Veracode Reviews

We scan various types of software codes, such as codes or applications built in languages like C, Java, Python, PHP, and Ruby, among others. We assess the code quality using Veracode.

Veracode prevents 90 percent of vulnerable code from being introduced into production.

Previously, in our organization, we did not have a dedicated workflow or a tool for capturing code vulnerabilities. After the code passed the testing phase, it was directly implemented in production. However, since implementing Veracode and launching it, we have been able to identify vulnerabilities beforehand. As a result, our code now goes into production without any vulnerabilities. Only after ensuring this, do we allow it to go live.

Veracode provides visibility into application status at every phase of development.

Based on our experience, Veracode quickly and effectively identifies false positives.

Our project teams understand the importance of conducting code scanning in addition to code development and Veracode testing. This ensures that any flow issues are addressed before proceeding to the next phase. It has become ingrained in their approach.

Veracode has helped our developers save time by assisting in fixing the vulnerabilities that could have had disastrous effects if they had gone into production.

Veracode has had a tremendous impact on our security posture, particularly in one region in Asia where Veracode is being used for security testing and vulnerability assessment. Now, other regions, including the US, have also recognized its value and started adopting Veracode.

Static Scanning is the most valuable feature of Veracode.

Veracode's policy reporting, which ensures compliance with industry standards and regulations, is valuable. It would also be helpful to have a specific example that we can relate to in order to better understand it. Currently, the information is scattered, so precision would greatly assist us.

Veracode can be improved in terms of software composition analysis and related vulnerabilities. For instance, when an application team provides us with their software code, we perform code scanning. During this process, we often encounter software composition analysis vulnerabilities that require the application team to upgrade their Java file from version X to version Y. We then communicate this to the application team, and they proceed with the upgrade. Once the upgrade is complete, we conduct a rescan. However, during the rescan, Veracode may identify compatibility issues with the upgraded version Y. This situation puts the application team in a difficult position, as they may be unable to accommodate this change within their project schedule. Therefore, this is an area where I believe Veracode could make improvements.

The technical consultation can be enhanced to effectively address the communication variations among different regions.

I have been using Veracode for three years.

Veracode is 100 percent stable.

Veracode can scale to meet our maximum requirements.

There are cultural differences in the way we communicate with people from different countries. So, when a Japanese person is talking to an American, the rapid conversation provided by the American technical support person may not be easily understood by the Japanese individual. As a result, instead of having just one discussion or consultation with Veracode, we end up having three to four consultations.

Neutral

I give Veracode a ten out of ten.

We are using Veracode in multiple locations and departments.

Veracode does not require any maintenance.

Veracode is an extremely user-friendly tool, operating through a web interface. Additionally, the support and guidance offered by the Veracode team are excellent. Considering all of these factors, I believe Veracode should be the choice for anyone.

We use Veracode for static web application scanning, and we've been using Vericode for our ethical hackers as well.

We have a dev, UAT, and staging environment. Veracode is included as a part of our DevSecOps in the staging environment. That means that when code is promoted to our staging environment, it automatically initiates a Veracode scan on our application.

The output and the recommendations given by Veracode are very useful. We are able to mitigate some of the vulnerabilities that the tool shows us. We are maintaining very clean applications with the help of the scanning we do with Veracode.

If any critical or high-risk vulnerabilities are detected in our code, we don't move it to production until we get a clean report. While we allow moderate and low-risk findings, we stop if it's critical or high. We do a scan on our staging whenever new code is promoted. Effectively, Veracode helps us to prevent moving the code to production if we detect any abnormalities.

Our application is an external-facing application and that means we have to proceed with the utmost caution when we promote code. Veracode has certainly been very helpful in giving us more accurate results and ensuring that our application does not have any vulnerabilities.

Veracode keeps developers aware of the possibility that issues will be identified. Once a vulnerability is detected, developers are careful to abide by the recommendations given by Veracode the next they are involved in new development. That's a positive regarding the solution. It helps improve the development process. We also share findings with the other development teams, so that they don't make the same mistake. We document the best practices so that the same flaws are not detected again. To that extent, our developers' time is optimally utilized.

Ours is a Java-based application and Veracode can detect vulnerabilities in both Angular, which is used for the UI, and also in the backend code, which includes APIs and microservices. That's one good aspect and something where other applications have a lower rating. Veracode gives us wholesome insights into the vulnerabilities in the application, both in the UI and in the backend.

Also, the false positive rate is good. I don't have any qualms about using Veracode.

