Integrates well, reliable, but expensive
Pros and Cons
- "The most valuable features of Veracode Static Analysis are its ability to work with GitLab and GitHub so that you can do the reviews and force the code."
- "We have approximately 900 people using the solution. The solution is scalable, but there is a high cost attached to it."
What is most valuable?
The most valuable features of Veracode Static Analysis are its ability to work with GitLab and GitHub so that you can do the reviews and force the code.
For how long have I used the solution?
I have been using Veracode Static Analysis for approximately five years.
What do I think about the stability of the solution?
The stability of Veracode Static Analysis is good.
I rate the stability of Veracode Static Analysis a nine out of ten.
What do I think about the scalability of the solution?
We have approximately 900 people using the solution.
The solution is scalable, but there is a high cost attached to it.
Buyer's Guide
Veracode
February 2026
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
883,824 professionals have used our research since 2012.
Which solution did I use previously and why did I switch?
I use SonarQube with Veracode Static Analysis.
How was the initial setup?
The initial setup of Veracode Static Analysis was reasonably quick.
What about the implementation team?
We did the deployment of the solution in-house.
What's my experience with pricing, setup cost, and licensing?
The price of Veracode Static Analysis could improve.
Sometimes the model that Veracode pushes forward for you to use isn't beneficial. I advise companies to use SonarQube and Veracode together because we use SonarQube for all the individual developers to scan and do their checks and tasks before they do a full peer review to make sure that they have it clean and it's understood. We then use Veracode Static Analysis for repository control because you need fewer licenses. Veracode Static Analysis is expensive and this is why we split the two solutions.
There are extra costs per developer and it can get expensive quickly. They charge approximately $25 a month for each developer that uses it.
I rate the price of Veracode Static Analysis an eight out of ten.
What other advice do I have?
I would advise people to use Veracode Static Analysis in the final levels of deployment. For example, when you use other tooling, such as SonarQube, to do the initial tasks with the developers, then for peer reviews it is best to use Veracode Static Analysis to make sure that your repositories are controlled and managed properly.
I would always advise people to deploy at least two tools: one at a lower level to do the peer-to-peer, which is cheaper, such as SonarQube because it is close to being free. Then use something such as Veracode for the repository control and the management control of your data cubes.
No solution is a hundred percent perfect. I wouldn't rate any solution a 10 because they've all got faults. SonarQube might pick something up that Veracode Static Analysis doesn't and vice versa.
I rate Veracode Static Analysis a seven out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Director Product Development at a computer software company with 201-500 employees
Categorizes security vulnerabilities, is scalable, and has no issues with stability
Pros and Cons
- "What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities."
- "Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement."
What is our primary use case?
We're using Veracode Static Analysis for scanning security vulnerabilities.
Once the image is built in the container, we send it to Veracode Static Analysis for static analysis assessment, and the tool scans it. The tool then provides us with information on vulnerabilities in our code and the third parties, then provides recommendations on how to solve vulnerabilities, and that's helpful.
What is most valuable?
What I found most valuable in Veracode Static Analysis is that it categorizes security vulnerabilities. My company is mainly worried about security vulnerabilities, so it's beneficial that the tool identifies security-related vulnerabilities.
What needs improvement?
Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement.
For how long have I used the solution?
I've used Veracode Static Analysis for one and a half years, and I'm still using the tool.
What do I think about the stability of the solution?
I didn't find any stability issues with Veracode Static Analysis. It's a stable tool.
What do I think about the scalability of the solution?
Veracode Static Analysis is a scalable solution. My company has between one hundred fifty and two hundred microservices, yet the tool can scan cost-efficiently without issues.
How are customer service and support?
Veracode Static Analysis has good support. There's a channel where my team communicates with support, raises tickets, then support will give you a call, though there were a few times when support struggled on specific cases.
How was the initial setup?
The IT team set up Veracode Static Analysis, but it's a bit complex.
What about the implementation team?
We deployed Veracode Static Analysis in-house.
What was our ROI?
We have not reached the point where we see ROI from Veracode Static Analysis because we're still assessing it, but there are so many vulnerabilities. If we fix some of the high-priority vulnerabilities not reported by the customer, and zero them out or reduce them, then we see value from the tool. Those high-priority vulnerabilities are less than manageable because they have multiple levels or layers.
What's my experience with pricing, setup cost, and licensing?
