Security Analyst at a tech services company with 11-50 employees
Reseller
An easy-to-use tool with a helpful community and an efficient technical support team
Pros and Cons
  • "The SAST and DAST modules are great."
  • "It will be beneficial for developers if Veracode Greenlight includes Python."

What is our primary use case?

The solution is used for performing application security processes like source code assessment, dynamic assessment, and SCA.

How has it helped my organization?

We sell the product to our customers. We are a vendor.

What is most valuable?

The SAST and DAST modules are great. The scanning part is also good. It’s pretty easy and convenient to use. Everything is described within the product. Almost everything is available in the community and the guidelines.

What needs improvement?

Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.

Buyer's Guide
Veracode
October 2025
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
873,085 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for almost one year.

What do I think about the stability of the solution?

The tool is stable.

What do I think about the scalability of the solution?

The scalability of the product depends upon the pricing. The price is a bit high for a small company. It is suitable for a large company.

How are customer service and support?

Support is very good. The support team resolves some issues within 24 hours.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I tried a few solutions before using Veracode. Veracode is better because it is convenient to use. The solution’s dashboard and features are pretty good. It is the topmost product among the other tools that I used. It is pretty simplified. Veracode has a lot of options to do authenticated scans. Veracode’s simplified features are helpful for people who use different authentication methodologies.

How was the initial setup?

We are using the SaaS version of the solution. The initial deployment was pretty easy. The CI/CD pipeline has a lot of dependencies, like connecting with Jenkins and Jira. If we directly upload the code to the cloud, we can deploy the product within a single day. If we do it in the CI/CD pipeline, it will take some time.

What about the implementation team?

One person can deploy the product. I haven’t had any maintenance-related issues with the solution. Whatever new vulnerabilities come, they are already updated in the database. Since we are a partner, it will be helpful if Veracode notifies us whenever it releases the vulnerability reports. We cannot always check the portal.

What's my experience with pricing, setup cost, and licensing?

The product’s price is a bit higher compared to other solutions. However, the tool provides good vulnerability and database features. It is worth the money.

What other advice do I have?

Veracode provides policy reporting to ensure compliance with industry standards and regulations. It is beneficial. The product also provides features to create custom policies. Most false-positive cases come under DAST. The false positives depend on the code. Veracode provides around 5% false positives.

The solution shows the vulnerabilities in the code and provides generic remediations for it. We must then search it on Google. The product’s community is also good. Sometimes, the product provides solutions in the community. These solutions work well on the production level.

I have also used the SCA features, which help with identifying vulnerabilities in applications' third-party components. The Veracode user interface is so convenient and easy to use. Anyone can run a scan and generate a report easily.

The solution provides absolute visibility into application status at every phase of development. The users can get visibility through the CI/CD pipeline. The time taken to complete the scans depends on how much code is present in a specific application and how big the application is.

Veracode introduced a new module named Veracode Fix, which automates the fixes for insecure software with AI-generated secure code suggestions where the developer does not have to spend time searching and remediating the vulnerabilities. The developer does not have to spend time searching for vulnerabilities. Sometimes, the tool gives a generic recommendation, sometimes specific recommendations. It will be helpful if it always provides specific recommendations. The amount of time saved hinges on factors such as code complexity, the programming language employed, and the developer's proficiency in secure coding. If anyone uses Veracode throughout the entire process of building an application, from the start of development to the final production stage, it can result in a time savings of around 30% to 40% when leveraging various security measures of the platform.

Veracode has had a good impact on our organization’s overall security posture. If we choose to take the complete Veracode module, we can have security from the initial step to the production phase. 

I would recommend the solution to others. Veracode is in the Gartner Magic Quadrant. It is doing a good job.

Overall, I rate the product a nine out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Chief Software Architect at a tech services company with 51-200 employees
Real User
Has an automatic scanning feature and no issues with stability and scalability, but the time it takes to scan large projects could be faster
Pros and Cons
  • "What we found most valuable in Veracode is the ability to do automatic scans of our software. We've incorporated the solution into our SDLC process, so we take our builds before they get released and put them through scans to ensure any new vulnerabilities haven't occurred."
  • "An area for improvement in Veracode is the time that it takes to scan large projects, as that makes it difficult to fit into our CI/CD pipelines."

