I'm an automation practice leader and we are customers of Veracode.
Automation Practice Leader at a financial services firm with 10,001+ employees
Offers good static and dynamic analysis but there are problems with scanning
Pros and Cons
- "Good static analysis and dynamic analysis."
- "The product has issues with scanning."
What is our primary use case?
What is most valuable?
The valuable features are the static analysis and the dynamic analysis. The security is also a good feature.
What needs improvement?
The solution has issues with scanning. It tries to decode the binaries that we are trying to scan. It decodes the binaries and then scans for the code. It scans for vulnerabilities but the code doesn't. They really need two different ways of scanning; one for static analysis and one for dynamic analysis, and they shouldn't decode the binaries for doing the security scanning. It's a challenge for us and doesn't work too well.
As an additional feature I'd like to see third party vulnerability scanning as well as any container image scanning, interactive application security testing and IAS testing. Those are some of the features that Veracode needs to improve. Aside from that, the API integration is very challenging to integrate with the different tools. I think Veracode can do better in those areas.
For how long have I used the solution?
I've been using this solution for four years.
Buyer's Guide
Veracode
June 2025

Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
862,499 professionals have used our research since 2012.
What do I think about the stability of the solution?
I haven't had any issues with the stability.
What do I think about the scalability of the solution?
The solution is scalable but if we scale too far then the performance is impacted. We have around 300 developers using Veracode.
How are customer service and support?
The technical support is good. Whenever we have any vulnerability issues, we can easily contact them and then have a triage with the technical support team.
How was the initial setup?
The initial configurations were okay, but then the integration to the CI/CD pipeline was not so smooth. We had multiple rounds of calls with the Veracode engineers to get it up and running.
What's my experience with pricing, setup cost, and licensing?
Veracode is very, very expensive, one of the most expensive security scanning tools available.
We pay an annual license fee that is over $1 million.
What other advice do I have?
For any company wanting to use Veracode and buying vendor binaries from third party vendors, it's important to get the legal and compliance clearance from the vendor as well. Some vendors have a policy that they're selling you the binary of a particular software but you're not supposed to decode it. Those are the general terms and conditions that every vendor gets you to sign but Veracode does decode and then scans for the vulnerabilities. It's a challenge for any company purchasing the solution from vendors.
I rate the solution six out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Principal Consultant at a tech services company with 11-50 employees
Provides extensive guidance for writing secure code and pointing to vulnerable open source libraries
Pros and Cons
- "Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code."
- "Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of false positives, it would be highly desirable if the false positives didn't show up again on the UI, instead of still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided."
What is our primary use case?
Software Composition Analysis (SCA) is used to detect vulnerabilities in open source libraries, which are used by our customers for their own product.
We are a consulting company who provides consulting services to clients. We don't buy the software for our own internal use. However, we advise customers about which solutions will fit their environment.
Most of our clients use SCA for cloud applications.
How has it helped my organization?
For application security, the SCA product from Veracode is a good solution. It has a good balance. Altogether, the balance between the outcome of the tool, the speed of the tool, and its cost make it a good choice.
One of the reasons why we recommend Veracode is that it is very important that SAST and SCA tools, independently of the vendor, work seamlessly within the build pipeline. Veracode does a good job in this respect.
In this day and age, all software is developed using a large amount of open source libraries. It is kind of unavoidable. Any product application has a lot of embedded libraries. In our experience, many times customers don't realize that it is not just a code that can be vulnerable, but also an open source library that they may take for granted. In many ways, this has been a learning experience for the customers to understand that there are other components to open source libraries, and that SCA is an invaluable tool to address those issues.
What is most valuable?
SCA provides guidance for fixing vulnerabilities. It provides extensive guidance for both writing secure code and pointing to vulnerable open source libraries that are being used.
From the time it takes for the solution to detect a vulnerability, both in the source code and the open source library, it is efficient.
Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code.
The Static Analysis Pipeline Scan is faster than the traditional scan that Veracode has. All Veracode products are fast. I have no complaints. On average, a piece of code for a customer takes 15 to 20 minutes to build versus the Static Analysis Pipeline Scan of Veracode that takes three or four minutes. So, that is 20 to 30 percent of the total time, which is fairly fast.
What needs improvement?
Most of our time is spent configuring the SAST and SCA tools. I would consider that one of the weak points of the product. Otherwise, once the product is set up on the computer, it is fairly fast.
Like many tools, Veracode has a good number of false positives. However, there are no tools at this point in the market that can understand the scope of an application. For example, if I have an application with only internal APIs and no UI, Veracode can detect that. It might detect that the HTML bodies of the requests are not sanitized, so it would then be prone to cross-site injections and SQL injections. But, in reality, that is a false positive. It will be almost impossible for a tool to understand the scope unless we start using machine learning and AI. So, it's inevitable at this point that there are false positives. Obviously, that doesn't make the developers happy, but I don't think there is another way around this, and it is not just because of Veracode. It's just the nature of the problem, which cannot be solved with current technologies.
Once we explain to the developers why there are false positives, they understand. In Veracode, embedded features (where there are false positives) can be flagged as such. So, next time that they run the same scan, the same "vulnerability" will be still flagged as a false positive. Therefore, it's not that bad from that point of view.
Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of false positives, it would be highly desirable if the false positives didn't show up again on the UI, instead of still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided. However, that is not necessarily a shortcoming of the product. I think it's more of a shortcoming of the UI. It's just the way it's visualized. However, going forward, I personally don't want to see any more vulnerabilities that I already flagged as a false positive.
It does take some time to understand the way the product works and be able to configure it properly. Veracode is aware of that. Because the SCA tool actually comes from a company that they acquired, SourceClear, the SCA tool and SAST tool are not completely integrated at this point. You are still dealing with two separate products, which can cause some headaches. I did have a conversation with the Veracode development team not too long ago where I voiced my concerns. They acknowledged that they're working on this and are aware of it. Developers have limited amounts of time dedicated to learning how to use a tool. So, they need quite a bit of help, especially when we're talking about this type of integration between the SAST and SCA. I would really like to see better integration between the SAST and SCA.
For how long have I used the solution?
I have been using it for almost a year.
What do I think about the stability of the solution?
It is stable. One of the selling points is that it is a cloud solution. The maintenance is more about integrating Veracode into the pipeline. There is a first-time effort, then you can pretty much reproduce the same pipeline code for all the development teams. At that point, once everything runs in the pipeline, I think the maintenance is minimal.
What do I think about the scalability of the solution?
We have deployed the solution to FinTech or technology medium-sized companies with more than 100 employees.
How are customer service and technical support?
Their technical support is less than stellar. They have essentially two tiers: the technical support and the consulting support. With the consulting support, you have the opportunity to talk to people who have intimate knowledge of the product, but this usually takes a bit of effort so customers still like to go through the initial technical support that is less than stellar. We rarely get an answer from the technical support. They seem a lot more like they are the first line of defense or help. But, in reality, they are not very helpful. Until we get to the second level, we can't accomplish anything. This is another complaint that I have brought up to Veracode.
Which solution did I use previously and why did I switch?
One of the reasons why we decided on Veracode is because they have an integrated solution of SAST and SCA within the same platform. Instead of relying upon two different, separate products, the attraction of using Veracode was that we could use one platform to cover SAST and SCA.
How was the initial setup?
The SAST tool is pretty straightforward; there is very little complexity. The pipeline works very well. The SCA tool is more complex to set up, and it doesn't integrate very well with the SAST tool. At the end of the day, you have essentially two separate products with two separate setups. Also, you have two different reports because the report integration is not quite there. However, I'm hopeful that they are going to fix that soon. They acquired SourceClear less than two years ago, so they are still going through growing pains of integrating these two products.
The setting up of the pipeline is fairly straightforward. It works with a lot of the main languages, like Java, Python, etc. We have deployed it across several development teams. Once we create a pipeline and hand the code to the developers, they have been able to make a little adjustment here or there, and then it worked.
What about the implementation team?
For both SCA and SAST tools, including documentation, providing the code, writing the code for the pipeline, and giving some training to the developers, a deployment can take us close to two weeks.
Deploying automated process tools, like Veracode, Qualys, and Checkmarx, does take more effort than uploading the code manually each time.
What was our ROI?
As long as developers use the tool and Veracode consistently, that can reduce the cost of penetration testing.
What's my experience with pricing, setup cost, and licensing?
Checkmarx is a very good solution and probably a better solution than Veracode, but it costs four times as much as Veracode. You need an entire team to maintain Checkmarx. You also need on-premise servers. So, it is a solution more for an enterprise customer. If you have a small- to medium-sized company, Checkmarx is very hard to use, because it takes so many resources. From this point of view, I would certainly recommend Veracode, for now, for small- to medium-sized businesses.
Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors.
Veracode provides a very good balance between a working solution and cost.
Which other solutions did I evaluate?
There are other products in the market. However, some of those products are extremely expensive or require a larger team to support them. Often, they have to be installed on-prem. Veracode is a bit more appealing for our organizations that don't have larger AppSec teams or where budget is a constraint. In this respect, SCA is a good solution.
We have been using Checkmarx for years, but mainly for their on-prem solution. They do have an offering in the cloud, but we haven't done any side-by-side tests in respect to speed. We did do a side-by-side comparison between Veracode and Checkmarx two or three years ago from a technical ability standpoint. At that time, Checkmarx came in a bit ahead of Veracode.
Checkmarx is more complex to set up because it is on-prem with multiple servers, and there are a lot of things going on. If you have a larger budget and team, look into Checkmarx because it is a market leader. However, when it comes to price, I would choose Veracode for a smaller company, not a large enterprise.
Another consideration for Checkmarx, as an on-prem solution, is that you are pretty much assured that your code doesn't leave your company. With companies like Veracode, even if they are saying that you only upload the binary code, that's not quite true. The binary code can be reverse-engineered and the source code can be essentially reconstructed. For example, Veracode would not be suitable for a government agency or a government consultancy.
For DAST, our customers like to use Qualys Web Application Scanning. There are very few players out there that can test APIs, but Qualys is one of them.
Another promising solution that allows for testing APIs is Wallarm. We have done a couple of PoCs with them.
We tested Black Duck a few years ago, but they only had a SCA solution. They didn't have a SAST solution. I think they do now have a SAST solution because they acquired another company, Fujita.
What other advice do I have?
I don't think that Veracode has helped developers with security training, but it helps developers have a reality check on the code that they write and their open source library. That is the best value that developers can get from the product.
Veracode products can be run as part of the development pipeline. That is also valuable.
It integrates with tools like GitHub or Jenkins. At a high level, it does integrate with most of the pipeline tools. It would be a showstopper if the incorporation of security was not in the developer workflows. We are past a time when developers or software engineers run an SCA or DAST scan on the code, then hand it off to the development team. What works instead is to inject a security tool into a development pipeline, which is why it is absolutely paramount and important that tools like Veracode be a part of the build pipeline.
We limited the use to SAST and SCA. We haven't used any of the penetration testing, especially for the DAST solution that they have. For that, they are behind the curve, meaning that there are other products in the market that are being established. In my opinion, they don't have a viable product for DAST, because I believe they are not even testing APIs. So, it's not mature enough. We also have never used their pen testing because that is one of the services that we provide.
At this point, Veracode is one of the best solutions available, though it's not perfect by any means, but you have to work with whatever you have.
I will give the solution a seven (out of 10). When they integrate the SCA and SAST portions more tightly together, I could probably bump it up to an eight. Also, if they make improvements to the UI and the support, they can get a better rating. However, at this point, I would still pick Veracode for a company that doesn't have a million dollar plus budget.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
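The prioritization the reviewer describes for the vulnerable-methods feature (a vulnerable library only jumps the queue when the application actually calls one of its vulnerable methods), as an added Python example; this is not Veracode's code or a description of its implementation, and the library names, advisory ids and the Java snippet are constructed for the example:

```python
"""Reachability-based prioritisation of SCA findings (added example).

Not Veracode's code. It models the reasoning from the review above: among
libraries reported as vulnerable, fix first the ones whose vulnerable methods
are reachable from the application's own code. All advisory ids, library
names and the Java source below are constructed placeholders.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    library: str
    version: str
    advisory: str                  # constructed placeholder, not a real CVE
    severity: str
    vulnerable_methods: frozenset  # fully qualified "pkg.Class.method"


# Constructed SCA findings: three vulnerable libraries, all high or critical.
FINDINGS = [
    Finding("yaml-loader", "1.2.0", "ADV-EXAMPLE-0001", "critical",
            frozenset({"com.example.yaml.Loader.parse"})),
    Finding("http-client", "3.0.1", "ADV-EXAMPLE-0002", "high",
            frozenset({"com.example.http.Client.followRedirect"})),
    Finding("log-util", "0.9.4", "ADV-EXAMPLE-0003", "high",
            frozenset({"com.example.log.Logger.lookup"})),
]

# Constructed application source. It calls Loader.parse (a vulnerable method)
# and Client.get (a safe method of a vulnerable library); log-util is never
# imported at all.
APP_SOURCE = """
import com.example.yaml.Loader;
import com.example.http.Client;

public class App {
    void run(String input, String url) {
        Object cfg = Loader.parse(input);
        String body = Client.get(url);
    }
}
"""

IMPORT_RE = re.compile(r"^\s*import\s+([\w.]+)\.(\w+)\s*;", re.MULTILINE)
CALL_RE = re.compile(r"\b([A-Z]\w*)\.(\w+)\s*\(")


def called_methods(source: str) -> set:
    """Crude stand-in for call-graph extraction: resolve `Class.method(`
    call sites through the file's imports to fully qualified names."""
    imports = {cls: f"{pkg}.{cls}" for pkg, cls in IMPORT_RE.findall(source)}
    calls = set()
    for cls, method in CALL_RE.findall(source):
        if cls in imports:
            calls.add(f"{imports[cls]}.{method}")
    return calls


def prioritize(findings, calls):
    """Return [(finding, reachable_methods)] ordered so that findings with
    at least one reachable vulnerable method come first, then by severity,
    then by library name for a stable listing."""
    rows = [(f, sorted(f.vulnerable_methods & calls)) for f in findings]
    rows.sort(key=lambda r: (not r[1], SEVERITY_RANK[r[0].severity], r[0].library))
    return rows


def triage_report(findings, source):
    """Tag each finding with a remediation tier based on reachability."""
    calls = called_methods(source)
    report = []
    for f, reachable in prioritize(findings, calls):
        tier = "fix now" if reachable else "update in normal cadence"
        report.append((f.library, f.severity, tier, reachable))
    return report


if __name__ == "__main__":
    for lib, sev, tier, reachable in triage_report(FINDINGS, APP_SOURCE):
        print(f"{lib:12} {sev:9} {tier:26} {', '.join(reachable) or '-'}")
```

Note that http-client stays "high" severity but drops below the reachable finding: the library still gets updated, it just does not interrupt the sprint.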
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees
Flexible solution with an easy way to run a scan
Pros and Cons
- "There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode."
- "The scanning could be improved, because some scans take a bit of time."
What is our primary use case?
In India, we have a digital development center. I'm from the security team. There are teams who develop all the applications for security features and coding security analysis. We use the Veracode Static Analysis for all projects and applications within our organization.
How has it helped my organization?
All the top vulnerabilities are detected. This makes sure all our applications are up-to-date on market threats, which are occurring. It gives a good workaround process for the developers to secure their code and ensure all our applications are secure. Up-to-date vulnerabilities are detected. It detects the vulnerabilities in the market on time. We keep running the scan over regular intervals, which ensures that we are secure.
Veracode has helped with developer security training and building developer security skills. I had never used Veracode previously. The training portals really helped teach me how to run the scan, know the Veracode processes, what processes should be followed, and what Veracode is all about. The training has really helped everyone.
Veracode covers most policy scans of most of the top vulnerabilities, like mobile. It pretty much covers all the policies per our compliance guidelines.
We give the developer a specific SLA period to fix each severity part of the vulnerabilities. So, they have a certain time limit to fix it. They are very comfortable in receiving these threats and working on fixing them.
We are very much confident in the SCA scanning mechanism. If things are going fine, we can push it into production. On a scale from one to five, I can give it a four and a half.
What is most valuable?
There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode.
SCA enables developers to write secure code from the start. During the development process, we run the scan. If any threats or vulnerabilities occur, we make sure to fix them, then rerun the scan. Then, we move to production. We have all the applications of our organization on Veracode using CI for our pipeline.
We use the Static Analysis Pipeline Scan, and it provides a good benefit for our developers. Previously, we didn't have any of these kinds of tools within the organization. We were using a code quality tool, but Veracode also gives us code quality. It also detects the vulnerabilities within the application, which makes sure the quality of the application is treated well. Therefore, I can give it a rating of four and a half out of five.
What needs improvement?
The scanning could be improved, because some scans take a bit of time.
Many developers have commented on the packaging. It is quite different compared to other tools, so the packaging of codes could be changed. They should make it more uniform.
On the reporting, there should be an option like sending reports to groups or task ID.
For how long have I used the solution?
We have been using Veracode for one year within our organization.
What do I think about the stability of the solution?
The stability is good; there is nothing unstable about it.
What do I think about the scalability of the solution?
SCA scales well.
Most of the users are developers, about 90 percent. 100 to 150 employees are using Veracode as of now.
We have more than 30 applications. Some use it on a daily basis, then others use it on a biweekly or monthly basis.
We do have plans to increase usage. All our developers across our organization, across the globe, will start implementing Veracode within all their platforms or applications that they are developing very soon.
How are customer service and technical support?
We receive guidance for fixing vulnerabilities in case something is new to us, or we are stuck from there. We can very easily get consultation through calls and emails, which gets things easily clarified. That means we get things done quickly.
Which solution did I use previously and why did I switch?
We were using SonarQube previously, but just as a code quality tool.
How was the initial setup?
The initial setup was somewhere between straightforward and complex. I am not a developer, so I would not know how to package these codes and send them in for a scan. What I prefer is if there could be some mechanism where if I am a layman, then I just need to run a scan of the application. After that, there should be some option where I can get the project details. Instead of doing the packaging or some changes in the uploading part, this change would really help anybody who had to run the scan.
We have multiple applications developed at our organization, but it didn't take much time to deploy the solution to each. If a new application comes into the picture in our organization, we provide access, so they can start running the scan in one or two days.
What was our ROI?
SCA reduced the cost of AppSec for our organization, because of things like stability.
Which other solutions did I evaluate?
What other advice do I have?
I can be confident about more of our applications in production. We can be more confident against many kinds of external threats. The lesson learnt is about being proactive, which is a good thing in security.
Veracode integrates with our developer tool 95 percent of the time. It is supported very well because developers get to know why the security features are really important in any organization or application along with what they develop. They get to know the market standards of what the security threats are and how to fix them, making sure the coding or the applications are secure enough to move to production. However, with MuleSoft, it does not support most of the API parts.
We use cloud-based applications and take support from the community.
At the moment, we are only using SCA and Static Analysis, which we have been very satisfied with. However, we are not using their DAST or pen testing.
In our organization, we concentrate on high-end and medium alerts, but we really don't bother much with false positives.
I would rate this solution as a nine (out of 10).
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Manager, Information Technology at Broadcom Corporation
Our teams get a list of all vulnerabilities and incorporate fixes, ensuring that these issues do not happen in future code
Pros and Cons
- "It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
- "When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications, not for the C/C++ applications."
What is our primary use case?
Veracode has both static application security testing as well as dynamic application security testing, also called Dynamic Analysis. Our primary use case was on the static analysis side, not on the dynamic, because we have an automated tool in the dynamic analysis scope. So our primary use was static analysis security testing.
How has it helped my organization?
Application security improved a lot because the teams got a list of all vulnerabilities, they analyzed them, and then they incorporated the fixes. It helped ensure that these kinds of issues would not happen when they wrote code in the future, because when the fix was applied, it was applied to all the vulnerabilities. That means our AppSec improved greatly once we started using Veracode.
It has SAST, DAST, as well as SCA—software composition analysis, which is used for finding vulnerabilities in third-party components. All these are in one tenant. Veracode provides a uniform view that enabled us to see the vulnerabilities of an application holistically. Our primary use case was the SAST. The DAST and SCA were not for our products. It definitely helped reduce risk exposure because, no matter how secure the code you write is, ultimately, you end up using third-party libraries. So finding vulnerabilities in the third-party libraries is also essential and this unified view gave us a holistic security profile of the application, rather than just our code or just the third-party code or only static or only dynamic. All these pieces are combined to give a unified view. It helped give a holistic picture of the security status of the application.
What is most valuable?
The most valuable feature, from a central tools team perspective, which is the team I am part of, being a DevSecOps person, is that it is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage.
Also, because it's SaaS and hosted, we didn't have any infrastructure headache. We didn't have to think about capacity, the load, the scan times, the distribution of teams across various instances. All of this, the elasticity of it, is a major advantage.
There are two aspects to it. One is the infrastructure. The other one is the configuration. There are a lot of SaaS solutions where the infrastructure is taken care of, but the configuration of the application to start scanning takes some time to gain knowledge about it through research and study. That is not the case with Veracode. You don't have any extensive security profiles to consider. It's a two-pronged advantage.
Veracode also reports far fewer false positives with the static scanning. The scanner just goes through the code and analyzes all the security vulnerabilities. A lot of scanning tools in the market give you a lot of false positives. The false positive rate in Veracode is notably less. That was very helpful to the product teams as they could spend most of their time fixing real issues.
Veracode provides guidance for fixing vulnerabilities and that is one of their USPs—unique selling propositions. They provide security consultations, and scheduling a consultation is very easy. Once a scan is completed, anybody who has a Veracode login can just click a button and have a security consultation with Veracode. That is very unique to Veracode. I have not seen this offered in other products. Even if it is offered, it is not as seamless and it takes some time to get security advice. But with Veracode, it's very seamless and easy to make happen.
Along those lines, this guidance enables developers to write secure code from the start. One of the advantages with Veracode is its ability to integrate the scanning with the DevOps pipeline as well as into the IDEs of the developers, like Eclipse or IntelliJ or Visual Studio. This type of guidance helps developers left-shift their secure-coding practices, which really helps in writing a far better secured product.
Another unique selling point of Veracode is their eLearning platform, which is available with the cloud-hosted solution. It's integrated into the same URL. Developers log into the Veracode tenant, go through the eLearning Portal, and all the courses are there. The eLearning platform is really good and has helped developers improve their application security knowledge and incorporate it in their coding practices.
One of the things that Veracode follows very clearly is the assignment of a vulnerability to the CWE standard or the OWASP standard. Every vulnerability reported is tied to an open standard. It's not something proprietary to Veracode. But it makes it easy for the engineers and developers to find more information on the particular bug. The adherence to standards helps developers learn more about issues and how to fix them.
We use the Static Analysis Pipeline Scan as part of the CI pipeline in Jenkins or TeamCity or any of the code orchestrators that use scanning as part of the pipeline. There's nothing special about the pipeline scan. It's like our regular Veracode Static Analysis Scan. It's just that if it is part of the pipeline, you are scanning more frequently and finding flaws at an earlier point in time. The time to identify vulnerabilities is quicker.
Veracode integrates with the integrated development environments that the developers use to write code, including Microsoft Visual Studio, Eclipse, IntelliJ IDEA, etc. It also integrates with project and portfolio management tools like JIRA and Rally. That way, once vulnerabilities are reported you can actually track them by exporting them to your project management tools, your Agile tools, or your Kanban boards. The more integrations a scanning tool has, the better it is because everything has to fit into the DevOps or DevSecOps pipeline. The more integrations it has with the continuous integration tools, the IDEs, and the product management tools, the better it is. It affects the adoption. If it is a standalone system the adoption won't be great. The integration helps with adoption because you don't need to scan manually. You set it up in the pipeline once and it just keeps scanning.
What needs improvement?
When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications.
For C++ based languages, or languages where there is a platform dependency—for example, if I write C language code it is dependent on whether I'm executing that on Windows, or on Linux, or another platform—and with some of these platform-specific languages, Veracode makes something called debug symbols that are introduced into the code. That gets cumbersome. They could improve that or possibly automate it. If Veracode could quickly analyze the code and make file-line flags, that would be great. It is easy to do for Java, Python, and Perl, but not so easy for C++. So when it comes to the debug symbols, guidance or automation could be improved.
Also, scan completion, as well as scanning progress, is not reported accurately. Sometimes the scan says it will complete in two to three hours but it will take four or five hours. That is one of the areas where they can give a more accurate estimate.
For how long have I used the solution?
I used to work for CA Technologies, which was acquired by Broadcom. Back in 2017, CA Technologies acquired Veracode, and that is when I started administering Veracode. Since it was a CA product, all product teams in various business units within CA were asked to adopt Veracode for their static analysis. My team is the central tools team and had the responsibility of enabling and deploying Veracode for all the product teams. So we used Veracode starting in 2017. I used it both in a DevSecOps lead role and as a Veracode admin and security admin.
What do I think about the stability of the solution?
It's quite stable because everything is in the cloud. I really don't need to worry about the stability at all or the frequency of the scans. It's all taken care of by the Veracode platform.
What do I think about the scalability of the solution?
It is scalable. We had about 500 applications, out of which 200 were being scanned regularly. It was in the AWS infrastructure and it was quite scalable. The elasticity was all taken care of. We were scanning a huge set of enterprise products.
We had roughly 2,000 Veracode users. Generally they were developers but there were QA people, as well as the program managers because they needed to add the vulnerabilities and see the health of the product. We also had security champions to advise the product teams on their scanning and vulnerabilities. In addition, general security also accessed it to provide consultation on how to fix vulnerabilities. We were able to give privileges and access control based on each individual.
We stopped our use of Veracode on November 1st, 2020, about 30 days ago. But when we were using it for the three-and-a-half years, the usage was very extensive.
How are customer service and technical support?
The customer support was two-pronged. One was the security consultation and that was top-notch. The security support helped teams understand the vulnerabilities.
The regular customer support for issues was quite prompt and had good SLA turnarounds.
What was our ROI?
Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license. It's a good return on investment because it improves the application security for all the different types of scans.
It reduced the cost of AppSec for our organization because otherwise we would have had to go through multiple vendors for application security. With Veracode, one solution fit all our needs. It reduced the AppSec cost by reducing the numbers of vendors. Typically, you would have different products for different types of scanning. For static analysis you might use one tool, and for dynamic another, and for third-party software composition analysis you might use another. And after using all those tools, you might still have to consult with another vendor. Veracode combines all this into a single solution.
I would estimate that it saved us $500,000 a year.
Which other solutions did I evaluate?
We have been using the Synopsys tool from Coverity for our static analysis.
Veracode is superior in terms of infrastructure because it is cloud-hosted. We don't have that with Coverity on-premise. We need to take care of capacity planning, infrastructure procurement. Also, with Coverity we have to invest some time to enable various checkers. The security profile configuration takes time compared to Veracode.
Coverity, on the other hand, is more robust and it works with the C programming languages.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Principal for the Application Security Program and Access Control at an engineering company with 10,001+ employees
The time savings has been tremendous, but the UI is too slow and its user experience has much to be desired
Pros and Cons
- "The time savings has been tremendous. We saw ROI in the first six months."
- "There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."
What is our primary use case?
We use it for dynamic scanning and Static Code Analysis as well as for Software Composition Analysis (SCA).
We do use this solution's support for cloud-native applications.
How has it helped my organization?
We are a startup with 350 employees. The AppSec program initially was focused on and aligned with regulatory audit and compliance. However, over the past two years, we have "shifted left": integrating AppSec early in our SDLC process. Having this tool has fast-tracked our response times in terms of scanning the code for third-party library vulnerabilities.
What is most valuable?
The SCA, which detects vulnerabilities in third-party and open source libraries, was something new for us and is very well done. It provides guidance for fixing vulnerabilities.
What needs improvement?
When we go from the dynamic scan to static scan to SCA, there is a huge change in the UI. This was not relayed to us when we were buying the product nor during the demo. They mentioned, "Yeah, this was an acquisition. The third-party library scanner was an acquisition from SourceClear."
You can see there is a huge difference in the user experience in terms of both the display as well as the usability of the product. That is one of our pet peeves: They are not normalizing the UI across the three product segments. We had numerous calls with them early on because we were new to the platform. The sales team is not aligned with the support team. The support team keeps telling us to use a different UI versus the one that the sales team showcased during the sales cycle.
There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed. It is ironic that they claim to be an agile AppSec tool, but their UI doesn't reflect that.
We had a couple of consulting calls, and perhaps it was the engineers that we got, but they were not really up to speed with our frameworks. They were very focused on .NET and Java, which are legacy frameworks for us. We don't use these at all in our code base. We are using the newer, modern web frameworks, like Django. They have very little coverage or knowledge base on these, especially on the mobile side.
There are a lot of faults with the Static Analysis Pipeline Scan tool. Their tool seems to be very good with legacy products, which are developed in .NET and Java frameworks, but there are false positives when it comes to using modern web frameworks, like Python and Django. The C++ code doesn't even scan. We have spent at least three weeks worth of time going back and forth because it won't support the use cases that we have.
For how long have I used the solution?
We have been using Veracode for over a year now.
What do I think about the stability of the solution?
It hasn't gone down. Nobody has complained about the Pipeline Scan being broken. The couple of times that they have, it was more to do with our ineptitude than with the platform capabilities. Once we understood how the platform is working and the gotchas associated with it, we were able to have a workaround within its constraints.
For our use case, it is sufficient. It has been up and running for quite some time and we haven't had any downtime experience with it. We get proactive notifications from Veracode about any upcoming maintenance, batch schedules, and other things. They have been pretty good with that.
What do I think about the scalability of the solution?
There haven't been any issues with multiple users logging in and slowing it down. It has just been inherently slow.
How are customer service and technical support?
We clearly mentioned during our purchase cycle that we have C++ code, a Swift code from a US perspective, Python libraries, etc. We were given assurances that these were absolutely covered under the solution. However, when we started investigating through support tickets, they admitted that these were not supported. We have very limited support for C++ code scans and other things. That was a bummer from my perspective.
The support has been good. However, we work in an agile environment and our release cycles are literally every two weeks. Their response times have been very delayed, especially as we are in the Pacific Time Zone and they are in the Eastern Time Zone.
They have a great support portal to do self-service. We have been pretty impressed with that, but we soon realized that anything you pick is 10 days to two weeks out. That has been a non-starter for us. We had to constantly escalate through our account team to get an engineer on the call, because we were in the middle of a release and needed to scan the product at the moment.
At this point, we are doing sandbox scanning. We have implemented it with our Jenkins CI/CD tool to really scan the code, upload, etc. It took a while for us to figure it out because the support wasn't really helpful. We had to hack our way into getting through the documentation. Since the time they acquired SourceClear, they haven't really cleaned up or integrated the documentation well, and that may be one of the reasons. However, we were able to find the right combination of keys to make it work.
Which solution did I use previously and why did I switch?
We were previously using WhiteHat Security. Their lack of customer service prompted us to switch. Every question that we asked was just going into a black hole. The only time that we got any response was when our account was up for renewal. We had a long discussion with them to get a rationale behind their lack of response, and that was the only time they listened. There was no follow-up. That is when we decided that this is not a partnership that we wanted to continue anymore.
Veracode has automated a lot of the manual stuff that we were doing in terms of scanning third-party libraries. With any given release, I was spending from eight to 10 hours manually scanning through all third-party libraries for vulnerabilities. Now, it is all within the Pipeline. So, I am saving about 10 hours in a given month with it.
How was the initial setup?
The initial setup was moderately complex. The onboarding of the tenant, single sign-on, and access control were easy, but when it came to the real work of integrating the Pipeline Scan and our ticketing system, that is broken at this point. I spend most of my time manually doing this, and if they could fix that portion, that would save me another two hours worth of my time with every release.
The deployment took two to three weeks.
Because this was a SaaS service, we just onboarded one team, then looked through some of the gotchas from login and access perspective. Once the pilot users were all cleared up for any potential issues, we then onboarded the rest of the team. We have a small team of 40 users from a development perspective.
It's pretty straightforward from an onboarding perspective because it is all SaaS. We just needed to whitelist some IPs from Veracode for scanning some of our code, which are not publicly available. Beyond that, everything was pretty straightforward.
What about the implementation team?
The solution was implemented by an internal consultant and me.
What was our ROI?
The time savings has been tremendous. We saw ROI in the first six months.
What's my experience with pricing, setup cost, and licensing?
It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent.
We bought the product for its expected benefits, in terms of all the bells and whistles that we saw during the sales cycle. When it came time to really implement it, that is where we have been having buyer's remorse.
Which other solutions did I evaluate?
We evaluated Micro Focus, Black Duck, SonarSource, and Coverity. We felt Micro Focus was the closest to really addressing all three of our needs, which is SAST, DAST, and the third-party software composition analysis. Micro Focus had the most complete execution from an implementation perspective, but it was very expensive for us. We went with Veracode because it was within our price point.
We are getting huge value out of the dynamic scan and third-party library scanning. However, the initial euphoria has died down at this point, so we will be looking at additional tools to augment some of the solution's shortcomings.
What other advice do I have?
It is good for third-party scanning and if your code base is all modern web frameworks. It is also great for the third-party analysis. However, the Software Composition Analysis is not good if you have C++ code or anything legacy, as it does not cover that. It also does not cover iOS code. It has a lot of constraints.
The solution’s policy reporting for ensuring compliance with industry standards and regulations is fine. We are using it for internal reporting, but we haven't really dug into the policy definitions and tweaking them. We are using its default policies.
As part of our validation and testing, we are able to catch vulnerable code early on. That has been helpful. Automating some of the process has been really helpful, at least from our team's effort perspective. The tool highlights the risk associated with vulnerabilities. That effort is very much automated with this tool.
I would rate this solution as a six out of 10. If you have legacy applications, the solution is great. Their SaaS scanning is geared towards that. If you have modern frameworks, the SaaS scanning and dynamic scanning don't provide much value. My advice to anybody looking at Veracode: Use them for third-party scanning. They are really good at that because of their SourceClear acquisition. For the rest of their products though, just keep looking.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Architect at a financial services firm with 1,001-5,000 employees
Effective at preventing vulnerable code from going into production, but static analysis is prone to false positives
Pros and Cons
- "The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
- "The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."
What is our primary use case?
We use it to scan our web applications before we publish them to see if there are any security vulnerabilities. We use it for static analysis and dynamic analysis.
How has it helped my organization?
Veracode has helped immensely with developer security training and in building developer security skills. Before we implemented it, we would find a lot more vulnerabilities in our applications. Now, with Veracode, the developers have started doing a lot more secure coding and they have much better coding practices.
It has also helped our organization to review code quicker, about 50 percent quicker, and to deploy more secure code.
And when it comes to the solution's ability to prevent vulnerable code from going into production, so far, I haven't seen any instances in which we've had false negatives. So it's pretty effective at that.
What is most valuable?
Among the most valuable features are the ability to
- submit the software and get automated scan results from it
- collaborate with developers through the portal while looking at the code
- create compliance reports.
Otherwise, we would have to do working sessions with developers and pull together all the different findings and then probably manage it in a separate mechanism like Excel. And to have to go through source code manually would be quite time intensive and tedious.
The solution also provides you with some guidance as well as best practices around how vulnerabilities should be fixed. It points you in that direction and gives the developers educational cues.
In addition, the policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards.
The solution also integrates with developer tools such as Visual Studio and Eclipse.
What needs improvement?
It's pretty efficient, but sometimes the static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools. In some cases, they might have other mechanisms which would deal with a particular vulnerability, but it wouldn't be captured in the code. I would estimate the false positive rate at about 20 percent.
Upon review, the developers understand the solution. But when they get the initial list of findings, it can be a bit daunting to them if it's not managed appropriately.
Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved. There are times when we need a quick turnaround but it will take a little while. We might have something scanning and not get a result until the following day. It's not too critical, but it does increase the delay. Most of the time, when developers submit their code, because of the way that we use it, it's because in their minds they're ready to have that code deployed into production. But the security testing, especially with the feedback, introduces additional time into the project, especially if a security fix is needed.
For how long have I used the solution?
I have been using Veracode for about two years.
What do I think about the stability of the solution?
There have been no issues with the stability. We haven't had any outages or any unavailability of the system, so far.
What do I think about the scalability of the solution?
We have about 40 developers but we use this product per project rather than per developer. All our projects will pass through this product. At any given time we have about 10 to 12 projects going on. Outside of developers, it's just the five security team members who also use Veracode.
Any increase of usage will be based on the business and if there are more software projects. Whenever there are additional software projects, we will then increase our usage.
How are customer service and technical support?
Their technical support is good, but we haven't really had to use it much, so far.
How was the initial setup?
The initial setup was pretty straightforward but, depending on the type of applications or the types of code that you're using, the setup requirements may be a little different. It takes a little getting used to, based on the environment in which you're working.
For example, for Visual Studio, it might have specific requirements that are needed to package an application for scanning, whereas an Angular application would have different requirements. For me, as a non-developer, the issue would be around understanding those different requirements for each development environment.
Our deployment didn't take long; it took a couple of days. There were three people involved, including a developer, someone setting it up, and a code reviewer. By "setting it up" I mean putting in the applications, saying what the application does—providing the business rules of the application.
We didn't have a specific strategy for deploying it. The software is pretty straightforward, once you have the application bundles to be scanned. There's not a whole lot to do after the packaging.
Maintenance-wise, it doesn't take much because it's SaaS. We don't really do much on our end.
What about the implementation team?
We did it in-house with Veracode. Working with Veracode for the deployment was pretty easy, pretty straightforward.
What was our ROI?
We've seen ROI in that we've cut down on the number of penetration tests we've been doing by about 50 percent, and also because of the stage at which the vulnerabilities are found, before they get into production. That means the risk has also been reduced.
It has reduced the cost of application security for our organization, but more than it has reduced the cost, it provides better software assurance.
What's my experience with pricing, setup cost, and licensing?
In addition to the standard licensing fees there's a support cost and an implementation cost at the beginning.
Which other solutions did I evaluate?
This year I looked at other vendors in the market, including Synopsys, Contrast, and Checkmarx. What I didn't like about them is that their licensing models are based on how many developers you have. That wasn't a good fit for me. In addition, Checkmarx didn't have a SaaS solution.
What other advice do I have?
If you are doing pipeline-based implementation, it would be more complex than the way that I'm doing this, but I didn't see any real challenges that would be tool-specific or vendor-specific, with implementation.
Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive. But if you have maybe one or two developers doing many projects, then you might look more towards software that has a developer-centric model.
We don't use the Static Analysis Pipeline Scan because of the build process that our developers use. They don't really have an automated build pipeline in which they push the code to production. Also, with the false positive rate, it's a bit tricky when you implement that into the pipeline, as it might stop a developer from pushing code out to test. We use it more like a gate. The developers submit the code to us and then we scan it and review it with them.
The biggest lesson I've learned from using Veracode is that you need to manage it with the developers, so that you speak through the findings with them. It's not just a tool that you throw down their throats.
Overall, I would rate it at seven out of 10. Ideally, I would prefer a product that had the interactive testing, as well as the ability to scan a little faster.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Information Assurance Manager at xMatters
Centralized view shows the status of all scans, and if I want more information about something, it's one click away
Pros and Cons
- "In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
- "Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
- "The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same ID number. That part is a little bit complicated from my perspective, because that's what I use the most."
What is our primary use case?
We have three use cases. We have the dynamic scans that we use to scan the production, public-facing URLs. We also use the static scan where we work with the Dev team and scan the code base for the web application and the mobile application on both iOS and Android. Our third use case is manual penetration tests, which my team manages. We do annual manual penetration tests.
It's deployed to our platform infrastructure, which is in a public cloud.
How has it helped my organization?
We have some major clients using Veracode. It saves us time when it comes to doing annual pen tests. When we say we're using Veracode and they are also using Veracode, we don't have to run the test twice. They accept what we have because they know the framework is going to be the same.
A pen test can take a month; it really depends on the number of flaws that are found. So when we don't have to run a pen test twice it saves a lot of time. It not only saves time for my team, but for other teams as well, because when we run a third-party pen test for clients, I not only need to have my team coordinating it, but it requires documentation and it requires my technical support to be involved. So it saves a lot of time for a number of teams.
The report content is very good because the reports are structured in a way that they explain the scope of the scan and what the policy is. A report shows, right at the beginning, if we have passed the scan for the policy or not. That's very helpful when sharing that report externally. It's something that we didn't have before and having that now is extremely useful because it avoids a lot of back and forth with clients. If we share a report and there is no further explanation necessary on how the scan works and what we're doing to fix the flaws, it saves additional manual work that would otherwise be needed to update that information. With Veracode, we can do it automatically, just by pulling a report from the dashboard. In addition, whatever they have on the reports meets industry expectations.
Veracode provides visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in a centralized view. I manage the team, I'm not involved in the daily operations. But as a manager, it's extremely helpful, because I just log in to my Veracode instance and, on the homepage, it shows the status of all the scans. If I want more information about something, it's one click. From a managerial perspective, it's extremely helpful. The centralized view helps reduce risk exposure. If there is something wrong with a scan, if a scan doesn't run or a scan is not complete, I know about it from the main dashboard.
In addition, the solution integrates with developer tools. That creates more efficiency in the workflows because they don't need to duplicate work.
Overall, its ability to prevent vulnerable code from going into production is very good. We recently onboarded a new application into the static scan and we had almost 1,000 flaws in the first scan. We were able to mitigate all of them in less than three months. The result was amazing, enabling us to find everything that could potentially create a problem for us.
What is most valuable?
All of its features are valuable to us. We are ISO certified and we also do annual SOC 2 audits. We deal with personal, identifiable information and we host confidential information from our clients. Our use of Veracode is based on our clients' requirements and on ISO requirements. It is something that we have in place to comply with what is required. In that context, the manual penetration test is a requirement from all our clients and we do it once a year.
In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application. The dynamic scanning is mostly used to make sure that whatever is deployed to production is secure.
Veracode provides guidance for fixing vulnerabilities. This doesn't enable developers to write secure code from the start, but Veracode provides guidance through security consultants. We can book consultations in case developers cannot fix a specific flaw, and they guide us through the process based on the CWE.
The efficiency of the solution when it comes to creating secure software is good. For us, it works well. Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers.
Its policy reporting for ensuring compliance with industry standards and regulations is very helpful. We can create our own policy, based on our internal risk management guidelines, and run the scans against our own customized policy. That way we can set expectations to fix flaws based on our internal timeline, and we can issue reports based on that. We usually share those reports with clients. That's very useful.
They are also always updating the types of threats and that's very useful.
In addition, they provide analytics on how we're doing in terms of fixing flaws and mitigating issues.
All of the services that Veracode provides are necessary for the type and the level of security and confidentiality that we need.
What needs improvement?
Whenever there is a mitigation that is submitted through the platform, I'm the one who approves it. The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same ID number. That part is a little bit complicated from my perspective, because that's what I use the most.
For how long have I used the solution?
I have been using Veracode for a year.
What do I think about the stability of the solution?
The stability is good. We have never had problems.
What do I think about the scalability of the solution?
We will be using more of our products in Veracode starting in January. We added one more application into the dynamic scan and we added a couple more manual penetration tests to our projects. Once you understand how it works, it's very easy to deploy to different applications.
In terms of increasing our usage of the solution, we probably won't for the next couple of years, but we never know. It really depends on the requirements that we have from clients and the requirements of the standards and the regulations. Now, we are covering most of the applications and use cases that we need. We are doing 100 percent of the code base. We are doing dynamic scans on all the URLs in production, and the manual pen tests are also covering all the applications.
We are doubling the ACV with Veracode for 2021, and that's a lot. After that, we're going to be good for the next couple of years, unless there is something new and the Dev team needs to use some other feature that I'm not aware of at this point.
For the dynamic scans I have a couple of people from the technical support team and one person from operations. For static scans, I have my entire iOS and Android team because, depending on the type of flaw, the ticket is given to different developers. I have about 20 to 25 Veracode users.
How are customer service and technical support?
Their technical support is usually very quick. They usually get back to us in less than 24 hours. We had a problem recently and it was the first time that we had a problem with Veracode support. We didn't get an outcome for three weeks and it created a major problem, but they usually get back to us in 24 hours.
Their Knowledge Base, their help site, is very useful. Most of the time we can find the information that we are looking for there. Sometimes we consult with their support team, but we can usually find information in their help site.
Which solution did I use previously and why did I switch?
We were using WhiteHat. We switched because the dashboard was very bad and there were no analytics. The UI was also very bad, so it was not easy to manage it. Also, most of our big clients were using Veracode and asking us to migrate to Veracode. It was a combination of things.
How was the initial setup?
The setup was straightforward. It takes some time in the beginning to onboard, but our onboarding process was easy from the moment that we actually connected the Dev team with Veracode. It's normal to have a certain degree of difficulty in the beginning but we didn't have any major problems.
Our deployment took between a month and 45 days.
We migrated from another vendor, so we first picked the services that we needed and the type. We started with the same scans that we had with the other vendor, and then we divided the work between the different teams. We had to have the iOS team onboard and the Android team onboard. I presented the new tool to them and created the accounts and, after that, we had parallel projects to onboard the different scans. It was definitely easier because I had different teams taking care of each one of the scans, meaning I could do everything in parallel.
For the dynamic scans we had one person involved from the technical support team. It was super-straightforward and super-easy to do. It took us a couple of hours to do it. The static scan takes a little bit more time because you have to prepare the packages. But we already had the packages ready because we migrated from another vendor. It took us some time to adjust the scans, but the actual work of uploading the packages took less than a week.
What was our ROI?
There is no direct ROI. There is a cost of security, overall. It saves a lot of time and it allows us to have the certifications and comply with the clients' requirements, but it's very hard to have a direct ROI. It's a cost for compliance and security that is worth it.
What's my experience with pricing, setup cost, and licensing?
Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive.
There is also a fee for the support package, which I think is extremely expensive. We used to have the premium support and we didn't use most of it, so we're downgrading to the basic support, and even the basic support is expensive.
Which other solutions did I evaluate?
We evaluated BitSight. The main advantage of Veracode was the UI, the dashboard. It's very easy to use and to manage.
What other advice do I have?
I can give advice to other managers. If they are willing to properly manage, but they don't have the time or the bandwidth to actually operate, it's a very good tool. It's easy to get access to information and it's easy to understand what's going on with your application without much of a burden. You don't have to waste a lot of time trying to understand a complicated report. Everything is accessible. And the amount of information that Veracode gives based on the flaws is very straightforward and makes it easy for the Dev team to fix them.
I would rate it at eight out of 10. The tool itself is a very good tool. The way they work to update the flaws and the findings is very effective. But the support is a little bit expensive and it could be a little bit better. And there are few things that could be updated in the UI, but overall it's a very good tool.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Google
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Chief Security Officer at Digite
The centralized view of different testing types helps reduce our risk exposure
Pros and Cons
- "The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."
- "If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."
What is our primary use case?
We use Veracode primarily for three purposes:
- Static Analysis, which is integrated into our CI/CD pipeline, using APIs.
- Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL.
- Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.
How has it helped my organization?
For the issues that are being reported by Veracode, normally we collect those issues, and at least once a quarter, we have an awareness session with the developers. We then explain what the vulnerable pattern that has been caught is and how to avoid it in the future, so they will not introduce it in the first place.
The main benefit of Veracode is it can give you a report in various formats, e.g., PCI compliant. That is very helpful for us. It gives our customers confidence because they trust Veracode. When we submit a report generated by Veracode, they accept it. We have seen in the past that this has helped us during the pre-sales cycle, and from that aspect, it is pretty powerful.
The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end.
What is most valuable?
The static code analysis, which is integrated into the CI/CD environment, is a valuable feature. We get quick results of what has gone into the environment in terms of any vulnerability in the code and for the Eclipse plugins of Veracode. This is one of the more valuable features because a developer can get a sense at the line level if there are any issues.
What needs improvement?
It is pretty efficient when creating secure software. For one or two particular applications, the dynamic code analysis can take too much time. Sometimes, it takes three days or more. That is where we find speed getting dragged. Apart from that, it is pretty efficient for us to get results and make our software secure.
If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us.
They could probably provide some plugins for Visual Studio Code.
For how long have I used the solution?
Five years.
What do I think about the stability of the solution?
It is pretty stable with no issues.
What do I think about the scalability of the solution?
If they need to scale back-end infrastructure to make the scan faster, then they should do it. Apart from that, there are no issues to mention.
One person can just start a scan. In our case, the DevOps team does it. They configure it once, then do it. However, the cycle takes time, depending on the codebase size, to look at an issue, identify if there are true positives, and then work on it. It is one person's almost full-time job.
I have a team of around six security professionals who work on Veracode and use the tool. Two of them are team leads, two of them are senior developers, one is a DevOps engineer, and another one is a junior developer.
How are customer service and technical support?
We normally create a ticket for Veracode support, then they respond back within 24 hours. Our experience with them is generally very positive.
Normally, the report that we get is self-explanatory, but sometimes there are false positives or some issues that we don't understand. For those, we schedule a consultation call, where they then come on a call and provide guidance on how to fix them. That is pretty cool.
Which solution did I use previously and why did I switch?
Before Veracode, we had a manual process where we hired white hat hackers. They used to do all the scanning, then submit a report. That process was pretty lengthy. It sometimes could go on for three to six months. Nowadays, for static code scanning, we are doing it on a regular basis. Since there are not many issues reported, we can fix them on the fly. For dynamic code analysis, it still takes a week's time because the scanning itself takes three days sometimes. Then, once the scanning is done, we check if there is an issue, fix it, and then start the scan again. That is a week-long process, but the rest is pretty much under control.
How was the initial setup?
At the time that we set it up, it was quite complex. Now, they have made it pretty simple to use and a brief process. However, we felt the process was quite complicated when we did it. For example, when we initiated the static scan for the JavaScript, we needed a lot of instrumentation. That specific instrumentation needed to be done at the JavaScript layer. Now, they can accept the bundle as it is and still identify the issue at the line number level. So, that is an enhancement.
They have done some improvements on the triage screen where you can look at all the issues. You can perform various actions over there, like mitigations or adding comments. They have simplified that interface a bit and made it a little faster. Earlier, the check-in and check-out operations used to take quite a bit of time. However, now, it is quite fast. If we had to redeploy it from scratch, it would take around 30 minutes.
To start a static code scanning, do an upload, and start a scan, it hardly takes 10 minutes.
What about the implementation team?
We do the setup and implementation ourselves.
What was our ROI?
Veracode has definitely helped us close deals with the software being compliant to our customers' various standards.
Before we had Veracode, customers might have demanded some scanned compliance reports, which we didn't have. Because of that, we might have lost some customers during the pre-sales cycle. That cost is huge compared to what we are paying for Veracode.
It has saved our developers' time from six months to two weeks.
What's my experience with pricing, setup cost, and licensing?
If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount.
Which other solutions did I evaluate?
We also used Contrast Security for real-time scanning on an experimental basis. If that is successful, we will probably roll that out. Contrast Security is very focused on runtime scanning. Veracode also has some kind of module for this that we have not explored. However, the Contrast Security tool was suggested to us by one of our customers. We have not compared Veracode and Contrast Security yet.
The other tool which we use is Burp Suite for performing some manual verification. This is for what Veracode is not able to do. Our customers are also reporting some vulnerabilities because they have their own scans. To verify those types of issues, we use Burp Suite. Burp Suite is pretty handy when you want to quickly do some penetration testing and verify some vulnerabilities. It is definitely a unique tool, and I don't think there is this kind of module with Veracode.
What other advice do I have?
I'm pretty confident about Veracode's ability to prevent vulnerable code from going into production when I'm using it.
When you use Veracode, instead of using it as a manual tool, you should integrate it into your CI/CD pipeline. This way, every build is certified. Then, if there is an issue, you will know about it earlier in the development cycle, not later. Because as the time passes, it becomes more difficult to fix that issue.
With Veracode's support for cloud-native applications, there are some components of our application (which are cloud-native), that we treat in the same way as regular software, e.g., the source code and dynamic URLs. We don't have a model where we can do the real-time scanning. This is something which is currently in talks for maintaining the security of the distributed application. Hopefully, that should get implemented in about two months' time.
The reports that they share have been pretty informative, but someone has to go through them and read them quickly. In the early days, they might have offered some kind of training plan, but we did not opt for that.
Veracode has a plugin which we use, and it works with developer tools.
While there are false positives, there aren't many (around 10 percent). We normally farm these out to the Veracode team, who act accordingly. Our developers still report 90% valid issues, and this is satisfactory for us.
Biggest lesson learnt: Security should not be an afterthought.
I would rate this solution as an eight out of 10. I took off points due to the extra time that it takes to do the dynamic scan.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.