To my knowledge, licensing for Veracode Static Analysis is paid yearly by my company.
Which other solutions did I evaluate?
We compared Veracode Static Analysis with other vendors, including SonarQube, and went with Veracode because it had more value than others.
What other advice do I have?
Twenty-five to thirty people from the development and QA teams use Veracode Static Analysis, but my company is still learning the best way to reduce the load. There's no plan to increase the tool's usage for now.
Based on my initial analysis, I'd recommend Veracode Static Analysis to anyone looking into implementing it, as it's a good tool.
My rating for Veracode Static Analysis is eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Project Leader at a computer software company with 501-1,000 employees
Helps provide an overview of all security problems we have in all our applications
Pros and Cons
- "It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things."
- "It's problematic if you want to integrate it with your pipelines because the documentation is not so well written and it's full of typos. It is not presented in a structured way. It does not say, "If you want to achieve this particular thing, you have to do steps 1, 2, and 3." Instead, it contains bits of information in different parts, and you have to read everything and then understand the big picture."
What is our primary use case?
We are using the static application security testing from Veracode and the Software Composition Analysis solution for the main product that we are developing. We don't use the Software Composition Analysis for checking license requirements, but only for finding problems in third-party dependencies.
How has it helped my organization?
It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things.
We also use a third-party dependency check from OWASP that is included in one of our other solutions. The Software Composition Analysis from Veracode is on top of that. It offers integration with the Veracode platform so that we can visualize all of these security problems at once. It is great to have an overview of all of the security problems that we have on all of our applications.
What is most valuable?
The most important thing that we have used Veracode for is the static application testing. That was our main target.
What needs improvement?
The UI is messy because it freezes sometimes and some of the UI components are blocked and I do not know why that is happening. It's not happening only to me. Colleagues have reported to me that they have this issue.
For how long have I used the solution?
We have been using Veracode for more than a year, but we have only been using the Software Composition Analysis for a few months.
What do I think about the stability of the solution?
We haven't run it often enough to check if it is stable or not.
How are customer service and support?
The support guys are good professionals. We have received valuable comments on proposals from their side. They are reliable partners and have good expertise.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We use various techniques to improve our security. We use an OWASP software application networking model to improve security in our different products. We use a number of native plugins to check licenses and vulnerabilities in the third-party libraries that are part of the application. We also have several plugins from SonarLint that are integrated in another tool that we use for quality assurance.
We put Veracode in place because we have an agreement with SAP and we must fulfill some security checks to become partners for their solution. Veracode's functionalities resolve all of the security checks that were demanded of us.
We use a different company for pen tests, three times per year, and it usually takes two or three weeks each time.
How was the initial setup?
There isn't much of an implementation. We upload binaries to the Veracode platform and they are scanned and processed according to certain policies and security requirements. Then we get the results.
We are working on implementing Veracode SCA with our biggest product.
We want to integrate the software composition analysis with our CI pipeline and we are working on it, but because of the size of the application we have encountered some difficulties, things we have to tackle technically.
It's problematic if you want to integrate it with your pipelines because the documentation is not so well written and it's full of typos. It is not presented in a structured way. It does not say, "If you want to achieve this particular thing, you have to do steps 1, 2, and 3." Instead, it contains bits of information in different parts, and you have to read everything and then understand the big picture. Hopefully, then, you can integrate it.
Regarding the recommendations provided by the Veracode scanning engine, we have our own way of dealing with the software composition issues. We plan to change them, but not very soon, because it was really hard to impose Veracode on our whole group and for all product lines, as Veracode is a relatively new technology for us. We have had it for one year, but the change has not been so easy. We will try to combine all of our strategies in the Veracode platform in the future.
What was our ROI?
We hope that we will have a successful integration in the near future and that it will bring major benefits, at least for the managers and the people who are responsible for analyzing the flows and for keeping security under control. The amount of management effort will be reduced at that point.
What's my experience with pricing, setup cost, and licensing?
For our company, the price is reasonable for the benefits that we get.
We paid for a one-year license. The contract was reasonable in terms of financial features. The pricing itself depends on the size of the company and on how much the company is willing to pay for these security extensions and how much the company is willing to invest in security in the first place.
What other advice do I have?
