Veracode Reviews

My main use case for Veracode is related to code scanning as well as third-party library scanning. In addition to my main use case with Veracode, I also used it for penetration testing.

The best features Veracode offers in my experience include product discovery, specifically library discoveries as well as remediation timelines, pull requests, and others. I also explored sandboxes.

The Remediation Timelines feature helps us in our workflow by ensuring we abide by certain compliance regulations, and it helped us prioritize high or critical vulnerabilities beforehand so that we pass the compliance checks.

For Library Discovery with Veracode, it was effective in terms of finding transitive dependencies, which allowed us to identify what libraries we need to update and recognize both direct and indirect vulnerabilities.

Veracode has positively impacted our organization by giving us a good chance to focus on development as we don't need to focus as much on compliance-related matters after we have ensured this level of security on the security posture management for our application. Veracode helped us focus on development by reducing our manual work, and the suggestions for fixes were valuable.

Veracode could be improved in terms of the UI platform as it could be more seamless, and if they allow different sessions in different browsers at the same time or in different tabs that would help tremendously. I feel Veracode doesn't need any additional improvements beyond what we have discussed.

I have used Veracode for about two years in my previous organization.

Veracode is stable for me with no issues with uptime or reliability that I have experienced.

Veracode handles growth and increased usage effectively.

The customer support with Veracode is good, as I have interacted with their support team. I would rate the customer support of Veracode an eight on a scale of one to ten.

Positive

Before using Veracode, we used SonarQube.

We did see a return on investment with Veracode, as we segregated our remediation efforts, which reduced our time to delivery as well as the number of engineers needed to help us in delivering a secure solution.

My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.

We did not evaluate other options before choosing Veracode; we directly moved to Veracode.

I would advise others looking into using Veracode to go for code scanning as well as library scans, and I would recommend adopting it. I would rate this review an eight out of ten.

I'm the manager of DevOps and cloud architecture.

This product has given us the ability to investigate and understand the black zones in our system. 

Veracode can emulate the most sophisticated attack and create unique or specific use cases around automatic penetration testing. It gives us the ability to investigate any sensitivities to vulnerabilities that we may have.

Security can always be improved. I'd like to know how we can better prevent intrusions to our systems and create risk analysis use cases and understand them. What is the level of risk for what we want to do? How can we understand the process better? I'd like to have a better overview of what's going on. 

I've been using this solution for five years. 

The solution is stable. 

The solution is scalable.

There are three layers of technical support and we have used all of them over time. We are happy with the service they provide. 

It's important to understand your environment and know the specific use cases for your organization. Creating good orchestration application metrics is very important.

I rate this product eight out of 10.

We use both the static and the dynamic scanning. What we do is run the code through the scanner once we make any modifications. And periodically, we also run the dynamic to connect several applications. We use Veracode to check for specific vulnerabilities such as cross-site scripting. When we are checking for those vulnerabilities, we take a portion of code that is going to be generated and we run the scanner.

We work a lot with open sources. Using the Static Analysis, the Dynamic Analysis, and the scan module, we can control everything we do via Veracode. Moreover, because all our applications are security applications, keeping a high security standard is really important.

The visibility into application status across all testing types in a single dashboard is helpful because, even if you are running different types of scans, you have everything in one place. You have a unique dashboard to control all the applications, and that is good.

Overall, we've never had any problem with vulnerable code going into production. It's quite a solid tool. We have a really good feeling with this solution.

The most valuable feature is actually the support provided by Veracode. Once you start to use the platform, you can mount the IDE plugin for your script. The advantage is that you can run the scan and check what the problem is and you can fix it yourself. Support could be used to address something that could go beyond your skills. If you use Veracode Greenlight, you have a small pop-up that you can use to interact directly with the team and you can ask a consultant to advise how an issue can be fixed. One of the good things about the Greenlight plugin is that it is very simple. There are several guides that tell you how to install it. It's a matter of one or two minutes and you are ready to go.

Once you check something, they provide links, not manually, it's all automated. When you want to check into a vulnerability you click and open the website where there is a description. If this is not enough of an answer, you can ask directly by scheduling an appointment with a Veracode guy.

Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced. They don't teach you how to develop in Java, Python, PHP or C#, but they instruct you about the best practices that should be adopted for secure code developing and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool. And as far as I know, there are no other competitors that offer it.

The best stuff is the training: this enables your team to adopt the same programming approach, although these people have a different background or joined the projects in a different phase. Doing that, they can take the training and be aligned so that they all write code in a good way.

We also use the Static Analysis Pipeline Scan and it's quite good. They provide several of the most common templates for pipelines. You see the process, while you program, right up until you package an application, and that the platform is able to detect things that are a blocking point. Before deploying to the production, you already know what is doing. And the speed of the Pipeline Scan is quite good.

Another good feature is the policy reporting for ensuring compliance with industry standards and regulations. We test compliance for medical devices, for GDPR, and for payment methods. These are all good. If you are not correctly prepared on one of these sets of regulations, you know that Veracode is going to take care of it using pre-prepared templates. But we can also customize our own policy if we are facing a unique use case. Even if it's not really common, we can take a regulation and build it the way we want it to look.

In addition, you can check everything from the dashboard. Veracode provides a web portal that is connected with your account and through that you can check the status of all the deployments that were run. And suppose you also have an application that is quite complex. You can deploy and upload it through the portal. When it is ready, you receive a notification from the portal that the job has been done and that you can check the results. When you go to the dashboard, you have the OWASP vulnerabilities. There is a really simple graphic with the colors showing how many vulnerabilities have been found and how much these vulnerabilities are repeated in your code. It also tells you the potential effect, if it is a backdoor data breach, for example, etc. It also suggests what you can do to remediate. It might suggest modifying code or changing the status of some part of the development, or updating a third-party.

And if you have people on different projects, there is also a role management feature, so you can select, for example, that people who are working on a given project can only see that project. If you are running something with different levels of classifications, for example, if you have an external consultant, it does not affect the confidentiality of the system. When people are collaborating, not all people are at the same level of an NDA. It is good that each person can see only their part implementing Need-To-Know.

It also integrates with developer tools. We use IntelliJ and Eclipse, among others.

They should invest in mobile security.

I have been using Veracode since 2017.

We have never faced a problem or any downtime.

We haven't perceived any issue when it comes to scalability. But it's true that if you have more tenants, the response of the scanners is going to get released quicker.

I would rate Veracode's technical support at nine out of 10. They would probably deserve a 10 but it is not as quick as it should be. They need to increase the support workforce. The support people are well-prepared, but it can sometimes take one or two days to get the right guy to do support.

The previous solution that we were working with was mainly focused on the quality of the coding. We are happy with Veracode because it's focused on security.

The initial setup is very simple. The Veracode guy who accompanied us made it appear really straightforward.

It's a SaaS solution so once it's prepared on the Veracode side, to deploy onsite may take up to a couple of hours to get everything prepared, mainly due to the configuration, for a simple implementation. Overall, setting up the product is quite straightforward. 

In terms of managing the code, it's quite simple for us because we are all technical guys. Once we saw it working, it was really easy to manage. We have three people who use the solution and they are all developers.

The Veracode team is replying fast and the proved a strong expertise in every challenge.

We could save some money having an on-premise solution, but the fact that this is a SaaS means we can be sure that it's updated. It's outsourced. In terms of cost, I don't see a big advantage, but in terms of operations there is because we don't have to take care of it. We know that if, somewhere else in the world, somebody detects a vulnerability, a few minutes later we will already have a patch. This is extremely important for us. Nobody in our company has to touch anything to get this.

If we had to designate one or two people to take care of maintenance of an application, at some moment one of them might not be updating things. With Veracode, we know that we don't have to worry. We just have to focus on our development. We don't consider maintenance at all because it's all managed.

The pricing is quite standard. It's not cheaper, it's not more expensive.

We looked at other vendors but we selected Veracode because it had a top rating in industry reviews. For us, that was like a warranty.

We were skeptical about running scans with a cloud-based solution, but then we saw the benefits. Everything is up to date without us having to lift a finger. We know we don't have to take care of maintenance. 

