Veracode Reviews

We use Veracode primarily for three purposes:

1. Static Analysis, which is integrated into our CI/CD pipeline, using APIs. 
2. Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL.
3. Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.

For the issues that are being reported by Veracode, normally we collect those issues, and at least once a quarter, we have an awareness session with the developer. We then explain that what is the vulnerable pattern that has been caught and how to avoid it in the future, so they will not introduce it in the first place.

The main benefit of Veracode is it can give you a report in various formats, e.g., PCI compliant. That is very helpful for us. It gives our customers confidence because they trust Veracode. When we submit a report generated by Veracode, they accept it. We have seen in the past that this has helped us during the pre-sales cycle, and from that aspect, it is pretty powerful.

The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end. 

The static code analysis, which is integrated into the CI/CD environment, is a valuable feature. We get quick results of what has gone into the environment in terms of any vulnerability in the code and for the Eclipse plugins of Veracode. This is one of the more valuable features because a developer can get a sense at the line level if there are any issues. 

It is pretty efficient when creating secure software. For one or two particular applications, the dynamic code analysis can take too much time. Sometimes, it takes three days or more. That is where we find speed getting dragged. Apart from that, it is pretty efficient for us to get results and make our software secure.

If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us.

They could probably provide some plugins for the Visual Studio code.

Five years.

It is pretty stable with no issues.

If they need to scale back-end infrastructure to make the scan faster, then they should do it. Apart from that, there are no issues to mention.

One person can just start a scan. In our case, the DevOps team does it. They configure it once, then do it. However, the cycle takes time, depending on the codebase size, to look at an issue, identify if there are true positives, and then work on it. It is one person's almost full-time job.

I have a team of around six security professionals team who work on Veracode and use the tool. Two of them are team leads, two of them are senior developers, one is a DevOps engineer, and another one is a junior developer.

We normally create a ticket for Veracode support, then they respond back within 24 hours. Our experience with them is generally very positive.

Normally, the report that we get is self-explanatory, but sometimes there are false positives or some issues that we don't understand. For those, we schedule a consultation call, where they then come on a call and provide guidance on how to fix them. That is pretty cool.

Before Veracode, we had a manual process where we hired white hat hackers. They used to do all the scanning, then submit a report. That process was pretty lengthy. It sometimes could go on for three to six months. Nowadays, for static code scanning, we are doing it on regular basis. Since there are not many issues reported, we can fix them on the fly. For dynamic code analysis, it still takes a week's time because the scanning itself takes three days sometimes. Then, once the scanning is done, we check if there is an issue, fix it, and then start the scan. That is a week-long process, but the rest is pretty under control.

At the time that we set it up, it was quite complex. Now, they have made it pretty simple to use and a brief process. However, we felt the process was quite complicated when we did it. For example, when we initiated the static scan for the JavaScript, we needed a lot of instrumentation. That specific instrumentation that needs to be done at the JavaScript layer. Now, they can accept the bundle as it is and still identify the issue at the line number level. So, that is an enhancement.

They have done some improvements on the triage screen where you can look at all the issues. You can perform various actions over there, like mitigations or adding comments. They have simplified that interface a bit and made it a little faster. Earlier, we used to take quite a time for the check-in and check-out operations. However, now, it is quite fast. If we had to redeploy it from scratch, it would take around 30 minutes.

To start a static code scanning, do an upload, and start a scan, it hardly takes 10 minutes.

We do the setup and implementation ourselves.

Veracode has definitely helped us close deals with the software being compliant to our customers' various standards. 

Before we had Veracode, customers might have demanded some scanned compliance reports, which we didn't have. Because of that, we might have lost some customers during the pre-sales cycle. That cost is huge compared to what we are paying for Veracode.

It has saved our developers' time from six months to two weeks.

If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount.

We also used Contrast Security for real-time scanning on an experimental basis. If that is successful, we will probably roll that out. Contrast Security is very focused on run time scanning. Veracode also has some kind of module for this that we have not explored. However, the Contrast Security tool was suggested to us by one of our customers. We have not compared Veracode and Contrast Security yet.