Veracode was rated by industry reviews as the top player in this field for static application security testing and SCA. My advice would be to investigate the market because it will give you an idea of what is the best and most cost-effective solution for your company.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr. Partner IT and Information Security at a consultancy with 201-500 employees
Easy to use, responsive technical support, and it provides levels of certification for compliance
Pros and Cons
- "The Veracode technical support is very good. They are responsive and very knowledgeable."
- "The training lab is not very user-friendly and takes a long time to set up."
What is our primary use case?
We use Veracode for static and dynamic code analysis, as well as software composition analysis (SCA). Using it ensures that our products are compliant, and it also provides an external method to assure our customers that our products are free from any flaws, or application security issues.
Our product resides on the Azure Cloud, and we have Veracode access it directly.
How has it helped my organization?
Using Veracode has helped to improve our organization in that we now have discipline in terms of periodically scanning our systems. We do this every six months, and it is done to meet our compliance requirements.
We are now at the point where it is integrated as part of our software lifecycle automation. I can't point to a particular example of how it has improved our product, although it has helped in terms of validating our product. Also, it has shown us the competency of our teams.
What is most valuable?
The certification levels are helpful. There are different levels, where I think that five is the highest, and we are at level four. Having that badge and showing that we are compliant to that level helps one's reputation in the market.
The interface is easy to use.
What needs improvement?
The training lab is not very user-friendly and takes a long time to set up. This is an area that should be improved because we've not used it as much as we should have.
For how long have I used the solution?
We have been using Veracode for more than a year, since January 2021.
What do I think about the stability of the solution?
This is a pretty stable product. I would rate the stability an eight out of ten.
What do I think about the scalability of the solution?
I can't specifically speak to scalability because we only engage with them for a single product. However, I do think that scaling might be expensive and is probably something that needs to be negotiated.
How are customer service and support?
The Veracode technical support is very good. They are responsive and very knowledgeable. Every time we wanted to set up a meeting, they responded very quickly. In terms of the instructions that they provide, the details are very explicit and although there's a lot to refer to, we can get what we want fast. We don't get lost in what we need to look at.
I would rate the customer support an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did not use another similar solution prior to Veracode.
How was the initial setup?
I was not heavily involved in the initial setup and deployment, although I understand that it was straightforward. We were able to start using it and scanning our code on day one.
It's all on the web, so there is not much to set up. We just have to configure the access so that the web tool can connect, and it takes it from there.
Except for the Lab component, we didn't have to keep contacting our Veracode account manager.
What about the implementation team?
We completed the deployment ourselves.
There were two people involved. The first was our IT person, and the second was a senior member of the engineering team. There is no maintenance required.
What was our ROI?
It's too early to say whether we have seen ROI because we're marketing our product and services to newer customers. We haven't had visibility from that perspective, yet.
What's my experience with pricing, setup cost, and licensing?
The pricing is a little on the high side but since we combine our product into one suite, it is easy to do and works well for us. It's an expensive product but we are paying for quality.
Which other solutions did I evaluate?
We evaluated two or three different products before choosing Veracode.
The reasons that we chose Veracode were their reputation and ease of use. Also, one of the senior people on the team had previous experience with it.
Another point is that their pre-sales team was very professional. Their discussions helped us in terms of getting to what we wanted.
What other advice do I have?
My advice for anybody who is looking into Veracode is that it's one of the very few solutions that can perform dynamic, static, and software composition analysis.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr. Cloud Solution Architect - SAP on Azure at a computer software company with 10,001+ employees
The solution supports a broad range of code technologies and can analyze large applications
Pros and Cons
- "Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode."
- "While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode."
What is our primary use case?
I use Veracode for static and dynamic analysis.
What is most valuable?
Veracode supports a broad range of code technologies, and it can analyze large applications. Fortify takes a long time and may not be able to generate the report for larger applications. We don't have these constraints with Veracode.
For how long have I used the solution?
I've been using Veracode for four or five years.
What do I think about the scalability of the solution?
We have about 230 users.
How are customer service and support?
We've raised a few tickets with Veracode support. Sometimes, their frontline support can resolve the issue, but we may need to escalate it and get their global team involved. The problem is usually resolved in a couple of days. Overall, support is not a concern. It's fine.
How was the initial setup?
Veracode is an easy-to-use browser-based solution. It isn't a standalone product like Fortify, so there's no installation. You put in the credentials and start the scan.
What's my experience with pricing, setup cost, and licensing?