What is our primary use case?

We are a software company providing software to paper manufacturing organizations, and we have an extensive ERP product along with many add-on products.

With the need to increase security awareness and vulnerabilities, we decided that we needed to scan our software, so that was how we started using Veracode.

We found Veracode eye-opening because we had many third-party libraries in our application, and we found vulnerabilities and had to upgrade those libraries or seek alternatives.

Our use cases for Veracode were to make our software more secure and provide a better competitive advantage over our competitors by telling our clients that we have secure software.

What is most valuable?

What we found most valuable in Veracode is the ability to do automatic scans of our software. We've incorporated the solution into our SDLC process, so we take our builds before they get released and put them through scans to ensure any new vulnerabilities haven't occurred.

We found Veracode good at preventing vulnerable code from going into production.

We also use the Software Bill of Materials (SBOM) as we run many applications through Veracode. We use SBOM to discover all the different vulnerabilities and what that stack looks like.

We also found Veracode very good in helping us manage risks, such as supply chain, licensing, and security. The solution allows us to see where the risks are and if updates are available and identify how to remediate our software quickly.

Our company also found it moderately easy to use Veracode when creating a report via the Software Bill of Materials. There may be a bit of a learning curve, but once users have done it, they'll run the same report.

As for policy reporting in Veracode to ensure compliance with industry standards and regulations, we have not used the solution that way. Instead, we rely on the different statuses to achieve the levels we want to achieve and be able to use that on marketing material.

Veracode offers visibility into the application status at every development phase throughout the software development life cycle, but we have not implemented that. That feature is built into the development tool, so developers will get alerts as they code, but we plan to do that in the coming year.

We found a moderate false positive rate in Veracode. There were a few false positives. Veracode can identify vulnerabilities, which we found nice. We could flag false positives on Veracode so they don't continue to pop up and hunt them down, and the solution will ignore those in the future.

The false positive rate in Veracode doesn't affect developer confidence in the solution when fixing vulnerabilities because we realized that our application is huge. False positives will happen in large applications just because of the different ways of implementation and features. No toolset can handle all those different features and interactions, so we can't say they relate to vulnerability.

Veracode dramatically impacted our company's ability to have security awareness and achieve a level of confidence that we can put out to the marketplace.

We also saw how Veracode affected our company's overall security posture, explicitly being able to put the solution into automatic scanning mode, then through our SDLC cycles, and achieve a Veracode-verified status. We can use that as a marketing advantage and say that we've achieved Veracode-verified status with one of the leading vendors of security scanning software. We've reached a level of status with them, and we continually scan our software so our clients can be confident that our software has been scanned for security files before implementing a new software release.

What needs improvement?

An area for improvement in Veracode is the time that it takes to scan large projects, as that makes it difficult to fit into our CI/CD pipelines.

One of our app scans times out after two hours, which requires uploading and scanning that particular application manually. Still, there's no visibility into the CI system with the vulnerabilities found. My company cannot incorporate that into the automatic cycle and has to scan manually, so Veracode could improve on that.

For how long have I used the solution?

I've been using Veracode for about two years.

What do I think about the stability of the solution?

Veracode is very stable. I have no concerns with its stability.

What do I think about the scalability of the solution?

Veracode is very scalable from the perspective of ERP applications, though we aren't sure if other clients have applications larger than ours. For reference, we have five million lines of code in our application.

How are customer service and support?

I've contacted the Veracode technical support team and found the support responsive. The team also got back to me quickly. I didn't find any issues with Veracode support.

I would rate technical support as an eight, just because you still need to do manual scans, as Veracode still has not addressed that issue.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used a product called Mend.io, formerly WhiteSource, before Veracode to look at vulnerabilities.

How was the initial setup?

I was part of the initial deployment of Veracode, and it was straightforward because Veracode had excellent training programs and onboarding procedures. The Veracode team also helped along the way and was very supportive in answering questions and keeping my team plugged into any new offerings.

