Veracode Reviews

Veracode helps scan applications for security purposes to ensure they are safe before deployment. The solution is continuously monitoring the security of our infrastructure and workflows. About five people use the solution across our organization. 

Our security posture has improved since we implemented Veracode because our developers have a better understanding of the security risks that may arise due to some actions we take on various projects and tasks. We're more aware of how vulnerabilities can be introduced into our daily work. 

Veracode has reduced the amount we spend to remedy security risks by about 60 percent. Security testing is much easier than before. The time needed to address vulnerabilities can affect the workflows and lead to late delivery of our services across customers. It has helped us to mitigate risks by effectively monitoring workflows. The conditional scanning procedures we previously used have been replaced by modern systematic algorithms.

Veracode saves time and costs because it's flexible in terms of an organization's data requirements. It can provide data intelligence from various work platforms and guidance on the best practices for security mitigation so we can safeguard our data in various work processes.

The solution enables us to establish a strategic policy management infrastructure to monitor the performance of each application periodically and report on the security performance. The dynamic analysis gives us feedback from time to time and performance metrics inside the program interface. 

This platform is one of the most efficient and effective tools for upgrading applications to meet an organization's performance standards and policies. It helps us improve our development because sometimes the coding procedure might not reflect the latest threats. 

Veracode's most valuable aspect is continuous integration. It helps us integrate with other applications so that it can monitor the security process. By continuously scanning our applications, we can mitigate risks that may arise in some workflows. It streamlines compliance, policy management, and reporting on various data analytics. We use it daily to gain insight into our work processes.

The solution is built into our SecOps program. It offers modern policy management, essential support, and analytics features. It's efficient with fast and powerful risk-mitigation tools.

I think Veracode could integrate some advanced technologies to better address new threats as they arise. 

We have used Veracode for about a year.

Veracode has been a stable product. We've had some downtime, but it has performed well overall. 

I rate Veracode support a nine out of ten. Veracode's support team has always been helpful. When we contact them by phone or online chat, they respond quickly with a solution within the time frame established in our support contract.  

Positive

Deploying Veracode was straightforward, and we had help from the vendor's support team. Our deployment team has six members, and the whole process took about three weeks. 

After deployment, the product requires some maintenance. We sometimes face some networking challenges that require repairs, and we need to periodically update some tools.

Veracode is a good investment, and I can recommend it to anyone who is looking for the best security tester. I estimate that we saw a 60 percent ROI this year, and it continues.

Veracode is a little costly. It's cost-effective for a large enterprise, but it may be too expensive for small businesses. 

I rate Veracode an eight out of ten. I would recommend it to others who need to do testing for application performance or security and risk management. 

The most important purpose of this platform is code security. We are able to scan our code and find security flaws.

Veracode has saved us a lot of time because we have been able to reduce manual processes. We are able to do most things automatically with the platform. It has saved us between 30 and 40 percent of our time.

The main feature, and one of the most important, is the static code analysis. We are able to complete an analysis of the security flaws with this platform. It's very good at helping us find and fix flaws.

The sandbox environment is also one of the features we are using as well as integration with our CICD pipeline, which is very useful. The product is pretty easy to understand, which is quite good.

The policy reporting for ensuring compliance with industry standards and regulations also helps us a lot.

It gives us visibility into application status at every phase. We have definitely seen an improvement in that regard.

I'm pretty new to this platform. I'm going with a trial right now and have been using it for about a month. We have spent most of our time analyzing the code.

It's a stable product.

It is also very scalable.

The support team could be more responsive, and the dependency of users on the support team is too high and should be reduced.

Neutral

This is the first such tool we are using.

The initial deployment was not very complex. It took us around 15 days because we were trying to understand the policies and many other things. Our team has 15 people and everyone was involved in making some decisions regarding the solution.

We have only needed help with the product itself. That's what we have reached out to their team for. But there hasn't been any maintenance of the product for us.