While Veracode is way ahead of its competitors on Gartner Magic Quadrant, it's a bit more expensive than Fortify. It's a good solution for the cost, but if we had a high budget, we would go with Checkmarx, which is much better than Veracode.
Which other solutions did I evaluate?
Veracode and Micro Focus Fortify SSC are both making progress. Fortify's cloud-on-demand model is an improvement over the past. Both solutions handle the analysis part well, but Fortify needs to improve a lot of things. For one, Micro Focus Fortify hasn't been updated in a long time. They acquired the solution from HP long back, but I haven't seen much improvement.
Veracode's browser-based solution doesn't have cloud-on-demand functionality. You only need to give consent once on Veracode's access URL, but Micro Focus requires another consent for Dynamic Application testing for WebInspect server, so we need to use SQL Server Express for the WebInspect server.
We have some difficulties with SQL Server because a client might not be able to install that in their environment. We may be able to install WebInspect, but we face some challenges dealing with SQL Server Express and other dependencies. We have issues with those other supported plugins, libraries, or framework installation parts.
What other advice do I have?
I rate Veracode Static Analysis eight out of ten. I recommend Veracode over Micro Focus. Some companies prefer Micro Focus because they can get a discount and buy it for less than the market price. That's the only reason to use Micro Focus. Otherwise, I don't think Micro Focus can compete with Veracode.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Full Stack Engineer at a financial services firm with 51-200 employees
Gives us peace of mind regarding our website's security environment
Pros and Cons
- "The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use."
- "I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use."
What is our primary use case?
We have a website built on the Microsoft stack, with .NET. Veracode comes in and scans our code and, for the static side of it, we zip up the CS files and the JavaScript files, and upload them for scanning.
How has it helped my organization?
It gives us peace of mind regarding what our website's security environment looks like. It provides that quality check to make sure that we have as few vulnerabilities as possible.
What is most valuable?
The dynamic scanning tool is what I like the best. Compared to other tools that I've used for dynamic scanning, it's much faster and easier to use.
What needs improvement?
I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use.
Also, with the dynamic tool, sometimes a scan gets stuck and it can be hard to get a hold of the right person in a timely manner to find out why it got stuck and to get it unstuck, or to create a new one.
Overall, speed and customer support could be improved.
For how long have I used the solution?
I have been using Veracode at my current job for about two years and I used it at my previous job for at least six years or so.
What do I think about the stability of the solution?
It's very stable. It's very good that way. I haven't run into too many times where their website is down. Usually, it's just for maintenance and they'll let you know ahead of time.
What do I think about the scalability of the solution?
Since it's a cloud offering, we don't have to worry about its scalability.
We don't utilize our current offering to its fullest, so we don't have plans to expand use of it.
How are customer service and support?
Their technical support is pretty good. It depends on who you get. As I mentioned, sometimes it's hard to get an answer from them quickly about why a scan got stuck or what's going on with it.
How would you rate customer service and support?
Neutral
What was our ROI?
I don't know what ROI might be in terms of a dollar amount, but the peace of mind and quality it gives us, making sure we don't get hacked, are types of ROI.
Which other solutions did I evaluate?
The "gold star" goes to Veracode's dynamic scanning capabilities. I've used other static scanners that may be a little bit better than Veracode, but the dynamic is a lot faster and a lot easier to use. The other ones I have used can be very complex when setting up the scans.
What other advice do I have?
Veracode only has a cloud offering. You upload your binary files for static scanning, or you whitelist your IP and have them come in and scan your website. It doesn't require any maintenance on our end.
Overall, it's really good. It's a lot better than other offerings I've seen. The dynamic scanner works really well. The static scanner is still good, but it could be improved.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director Product Development at a computer software company with 201-500 employees
Useful static analysis, scalable, but terminology confusing
Pros and Cons
- "We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing."
- "Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end."
What is most valuable?
We have found the static analysis to be useful in Veracode Static Analysis. However, we are in the process of testing.
What needs improvement?
Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end.
Veracode Static Analysis should adapt and detect the vulnerability which is coming from customers.
For how long have I used the solution?
I have been using Veracode Static Analysis for one and a half years.
What do I think about the scalability of the solution?
Veracode Static Analysis is a scalable solution.
We have approximately 10 people using this solution in my organization. However, we do not use it daily.
Which solution did I use previously and why did I switch?
We previously used a free tool that is integrated into Eclipse.
How was the initial setup?