Also, if you work in the domain of medical devices, payment methods, or other things that are related to privacy, Veracode provides all these modules. This is a big advantage.

Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly.

False positives are not a main problem. The platform does try to overprotect but, of course, a system like this can only understand the syntax and not the semantics. So it's overprotective when there is a doubt. Sometimes, we ignore some of the advice received.

We utilize it to scan our in-house developed software, as a part of the CI/CD life cycle. Our primary use case is providing reporting from Veracode to our developers. We are still early on in the process of integrating Veracode into our life cycle, so we haven't consumed all features available to us yet. But we are betting on utilizing the API integration functionality in the long-term. That will allow us to automate the areas that security is responsible for, including invoking the scanning and providing the output to our developers so that they can correct any findings.

Right now, it hasn't affected our AppSec process, but our 2022 strategy is to implement multiple components of Veracode into our CI/CD life cycle, along with the DAST component. The goal is to bridge that with automation to provide something closer to real-time feedback to the developers and our DevOps engineering team. We are also looking for it to save us productivity time across the board, including security.

It's a SaaS solution.

Our needs are primarily foundational and Veracode provides the efficiencies that we need.

The product is being used to replace another solution and we recognize in our early implementation that Veracode DAST is identifying more vulnerabilities in application code than our previous solution did.

Also, at this juncture, I have received no feedback of false positives from our development team. It seems to be fairly good in that regard and probably has minimal false positives. We haven't gotten feedback one way or another from developers about how the false positive rate affects their confidence in the solution, but if there were significant false positives, or even one in our environment, we would certainly be engaged with the vendor to discuss it. But that has not been the case so far.

Overall, I think that if it's implemented correctly for the business, Veracode is highly effective in preventing vulnerable code from going into production.

The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code.

Because we're so early in our implementation, we have had minimal feedback in terms of room for improvement. We have seen some minor things within the interface itself that we would love to see some improvements on.

One of those is scheduling, which can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had. We have to change that over to a one-time scan. It would be lovely if we could run ad hoc scans without changing our recurring schedule. That can be a little painful because it happens a lot, unfortunately. I think that will change, so I don't want to knock them completely. Right now, we run a manual configuration setup, but once we integrate this via API into our CI/CD life cycle, that issue should go away.

We have been using Veracode for four months.

So far, my impression of Veracode's stability is very good.

It appears to be very efficient when it comes to scalability. We're a smaller shop, so I may have a different interpretation of what scalability is. We're under 100 licenses at this point, but so far we have had success.

There are some great, positive things about Veracode and the relationship they try to form with the clients.

Regarding tech support, I've mostly had positive engagements, especially because they have one engineer who is, frankly, a rock star. I cross my fingers that I get him every single time because he's very thorough, he's educational, and he is quick. For the most part, it has been positive, especially when I do get assigned that particular engineer. I had a little frustration in the early days because they didn't quite understand the situation, but that was the only time I had a negative engagement with Veracode on support.

Positive

Our previous solution was difficult to configure. Setting up the login process was very difficult, as it was tied to your browser and there were a lot of hoops you had to jump through. The reporting was also hard to follow sometimes and didn't provide a good view into previous findings versus new findings. That made things difficult too. Once we did the evaluation of our old solution against Veracode, it was very clear that it was finding fewer vulnerabilities, which lowered our confidence level in that tool.

The initial setup was straightforward for us, and minimal, since it is a SaaS product.

The major component is being granted access to the tool. They then engage a customer success manager to help you understand and give you an overview of the interface itself and to walk you through some example setups. We were able to work with the CSM to configure a couple of our production scans. He did some hand-holding for us through the process until we felt that we understood it enough and had repeated it enough to do it on our own. He also provided detailed reviews of reporting, et cetera.

Deployment took less than an hour, although we have a small environment today. It would, obviously, take much more time with a larger organization.

Because we were migrating from one solution to another, it was an easy migration path. We just needed to collect the information from the previous solution and replicate that within Veracode.