The scanning on the UI portion of our applications is straightforward, but folks were having challenges with scans that involved microservices. They had to rope in an expert to have it sorted. In addition, one of my developers told me that they looked at the documentation that was given but still required the involvement of an expert to get the issue fixed. I would like the documentation to be a little more user-friendly.

Also, the turnaround times could be improved. From what I've heard, the scanning takes a bit of time to complete. If it could be completed a little more quickly, that would help.

We've been using it for five years.

There have been a couple of instances when the scan stopped or aborted and had to be manually triggered to complete. Other than that, there haven't been any challenges with Veracode

We used to have a tool called CAST, which determined code quality. It wasn't a security tool or scanner.

As an application manager, I certainly find Veracode very useful. It definitely improves the robustness of the application. It detects every single small or large flaw and helps us with the appropriate recommendations. I would go with Veracode unless there is a product that is equally capable but with a lower price.

Right now we have it on-prem but we are moving toward the cloud in the next six months or so. We've started that journey. I don't think there have been any difficulties in maintaining the pipeline. We've never had any challenges since we introduced Veracode as part of our DevSecOps pipeline.

For my application, it has definitely been a great tool. It ensures that your application is devoid of vulnerabilities. Go for it.

I'm using it to troubleshoot and know the issues in my code and resolve them as soon as possible.

Veracode helps me to understand and resolve vulnerabilities in my code. It's very good to have, and what's most interesting is that the Veracode Greenlight gives me real-time output and resolution. I can also schedule calls with the security experts for any resolution. It's good for understanding and resolving issues that my code might have.

Veracode definitely helps in creating a secure environment for both the company as well as the clients. Our clients require their data to be secure. They also require a stable solution. Veracode is helping me in developing a good product. It provides full information and also helps in a quick resolution.

Veracode is secure, and it has coding standards. It helps me in penetration testing and application security consultation. It exposes common vulnerabilities. The static scan is very good, and it gives me valuable information and a very good recommendation of how I can fix it.

We can integrate Veracode for both static and dynamic analysis to reduce the risks in the application and prevent vulnerabilities. A significant benefit is that you have a risk-free code. It minimizes the risks.

It gives visibility into the application status at every phase of development. There is Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout SDLC.

Veracode has been very important and helpful in creating stable products because we are able to identify issues in the code and then create powerful and stable products for clients.

Veracode provides all details regarding the issues and the way to resolve them. It makes it easy for me as a developer to understand the issue in a better way. It improves a developer's confidence in the solution when fixing vulnerabilities.

Veracode has saved a lot of our time. It has saved us about 45% time.

Veracode has enhanced security. We are able to identify what is missing and what are the issues in the code. When we know that the code has an issue, we are able to make sure that we correct it. Veracode has helped us a lot in providing a stable, secure solution to our clients.

Veracode has helped us to develop faster because it's so straightforward. It has clear documentation that you can use to create a very good and stable environment for developers to collaborate and create a unique solution.

IDE Scan is the most important feature, and then you have SCA and Platform Scan.

I like the fact that it can be used at any stage of application development. I use scanning with a particular piece of code. There is an extension that helps me to create my code easily in Visual Studio and then find flaws before deploying the code. It's definitely benefiting me and the organization. It's so quick and easy to create a code and then deploy it live.

It's easy to create reports. It works very well. It's straightforward, and it does not require a lot of time. It's a straightforward platform that you can use for performing scans or mitigating issues. It has a very good user interface. FAQs are also helpful in case you are not familiar with it. It's good and straightforward when you integrate it with machine learning platforms.

It's very expensive for a small organization.

I have been using it for a year and a half.

It's a very stable solution.

It's scalable enough. Veracode is being used in the engineering department. It's being only used in one department by two people. It's a developer tool for developing solutions faster, troubleshooting, and debugging.

Their support is good because there is an option to request a consultation. If you face any issue or any difficulty with the scans or mitigation, they can help you out. The support service for me is very costly, but you also have a well-organized FAQ and a very big community for asking questions and getting a solution. I'd rate their support a 10 out of 10.

Positive

I haven't used a different solution. This is the first solution I've used.

I was involved in its deployment. It took me one week to implement Veracode. The process was straightforward. If you are lost or have any issues, you can read the documentation.

I implemented it.

It's not so huge to provide a lot of return on investment, but it's helping us to have a stable solution. It's a secure platform, but in terms of the return on investment, it hasn't made a very good impact yet. We have only seen 10% to 15% ROI.

It has reduced the cost of DevSecOps for the organization because we can use one platform to develop, troubleshoot, and debug faster, so it has helped us a lot.