The pricing is a bit high. Although we are in a trial phase, if we are going to make the decision to purchase the software, the pricing is going to be high for us.

We are able to justify the false positives because security flaws are one of the biggest things that Veracode's features help us with.

Overall, the product is good. It has made a very good impression. There are some flaws, as I have mentioned, but overall it looks very good, with the features I've mentioned. The impact on our security has been good. The main challenge for us will be the pricing, but if we ignore that factor, the impact has been very good and we would definitely implement Veracode.

I would suggest having a look at Veracode. Go for a trial of the system to see if Veracode is something that can help solve your problems. Pricing should be ignored because there are definitely some very specific features that help a lot. 

Because Veracode is more interactive than Secure Code Warrior, the big benefit for our organization will be that the developers will not just get the blue team excited, but they will learn to think like the red team, like an attacker. The interactive labs will help developers see that some of the red team attack methods aren't that hard to do, and that will bring them more security awareness. 

Because developers will see exactly how you do a certain type of red team attack or exploit, they will understand that it's important that they don't think, "Oh, this could never happen." And when they realize that some of the attack methods are not so hard to implement, they will secure the code base and fix the vulnerabilities that already exist.

For example, when I tried SQL injection labs, I learned new ways to make those, and that is extremely valuable for me because. If I'm working with a code base, I can know exactly how to mitigate SQL injection, because not all systems are using Hibernate. I've been on code reviews where I could actually point out things related to injection, which is something I wouldn't have been able to do without Veracode.

Another big benefit for our organization is that it is more interactive and fun, in a way, than Secure Code Warrior. Developers will engage and spend more time in Veracode.

It has had a good effect on my security posture because the labs are very informative with current information, showing you some of the things that could be done by attackers if your code is done incorrectly. I have retained more useful information in a fast manner.

And if we talk about scanning, we will see advantages there as well. For example, I'm working on a Java project and because Java is a high-level language, it's hard to make code errors. But if I worked with C or C++, the scanner tool would be very good. If you take the OWASP dependency checker, for example, it goes through all the third-party dependencies which are often where the trouble is in a Java project. However, I have heard that you can upload the necessary files and it will go through the third-party components as well and, in that case, it's very beneficial for the organization to have such a tool.

It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that.

I like the web interface of the interactive labs and the information there. It's very well done by those who developed it, and it works very well. It's very fun and you get to learn new things and think like an attacker. It's not like on TryHackMe, but the information I got from doing the labs here was information that I didn't have before. The quality of the information was really good.

When I started to use Veracode, there were a lot of policy documents and I actually have a habit of always reading those. I haven't made a list of all the regulations and policies and how well it complies with all the security regulations, but from what I could see, it is aligned with security regulations and certifications. And in the lab environment, they have divided things into different topics like OWASP top-10. That is very actual and follows the security guidelines that are commonly accepted by organizations today.

I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase. I actually talked to the CEO of an IT security company in the United States because he ranked the top-10 IT security risks this year, and one of the biggest risks was new vulnerabilities or attacks would occur because of ChatGPT and similar services. To defend against those it's very important that the good guys use AI in ways that are good instead of bad.

I have been using Veracode for about two weeks. I recently got access to Veracode to test it. I've been spending a lot of time on it, working with it in the lab environment. I have also tried out the scanning tools for code bases, but I mostly have experience working with it in the lab environment.

I haven't used it for very long, but I have never experienced any problems with the stability.

We are an enterprise-size company and I know that our security employees are using Veracode and some of the developers as well, but I don't know to what extent developers are using it. It's pretty widely used across our organization.

I give their technical support a very high grade. I was in contact with them with an inquiry I had, and there was a very fast response time. They took my request and prioritized it. They were nice as well, and that's how you want support to be, although not every support team is like that.

Positive

I was previously working with Secure Code Warrior which is very different, but it's within the security field.