The other tool which we use is Burp Suite for performing some manual verification. This is apart from what Veracode is not able to. Our customers are also reporting some vulnerabilities because they have their own scans. To verify those types of issues, we use Burp Suite. Burp Suite is pretty handy when you want to quickly do some penetration testing and verify some vulnerabilities. It is definitely a unique tool, and I don't think there is this kind of module with Veracode.

I'm pretty confident about Veracode's ability to prevent vulnerable code from going into production when I'm using it.

When you use Veracode, instead of using it as a manual tool, you should integrate it into your CI/CD pipeline. This way, every build is certified. Then, if there is an issue, you will know about it earlier in the development cycle, not later. Because as the time passes, it becomes more difficult to fix that issue.

With Veracode's support for cloud-native applications, there are some components of our application (which are cloud-native), that we treat in the same way as regular software, e.g., the source code and dynamic URLs. We don't have a model where we can do the real-time scanning. This is something which is currently in talks for maintaining the security of the distributed application. Hopefully, that should get implemented in about two months' time.

The reports that they share have been pretty informative, but someone has to go through them and read them quickly. In the early days, they might have offered some kind of training plan, but we did not opt for that.

Veracode has a plugin which we use, and it works with developer tools.

While there are false positive, there aren't much (around 10 percent). We normally farm these to the Veracode team, who act accordingly. Our developers still report 90% valid issues, and this is satisfactory for us.

Biggest lesson learnt: Security should not be an afterthought. 

I would rate this solution as an eight out of 10. I took off points due to the extra time that it takes to do the dynamic scan.

We focus on these two use cases: 

1. Our first use case is for Static Analysis (SAST). The purpose of it is to scan our code for any vulnerabilities and security breaches. Then, we get some other reports from the tool, pointing us to the problematic line of code, showing us what is the vulnerability, and giving us suggestions on how to fix or mitigate them.
2. The second use case is for the Software Composition Analysis (SCA) tool, which is scanning our open sources and third-party libraries that we consumed. They scan and check on the internal database (or whatever depository tool it is using), then they return back a report saying our open sources, the versions, and what are the exposures of using those versions. For any vulnerability, it suggests the minimum upgrades to do in order to move to another more secure version.

Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely.  By adopting their suggestions, we are fixing this vulnerability.

Once you run the tool and realize that it is not secure to use a certain method or function, then you fix it. Next time that you want to add new code, you don't want to repeat that mistake. So, you're already adopting the original suggestion, then writing more security code.

If we continued to scan and fix issues, which is an ongoing battle because every day as there are new vulnerabilities, we are on the safe side.

It is faster to adopt and use because it's a SaaS software. As a service tool, we didn't have to deal with any installation emails. We also didn't have to download packages, upgrade, or maintain their on-prem machine, which is usually the case for on-prem solutions. This is a critical point that we needed to consider when adopting the right tool. So, SaaS was a deal breaker for us. 

I don't have any complaints about the policy reporting for ensuring compliance with industry standards and regulations. It is good and a mandatory part of our process.

We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it.

About six months.

The technical support was good. Even with the time zones changes, they took the examples that we provided about how our call works and investigated them. When they didn't get an answer initially, they contacted someone else to assist. Overall, our experience was good.

The turnaround time and response times are good. We always got a response, even if they said, "It will take a while, as we are still investigating." One day after always, we always got a response, even if it was, "We need time to investigate." 

I would differentiate between the initial response time for our needs and the resolution time for the issue. The representative themselves respond pretty quickly to our needs. We exchange phone calls with them or email, and they responded quickly. Some of the issues that we experienced were due to our specific code languages and packages that didn't work smoothly with the tool. For those, the representative had to approach the Veracode R&D team. It took more time to involve R&D, but we eventually got a resolution from them after a few days.

To get into the solution, it took some tries to understand the structure of our repository and the code that we were using to write dependencies, etc. So, it took a bit of time, but then in the end, the solution was easy to connect.

It took about a month until we completed integration of Veracode tools into our own systems. Eventually, the tools needs to scan our code that resides on our machines in our on-prem environment. The integration of Veracode on the cloud with the on-prem repository and our processes took time. We worked with the Israeli representative of Veracode to help us. However, it was about a month overall until we stabilize it.