It's very expensive, especially when you are a very small organization. If you're using Veracode at an individual level, for example, you're a developer or you run agents, the pricing might not affect you, but if you're using it at a company level to troubleshoot security issues, the pricing is not quite favorable. It may affect ROI.

Veracode is good. It's for organizations that want to give their customers both security and privacy. It's good in case you want to dive deep into the code and get the flaws that could be dangerous to both the organization and the customers using an application. If you are looking to create a good application that is also secure, I'd recommend Veracode.

Overall, I'd rate Veracode a 9 out of 10.

Our primary use cases are uploading and assigning scans, uploading compiled codes into the sandboxes, and searching marks to determine whether scans have been completed.

We have multiple locations, teams, and endpoints; we're a worldwide telecommunications company with over 2000 internal and external apps. Some apps communicate from the outside to the inside, but every app goes through Veracode.

We have to scan about 2000 apps, and we're already at 366 scanned within the year's first two months. Additionally, the company has been using Veracode for years; both are testaments to the solution's efficiency.

The platform provides visibility into application status at every phase of the development- Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Testing throughout our SDLC. In terms of DevSecOps processes, the solution makes them quicker and smoother, with less confusion.   

Veracode positively affects our organization's ability to fix flaws; we have a particular app at the moment that failed the scan twice due to its vulnerabilities. Without the solution, we likely wouldn't get that.

The solution has positively affected our organization's overall security posture and will continue to improve it. 

I like the sandbox, the ability to upload compiled code, and how easy it is.

It's also straightforward to find scans we've uploaded. 

The solution's ability to prevent vulnerable code from going into production is incredible. I have done several consultations and remediation calls with the app team, and Veracode catches almost everything. It picks up the same issues in everything we scan, and we've done a lot of retests that way; the tool is very proficient in this area.  

Veracode helps our developers save time; it's a straightforward product that shows us the vulnerabilities and allows us to relay them back to the developers. This is faster and more efficient than staff going through the code manually. The solution is like having a proofreading app for our code rather than using a proofreader.  

The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary.

We've been using the solution for a month and a half. 

Veracode is very stable; unlike many programs and apps, I've never had a problem with it.

The solution is scalable; we're a global telecom company, and we use it to scan every one of our over 2000 apps. 

The technical support is excellent. 

Positive

I'm unfamiliar with the solution's pricing, but it must be worth the cost from a company perspective, as we have been using it for years and have no plans to move away from it.

The product was in place long before I arrived at the company, so I don't know if they evaluated other options.

I rate the solution 10 out of 10. 

I recommend Veracode to any company looking for this type of platform. Though I need to become more familiar with competitor products, I like going into programs and clicking around. Even if I don't initially understand something within Veracode, I can keep going and make sense of it. I updated my resume to include my new experience with the solution.

Veracode reduced the cost of DevSecOps for our organization; we upload a scan, run the test, get the vulnerabilities, and set up a remediation meeting. This makes communication more manageable, and the information is more visible, as all our staff can access the scan results. In several instances, we've consulted with employees from the Veracode side, and they've been very helpful in walking our app team and testers through whatever vulnerabilities we've had issues with.  

I am a software engineer, and one of my clients needed Veracode for security requirements. We needed to send the code through some security tools to see if there are breaches or malicious code that could attack the company. In this case, the client used Veracode to scan third-party libraries from our application. Veracode was running on a private cloud using Azure. 

Veracode helped us prevent possible security breaches. The team can anticipate and correct issues earlier instead of waiting for someone to find the issue or discover it when your application is attacked. 

The report is good because it has lots of security information. It isn't related to the code itself, like the line of the code or the connected library that contains an issue. It's sometimes difficult to figure out how to solve that.

Veracode saves time in the development process because we can anticipate security issues in an application. On the other hand, from a software development perspective, it could be a technical increase in depth. After we develop a feature in the application and run Veracode, we might find some security issues we need to fix. 

For example, we spent a month building a feature on an application, but during this month, Veracode found a security issue in the third-party library we were using and reported it. If we had found the issue mid-development, we would need to rebuild the solution. Sometimes, it might increase the technical depth of the application because this type of security flaw was not found previously in our daily work. 

Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered.

We waste a lot of time figuring out which results are false positives, and it has affected our trust in the tool. After we've spent time training and setting up the tool correctly, we need to scan our code and remove all the false positives. Finally, it's good enough to identify our security issues.

We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process. 

This hasn't happened in .NET or C# because we use can all the libraries used when coding. In JavaScript, it's tough, and we spend tons of time trying to find the issue. However, it's not a problem because it's a pre-compiled language. This isn't unique to Veracode. Black Duck does the same thing.