What about the implementation team?

We implemented Veracode in-house with only three people involved.

What's my experience with pricing, setup cost, and licensing?

I found Veracode very expensive, though I'm not the person paying for it. I was surprised to find out how much the subscription costs and that the executive board approved it, but it was a no-brainer because now my company has better security scans.

What I can tell others looking into Veracode but concerned about its price is that the price or cost is justified. After all, you can tell potential clients that your software is better than competitor software because you're scanning it and Veracode-verified.

The verification levels of Veracode are essential because you can use Veracode to start climbing up the ladder to say that your software's even more secure than anybody else because it achieved this level of verification.

In terms of Veracode reducing the cost of DevSecOps in our company, we find that tough to determine because we never had a real concentration on DevSecOps before Veracode. It was forced on us by the fact that the industry was becoming more vulnerable, so now we are experiencing an increase in price in DevSecOps because we're paying attention to it now. We used to skate by and weren't affected by vulnerabilities. Still, because the industry had more vulnerabilities, our customers asked if we were scanning our software, so we had to find a solution and add DevSecOps to address industry needs.

Which other solutions did I evaluate?

I did a Gartner search on the top three solutions and looked at their reviews, and Veracode came out to be the leader, so I just went with the leader from a partner perspective.

What other advice do I have?

My company has a hybrid Veracode deployment. It's a cloud-based solution, so it's tied to the company's automatic build cycles, where you can access and do scans through the cloud.

Veracode doesn't require maintenance. The only maintenance my company performs is fixing vulnerabilities found by Veracode.

Overall, my rating for Veracode is seven out of ten.

I advise others looking to evaluate Veracode to utilize the presales marketing side first. For example, my company was able to utilize Veracode in a presales environment and do the scans to find out how vulnerable my company's software is and compare Veracode with the previous tool, WhiteSource. My company found additional vulnerabilities and was able to do that before signing the contract. It may be best to do a test run of Veracode to find out what the tool is all about and how it looks to your company.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Arnab Paul - PeerSpot reviewer
Cyber Security Consultant at a consultancy with 10,001+ employees
Real User
Good reporting and excellent SAST scan, but the DAST needs improvement
Pros and Cons
  • "Regarding Software Composition Analysis, an exceptional feature is that during a SAST scan, SCA is seamlessly conducted in the background."
  • "I've found that Veracode is not particularly suitable for Dynamic Application Security Testing."

What is our primary use case?

We utilize Veracode in three primary ways. The first is through Dynamic Scans, followed by Static Scans, and Software Composition Analysis Scans. I find this tool to be highly effective. We have various forms of support available. For instance, we can initiate our scans through the CI/CD pipeline or manually if needed. Additionally, we can create separate sandboxes for each of our code modules. Since development involves distinct code modules, each catering to different functionalities, we can conveniently set up corresponding sandboxes within Veracode. This allows us to scan any module whenever required, which is quite advantageous.

How has it helped my organization?

From a SAST perspective, Veracode can prevent vulnerable code from entering production by adhering to our manual checklist.

We haven't utilized the Software Bill of Materials; however, we have employed Software Composition Analysis. Whenever we scan a codebase, any third-party applications or libraries that have been incorporated into the code are automatically analyzed. Subsequently, a comprehensive report is generated. This report outlines the third-party libraries and applications that have been utilized in the codebase, along with their respective versions. Additionally, if any of these versions are found to have vulnerabilities, they are promptly detected.

Veracode is efficient. I have used various other tools such as DAST or SAST, and employing those tools usually takes between five and eight hours. In contrast, Veracode completes the task in two to three hours. For each scan, there is a consultation button available. Clicking on that button allows us to schedule a call with a Veracode support team member. During the call, they explain any issues, clarify why certain problems are false positives, and discuss the reasons behind issue detections. There's also a consolidation part and a support button, where we can raise tickets. I have found that their maximum response time to these tickets is within one day. Before starting the scan, Veracode offers a pre-scan functionality. This functionality performs connection and server checks in the pre-scan phase. It's similar to the SAST side of things for all the tools, where the code base is examined before initiating the SAST application to determine if it's sound. However, in Veracode's case, this is implemented in the DAST system. It checks whether the server is operational, if the provided call scripts are correct, and if the provided login scripts are accurate. This pre-scan functionality doesn't run during the actual scan but rather at the very beginning to ensure that all prerequisites are met. Once everything is verified, then we can proceed to initiate the actual scan.