An Israeli sales representative for Veracode came to our office and worked very closely with us. They escorted us through the process of doing the PoC, examining the results and tools, and how to use them. We found it straightforward. There were some hiccups and some problems in the beginning, but not something significant in the general overview. It was easy and fast to adopt.

Our customers demand that we provide secure software. Veracode is giving us the mandate of claiming that our code is more secure because we are using an external third-party, neutral tool to examine our code and expose vulnerabilities. By fixing them, Veracode takes some of the responsibility, which is kind of a diploma that we can wave when we are negotiating with our customers.

We compared it with other tools as part of our proof of concept to adopt the right tool. Eventually, we selected Veracode because the tool provided us the easiest, fastest solution for our two use cases.

When we did the PoC to compare it with other tools, before we decided to adopt Veracode, one of the benefits that we saw is its reports are more focused on real issues. Other scanning tools that we tried, they produced much bigger reports with hundreds of vulnerabilities. That is too many vulnerabilities, so you cannot manage them nor decide where to focus. Using Veracode helps us focus where we need to.

We have used a Checkmarx tool, which is a competitor of Veracode. We have also examined Micro Focus Fortify and some other monitoring tools, which gave us a partial solution, had only static code analysis, or had only the open sources for composition part. We wanted one tool which does everything; we found Veracode all-encompassing.

The solution is efficient when creating secure software. Though, it depends on how you adopt the tool and how frequently you're running it. As long as you keep it as part of your routine and frequently run the tool, you will catch vulnerabilities closer to real-time. Eventually, you will improve the security of your software.

We haven't seen a lot of false positives. However, the tool points us to vulnerabilities to fix, which because of our behavior or software, we don't necessarily need to fix because we have other protections.

We are not using it for cloud software. Our solution is only on-prem.

I would rate this solution as an eight out of 10.

We use it to scan our biggest applications, our bread and butter. We've got a lot of developers using it in our organization, and we've got quite a few applications using it as well.

The solution has helped with developer security training and has helped build developer security skills. It has definitely opened their eyes and made them more aware of things they should look for. I try to get my developers to go to the Veracode seminars if there are new things to learn or if Veracode has made an improvement or they're going to announce something new. They have participated in those quite often, a few every month.

One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable.

We like their Dynamic Analysis as well. They changed the engine of the Dynamic Analysis and it does a better job. It scans better.

We use the solution’s Static Analysis Pipeline Scan. It's really good for assessing security flaws in the pipeline. Sometimes my developers have a hard time understanding the results, but those are only certain, known developers in my organization. I typically direct them to support, especially if I cannot answer the question, because I have full confidence in that process. 

The speed of the static scan is good. Our bread and butter application, which is our largest application, is bulky, and it's taking four hours. That's our baseline to compare the Static Analysis Pipeline and its efficiency. If that's only taking four hours, I have no doubt about our other applications and the solution's static analysis efficiency.

The solution’s policy reporting for ensuring compliance with industry standards and regulations is really good as well. We're a state agency and we always look to be NIST compliant. We're always looking at the OWASP and CWE-IDs, and Veracode does a really good job there. I've used it often in trying to get my point across to the developers, telling them how bad a vulnerability might be or how vulnerable the application is, based on a vulnerability we may be finding. 

If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing.

They have a pretty unique process to get guidance. It's not like you send them an email. You could do that, but if you want to set up a consultation call, you have to go to the website and give them a certain amount of detail so that they can study the problem and the detail and be ready to meet with you. It's not as simple as doing an email. You have to go to their website and you have to click on the "consultation" button and pick a time to talk with an engineer. Sometimes an engineer is not available for quite a while. You have to wait at least a couple of days before you can meet. Having to wait for two days is not that efficient. You should be able to set it up within 24 hours.

And regarding announcements from Veracode, I've tried to get them to let my developers know directly, and I'm not sure if that's happening. I want to tell Veracode to make sure that happens. I don't want them to send an announcement to me and then I have to disseminate that information to my developers. I want it to go directly to them. They've got the developers' names and emails in their database so those announcements should go directly to them.

I believe the company got Veracode at the end of 2012. However, my association with Veracode has only been since about the end of 2014. So we had it for a couple of years before I got my hands on it and then I gradually started to use it and implement it to the point where it's at right now. Early 2016 is when I began administering it. I do other tasks, so it's not my full-time job. Veracode is just one of many hats that I wear. Nobody else administers it with me in our company.