The initial setup of Veracode Static Analysis is in the middle range of difficulty. We had some minor issues but we had some guidance and support. It took us approximately one month to scan all of the microservices.
What about the implementation team?
Our IT team did the implementation with support from the Veracode team. The Veracode team was very good.
What's my experience with pricing, setup cost, and licensing?
The price of Veracode Static Analysis is on the higher side.
What other advice do I have?
My advice to others would be to follow the instructions and they will not have any issues.
I rate Veracode Static Analysis a seven out of ten.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Software development program leader at a tech vendor with 201-500 employees
Good reporting, comprehensive interface, and integrates well into our build pipeline
Pros and Cons
- "The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly."
- "The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."
What is our primary use case?
My company produces a SaaS application that is used by very large customers for pricing analytics and sales workflows. The data that our customers put into our software is very sensitive and confidential. This means that they want a high degree of confidence that our solution is secure.
We use Veracode as one of the pillars that we can point to as helping us to deliver on the promise of having a secure product. We have a multi-dimensional security program and Veracode is one important aspect of that.
How has it helped my organization?
Veracode provides guidance for fixing vulnerabilities. It provides guidance to help us understand what it flags, and what we can do about it. It still takes some interpretation and insight on our side, but we aren't generally security experts, so we get good information from Veracode to help inform us.
The developers are able to understand the types of issues Veracode looks for, and then as they see that happen, it helps them to learn. It's good because they consider it the next time and hopefully, we don't need Veracode to flag the issue because there is no issue.
With respect to efficiency when it comes to creating secure software, Veracode is able to help us with very low overhead. There's not a lot of work needed on our side unnecessarily. Once we've wired everything together, it's seamless to get the scan done and get the results back and know what we need to do about them.
We use Veracode for some of our older, more monolithic software, as well as for our newer solutions, which are designed to be cloud-native. We've found Veracode useful in both use cases; first, with our huge monolithic software, as well as with our microservices cloud-native solutions.
In terms of AppSec, there are a lot of benefits that cloud-native design brings in terms of not only cost and scalability, but testability and security. Certainly, the design patterns of cloud-native are well aligned with delivering good security practices. Working with products that support cloud-native solutions is an important part of our evolution.
Using Veracode has helped with developer security training and skill-building. It's definitely a good way to create awareness and to deliver information that's meaningful and in context. It's not abstract or theoretical. It's the code that they've written yesterday that they're getting feedback on, and it is a pretty ideal way to learn and improve.
The static scan capability is very powerful. It's very good in terms of the signal-to-noise ratio. The findings that we get are meaningful, or at least understandable, and there's not a bunch of junk that some other code scanning tools can sometimes produce. Having results like that make it hard to find the valuable bits. Veracode is highly effective at finding meaningful issues.
The speed of the static scan is okay. It meets or exceeds our expectations. For our monolithic application, which is a million lines of code, it takes a while to scan, but that's totally understandable. If it could be done magically in five minutes, I wouldn't say that's bad. Overall, it's very reasonable and appropriate.
Veracode has policy reporting features for ensuring compliance with industry standards and regulations. We have one such policy configured and it's helpful to highlight high-priority areas. We can address and help focus our efforts, which ensures that we're spending our time in the best way possible for security movement. The policy is a good structure to guide results over time.
We use Veracode as one metric that we track internally. It gives us information in terms of knowing that we are resolving issues and not introducing issues. I cannot estimate metrics such as, for example, Veracode has made us 10% more secure. I can certainly say it's very important when we talk to our customers about the steps we follow. We do external pen tests, we do web app pen tests, and we also use Veracode. It's certainly very helpful in those conversations, where we can state that it is one of our security practices, but there's no outcome-based quantitative statistic that I can point to.
What is most valuable?
The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly. We're doing scans daily, so that's the most important feature for us.
The interface is great. It allows us to look at our different applications, understand all of the different types of scans, as well as the results. The types of testing include SAST, DAST, and SCA, and it pulls all of the information together into a single view. It also produces reports that we can give to our customers when requested.
Veracode certainly provides a quick and intuitive way to understand the results, to see the context of them, and to identify what we need to do to address them. In general, it's a pretty quick way to get the information that we need in the most useful way possible. Then, we can turn around an action plan.