One thing that can be difficult—and it was in our previous solution—is creating the login component for the scans. The learning about how to create that was a little daunting at first, because you have to create what they coin a "login script," but it is really just a recording of a login. Once you get it down, creating those "login scripts" takes less than a minute.

One of the struggles we have had with that recording process is that we have had to redo it more often than not if our developer has changed, even in some minor way, the way they collect information for the login. That does affect the script. That can be a little frustrating at times, but unfortunately, it is a known behavior apparently. It's just the nature of the beast if you do make any modifications to login.

As for admin of the solution, we have one person involved and it probably takes a quarter of their time or less. There is no maintenance since we have the SaaS product, other than ensuring that the scans that we have set up are still scanning successfully and that we don't have any failures.

Veracode has not reduced the cost of AppSec in our organization yet, but that's only because we are very early in the implementation.

We primarily looked at Netsparker as an alternative. 

My advice would be to understand how you want Veracode to function within your environment from a workflow perspective. That way, you can potentially start taking advantage of a lot of the functionality it offers out of the gate, which is something we are not doing yet. We're on a delay until 2022. That is really important. 

Also, in introducing the product to those who will be receiving the output, the findings reports, it would be great to include them in some conversation and collaboration on the move down that Veracode path or, frankly, any path that leads to scanning applications.

Veracode provides guidance for fixing vulnerabilities, although we haven't actually had to utilize that. But as a part of our licensing model, they provide us a certain number of opportunities to engage with someone for consultation.

We are not focusing on using the solution to enhance developer security training right now, although it is a part of our roadmap. We are banking on being able to utilize that aspect of Veracode because we are an Agile environment and we want developers to be able to engage that training. Also, when there are findings, we want our developers to get that assistance in real-time. That is a part of our 2022 strategy. 

We have started out with a much more narrow policy for ourselves because we are just learning about how the tool works and how it functions. But we did evaluate some of Veracode's policies, out of curiosity, and they seem to be very aligned and very helpful. However, I would not be able to speak to whether they are on the money for utilization against compliance frameworks.

I'm an automation practice leader and we are customers of Veracode.

The valuable features are the static analysis and the dynamic analysis. The security is also a good feature.

The solution has issues with scanning. It tries to decode the binaries that we are trying to scan. It decodes the binaries and then scans for the code. It scans for vulnerabilities but the code doesn't. They really need two different ways of scanning; one for static analysis and one for dynamic analysis, and they shouldn't decode the binaries for doing the security scanning. It's a challenge for us and doesn't work too well. 

As an additional feature I'd like to see third party vulnerability scanning as well as any container image scanning, interactive application security testing and IAS testing. Those are some of the features that Veracode needs to improve. Aside from that, the API integration is very challenging to integrate with the different tools. I think Veracode can do better in those areas.

I've been using this solution for four years. 

I haven't had any issues with the stability. 

The solution is scalable but if we scale too far then the performance is impacted. We have around 300 developers using Veracode. 

The technical support is good. Whenever we have any vulnerability issues, we can easily contact them and then have a triage with the technical support team.

The initial configurations were okay, but then the integration to the CI/CD pipeline was not so smooth. We had multiple rounds of calls with the Veracode engineers to get it up and running.

Veracode is very, very expensive, one of the most expensive security scanning tools available.
We pay an annual license fee that is over $1 million. 

For any company wanting to use Veracode and buying vendor binaries from third party vendors, it's important to get the legal and compliance clearance from the vendor as well. Some vendors have a policy that they're selling you the binary of a particular software but you're not supposed to decode it. Those are the general terms and conditions that every vendor gets you to sign but Veracode does decode and then scans for the vulnerabilities. It's a challenge for any company purchasing the solution from vendors.

I rate the solution six out of 10.

In my previous organization, we used to use Veracode throughout all verticals. It is a cloud-based platform, and you need to upload the code for static analysis. The code has to be uploaded as per the compilation guide provided by Veracode. So, for different languages, you have to combine the code as per the instructions in the guide.