Maybe Veracode could automatically detect the language type first and improve the way it scans JavaScript to reduce the false positive rate for this specific language. Also, in the reporting area, it could connect to the source code Veracode uses for the third-party library.

When Veracode finds security issues, it creates a report with the number and description of the issues. Sometimes, we are not able to connect that issue with the third-party library containing the code and applications the developers are building. The relationship between the flaw in the code and the third-party library could be more apparent because developers may not realize that the root cause is the library, not the code itself. 

The compliance features are good, but it's pretty picky in terms of what it considers a security issue. I and the other developers struggle to understand what is flagged as a security vulnerability. If you can see a security issue in there, you can see all the documentation, but it's difficult to relate that to the code to determine why the issue happened. It could be clearer how to find the issue in the structure of the code. 

I'm not using Veracode anymore, but I used it for eight months in the last year. 

Veracode is stable overall. When we start the process on the Veracode side, the report generates in less than a minute, and we can see the issues. I don't have any problems with stability.

I used a tool called Black Duck when I worked for another company two years ago. The client chose to use Veracode. It wasn't my option. 

We put Veracode in our pipeline, so the process runs automatically during development. It isn't something we can run manually. There are scripts that run when we start. There isn't any maintenance on the developer side. A designated team takes care of all this.

I don't think we've seen a return on this, but it's hard to calculate because you have to estimate the value of a breach that hasn't happened. This is the main benefit of using this tool. I don't know how to measure that.

I rate Veracode eight out of 10. It can help you improve your security by identifying and preventing issues faster. At the same time, you should know that using Veracode will lengthen the development process because the team needs to check and correct issues. It could increase your development costs. 

Using Veracode has challenged us to be more conscious of security. Sometimes, developers just want to build code. This tool allows you to check if the code or libraries are secure enough to add. 

The most valuable features of Veracode Static Analysis are its ability to work with GitLab and GitHub so that you can do the reviews and force the code.

I have been using Veracode Static Analysis for approximately five years.

The stability of Veracode Static Analysis is good.

I rate the stability of Veracode Static Analysis a nine out of ten.

We have approximately 900 people using the solution.

The solution is scalable, but there is a high cost attached to it.

I use SonarQube with Veracode Static Analysis.

The initial setup of Veracode Static Analysis was reasonably quick.

We did the deployment of the solution in-house.

The price of Veracode Static Analysis could improve.

Sometimes the model that Veracode pushes forward for you to use isn't beneficial. I advise companies to use SonarQube and Veracode together because we use SonarQube for all the individual developers to scan and do their checks and tasks before they do a full peer review to make sure that they have it clean and it's understood. We then use Veracode Static Analysis for repository control because you need fewer licenses. Veracode Static Analysis is expensive and this is why we split the two solutions.

There are extra costs per developer and it can get expensive quickly. They charge approximately $25 a month for each developer that uses it.

I rate the price of Veracode Static Analysis an eight out of ten.

I would advise people to use Veracode Static Analysis in the final levels of deployment. For example, when you used another tooling, such as SonarQube to do the initial tasks with the developers, then for peer reviews it is best to use Veracode Static Analysis for making sure that your repositories are controlled and managed properly.

I would always advise people to deploy at least two tools, one at a lower level to do the peer-to-peer that is cheaper, such as SonarQube because close to being free. Then use something, such as Veracode for the repository control and the management control of your data cubes.

No solution is a hundred percent perfect. I wouldn't rate any solution a 10 because they've all got faults. SonarQube might pick something up that Veracode Static Analysis doesn't and vice versa.

I rate Veracode Static Analysis a seven out of ten.

We use Veracode Static Analysis in the IDE for our engineers to be able to catch security issues while they're coding. Additionally, we use it for the Veracode verified program to show that we're scanning and compliant, and we get the third-party seal of approval.

It's a scanning security, static analysis code scanning software.

Veracode Static Analysis has benefited our company because we are catching potential security issues earlier in the pipeline. Before anything goes to human code review, Veracode Static Analysis catches issues as the engineer is working in their IDE.

The most valuable feature of Veracode Static Analysis is the scanning.

Veracode Static Analysis can improve the false positive. There are always improvements that can be done to the false positive rate. There are some things that get flagged that are not an issue. However, it is not a huge concern.

I have been using Veracode Static Analysis for approximately 18 months.

Veracode Static Analysis is stable.

We have got 5 million lines of code and it hasn't choked at all but seems to run just fine.

We have approximately 40 users and most of those are frontline engineers. Additionally, we have security officers who use it to run reports and team leads that use it for training. We plan to increase our usage when we have new deployments.

I rate the scalability of Veracode Static Analysis a ten out of ten.