We have it integrated with our build pipeline and that works well. It's very important because we don't have to complete a separate, manual step of sending the software up to Veracode to scan it and get the results. It's great. The more things that we can integrate into the build pipeline, the better. It's a very positive thing.
Veracode is very good in terms of not having a lot of false positives. It would be very frustrating if a tool gave you 10 good results but 50 false positives. Even with the issues that we get that we choose not to address, we can still understand why they're being flagged. We have found that the results are meaningful and accurate, which gives us confidence in the solution when fixing vulnerabilities.
We may choose not to address them for different reasons. For example, it could be because it's an issue about input sanitization, but we have another layer on top of that component to handle that task. We can recognize that it's important that Veracode is flagging those things at that lower level, and that they're bringing that additional insight and consideration to the designs that we're choosing. Overwhelmingly, even the issues we choose not to address are still valuable and meaningful, so the actual false positive rate is quite low.
This is a very useful and powerful tool that ensures our code is well-designed and correctly implemented. It is important that it's only one aspect of a security program and not the only insight or the only test. That said, it provides us with some pretty important feedback and insights that we wouldn't have a great way to get otherwise.
What needs improvement?
The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it. The pricing model was expensive and the results were not the same as the full solution analysis. It gives a differently scoped "just in time" analysis within the context of the IDE, so it didn't speak to the same problem space.
The best situation would be the one where the developers don't even need to log into the web portal, and the results from the scans would be delivered into their IDEs. It would be an asynchronous job, but if they could see the results right there, while they're working on the code, then they wouldn't need to go to a separate tool to look at the information to figure out what to do next.
The workflow today on the build side is optimal, so imagine that's still doing the same thing but then in the backend, whenever a developer has that project open in the browser, if they chose to, they could enable a view to see the most recent Veracode results of that module. That scan might be from last night or six hours ago or any other point, and that's fine. It would be the best possible situation to put the results and the actions right in front of the developer, in the tool that they're already using when they're touching the code.
The only other thing that we've found a reasonable workaround with is how to work with microservices in the context of Veracode. This was necessary because Veracode's licensing model and the interaction model are built around an idea of an application. When you're talking about a section of business logic that's being delivered by possibly dozens of microservices, there is some friction with Veracode in terms of how that application gets defined and how the scans occur and get reported on.
When we reached out to Veracode about this, I got a slide deck that provided us with different options of how they recommend proceeding in this context. It was helpful, and clearly a question they've considered and they had answers ready to go on. The ideas helped us and essentially reinforced what we were already thinking. It's getting the job done, but it still feels like a little bit of a square peg in a round hole and it could be a little smoother in terms of that interaction.
The problem boils down to how we fit the microservices architecture into the Veracode notion of an application. We need to be able to get a holistic view across the microservices, which is extremely challenging, especially when those microservices are owned by different teams who have different needs to see and respond to the scans.
For how long have I used the solution?
I have been using Veracode for between five and six years.
What do I think about the stability of the solution?
The stability is great. They've probably had some downtime, but I don't know about them. From our perspective, it's been solid.
I know the web portal has some planned downtimes because I see the splash screens about them. They're good about warning you, but they're also performed at very weird times, like the middle of the night, so it's never blocked me from getting in when I need to get in.
What do I think about the scalability of the solution?
We use Veracode for all of our software development. We have more than 100 engineers, and our entire engineering team is using it. Obviously, every team has some designated people who look at this more than others, so not everybody's in there every day, but in terms of the software we write, we know that it's all being scanned constantly.
Over the last few years, we've made a couple of acquisitions of other companies and when we've done that, we very quickly brought those solutions in as well. We've seen the value and because of that, it's part of our onboarding process when we integrate other companies into our environment.
If we create another solution or we acquire another company, we will certainly expand our use of Veracode to match within our current solution stack.
How are customer service and support?
The support has been good at understanding issues. There are two aspects of technical support. One concerns issues with the platform in terms of functionality, and the other is that they will provide you with assistance in terms of interpreting your findings.
Our experience from the technical side is that they helped us with figuring out how to best use the platform for microservices applications. They were very helpful in that conversation.
We also have experience with the other layer of technical support that Veracode provides, which is where you can get consultations about the findings. We've done a few of those where you set up an appointment with a Veracode engineer. It helps to understand the results if the platform isn't totally clear on why something is a problem or what we need to do about it. For us, that's been pretty good.
