Senior Security Analyst at a wellness & fitness company with 1,001-5,000 employees
Real User
Increased productivity, helped build and improve security and development departmental relationships
Pros and Cons
  • "Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."
  • "Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"

What is our primary use case?

Veracode is a cornerstone of our Development Security Operations Program, particularly scanning automation and remediation tracking.

We've been able to monitor the release cycle and verify our Security Standards are met by setting policy and ensuring scans are taking place. If a scan fails to meet our standard the build breaks and the flaws are remediated before releasing to Stage and ultimately Production, where the potential impact is much more costly.

We have discovered opportunities to make our code even better thanks to Veracode!

How has it helped my organization?

Veracode has improved our Application Security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level. 

Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence.

In many ways, Veracode has increased productivity, helped build and improve security and development departmental relationships as well as enabling developers to consider and care about application security. 

What is most valuable?

Greenlight - Developers can test their code before they commit. They are able to privately scan their code and correct any mistakes before it is committed into the build and scanned with the other components.

SAST - During a build process, we have integrated the Veracode Static Scanning (SAST) component which provides an excellent first glance at the code moving through environments.

SCA /SourceClear - Veracode SCA / Source Clear has given us excellent visibility into potential vulnerabilities found in third-party components, packages, frameworks, and libraries.

What needs improvement?

Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk. Right now I have to jailbreak an iPhone and root an Android to intercept and fuzz requests with a Burp Suite Proxy.

That is a very time-consuming process and there are lots of dependencies. It would be very helpful if we could upload an .ipa or .apk into a Veracode simulator, provide credentials and run a Dynamic scan accordingly. Fuzzing functionality on API resources, HTTP Methods, and Parameters would also be very useful in testing our Web and API Application Firewalls, response pages, and other WAAF actions.

Buyer's Guide
Veracode
November 2023
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2023.
745,775 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Veracode for about two years now.

What do I think about the stability of the solution?

It seems to be very stable, no problems thus far.

What do I think about the scalability of the solution?

It has lots of growth potential, lots of room for improvement.

How are customer service and support?

Exceptional!

Which solution did I use previously and why did I switch?

Previously used Burp Suite, OWASP Zed Attack Proxy, Python scripts / PowerShell and Batch, Retire.JS, Vulners, and Wappalyzer browser plugins.

How was the initial setup?

The initial setup was very straightforward and integrations were up and running in a matter of days after purchase.

What about the implementation team?

Implementation was in-house (Deployment, Automation Engineers, Myself).

What was our ROI?

Unknown - productivity and time are measurable, possibly as much as 20%. Improvement in cross-departmental relations is priceless!

Which other solutions did I evaluate?

We also evaluated WhiteHat Security.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1360623 - PeerSpot reviewer
VP Engineering at a tech services company with 201-500 employees
Consultant
Source code composition analysis helps with vulnerabilities and license compliance
Pros and Cons
  • "Veracode is a valuable tool in our secure SDLC process."
  • "It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects."

What is our primary use case?

Our primary use cases are for comprehensive security assessment using static analysis, dynamic analysis, source code composition, and manual penetration tests. We also use it for security training for developers.

How has it helped my organization?

Veracode is a valuable tool in our secure SDLC process.

What is most valuable?

Source code composition analysis for vulnerabilities and license compliance is the most valuable feature.

What needs improvement?

It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.

For how long have I used the solution?

I have been using Veracode for one year.

Which other solutions did I evaluate?

We also evaluated Synopsys.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Enterprise Architect at a computer software company with 1-10 employees
Real User
Excellent article scanning, good data support and great analysis
Pros and Cons
  • "The article scanning is excellent."
  • "The documentation is poor and the technical support isn't helpful."

What is our primary use case?

We primarily use the solution for article scanning.

What is most valuable?

The article scanning is excellent. 

The composition analysis and common CBEs attached to it are quite good.

The solution offers a lot of really great analysis. There's lots of good data support.

What needs improvement?

The licensing model could be improved. 

If they can provide an automatic upload model, that would be really good. Right now we have to upload the NK bucket hosting to get through the analysis. That is kind of cumbersome.

The documentation is poor and the technical support isn't helpful.

For how long have I used the solution?

We've been using the solution for three or four years.

What do I think about the scalability of the solution?