Using Veracode policy regulations, we can offer predefined rules. When setting up any application, we establish the application name and other necessary details. Following this, there is a section where we can input this information. Essentially, there exist predefined regulations which we can either directly utilize if they suit our needs, or adjust them based on the requirements of our project team. Therefore, we have a pre-existing set of rules and functionalities available.

We do have a dashboard in Veracode that offers visibility into the status of applications. There is a section where we can view the application names, and next to each name, there is a status report such as "The SAST has been completed" or "in progress," and the same goes for DAST.

After the scanning is completed, with other solutions from a DAST perspective, we would receive a report. If there are any false positives, we would have to identify them ourselves. However, with Veracode, one of their engineers or a support team member will verify the information, which helps to minimize the number of false positives.

Before using Veracode, we used to perform many tasks manually. We had a checklist for the SAST. We would go through each line of code, attempting to determine its compliance and level of security. Even with the DAST, we used to carry out this process manually. Completing the DAST scan took a considerable amount of time. For each module, we had to dedicate at least two to three days. However, since adopting Veracode, we can now not only perform this process for each module, but we can also initiate scans for all the modules simultaneously. As a result, we can obtain the results within a maximum of three to four hours. Time-saving for fixing flaws is one of the significant benefits that Veracode has provided us, helping reduce the time by almost 60 percent.

What is most valuable?

Regarding Software Composition Analysis, an exceptional feature is that during a SAST scan, SCA is seamlessly conducted in the background. Once we scan all modules and obtain SAST results, switching to the SCA section reveals the associated reports. This integrated approach eliminates the need for separate SAST and SCA scans, as is required by other tools.

The reporting feature is noteworthy. The reports are well-structured, providing comprehensive details for each vulnerability. Information about the vulnerability itself, its origin, the specific section of code it pertains to, and even the exact line of code involved are all included.

What needs improvement?

I've found that Veracode is not particularly suitable for Dynamic Application Security Testing. Unlike other tools equipped with their own crawlers, Veracode necessitates the use of a Selenium script for crawling. However, the tool's compatibility with all functions is limited, which can be frustrating. For instance, functions like upload, download, or those triggering new tabs are challenging to handle within the DAST section due to Selenium's inadequacies when used with Veracode.

In contrast to other tools where we can monitor requests and responses during a scan, Veracode lacks this capability. The scan initiates, and we must wait until completion to see the results. There's no opportunity to check if the right requests are being sent or if certain components are being excessively targeted. Once the scan starts, we're essentially locked in until it concludes, and only then can we access the results. Furthermore, even after the scan, we're only provided with a summary of scanned URLs and the number of requests made, without the specifics of the request or response contents.

For how long have I used the solution?

I have been using Veracode for four months.

What do I think about the stability of the solution?

Veracode is stable, and we have not encountered any issues.

What do I think about the scalability of the solution?

The cloud version of Veracode can scale according to the file size.

How are customer service and support?

I have engaged in two different types of experiences with technical support. One involves the ticketing system, and the other involves consultation calls. The consultation calls revolved around static analysis. During these calls, we presented all the vulnerabilities we discovered. We conducted our analysis and demonstrated how Veracode identified certain vulnerabilities. However, we also explained instances where these were false positives due to specific reasons. During the call, they acknowledged these issues. They pointed out some of Veracode's limitations, highlighting that it solely scans the code and doesn't consider the framework side. This implies that they accept these limitations. Furthermore, they provided us with insights into how they plan to implement fixes in the future, which is quite beneficial.

Additionally, whenever we had inquiries or doubted Veracode's detection of false positives, they provided detailed explanations. They shared the specific Veracode setup and rules within the SAST side that led to the detection of certain vulnerabilities. They also explained that by incorporating certain mitigations at the code level, these vulnerabilities could be addressed. 