We used to own and manage the platform. We also used to manage the users. If there was a particular project team that needed to use Veracode to do their code scan, they used to approach us. We used to create the user accounts for them so that user accounts were limited to just the code. We also used to guide and train them on how to upload the code on Veracode, how to combine the code, and how to initiate the scan. After the scan is completed, we used to tell them and guide them about how to treat the vulnerabilities in that code, how to fix and mitigate them, and what's the next process. Apart from that, we used to create a project team to build their CI/CD pipeline, where we used to create DevSecOps automation.

It is a cloud-based platform, so every organization or every security team in the organization is concerned about uploading their code because ultimately the code is intellectual property. The most useful thing about Veracode is that if you want to upload the code, they accept only byte code. They do not accept the plain source code as an input. The code is converted into binary code, and it is uploaded to Veracode. So, it is quite secure. It also has the automation feature where you can integrate security during the initial stages of your software development life cycle.

Veracode provides integration with multiple tools and platforms, such as Visual Studio, Java, and Eclipse. Developers can integrate with those tools by using Jenkins. The security consultation or the support that they provide is also really good.

Its user management is also good. You can restrict the users for a particular application so that only certain developers will be able to see the code that has been scanned. 

Their reporting model is really good. For each customer, they provide a program manager. Every quarter, they have their reviews about how much it has scanned. They also ensure that the tool has been used efficiently. 

There are few languages that take time for scanning. It covers the majority of languages from C to Scala, but it doesn't support certain languages and the newer versions of certain languages. For example, it doesn't support SAP and new JavaScript frameworks such as Node.js and React JS. They can include support for these. If you go to their website, you can see the list of languages that are currently supported.

The false-positive rates are also something they can work on.

I have been using Veracode for the last four years.

From my perspective, it is really good. It is one of the best SaaS solutions that I have come across. Veracode is also a leader in Gartner Quadrant.

It is pretty good in terms of scalability. There are many users of this solution. There are also many customers of Veracode. We had around 1,000 plus users.

The support that Veracode provides is really fabulous. They are very responsive. They provide you with a thorough analysis. If you have any questions or doubts, they help to clear them in a very simple manner.

I've used Checkmarx and HPE Fortify. Now, I am using Micro Focus. As compared to Veracode, Checkmarx takes input as plain text. It takes the code as it is and does not compile the code. This is the main difference between Checkmarx and Veracode. Checkmarx also has an on-prem solution, but Veracode does not have an on-prem solution. 

There is also a major difference in the cost and licensing model. Veracode's license model is quite complex. Comparatively, Checkmarx's license model is straightforward. You can upload any amount of code. For example, it could be 1 Gig or 2 Gig. They charge based on the number of applications, but Veracode's licensing model is pretty different. They charge based on the amount of code that has been analyzed.

It is pretty much straightforward. It is a cloud-based solution. So, creating a user in Veracode is pretty much easy. It involves just a few clicks. Uploading the code is also pretty much easy. It is user-friendly and developer-friendly.

When I used to maintain this for 1,000 developers, two or three people were enough to maintain it.

Veracode is costly. They have different license models for different customers. What we had was based on the amount of code that has been analyzed. The license that we had was capped to a certain amount, for example, 5 Gig. There would be an extra charge for anything above 5 Gig.

Veracode is well-suited for modern programming languages. Veracode is not for scanning large legacy applications with a huge codebase. It also doesn't support some unique languages such as SAP. This could be a challenge for certain people. 

More organizations are taking the left shift approach for application security and trying to integrate security early into their software development life cycle. Veracode is good for such automation.

I would rate Veracode Static Analysis a nine out of ten.

We use this solution for Digital Health.

This solution has helped us in developing a secured product.

Veracode is fantastic! All of the features are valuable.

My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople are fabulous. They are engaging.

I would suggest charging the developer for training, as it's not very expensive.

Only charge for developer training because it's a service you give now and they may need to be technical support. 

It costs them money to do that, but with the technology, an incremental user is negligible incremental costs, which doesn't really cost them. That's software economics.

I would like to see them only charge for developer training for the qualified startups and start charging for the licensing once the product goes into production, and available.

I have several years of experience working with Veracode.

When we used this solution a year ago, we used the most current version.