Veracode support is really good. I get a lot of help from them. I've been on a few calls with my developers and they're very competent engineers. If they don't have the answers, they'll get back to you.

I feel that management would not approve it if we were not getting our money's worth out of it. We have definitely seen ROI from Veracode.

Going forward, though, what may bring that into question is our transition to the cloud. We're not getting any benefit from those applications in the cloud. I think that should be addressed sooner rather than later.  We're moving to the cloud more, and for our applications in the cloud we usually only go with FedRAMP-certified cloud vendors. So we're not actually even scanning those applications in the cloud with Veracode. Not all our applications are there, but close to 30 percent of them are there now.

And they have to address not being compatible with certain platforms that we use. That has to be addressed because the ROI question may be coming up sooner rather than later.

The solution is very pricey.

The product is very good, very reliable, and they've made a lot of improvements to the dashboards and the reports. They've made the product easy to use. There used to be a lot of things that you had to search for and maneuver to dig deep down for them, but you don't have to do that anymore. Many of the things are now at your fingertips, including performance reports. Those things are easy to get to. 

We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, wherein we are using our CI/CD server as Bamboo, Jenkins, and GitLab CI/CD. 

We have teams for both our cloud pipeline and on-prem pipeline, and both teams use this solution. We are using Veracode to constantly run the internal application source code and ensure the code's security hygiene.

Before, the pentesting was happening at later part of the SDLC. Now, we have been getting early feedback about insights from Veracode, including traction around the application security aspects. Developers keep coming to us and asking the questions. Vericode has built a bridge between the development and security teams, which is something really helpful in an organization.

Veracode has helped us build security training in our clients' organizations.

The solution’s policy reporting for ensuring compliance with industry standards and regulations is very helpful. We use Veracode to scan for vulnerabilities. This help us comply with regulatory standards for the European region. While the policy scanning takes time, it is very good from a compliance point of view.

There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic. 

We are using the Veracode APIs to build the Splunk dashboards, which is something very nice, as we are able to showcase the application security hygiene to our stakeholders and leadership. 

We have been using Veracode Greenlight for the IDE scanning. 

Veracode has good documentation, integrations, and tools, so it has been a very good solution. 

Veracode is pretty good about providing recommendations, remedies, and guidelines on issues that are occurring.

It is an excellent solution. It finds a good number of the securities used, providing good coverage across the languages that we require at our client site.

We have been using the solution’s Static Analysis Pipeline Scan, which is excellent. When we started, it took more time because we were doing asynchronous scans. However, in the last six months, Veracode has come with the Pipeline Scan, which supports synchronous scans. It has been helping us out a lot. Now, we don't worry when the pentesting report comes in. By using Veracode, the code is secure, and there are no issues that will stop the release later on in the SDLC. 

The speed of the Pipeline Scan is very nice. It takes less than 10 minutes. This is very good, because our policy scans used to take hours.

Veracode is good in terms of giving feedback.

We would like to see fewer false positives. 

Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights.

Veracode has a little bit of noise. Sometimes you will get a lot of issues, which you just need to triage. While the solution is excellent, it does come with a little bit of noise.

We have been using the solution for a year and a half.

The stability is good, except every month it needs maintenance. So far, we haven't had an outage during UK working hours, e.g., where we are unable access the platform. There were some issues out-of-the-box, but now it's pretty much fine.

More than 100 people are using the Veracode solution in our organization. Mostly, the guys who use Veracode are developers, QA engineers, product owners, Scrum Masters, and some data scientists.

We have a three-person team of security guys who maintain the entire service. The security guys have automation skills and can write the code. We are one squad in a company out of 21 squads. We are a security who helps other development teams with Veracode as part of their DevSecOps.

We have adapted Veracode across three line of our client's business. In the future, we may expand Veracode into more lines of business. 

The technical support sometimes takes 48 hours to get back to us. Some of the support staff are not that great. There is no extra support on Slack channel nor is there a chat. Instead, we just have to wait for an email. They gave us a mobile number, which sometimes doesn't work. Then, if it does, it takes time. The technical support is something that needs to be improved.