I've been using the security platform TryHackMe a lot, which also has a web console, but I wouldn't pay for the kind of console window that TryHackMe had. It has a lot of good aspects, so no disrespect to them; I learned a lot from it. But I understand how hard it is to create that and Veracode has managed to do so in a responsive way that works well. It's very impressive.

Scanning tools are a big safeguard for getting vulnerable code out of production. It's almost mandatory today to scan applications because there are so many attacks happening in the world right now, no matter which solution you use.

I was very pleased when I tried Veracode because I hadn't heard about it before, but it was much better than I thought.

We're using Veracode Static Analysis for scanning security vulnerabilities.

Once the image is built in the container, we send it to Veracode Static Analysis for static analysis assessment, and the tool scans it. The tool then provides us with information on vulnerabilities in our code and the third parties, then provides recommendations on how to solve vulnerabilities, and that's helpful.

What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities. My company is mainly worried about security vulnerabilities, so it's beneficial that the tool identifies security-related vulnerabilities.

Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement.

I've used Veracode Static Analysis for one and a half years, and I'm still using the tool.

I didn't find any stability issues with Veracode Static Analysis. It's a stable tool.

Veracode Static Analysis is a scalable solution. My company has between one hundred fifty to two hundred microservices, yet the tool can scan cost-efficiently without issues.

Veracode Static Analysis has good support. There's a channel where my team communicates with support, raises tickets, then support will give you a call, though there were a few times when support struggled on specific cases.

The IT team set up Veracode Static Analysis, but it's a bit complex.

We deployed Veracode Static Analysis in-house.

We have not reached the point where we see ROI from Veracode Static Analysis because we're still assessing it, but there are so many vulnerabilities. If we fix some of the high-priority vulnerabilities not reported by the customer, and zero them out or reduce them, then we see value from the tool. Those high-priority vulnerabilities are less than manageable because they have multiple levels or layers.

To my knowledge, licensing for Veracode Static Analysis is paid yearly by my company.

We compared Veracode Static Analysis with other vendors, including SonarQube, and went with Veracode because it had more value than others.

Twenty-five to thirty people from the development and QA teams use Veracode Static Analysis, but my company is still learning the best way to reduce the load. There's no plan to increase the tool's usage for now.

Based on my initial analysis, I'd recommend Veracode Static Analysis to anyone looking into implementing it, as it's a good tool.

My rating for Veracode Static Analysis is eight out of ten.

For every application we develop, we want both static and dynamic security scans done before deploying them.

The solution helps us to verify if our code is error-prone or has any OWASP security flaws. It has also reduced our scanning time, but it's difficult to say by how much.

Also, the scanning process helps a lot when it comes to improving standards and best practices. If we scan multiple times and we get the same warnings again and again, it helps us to identify that there's something we need to rectify, overall, in our standards and processes.

In addition, the solution has helped to increase our security and development teams' productivity.

On the whole, Veracode has improved the quality of our code and the end product. It has reduced our security debt by 40 or 50 percent. It helps protect our application from external attacks.

It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase.

It also gives us a centralized view of issues and that is important because security is key to any application. We want to identify the flaws as early as possible. The centralized view means that everybody can see the report and remediate accordingly.

I would like to see improvement on the analytics side, and in integrations with different tools.

Also, the dynamic scanning takes time.

We have been using Veracode for more than six years.

It's a stable product.

We have about 30 to 40 developers using the solution. We use it on a weekly basis but I can't comment on whether we will increase our use of it. That depends on our product.

Technical support is average. They take some time to respond.

Neutral

We didn't use anything prior to this.

The ROI for us is that it improves our code quality and helps remove security flaws. It is an essential tool.

It does root analysis, but fixing things is up to us. Also, it doesn't require much maintenance.

I would highly recommend it.

We use it for static scans. It is mandatory in our company for every sort of project.

Veracode provides the organization an understanding of security bugs and security holes in our software, finding out if the software is production-ready. It is used as gate management, so we can have a fast understanding if the software is suitable for deployment and production.

My job is to help projects by getting the data integrated in Veracode. I don't own the code or develop code. In this area, I am a little bit like an integration specialist.