We don't plan on increasing usage. We are a product company. We have three products that are built. All of them go through this solution. We are not a services company. 

We have about 80 people on the solution currently. They are all developers.

How are customer service and technical support?

We did previously reach out to technical support. When we had to set up all of the automation, we contacted them for assistance. Their documentation is awful and their response time wasn't ideal.

How was the initial setup?

The initial setup was not complex. It was pretty straightforward. However, the integration and automation of the CI cloud was a nightmare. 

Deployment varies. Sometimes it takes three months. Sometimes it only takes one hour. The average is one hour, but we have experienced much, much longer deployment times.

What's my experience with pricing, setup cost, and licensing?

I have no idea what the licensing costs on the solution are. Our IT team handles the details.

What other advice do I have?

We were part of the initiation when the company started. They introduced it and we began using the solution. We're just a customer.

For those companies hoping to automate the solution, I would not recommend it. It's too difficult for those heavily dependent on automation. However, for those companies who want to manually use it, I can recommend the solution. In those cases, it's easy to use even if you won't build it as a part of your automation test tools or on any internet server.

I'd rate them eight out of ten. I'd rate them higher, but they have bad automation and terrible documentation. Other than that, they are very good.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Enterprise Architect, VP at a financial services firm with 501-1,000 employees
Real User
Enables us to identify potential problems in applications and fix them before they are used in ways they should not be but has false positives
Pros and Cons
  • "This is a great tool for learning about potential vulnerabilities in code."
  • "There were some additional manual steps or work involved that we should not have needed to do."

What is our primary use case?

The primary use case for us was looking for web applications that might have vulnerabilities that could be compromised. Specifically, I was managing a team and we had built a lot of applications as well as having purchased applications from vendors. We were working with a security team to go through and scan those applications for vulnerability using Software Composition Analysis. We were trying to avoid situations where somebody could do something that they should not be able to do like get at data.  

How has it helped my organization?

The product helped improve our organization by helping us to identify potential problems in applications and fix them before they were used in a way that they should not be. In essence, it helped enhance our security. I think another thing it did is that it kind of helped us with the general education level of staff working on the projects. Developers or technical stakeholders specifically were presented with the opportunity to understand things that maybe they did not before.

We were not doing the training piece of the process when we were onboarding the product, but just adopting the platform definitely increased their awareness and knowledge about potential issues in development and application vulnerabilities.  

What is most valuable?

One of the best things about the solution is that I think it is kind of easy to get started using it. The pain of adoption is low. Once you have got the code scanned, there is a lot of information that you have to plan time to go through and work with other teams to get things resolved or dispositioned.

I think that it was easy to get started, but there was also definitely a learning curve in terms of people needing to understand what the reports meant and what to do about the information that they were getting.  

What needs improvement?

There is a concept called false positives where things might come up as a potential issue but they really are not. In our case specifically, we might get a false positive when a potential vulnerability is discovered through Veracode analysis, but the way that the application is built makes it so what appears to be a vulnerability is not really an issue. Stated a different way, even though there might be something that prevents that particular event from ever happening, the product does not correctly detect the safeguards or the impossibility of the issue arising.  

When a false positive gets reported by the Composition Analysis, it results in more work for you to do than you should have to. There is a lot of information to go through and so some of it is due to those false positives. You either have to do work to eliminate the false positives being identified, or you have to look at the alert and determine that it is harmless.  

As far as what might be added in future releases, more artificial intelligence capabilities would be desirable. I do not know if they have it now. Maybe one example could be to make more focused suggestions or give more information in the reports to locate the cause of the issues. It should be something that improves results over time so that people do not have to do as much work to understand the details.  

For how long have I used the solution?

I have been using Veracode Software Composition Analysis for probably around three years.  

What do I think about the stability of the solution?

I would say it is definitely stable. There were no problems with the platform itself. It has been reliable. We never had issues where we needed to call support.  

What do I think about the scalability of the solution?

I think the opportunities for scalability are good because we did not come upon issues that caused us to wonder about its limitations. We have not really pressed to find scalability problems. So my impression is that scalability is good. We did not experience issues due to bottlenecks or anything like that.  

Our group of users contained a mix of roles. It was developers, project managers, testers, information security analysts, and engineers. It was probably a total of around 30 to 40 people.  