Veracode's application security team is very helpful. If we are not getting the answers that we need, this team will come and assist us. For example, we had a call with their application security team who helped us determine best practices. They are good and very professional. 

Their account team is helpful and knowledgeable.

We use the solution’s support for cloud-native applications, like AWS Lambda. We have a cloud pipeline, where some of our microservices functions are getting developed there. Less than five of our squad use this service.

Because of my consulting background, I have used other solutions prior to the use of Veracode. However, Veracode was the first solution implemented of its type. Before Veracode, developers didn't know how they could develop secure software. After Veracode was implemented, developers knew when they wrote code that they could scan it in their IDEs. Also, while pushing a deployment, they can get feedback from the Pipeline Scan.

The initial setup is straightforward. It took us three months to deploy the entire solution across all the squad at our site via Pipeline Scan as well as have the squads adopt it. If you are familiar with security, you can be up and running with the solution in a week's time.

Our implementation strategy was to give the Greenlight ID plugin to all the developers and enable the microservices. Then, we wanted to let the non-human account use the new unlimited account and all the source code. This has helped us in last year and a half, as we have over 150 microservices being scanned by the Veracode platform.

Customer support was amazing during the evaluation phase.

The ROI seems good so far. The client is happy with what they invested in Veracode. Having our developers now think about security is also helping us out.

The solution has reduced the cost of AppSec a little bit for our organization through the automation of pentesting.

We have seen a 30 percent reduction in pentesting. Using Veracode, we can do faster releases.

Veracode's price is high. I would like them to better optimize their pricing. 

Veracode's price is a little higher than other tools. However, they are the market leader.

Micro Focus Fortify doesn't have good APIs. Instead, they are relying on CLI. Whereas, Veracode is more API and DevSecOps friendly. Veracode's scanning time is better than Fortify's. 

It is an excellent solution. I would recommend adopting it. If you come from a security background, Veracode is an easy solution. If you don't come from a security background, the adoption of Veracode will take a bit of time.

Veracode has been integrated with our IDEs. It has been also integrated with our DevOps CI/CD server, which is Bamboo, Jenkins, or GitLab CI/CD. It is all pretty neat and clean. 

I would rate this solution as a nine out of 10.

We're required to make sure we have no high or very high security issues in our code. Veracode is a code reviewer to prevent hacking and other bad things from happening.

The way it helps our company is that the code is secure. It also helps with our customers because I believe they can request a copy of the report. It lets them know that we're doing the best we can to provide secure software.

The solution has helped build my security skills as a developer. Now, as I proceed forward, I know what to look for when coding items. I'll be coding a little bit more defensively from what I've learned, from all the errors that it has found. Some of the stuff I wasn't even aware of. I also became aware of things that Veracode verified, but I really couldn't fix.

The policy reporting for ensuring compliance with industry standards and regulations is excellent. It identified most of the issues that our penetration testers look for and gave me a way to look at the line numbers of the code that needed fixing, and that was a huge help. It also gave me samples of code for what was going wrong and it enabled my supervisors and me to go through the whole project and fix 99 percent of the issues we had.

It provides visibility into application status across all testing types in a centralized view. The report is very good at showing that. We are not allowed to install anything until it passes the Veracode test. We have to fix all errors before we can install our software. It absolutely helps reduce risk exposure for our software.

I haven't come across any false positives.

The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up. We've had very few issues that we have actually had to contact Veracode about.

It does give some guidance, up to a point, for fixing vulnerabilities. It does a pretty good job of that. We went from a bunch of errors to a handful that I needed help with, and that was mostly because they provided some good information for us to look at. If I had been using this product a long time ago, I would have been able to anticipate a lot of things that Veracode discovered. The product I'm working on is about 12 years old and this was the first time we ran scans on it using Veracode. It identified quite a few issues. If you're starting a new project, it would be a good place to start. Once you get used to what people like penetration testers are looking for, this is a good tool to prevent having a pen test come back bad.

The Static Analysis Pipeline Scan is very good. It found everything that we needed to fix.

The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there.

We have been using Veracode for about three months.

The stability seems pretty good. There was only one instance where the site was down.

I don't think Veracode has any problems with scalability. My company is very big. There are about 1,000 of us, all developers, using the solution. It's being used throughout the company for all our products.