It's a stable solution. I would rate stability a ten out of ten.

It's a scalable product. My rating out of ten would be a ten, scalability-wise.

We have a software development manager and three other people who are using it.

Technical support is phenomenal. They are fabulous and very responsive, it's amazing.

Previously, I did not use another solution. Because I knew Veracode for many years, my approach with the company was that it was a startup and we need to do it securely. This is s why we went with Veracode.

The initial setup was straightforward. It was extremely easy and took only a few hours to deploy.

We have a team in-house to implement this solution.

The pricing for qualified startups such as Neo4j could be improved.

It allows startups to develop a secure product, but it takes time for startups to get money for the products. 

Veracode could provide the services, at a significantly lower price during that period with a condition that the moment that it becomes production, Veracode has to be paid.

If they would change that, it would be phenomenal for the entire industry and for them.

Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward.

At the time that we used this solution, we were a startup, the software may not have been that complex. It's not like Oracle.

My advice to others who are interested in using this solution is to pay attention to the full instructions.

I would rate Veracode Developer Training a ten out of ten.

We use Veracode for static analysis of source code as well as some dynamic analysis.

It's valuable to any business that has software developers or that is producing software that consumers use. You have to do some type of application security testing before allowing consumers to use software. Otherwise, it's risky. You could be publishing software with certain security defects, which would open up your company to the likelihood of a class action lawsuit.

I don't have any examples of how it improved the way our company functions. However, I did use a lot of the findings to put pressure on our vendors to try to improve their security postures.

Veracode has helped with developer security training and helped build developer security skills. Developers who get the tickets can go into it and take a look at the remediation advice. They have a lot of published documentation about different types of security issues, documentation that developers can freely get into and read.

The integration with JIRA helps developers see the issues and respond to them.

The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA.

Static Analysis Pipeline Scan was able to find security defects in the software we were sending its way. For both Android and iOS that worked very well. It did have a lot of false positives though, but at least we knew it was working. The speed of the pipeline scan was completely reasonable. I don't have any complaints about the time it took.

The efficiency of Veracode is fine when it comes to creating secure software, but it tends to raise a lot of false positives. It will tell you about a lot of issues that might be hard for an attacker to actually manipulate. Because of that it's very difficult, sometimes, to sort through all of the findings and figure out what you actually ought to pay attention to. Maybe calling them false positives isn't entirely accurate. There were a lot of things that it would raise that were accurate, but we just didn't consider them terribly important to address because it would be very hard for an attacker to actually use them to do anything bad. I think it frustrated the engineers at times. 

Also, the policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs.

We couldn't make it stop. We tried tuning the policies. We had several meetings with the Veracode team to get their feedback on how we could tune the policies to quiet some of these things down and nothing ever resulted in that. Ultimately we couldn't stop some of these alerts from coming out.

Even stranger, for some of the issues raised, such as the ones that were in the vendor code base, we would put the status in Veracode that we communicated this to the vendor, but then, the next time the scan was run, it would find the same issue. One time it would respect that update and the next time, afterwards, it wouldn't respect it and it would generate the issue again. It was really weird. It was reopening the issues, even though they should have been in a "closed" state.

Another significant area for improvement is that their scanning had a lot of problems over this last year. One of the biggest problems was at first it wasn't able to read packaged Go. When I say packaged Go, I mean packaged the way the Go programming language says you're supposed to package Go to deploy the software, when you're using multiple build modules together to make an app. That's a totally normal thing to do, but Veracode was not able to dig into the packages and the sub-modules and scan all the code. It could only scan top-level code.

Once they fixed that problem, which took them until August, we found that it kept reporting that there were no problems at all in our Go code base. That was even scarier because it would usually give all these false positives on our other repositories. I had the application security engineer write a bunch of known defects into some Go code and push it in there and scan it, and it didn't raise anything with any of that. They're advertising that they have a Go scanner, but it doesn't actually function. If our company was going to continue in business, I would have asked them for a refund on the license for the Go scanner at our next renewal, but since we're going out of business, I'm not renewing.