We use Azure and AWS, though AWS is relatively fresh as we are now just starting to define guidelines and how the architecture will look. Eventually, within a half year to a year, we would like to have deployments there. I am not sure if dynamic scanning is possible in AWS Cloud. If so, that would be just great.

The possibility to integrate Azure is very valuable because you can have every build integrated into the content integration pipeline. So, you can have every build scanned and determine when a new bug was introduced. Thus, you can keep great track of your code's security.

You can easily integrate it with Azure DevOps. This is an added value because we work with Azure DevOps. Veracode is natively supported and we don't have to work with APIs.

Third-party library scanning would be very useful to have. When I was researching this a year ago, there was not a third-party library scan available. This would be a nice feature to have because we are now running through some assessments and finding out which tool can do it since this information needs to be captured. Since Veracode is a security solution, this should be related.

I would recommend that they keep working on the integrations. For Azure DevOps, the integration is great. I am not sure what the integration possibilities are for the Google platform or AWS, but I would suggest every other platform should have this easy and great integration. It takes a lot of time for companies, so this feature is a big plus.

I have been using it for about three years.

There have been no issues at all. There has been no downtime registered.

I worked with the technical support to integrate some things. One of our private cloud providers only had old routers. It was possible only to open network connections to IP addresses, while Veracode only provided the URL in their guide. So, I asked the technical support if it was possible to provide some fixed URLs that we could give our provider since it is unfortunately against the concept of the cloud to provide the IP addresses that work just for some time. The technical support's response was within a day, and it was prompt and clear. Also, all their reasoning made sense so the support was very good. I would rate the technical support as 10 out of 10.

Positive

We also use SonarCloud, which is a code quality tool. We use both of them because both these platforms are good in some areas. While the Veracode is very good at finding security-related issues, the SonarQube Sonar suite is very good at determining code quality. Also, when I was looking into the topic, the SonarQube team answered that there is no point for them to go further into code security since there are already great competitors who have years of experience and development behind them, specifically mentioning Veracode as masters in their field. That is the reason why we use both solutions: We benefit from using them both. These solutions compliment each other.

I evaluated WhiteSource Bolt specifically for third-party library scanning, but I did not have a lot of time to create a proper PoC. I had a call with WhiteSource and told them that I would like to do a PoC, but I was not very satisfied with their support. It was like, "Just try the free solution then contact us again." However, the free solution didn't provide me enough things to make a decision. So, I just put it off until sometime possibly in the future. If Veracode offered third-party scanning, then we wouldn't need WhiteSource Bolt at all.

If you have Azure DevOps and would like to understand your code and how secure it is, then there are not a lot of better options. Also, there are not many choices in this area at the moment.

Once your code is scanned by the static scan of Veracode, you get some evaluation scores based on some criteria. For the management, when it is above a certain number, it is fine, but when it is built below, then it is no-go for production. Even though there is a possibility to create a sandbox environment for projects, they don't get it. That is understandable to me. I try to explain to them that there are no issues if you are working in a development environment and you get difficult scans. It is fine then because you can create a sandbox environment, which will not screw up or make the production releases worse because it is in a separate bucket.

We are happy using the solution. I would rate it as nine out of 10.

When code is being developed by our developers, the testing team runs through the static code application scanning and takes a look at how it is working out.

There are multiple code check-ins happening. When check-ins occur, we want to make sure that anything that needs to be tested, whether in that particular unit, or whether in the end-to-end functionality, is scanned and that the code is certified as usable. That's the first step we do, and it's a very important one. The scanning process helps our security team and developers fix flaws in the code and increases our fix rate.

Veracode SCA also reduces scan times because it scans incrementally. There is an initial baseline when the code is being created, but it does any additional delta check-ins fast and gets us the information.

We have been able to handle the overall code review process faster, because of Veracode's static code analysis. For example, we were able to onboard around 120 applications in seven to 10 months.