I have not used the support from Veracode Static Analysis.

We used HCL AppScan prior to Veracode Static Analysis.

The deployment can be done in approximately 10 minutes. We use Bitbucket Pipelines and Veracode Static Analysis is integrated into our deployment pipelines.

I rate the initial setup of Veracode Static Analysis an eight out of ten.

We did the deployment of the solution in-house. We typically can do the deployments with one person.

I cannot say we have had a return on investment because we haven't had any security incidents, but we didn't have any before using Veracode Static Analysis either.

The price of Veracode Static Analysis is expensive. There is an annual fee to use the solution and the company is upfront with the pricing model and fees.

I rate the price of Veracode Static Analysis a three out of ten.

We evaluated Checkmarx and Synopsys before choosing Veracode Static Analysis.

My advice to others is if they use Veracode Static Analysis they are using a very solid solution. You get what you pay for. It's an expensive solution, but it's very good. You're going to save a lot of time and a lot of headaches with fewer false positives, but you're going to pay for it. It's good if you want to automate something into your pipeline and it's going to run fast and give you good results. I would choose Veracode Static Analysis, but be cognizant of the cost.

I rate Veracode Static Analysis an eight out of ten.

Our primary use case for Veracode is SAST and SCA in our SDLC pipelines. We also use it for DAST on a periodic basis and time-based scans on our staging system. We use the trading modules for certifying all our developers annually.

In addition, we use Veracode to scan within our build's pipeline. We do use Greenlight, which is their IDE solution for prevention of issues of vulnerabilities.

We are FedRAMP certified as a company, so we use this as part of our certification process for Veracode ISO 27001 and various other certifications we have.

There is a tight integration of Veracode with JIRA. We use JIRA for nearly all of our issue tracking.

This integration provides a way to link all of the vulnerabilities discovered to our backlogs and active scrum queues, so that there's high visibility within teams for any of the issues that are related to their teams.

I think the most valuable to us is the policy management, which enables us to create different kinds of policies for different kinds of applications. Veracode policy management also allows us to plan for, track against, and report on our compliance with those different policies.

I think the biggest room for improvement is around known or accepted vulnerabilities that, when we re-scan, we want those things to be recognized as already accepted, as an exception. Sometimes they show up as something new and we have to go back and re-accept that as an accepted exception in order to bring our numbers back into compliance. I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity.

I would also like to see more executive reporting. Having a good snapshot of how well we're tracking, where each of the teams that own the applications, how they're doing, and where their gaps are would be good. Currently, the reporting is geared towards tracking current vulnerabilities. Even though they have trending, the trending doesn't necessarily evaluate the teams and how well they're doing. I would also like to be more oriented towards teams.

Overall, I would give Veracode a nine out of 10.

The company's been using Veracode for five years. I've been using it for four years.

Veracode is stable in my opinion. We've had very little interruption that was unplanned.

We have not run into an issue with scalability yet. Veracode was built based on application counts and not users, which is what a lot of the competitors do.

We have some 300 people using Veracode. Some are executives while others are engineers actively working in Veracode. 

Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed.

Positive

We have used Veracode the entire time I have been with this organization. However, I know that they used Coverity and WhiteSource prior to switching to Veracode. The main reason my organization chose Veracode is its comprehensive dashboard. 

Our deployment took a while so I would say the initial setup was moderately complicated. We gradually moved into the pattern we are in today and displaced some other vendors along the way. So it was a slow ramp for us because of our business needs.

We were up and running and operational within a couple of months. And then, over time, we broadened our footprint with Veracode.

We deployed Veracode in-house. 

Our biggest return on investment is maintaining certifications that enable us to attract customers of larger scale and government-sensitive customers.

Going back to the cost structure, I think that the way Veracode is priced and their comparison to third parties, I still put them at four out of five.

Veracode recently introduced some pricing based on microservices. This model gives us a lot of flexibility in being able to add and remove microservices and scale them that way.

The pricing is solid. I think with the current consolidated pricing that we have is pretty consistent every year.

All of the Veracode applications operate as one platform. Most of the competitors out there separate their products from their reporting and configuration, so you don't get a single pane of glass. With Veracode, you get a single pane of glass and reporting that you can combine with the different scan types to look at compliance.

The advice I would give regarding this solution is this: Look at the policies, the dashboards, and integration with ALM applications like Veracode and JIRA. They have a tighter integration there that I see with most of the competitors.

I'm sure that the scan quality is consistent. Perhaps there's some applications that are a little better than others at detection. But we find that Veracode is very comparative to other things you solutions the quality of catching vulnerabilities.