I would also love to see them make it easier to debug the JIRA integration. Right now, all of the logs that are generated from the JIRA integration are only visible to the Veracode engineering team. If you need to debug this integration, you have to have a live meeting with them while they watch the debug messages. It's utterly ridiculous. Their employees are really nice, and I appreciate that they would go through this trouble with me, but I think it's terrible that we have to bother them to do that.

I have been using Veracode for about a year.

It's highly stable.

It scaled fine. We didn't have any problems with it not being available or going down during our scans. We have used it 100 percent, meaning we've taken advantage of every license we bought.

Their support was really good. I would give them a B+ and maybe an A-. The only thing that's really taking support down is the product itself. You and the support team are fighting against the product. The people at Veracode were great though.

We didn't have a previous solution. 

The initial setup was pretty complex. We had to integrate it with our CI/CD pipeline. This required writing custom code. Once it was integrated there, we had to have the development team make some changes to how they pushed a release to a special branch so it would go to Veracode on a weekly basis. And once it started raising the issues, we had to work on that JIRA-Veracode integration, which was not straightforward at all and required a lot of debugging help from the Veracode engineering team. They provided that and that was great, but ideally it would show you the error messages so that you don't need their help.

The initial deployment took about two or three weeks and then we had to come back and tune it several times, so there were another two to three weeks of tuning. Altogether, it was about six weeks of effort on our part.

Initially, we had one person working on the deployment, and then I started working on it as well. Later, there were four of us working with Veracode during these calls to try to do the policy tuning and figure out if we could make it work better for everyone.

We had six people using the solution: four software engineers and two security engineers.

I'm not sure if we have seen ROI. We didn't have any high-severity security defects being raised by Veracode, and that's just a function of the development team members we had. It helped in protecting ourselves from potential class action lawsuits.

The pricing is really fair compared to a lot of other tools on the market.

It's not like a typical SaaS offering. Let's say you got SaaS software from G Suite. You're going to get Google Docs and Google Drive and Google Sheets, etc. It's going to be the same for everybody. But in Veracode, it's not. You buy a license for specific kinds of scanners. I had two licenses for static analysis scanners and one license for a dynamic analysis scanner. 

I chose Veracode over others because it supported the programming languages we're using. It had the best language support. A lot of the other solutions might have supported one of the languages we're using, but not all of them.

My advice would be to definitely have some code that has a lot of security defects embedded into it and to run it through the scanner to test it early on in the process, ideally during the evaluation process. If your company works in five programming languages, you would want to create some code in each of those languages, code that has a lot of security defects, and then run the scanner over it to just make sure it can catch the security vulnerabilities you need it to catch and that it's consistent with how it raises those vulnerabilities.

Veracode provides guidance for fixing vulnerabilities but that doesn't enable developers to write secure code from the start. The way the product works is it scans code that has already been written and then raises issues about the security problems found in the code. That is the point at which the developer sees the issue and can look at the remediation advice Veracode gives, and the possible training. But it doesn't allow them to write secure code in the first place, unless they really remember everything. It does educate them about it, but it's usually after the fact.

The solution provides policy reporting for ensuring compliance with industry standards and regulation. While those features were not applicable to us, they were in there. I think they would be very useful for anyone working in a high-compliance industry.

It also provides visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in a centralized view. If you buy the SAST and DAST license, of course you'll see those scan results inside that view, but to see the pen testing that means you'd have to buy pen testing from them as well. Seeing those testing types in one view didn't really affect our AppSec. It's nice for the security team, but it's just not that important because they weren't in there everyday looking at it. Since we had the JIRA integration, the defects would flow into JIRA. The software engineers would take a look at it and categorize whether it was something they could fix or something that was in a vendor's library. The software engineers would prioritize the things that they could fix, and if it was in a vendor's library, I would batch those up and communicate them to the vendor.

Overall, I would grade Veracode as a "B" when it comes to its ability to prevent vulnerable code from going into production. It will find everything that's wrong, but it doesn't have enough tuning parameters to make it easier for organizations without compliance burdens to use it more effectively.

Overall, it's pretty solid. I would give it an eight out of 10.