Another benefit is that it helps reduce security debt. It becomes much easier to run through the overall code. We have predominantly used it for shift-left, testing code much earlier from a security standpoint. Compared to when we started versus now, we have done a phenomenal job. Year on year, our security debt has been continuously decreasing by 10 to 12 percent.

Veracode takes the burden out of manual code reviews, helping to create secure software. The Greenlight feature helps the developer, at his desktop, before his code is even checked in. He gets a good understanding of how things look from a security standpoint, meaning how secure his code is. It will mitigate a lot of basic vulnerabilities at the start. And then, during the source code analysis, once it has been checked in, we have seen a 30 to 40 percent reduction in dynamic vulnerability identification because of the static code analysis that precedes it. Our vulnerabilities are at the dynamic standpoint. It's one of our most important requirements because we want to make sure that we provide a secure product and services. It's of paramount importance.

And as an educated guess, it has increased security and development teams' productivity by 7 to 9 percent, and that's a month-on-month increase.

The main feature we have been using is the software composition analysis, which provides us with a scoring system in terms of version 3 of the CVS. A lot of vulnerabilities are typically detected, but, at the end of the day, we also want to check how well they are being targeted, based on the Common Vulnerability Scoring system. Not every vulnerability is high-severity, because some of them do have fixes. That particular feature is helpful for us.

It gives you JSON output. When you do agent-based scans, at any point in time, there are multiple check-ins of the code. We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVS core, and that makes things much easier. It's available on the new version of the Veracode SCA agent.

It also has a decent support system for audits. From that perspective, they did a very good job.

The mitigation recommendations are the standard ones, but if there are specific activities that come into the picture, Veracode should provide more remediation solutions. Since all of our team members are pretty good at what they do, they're able to do a good job with the information they get. But if somebody had to start off from the ground floor, they might need some help to understand things.

Veracode doesn't really help you so much when it comes to fixing things. It is able to find our vulnerabilities but the remediation activities it does provide are not a straight out-of-the-box kind of model. We need to work on remediation and not completely rely on Veracode.

Also, there are certain third-party libraries that might be called up by the code and that might have vulnerabilities. I haven't seen that Veracode is able to deal with that aspect. 

Another area for improvement is when the code's logic might have certain flaws that can result in a security vulnerability. Veracode doesn't handle that as well. Improvement in those areas would help us determine things much faster.

I've been using Veracode Software Composition Analysis for about five years.

It's pretty robust.

The scalability is very good. 

Our users are developers and security testers, predominantly. The number of people using it depends on the project. Sometimes we have 10 people on it and at other times we might have only five.

The teams that work on it take care of maintenance, so we do not need any additional team to do that. We also have a center of excellence that takes care of things.

The solution's technical support is good.

Positive

We did not have a previous solution.

The process of setting it up was fast and easy. Integrating it into our ecosystem was much faster than expected. That was one of the biggest ways it improved our ability to get the code analysis done. 

The reason why it was straightforward is that everybody knows how it has to be set up. All the developers and the testers are well-educated, from a Veracode standpoint, because they have experience with it from the past. It was not a new tool on the block.

The cost has been an important aspect for us, but we have run with the additional cost of the overall code analysis. One of the major reasons is that developers get a better understanding of where their code stands before a security tester gets into the picture. The cost-benefit for us is that, rather than having to build up a whole security testing team, developers get security insights earlier in the development lifecycle. After that, we can introduce the testers to get things finished, and that reduces the manpower cost.

Compared to the typical software composition analysis solutions, Veracode is not so costly, although the static analysis part of it is a little costlier. It depends upon the ecosystem you are using, whether your application is a web application or a custom, non-web application. It can support all of them. The pricing depends where you are at with your overall security strategy.

If you have multiple applications and you want to scale it at an enterprise level, this is a good tool. But a very small shop might not want to go with it because there are a bunch of alternatives that work well. Again, it depends upon where you are at on your overall software AppSec journey.