Obviously, the Veracode engineer doesn't have the full understanding of what our application does and in a short call, you can't possibly do an architectural deep dive to understand the context of an issue, but their conversations have been useful when we've had them in terms of understanding issues and context and if we need to do anything.
Which solution did I use previously and why did I switch?
Prior to using Veracode, we used other code quality scanning tools, but not anything at the level of Veracode for security issues.
How was the initial setup?
The initial setup was straightforward. It was pretty easy to get going and we've incrementally gotten better and deeper as we've used it over the years.
The initial setup was manual uploads of applications, and then it was about incorporating it into our build pipelines and using the sandbox to support our microservices architecture. We've gotten more mature over time, but time to initial use and results were very easy.
Only a very short time is required for deployment, as there is very little that has to be done. Ours was completed within a couple of days and that's a matter of coordination in terms of getting our teams to upload a solution and figure it out. It was a learning experience for us but there was no time or delay brought on by the solution.
When we first began with Veracode, the initial strategy was just to get our first solution uploaded and scanned and see what the results looked like. We didn't have a systematic history of doing that, back then.
With approximately 500 employees, we're not a huge company. Deploying it in an enterprise company would be a different situation but for us, it was just a matter of understanding how we needed to configure the platform and how we needed to provide our software and states and get good results.
It probably took a couple of uploads of trial and error and we were running.
What about the implementation team?
We implemented the solution in-house. It is not that complicated.
In terms of maintenance, there is certainly some overhead involved for each team. They have to make sure that the build pipeline integration is still working and essentially, that we're still getting results. Occasionally, for whatever reason, it breaks and somebody has to go in and fix it.
I can't say that there is no staffing required for maintenance but it's rare. In total, a few hours a month across the company is spent keeping it going. More time is spent evaluating and resolving the findings, which is part of our development work. That's not imposed by the solution but rather a positive outcome from using Veracode. As such, I wouldn't count that as maintenance.
What was our ROI?
We have seen a return on our investment with Veracode. I can't point to a dollar figure, but I've been directly involved in customer conversations where we can talk about our security program and how Veracode is an important element. We've distributed report summaries and talked about results with our customers and having this information in those conversations is definitely valuable.
It's also very useful that we can talk about it with our security auditors. We have SOC 1, SOC 2, and ISO 27001, and they don't specify that you must have a static analysis tool. But when we need to maintain secure engineering practices, having a tool like Veracode is very important for us to demonstrate that to auditors. There's certainly value there as well.
There is also a tremendous value on the marketplace that we get from having those security audits and certificates, which is a second-order of value that Veracode drives.
I can't say with certainty that Veracode reduces the cost of application security, although I would say that it focuses our effort. It gives us guidance and prioritization on where we should spend time. Otherwise, we might not know about particular issues. We might inadvertently spend time on things that aren't that valuable. So, the value is more about focusing on where we need to spend time.
What's my experience with pricing, setup cost, and licensing?
From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately.
I like that the platform provides you with some flexibility. We had to revise our licensing because it did not fit our environment. We wanted to license based on the number of applications, rather than another measure such as the number of lines of code. There was clearly some complexity that led us to be in that situation, although it seems preventable. Ever since our last renewal, the licensing has been smooth and clear. There is a certain amount of flexibility in that regard but also, they allow us some leeway in our current model.
There have been times when, for some reason, we spin up a new application on a temporary basis. It may be because we're trying a new configuration. Even though we're licensed for a certain number of applications, the platform lets us exceed that. Consequently, we receive an email stating that we can't do that forever, but it's very useful to have the flexibility for the couple of times that we've used it to briefly exceed the application count.
Which other solutions did I evaluate?
I am not sure what other solutions, if any, the company looked at before choosing Veracode initially. We have renewed it since that time and we pretty quickly decided to stick with Veracode, rather than switching. However, because of the relatively high cost, we will probably evaluate other options next time it's up for renewal.
What other advice do I have?
We see at least quarterly updates about new features or things that have been fixed. It happens without our involvement, which is great.
My advice for anybody who is considering Veracode is to test it. Although I have not compared Veracode against other products as part of an evaluation process, it would be very useful and very easy to actually try it. Upload your application, get the results, and take a look at what Veracode finds. This is the most useful activity somebody could do.
This is a product that lives up to its promise. It's easy to use, and it's predictable. There are some improvement opportunities but on the whole, it's very good at what it does.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.