Regarding the ticketing system, for minor issues or questions, we would raise a ticket. They consistently responded within a maximum of one day, providing us with the necessary information.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before transitioning to Veracode, the client had been utilizing a free community version tool. However, the count of false positives was exceedingly high with that specific tool. This prompted the client to seek a solution that could deliver superior results with fewer false positives. As a result, the decision was made to switch to Veracode.

What other advice do I have?

I would rate Veracode a seven out of ten because the DAST has room for improvement.

The maintenance is completed by the Veracode team because we are using the cloud version.

For individuals seeking exclusively SAST and SCA capabilities, rather than DAST, Veracode stands out as the most suitable tool. However, if someone intends to utilize Veracode solely for DAST, I believe they should explore alternative tools. The effectiveness of Veracode's DAST functionality is limited, and using other tools might yield better results. Additionally, Veracode provides comprehensive training resources through its portal, including a list of documents and video tutorials. These resources are readily accessible and offer adequate guidance for initiating the use of Veracode.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Boyapati Sivannarayana - PeerSpot reviewer
DevOps Engineer at Accenture
Real User
Good scanning, manages security risks, and prevents vulnerable code from going into production
Pros and Cons
  • "The deployment mode is very useful."
  • "The pricing is worth it."
  • "It's taking too much time to do a quality scan."

What is our primary use case?

We have data deployments for B2B and B2C with the product. Before, we used a deployment center like Jenkins. We use it for backend content.

What is most valuable?

We've only used the solution for a year; it hasn't been that long.

The deployment mode is very useful.

We like that it can prevent vulnerable code from going into production.

We use the low-level elements and do greenlight deployment through Veracode.

It helps us manage our licensing and security risks. However, we are in the implementation process right now. So far, it's okay and working fine.

It's good that we can do a full code scan, front to back, or vice versa.

We mostly use the policy scan and vulnerability scan.

The security is okay.

What needs improvement?

The reporting can be difficult. It's not very easy.

It's taking too much time to do a quality scan. It hasn't saved us much time. Deployment was three or four months ago. We did a policy scan using a greenlight deployment. When we do the deployment in Jenkins, we can do it faster. In Veracode, it can take four hours or even eight hours.

We don't like how long it takes to do a deployment. It should deploy more quickly.

For how long have I used the solution?

I've used the solution for a year.

What do I think about the stability of the solution?

While there is no lagging or crashing, it takes too much time to deploy. 

What do I think about the scalability of the solution?

We haven't had any issues with scalability. That said, currently we are not scaling. Previously it was fine. Currently, we're not scaling. 

How are customer service and support?

Currently, we do not use support. We don't communicate with them. 

Which solution did I use previously and why did I switch?

We have used SAP and Jenkins in the past.

How was the initial setup?

The deployment takes too long.

I was not directly involved in the deployment of Veracode. I generally use Jenkins only.

Two people are typically involved in the deployment. 

Every week, on Friday, we put the servers down, and every Monday, we put them back up, to save on costs.

What about the implementation team?

The deployment is automated using Jenkins. We just need some parameters to deploy the code to the environment.

What's my experience with pricing, setup cost, and licensing?

The pricing is worth it. However, users need to go through the documentation first to get a handle on the implementation. Users might need the help of a support platform.

Which other solutions did I evaluate?

We did not evaluate other options before choosing this solution.

What other advice do I have?

I'm not sure how much visibility we are getting using the solution. 

The false positive rate we haven't really looked into. We need to learn more about it.

We are just end users, not partners. 

I'd rate the solution eight out of ten. 

It's a good idea to look at the documentation. Be very cautious when implementing servers.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2249226 - PeerSpot reviewer
Executive Assistant at a tech company with 51-200 employees
Real User
Performs static analysis, dynamic analysis, and software composition analysis
Pros and Cons
  • "Veracode offers various security features."
  • "The technical support service has room for improvement."

What is our primary use case?

We use Veracode for its code analysis features, which include static code analysis, dynamic code analysis, and checking for security flaws in our code. Mainly, we utilize Veracode for application security, making code security one of our primary use cases.