In terms of security breaches, the static code analysis is what we use to try to ensure that an application is free of vulnerabilities. But when you deploy it in the environment, there are multiple aspects that might contribute to a breach. It could be either due to the infrastructure or another application or even through endpoint network solutions. So, we cannot completely rely on Veracode to prevent security breaches but it can reduce them.

Veracode SCA reviews the code and allows us to provide overall information in terms of vulnerabilities. It does a pretty decent job. We are used to Veracode, having used it for a long time. Compared to when we started, all the developers are comparatively more confident and happy with it.

There are three areas where we started using Veracode immediately. One is static component analysis. The second is their static application security test, where they take a static version of your code and scan through it, looking for security vulnerabilities. The third piece is the DAST product or dynamic application security test.

We also use their manual pen-testing professional services solution in which they manually hit a live version of your product and try to break it or to break through passwords or try to get to your database layer—all that stuff that hackers typically do.  

One of the big things for us, and something that I realized because of my experience with engineering teams for more than 20 years, is that when it comes to security, changes are happening so fast. The vulnerabilities are being uncovered so quickly that we cannot go at this alone. No matter how big an army of engineers you have internally, who scan systems, study security engineering best practices, and do a lot of research, there is no way for an individual organization to keep up with everything that's going on out there. Leaning on an expert like Veracode, a company where this is their only job, is absolutely critical for us and game-changing. It really took it up a notch for us in terms of identifying challenges before they occur.

We were using best-coding practices already, but the question was, is that good enough? The first thing we got out of Veracode was a quick validation of our processes. They said, "Oh this is great. What you've been doing is extremely good. Now keep doing what you're doing from a design and development perspective." But, yes, the world is changing so fast that we also want to make sure that we stay ahead of best practices.

When OWASP, which is the main group that puts out lists of the top ten security issues, updated their list recently, Veracode provided it to us, even though it was something that was right off the OWASP website. When you're with Veracode and you're talking about it, your engineers pay extra attention to it. They look through it and they think about what they can do better when they code. We felt we couldn't go at it alone. We needed a partner. Veracode has been a great partner so far for us.

The four products we have from Veracode give us visibility into application status and help to reduce risk exposure for our software. That is one of the things we like about Veracode a lot. There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place. Having one area where we get all these results, rather than having to run around and pull reports together from four or five different places, is very helpful to us.

The solution has also definitely reduced the cost of application security for our organization. But the point is almost moot. Thinking about security engineering costs in a silo doesn't make sense anymore. You need security to be integrated completely into your product. Ten years ago, or even five years ago, we would have hired a couple of security engineers who would have been solely and entirely responsible for software security. They would have done their best using some integrated tools and some manual tools. But in no way would they be close to being as efficient and capable as Veracode's tools.

Hiring engineers would be a bad idea because, aside from their being more expensive than Veracode's tools, guaranteed, two security engineers are not going to come close to identifying all of the issues and challenges that Veracode is uncovering for us. Veracode has a large team that is constantly learning, growing, and engaging the industry as a whole, to understand the latest and greatest for security best practices and security vulnerabilities. Two engineers don't have the time to do that much work. To me, it's not even a question of budget. It's more a question of leveraging an industry leader that has core competency in this area. We need a partner like that to work with us.

With the static component analysis, they scan your code statically and they look specifically at third-party libraries and at any third-party code that you have in your product for vulnerabilities, updates, and changes in licensing. For example, if one of them changed from a license that allowed for more changes on your side to something that is more restrictive, they would flag that for you so that you can evaluate it and know immediately that you need to take some action. They keep abreast of the latest and greatest regarding third-party components. That has been good and very helpful for us to know how secure our product is as a result of using third-party libraries, as we didn't write that code.

The SAST component looks directly at our own code and any best practices we haven't followed and whether there is a security challenge or loophole. We get immense value from that as well. They've been able to flag items and say, "While this is a low-risk item, we would suggest you refactor it or add it to your roadmap to close that loophole, just in case a very clever hacker tries to get around your system. That has been very helpful to us too.

