering at a tech vendor with 51-200 employees
I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results.
View full review »
MT
Software Architect at Alfresco Software
Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated.
Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access.
View full review »
Buyer's Guide
Veracode
November 2022
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
653,522 professionals have used our research since 2012.
Karen Meohas - PeerSpot reviewer
Information Assurance Manager at xMatters
The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most.
View full review »
SS
Head Of Information Security at a media company with 51-200 employees
The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs.
View full review »
Srinivasa Rao Kuruba - PeerSpot reviewer
Manager, Information Technology at Broadcom Corporation
When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications.
View full review »
SM
Principal for the Application Security Program and Access Control at a engineering company with 10,001+ employees
There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed.
View full review »
Mauro Verderosa - PeerSpot reviewer
Cybersecurity Expert at PSYND
Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly.
View full review »
KE
Cybersecurity Executive at a computer software company with 51-200 employees
Scheduling can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had.
View full review »
RL
Security Architect at a financial services firm with 1,001-5,000 employees
The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved.
View full review »
Buyer's Guide
Veracode
November 2022
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
653,522 professionals have used our research since 2012.