How has it helped my organization?

Since implementing Veracode, we have seen significant improvements in our code's security and the overall code development process. Veracode has been instrumental in enhancing our code security and streamlining the development workflow. In the past, we relied heavily on third-party applications that were not directly aligned with our codebase. However, now we can seamlessly integrate Veracode into our application process, saving a substantial amount of time. Veracode has not only improved our security setup but also enhanced the overall security of our organization.

Before implementing Veracode, the same process that used to take one hour now only takes 15 to 20 minutes.

Veracode's policy reporting for ensuring compliance with industry standards and regulations is good. We can integrate numerous reports, and the positive reporting feature is also highly commendable.

Veracode provides visibility into the application's status at every phase of development.

Veracode works very well overall, and our security has been greatly improved, significantly impacting our ability to fix flaws.

The security process has been improved. Before using Veracode, we used to perform it manually. However, at that time, there was no application that could be integrated with the code. Now, with Veracode, we can directly integrate it with our code. As a result, security checks are being done automatically, saving us 30 to 40 percent of our time.

What is most valuable?

Veracode offers various security features. Veracode performs the analysis using three different methods: static analysis, dynamic analysis, and software composition analysis. These security features are the best, and the most valuable features.

What needs improvement?

Veracode's ability to prevent vulnerable code from going into production is commendable. However, we have encountered numerous cases of false positives that need improvement.

The technical support service has room for improvement. There are times when we rely on them, but we are not receiving an adequate response.

The stability has room for improvement.

For how long have I used the solution?

I have been using Veracode for one and a half years.

What do I think about the stability of the solution?

Veracode is stable, but there is room for improvement.

What do I think about the scalability of the solution?

Veracode is highly scalable. We have not had any issues with scalability. 

Which solution did I use previously and why did I switch?

Before I joined my organization, they used a third-party application to check code. Since I joined, we have been using Veracode.

How was the initial setup?

The initial setup was somewhat complex. The deployment took a couple of weeks because we needed to resolve numerous technical issues that we had to understand first. We had six people involved in the deployment.

What's my experience with pricing, setup cost, and licensing?

Veracode's price is reasonable.

What other advice do I have?

I would rate Veracode an eight out of ten. I recommend Veracode to others.

Veracode's false positives significantly impact our developers. When we encounter numerous false positive cases, we are required to conduct extensive reviews. How much it affects our developers depends on the number of false positive cases we are encountering and the significance of addressing them concerning the criticality of writing the code.

Veracode can save time in our DevSecOps process, but it may not significantly reduce costs.

Organizations that have security flaws in their code and seek to enhance their core security can consider Veracode as one of the best options for investment. Veracode is easy to implement and can effectively address the flaws in the code, provided that cost is not a significant concern.

Maintenance is required from time to time, specifically regarding false positives. We need to verify whether the system is functioning properly and communicate with the support team. The intervals for these checks occur after approximately 30 or 60 days, which we have selected, and we must strive to improve the system during these instances.

Veracode is deployed at two locations within our organization.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Manager IT at a tech company with 201-500 employees
Real User
Provides compliance reporting so we can identify issues without having to rely on complaints
Pros and Cons
  • "I believe the static analysis is Veracode's best and most valuable feature. Software composition analysis is a feature that most people don't use, and we don't use SCA for most of our applications. However, this is an essential feature because it provides insight into the third-party libraries we use."
  • "We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them."

What is our primary use case?

We have multiple verticals and products, and we use Veracode to perform static analysis on our hosted applications across all the platforms. We also perform static and software composition analysis on a couple of products.

Our offices are spread out across North America, South America, Europe, and Cyprus. We also have offices in Australia that use the solution. About 25 to 30 people use the solution regularly. 

How has it helped my organization?

Veracode has greatly improved the security posture of our applications because we can identify and mitigate vulnerabilities that we couldn't have without the solution. Veracode provides compliance reporting so we can identify issues without having to rely on complaints. Veracode has been extremely effective at fixing flaws in our applications. We have multiple applications across multiple verticals.