And the SAST is very quick. It sniffs through the product very quickly and almost immediately gives us the results we need. Static analysis is something you do every once in a while, in a very regimented and rigorous way, so you don't need it to be super-duper fast, but you need it to be efficient. You don't want to wait days for them to give you an analysis. And Veracode's static analysis comes back in a very short period of time.

With the DAST, you provide their product with a dynamic instance of your operational product, by pointing the dynamic testing tool at your product. It beats it up, pokes around, and tries to find ways to penetrate its defenses and find security issues and challenges within your product.

Veracode also has a very good report that gives us best practices regarding ensuring compliance, and we can go back to them for additional consulting. We've not had to do that. We typically scan through it and say, "Okay, it's good that it meets those best practices." We rely on them to make sure that their products are kept updated, so that we don't have to review a lot of these standards issues.

Also, as we did our analysis of Veracode, we loved the fact that they are completely integrated into GitHub. You can trigger everything using GitHub Actions. You don't want to go too far out of the application, move something into another repo, and have to write or copy and paste it over. Veracode easily integrated into our GitHub repos.

One thing I would strongly encourage Veracode to do, early on in the process—in the first 30 days—is to provide a strong professional services-type of engagement where they come to the table with the front solution engineers, and work with their customer's team and their codebase to show how the product can be integrated into GitHub or their own repository. They should guide them on best practices for getting the most out of Veracode, and demonstrate it with live scanning on the customer's code. It should be done in a regimented way with, say, a 30-minute call on a Tuesday, and a 30-minute call on a Friday.

I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results. And they should say, "If you don't understand something, here's how you contact customer support." A little bit more hand-holding would go a long way toward the adoption of Veracode's technology.

I'm familiar with Veracode from a couple of companies. One is my previous company. We had examined the platform and trialed it for use. When I joined my current company, about six months back, I looked at various platforms that we could use for both static and dynamic testing of our code and I naturally picked Veracode. I had familiarity with them and experience with them. We did some research on them and we did a couple of reviews with my engineers, and then I decided to sign up with Veracode.

It's a very stable solution, absolutely. We've had no issues with it. We have not had to poke around and report bugs or anything of that sort.

We have not had any scale limitations thus far, not even close. Maybe it's the size of our repositories and what we do, but for our needs, it has been super-scalable.

It's being used by all my teams now. I'd like it to be used even more often by building a tighter integration into our regular SDLC practices. I'm hoping that that happens over time. That is one of my focal points as I start to plan for next year.

We bought their premier service package and that allows us to have access to their consultants, their customer support, and their customer success manager so that we get a higher level of service from them. We took the premier package from day one because we needed the consulting hours, help, and training from them.

Every month or so we have a call with their customer success group. Sometimes we come prepared and say, "Hey, we want to talk about these specific five things," and other times we just ask them to give us their latest and greatest and to update us on what has happened since the last time we spoke: What did you add to the product? What did you find? What should we be watching out for? They alert us to new vulnerabilities and things that we should be looking for.

We also do a hands-down, tactical Q and A, where we ask questions like, "Hey, we tried to do this and it failed," or about challenges we had and how they suggest we go about resolving them. I pretty much have my entire team on these calls and that helps us stay on top of things. As VP of engineering, I'm a big believer in shift-left practices. I would like to make sure that my team takes full responsibility for quality assurance and security.

We did not have a previous solution for application security testing in this company.

The initial setup was straightforward. That was something I really liked about it in my previous job, and it bore fruit right away in what we are doing in my current company. That's one of the reasons I chose them. It's very easy to set up. You can get going quickly and you don't have to learn a whole lot. We were able to integrate it into our system fairly quickly, and start, almost immediately, to generate the results we needed to improve our product.