I would give their technical support five stars out of five. They were on point and they helped us identify resolutions for some of our issues that we couldn't figure out.

We used Fortify. I was not involved in the decision to switch.

I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good. It's just a good product, overall.

The biggest lesson I have learned from using Veracode is that there isn't an answer for everything. But when an area needs to be mitigated the mitigation process is fairly easy.

It's pretty efficient, but in my case it took a long time to upload my information. It was a very big project, so I was not surprised that it took a long time, but it was mostly because of the internet around here. It would take a long time to upload the DLL and run the static analysis. It would take about two hours, but again, it's a large project.

Overall, it does a very good job of preventing vulnerable code from going into production. It identified issues that were not detected in penetration tests and allowed us to lock them down.

We use Veracode to ensure that the software we are building is secure.

The most valuable feature is the dynamic application security testing.

It takes a while to get a response to the software composition analysis. It is within an acceptable range but it could still be improved.

In the future, I would like to see the RASP capability built-in.

We have been using Veracode SCA for three months.

SCA is pretty stable.

Scalability doesn't really apply to a software composition analysis tool.

The technical support is pretty good. When I requested help they contacted me within an hour. I don't have any issues with them.

The initial setup is pretty straightforward.

In summary, I think that this is a good tool and I recommend it for helping with security in software development.

I would rate this solution an eight out of ten.

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.  

Our Veracode license includes a "people component" that allows developers to request an in-person session to be scheduled to review a defect. This has helped our application security personnel pool to free up time for other pursuits. I'm not sure if this is included in all licenses or is an add-on.

Being cloud-based is a huge plus. All of our scans are always using up-to-date scan signatures and rules, and there is nothing for us to maintain.  Veracode has been spot-on with notifying about planned downtimes for maintenance and upgrades.  In my years of using the product, unplanned downtimes have been minimal (in fact I can't remember one.)

The API integration that allows integration with other tools, such as defect trackers and automated build tools, is also a benefit. We also like the integrated, available "in-person" support sessions to review and ask questions on discovered defects.

We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen.  This ended up being relatively minor.  

One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive. 

Separately, I find the results console somewhat confusing.  When you are running multiple scan types for the same application, I've sometimes found it difficult to sort out where issues came from when I need that information.

We have been using Veracode for over four years.

Our solution is highly stable with minimal downtimes.  (In fact I don't recall the last time there was an unplanned Veracode cloud outage that impacted us.)  We previously had occasional issues with the scan appliance model, but the relatively recent switch to the ISM model has been much more stable.

Given that is is cloud based, coupled with their newer app-based internal scan model, we are pleased with the scalability and have not experienced any issues with scale.

As mentioned in prior comments, Veracode is simply put our best vendor in terms of relationship, value-add, and customer service/technical support. We get responsive answers from support, and their support resources clearly understand the product, and issues are resolved quickly.

Yes. We used a legacy, heavyweight dynamic scanning product. It would produce hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune. We also didn't have a static scanning product. Moving to Veracode gave us much higher quality dynamic scanning with very few false positives (in part due to their model of human-assisted tuning, provided by them) and a robust static scanning solution.

The setup was easy and straight forward. We had some issues with API calls from our build automation tools, but this was related to networking issues in reaching the Veracode servers on the Internet, not the Veracode product itself.

We implemented with all in-house resources.

We achieve greatly improved security, earlier detection of security defects in the lifecycle, and as well as neatly meeting compliance requirements.

For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.

Checkmarx and SonarQube.

Of all the tools vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness. 

This was intended to scan all of our custom development efforts to ensure a certain level of (secure) code quality. Right now the scope of that effort is limited to web exposed systems but with maturity, we hope to increase that scope.

The Veracode platform probably hasn't improved our organization overall, although through no fault of theirs. Veracode is just one more tool that generates work for our developers.

The source composition analysis component is great because it gives our developers some comfort in using new libraries.

I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan. For instance, we have CI scans that run automatically, and sometimes the files don't get upload and/or processed by Veracode. Now, there's a static scan that hasn't been completed, which blocks all future scans. The only way we know this is an issue is going into the Web UI, check each application, and look for stalled scans. This is time-consuming and frustrating.

I have been using Veracode for three years.