Veracode or any other solution like it doesn't prevent anything. The product provides insight into the vulnerabilities, but it's up to the end-user to mitigate that and move it into production. If we fail to remedy the issue and move the code into production, it isn't Veracode's failure. We can't judge the product based on whether it could do that. The product is doing what it should be doing.

In addition to dynamic and static analysis, we can perform software composition analysis, which involves going into the various libraries to retrieve details about that. We see a few false positives in Veracode but not many. It's negligible. 

Veracode has saved our developers time by identifying and reporting flaws. The developers don't need to spend time checking the code by hand. It reduces the time spent on these tasks by about 10 to 20 percent. 

What is most valuable?

I believe the static analysis is Veracode's best and most valuable feature. Software composition analysis is a feature that most people don't use, and we don't use SCA for most of our applications. However, this is an essential feature because it provides insight into the third-party libraries we use.

What needs improvement?

We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them.

For how long have I used the solution?

I have used Veracode for the last five or six years, but the company has used it for nearly 10. 

What do I think about the stability of the solution?

Veracode is a highly stable product.

What do I think about the scalability of the solution?

I haven't had a scenario where we've had to scale it.

How are customer service and support?

I rate Veracode technical support nine out of 10. They are excellent. When we have problems, they provide a solution every time. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We had been using a third-party service for vulnerability checking. 

How was the initial setup?

The deployment is a little complex. There is a small learning curve, but it isn't too difficult. The installation isn't hard, but we need to configure the dynamic analysis where it connects to a hosted application and performs checks. We have to configure the console and set a schedule. It takes a couple of hours to configure a new application.

What was our ROI?

We have been able to mitigate lots of flaws and vulnerabilities, so Veracode has had a positive effect on our products. It's hard for me to quantify. Our company has a large footprint across Asia, North America, South America, and Europe. 

What's my experience with pricing, setup cost, and licensing?

Veracode is fairly priced. 

What other advice do I have?

I rate Veracode eight out of 10. I would recommend Veracode to other users. However, I suggest doing a proof of concept before moving forward with any solution. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
LSA at a consultancy with 10,001+ employees
Real User
The CI/CD integration is valuable, prevents vulnerable code, and provides end-to-end visibility
Pros and Cons
  • "The CI/CD integration is the most valuable feature of Veracode."
  • "Veracode needs to improve its integration with other tools."

What is our primary use case?

We use Veracode for static code analysis scans for our clients.

Veracode is deployed both on the cloud and on-premises.

How has it helped my organization?

Veracode helps prevent vulnerable code from being deployed into production by identifying problematic code. It enables us to send a report to the application developer, allowing them to address the vulnerabilities based on their criticality level. The developers are given six months to address medium-level issues and three months for critical ones. If the criteria are not mapped with the higher critical alerts present in those applications, we can enforce the build field and proceed without deploying it into production.

Veracode has helped improve our customers' organizations through the scanning taskbar, which identifies vulnerabilities in code. We have worked with ten clients, all of whom used Veracode to identify vulnerable code early in the development stage and resolve the issues. Additionally, Veracode offers Greenlight ID, which developers can integrate into their development process, providing clarity during the development phase. Veracode can also generate reports that developers can resolve, facilitating the quick resolution of security concerns.

The policy reporting for ensuring compliance with industry standards is excellent. The report helps us maintain our compliance.

It offers visibility into the application's status at every phase of development, including static analysis, dynamic analysis, composition analysis, and manual penetration testing throughout the Software Development Life Cycle.

Visibility aids the DevSecOps process by offering a clear framework for all involved departments, including the steps for handling severities.

Veracode assists our clients in addressing flaws by simplifying the process. The security team can review the code, approve or reject it, and developers can utilize the reports to promptly rectify the flaws.

It assists developers in saving approximately 20 percent of their time, primarily in the static part, as they no longer need to review all the code. Regarding the dynamic part, Veracode scans all the URLs, eliminating the necessity for developers to use additional tools. For third-party dependencies, developers depend on the reports and the Greenlight ID plug-in to streamline their workflow and save time.

Our clients depend on Veracode to improve their security stance.  