They do an immediate kickoff right after you sign the contract so you can ask questions like, "How do we set this up? What do we do?" We went through that and, once they trained us on those things, we did not really have a reason to go back to customer support. The product is pretty intuitive. They sent us a couple of videos and provided some early consulting for setup. They have a good process, including a 30-day check-point. Very recently, there was one small thing we needed in terms of knowledge and education and they came back to us with a quick response.

We were ready to run tests within two weeks of setup, and we accomplished running it within a month of buying the product.

It does require much maintenance at all. I love the fact it's a SaaS product. Every time we use it, we're getting the latest version. It's updated automatically. We get decent updates about product management and the roadmap.

In terms of implementation services, we didn't go to any third party. Veracode was pretty good. They were very responsive and answered questions. We were able to get the help we needed.

If Veracode thinks that it's best to bring in an integrator for the first 30 days, they should build that into the cost of the contract. I don't think I would have blinked if they had told me, "We suggest paying a little bit extra for the first year because we want you to purchase a professional services contract from this company. They will work with you for a month and guarantee to get you up and running with best practices within 30 days."

I was impressed with the pricing we got from Veracode. I was able to make it work very well within our budget.

When I came to my current company, I looked at a few options for security testing, and then zeroed in Veracode as the best option for us and for what we needed to do. We didn't go through too many competitors. Because I had experience with it, I said we should use it. I felt that it was the right product for us.

One of the advantages of Veracode is that it is a one-stop shop for everything you need. I did not want to hunt around for five different solutions and have to put them together and have to use five different dashboards. I really wanted a single solution for all our needs, and that's what I got from Veracode: static, dynamic, and the manual pen testing.

My advice would depend on the size of your company and whether you have dedicated security engineers. For us, given the size of our company, Veracode has been very important. We needed a turnkey solution, and one that integrated directly into our product. We wanted something immediate. We couldn't take the time to hire a bunch of security engineers and have them figure it out and then do an RFP. That was not us.

If you're in that position, where you need something that really meets all of your software security needs during the development life cycle, check out Veracode for sure. Look at a couple of their competitors. It's fine to kick the tires a bit and then what you can get from others, but I would definitely recommend that one-stop-shop type of thinking. You really want to get your solutions from one vendor, a partner that is strong in this area.

For the manual pen testing, there's a full day where they engage your product. It takes us about half a day of planning and putting it together, and then providing them with a live website. They then bring their team together and go through all the reports about what they saw and, typically, within a period of three days from the time of the manual pen test, we get results from them. Along with that, they also offer any kind of service you need to interpret or understand the results. You can also get some follow-on from them in terms of best practices and how to fix things.

In terms of false positives, I like my security scans to be a little more conservative, rather than being aggressive about eliminating things without me seeing them. I'm okay with the fact that, every once in a while, they flag something and bring it to our attention, and we see that it is really a non-issue. The reason that is my approach is that, when you do a static scan or a pure dynamic scan, these products don't completely understand your application environment. They cannot guess that this or that code is not used in this fashion. They can only flag something to bring it to your attention, and then you make the judgment call.

Veracode has flagged a few issues for us that we decided were non-issues. In their dashboard, you can actually provide a dispensation for each of those items. So we have gone in there and checked a box and put a comment saying, "Not applicable to our workflow." I was very happy that they caught those things. It gives us some confidence that they're looking deep into our product. We haven't had any major issues with false positives. What they flagged to us was reasonable, and we were able to decide that they were not really an issue for us.

Our confidence level is very high, thanks to Veracode's solution and our internal focus on shift-left methodology. I push my engineers to make security a part of the design, development, and testing processes. It can't be something that is done as an afterthought. We need shift-left thinking all the way to the left. You want to tackle an issue before it occurs.

Overall, Veracode has affected all our application security in a very strong, positive way, and I look forward to using their products and technology to continuously improve our security best practices.

I would give it a 10 out 10. It really is a strong solution for the industry. I'm looking forward to engaging Veracode in an even stronger way in 2022. I want to tightly align what we're doing, from a security best-practices perspective, even more with what they have to offer.