What is most valuable?

The CI/CD integration is the most valuable feature of Veracode. This feature is not present in other solutions.

What needs improvement?

The analytics dashboard is not user-friendly and can be improved to assist us with the application size and enable modifications, whether for static or dynamic scans. This is currently missing in Veracode.

Veracode needs to improve its integration with other tools.

We have requested an enhancement for Veracode because it does not support scanning the static and dynamic elements of code created by MuleSoft. Furthermore, it does not support these aspects for the new generation of applications and we have to use other tools.

For how long have I used the solution?

I have been using Veracode for over seven years.

What do I think about the stability of the solution?

If there is an issue, I am unable to access all the logs due to insufficient permissions, which causes delays.

What do I think about the scalability of the solution?

Veracode is scalable. To increase the scale, we simply need to increase the number of licenses.

How are customer service and support?

The technical support team's response time is inadequate. Typically, they fail to provide assistance beyond the initial call due to the limited knowledge and inability of the first-level support to resolve issues effectively. I have been dealing with a single issue for three weeks without any resolution.

How would you rate customer service and support?

Neutral

How was the initial setup?

The vendor handles the deployment, and we simply need to install the ISM agents on our network. The deployment time depends on the size of the application. Large applications may take up to five days to scan, but on average, it takes one or two days.

What's my experience with pricing, setup cost, and licensing?

The pricing depends on the functionality each client desires. For example, one of our clients only wishes to scan two applications, so they pay for that specific service in addition to our organization's third-party access to their system.

What other advice do I have?

I give Veracode an eight out of ten.

20 to 30 percent of the false positive rates are vulnerabilities. Sometimes, almost 50 percent of the reports are false positives, which affects the time spent on tuning policies.

The false positives increase the amount of time our developers need to spend investigating the reports. 

Veracode offers static analysis, dynamic analysis, and composition analysis all in one place.

We are a team of five individuals who assist in deploying and managing Veracode, along with handling other tasks.

Our client base varies depending on their budgets, but we serve a large number of organizations in the financial industry.

I recommend Veracode. The solution is on par with the others, and organizations can read the reviews and run some tests before making a purchase.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
reviewer2187363 - PeerSpot reviewer
Sr. Web Application Security at a tech vendor with 10,001+ employees
Real User
It's good for static scans and compliance, but it takes a long time to deal with the false positives
Pros and Cons
  • "The CSCA vulnerability scanning is useful."
  • "The dynamic scanning feature works, but it doesn't work properly for some of our applications. It doesn't allow us to skip. They claim that we can do this, but it doesn't work when we're scanning the applications in real-time."

What is our primary use case?

We primarily use Veracode for static code analysis.

How has it helped my organization?

Veracode detects vulnerabilities. The most essential part is Veracode's PCI compliance policies. We need to make sure our code is compliant. Veracode's policy reporting features are effective at ensuring compliance with industry standards and regulations. The policy has changed here, but that functionality works quite well. It provides visibility to application status at every development stage. 

The solution helped us find and fix flaws. It ultimately saves us some time, but we still spend a long time sorting through the false positives. Every report generates a number of issues, some of which are valid. Others are mitigated by application design or network devices. Veracode improved our security overall. There is no doubt about that. 

What is most valuable?

The CSA vulnerability scanning is useful. 

What needs improvement?

The dynamic scanning feature appears to be working; however, 90%-95% of all vulnerabilities could be easily detected by any web browser.

When it comes to dynamic scanning, Veracode needs to improve its functionality.

They claim that we can do this, but it doesn't work when we're scanning the applications in real time.  

Static code analysis generates too many false positives, so it takes a lot of time to review them all. The security and development teams need to work together to mitigate the false positives. It doesn't affect the developers' confidence in the solution. It still works, but it takes time. It has a significant impact on the process. 

For how long have I used the solution?

I have been using Veracode for five or six years.

How are customer service and support?

I rate Veracode support a seven out of ten. We have weekly meetings with the support representatives to discuss any issues with the tool. It's pretty good.

How would you rate customer service and support?

Neutral

What other advice do I have?

I rate Veracode a five out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user