For deployment and maintenance, there were really just like a couple of people. There was not a full-time dedicated need for it.  

How are customer service and technical support?

There were times when we had to deal with support when we ran scans and we were reviewing results. There were times when we needed to either open a ticket or talk to somebody who had some expertise in a specific area. That process was timely and they were responsive. So that was good.  

Veracode actually has a separate subscription that you can participate in that is something like a learning management catalog. I think that the training piece of support has definitely improved over the course of when we used it.  

Which solution did I use previously and why did I switch?

We did have a different product, but it was a little bit for a different purpose. We were using a different product that complemented the Veracode product.

How was the initial setup?

The initial setup was pretty straightforward. That is part of it being an easy solution to get started with.

The deployment started smaller in employing the product to analyze a subset of our applications. It initially was being employed to look at the vendor applications that we had. I would probably say that initial period was about three to six months. That effort was focused on one group and did not really include all of the technical people and developers.  

Once we saw what it could do, it got adopted and we rolled it out to more people. So we kind of employed it in stages. The first part, which was essentially a test period, was three to six months. Then pushing it out for broader adoption in the next part was another three to six months.  

What about the implementation team?

We did not use integrators. We did have the training and we did have professional services in the form of customer support from Veracode.  

What's my experience with pricing, setup cost, and licensing?

I do not remember the licensing costs off hand. I would probably estimate it to be between 50,000 to 75,000 in our case.  

What other advice do I have?

The advice that I would have for people who are new to the product would be to start with a proof of concept. This will help you to see how the product works with your process and people.  

The biggest lesson I have learned from using this solution is that it definitely increased my education on how to prevent application vulnerabilities earlier on and how not to repeat them. It also helped me as a manager to better understand how to guide and coach people.  

On a scale from one to ten where one is the worst and ten is the best, I would rate this product probably as a seven, if I am going back in time. I thought that there was room for improvement, but at the same time, it did what we needed it to do. We got what we expected. So I thought it was good, but I also think there were some additional manual steps or work involved that we should not have needed to do. That is really why I do not rate it with a higher number.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Sr Director at a non-profit with 51-200 employees
Real User
Stable with good technical support and a moderately easy implementation process
Pros and Cons
  • "The solution is stable. We've never had any issues surrounding its stability."
  • "The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified."

What is our primary use case?

The primary use case was scanning a single-digit number of applications. We scanned them about twice a year and that's about it. It was just to get the results. We used the results to gauge our security health.

What is most valuable?

The feature that was most valuable to us was the ability to point locally in a quorum.

What needs improvement?

The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified. 

The solution needs to be more flexible. It needs to work with clients more effectively. 

Right now, the licensing model is based on the number of applications as opposed to being flexible and based on the number of developers or based on some other parameters. This constrains our company in terms of defining what an application is and doing the scans. We have an application with multiple deposit rates, but Veracode has a hard time recognizing the different components sitting in different depositories as one application. 

The solution is pretty similar to others. There wasn't anything that was so startlingly different it would make us want to stay.

For how long have I used the solution?

I had been using the solution for a while, but I am currently in the process of moving off of it.

What do I think about the stability of the solution?

The solution is stable. We've never had any issues surrounding its stability.

What do I think about the scalability of the solution?

There's nothing to scale. Asking if the solution is scalable or not isn't applicable in this case. It's not an active load balancer. It's just a static scan. If it was dynamic, there may be a question around scalability, but it is not.

How are customer service and technical support?

The technical support team is quite good. However, if we're talking in terms of how Veracode recognizes clients and deals with them, I'd rate them as bad.

Which solution did I use previously and why did I switch?

We did not previously use a different solution. We've only used Veracode.

How was the initial setup?

The initial setup has a moderate level of difficulty. It's neither simple nor complex.

What about the implementation team?

We handled the implementation ourselves.

What's my experience with pricing, setup cost, and licensing?

The solution recently doubled in price over the past year, which is why I've decided to move away from it. The price jump doesn't make sense. It's not like there was a sudden influx in new features or advancements.

Without getting too specific, I'd say the average yearly cost is around $50,000. The costs include licensing and maintenance support.

What other advice do I have?

I handle software composition analysis. Currently, I'm moving away from Veracode.

I don't know which version of the solution I am using currently. It's not quite the most up-to-date version.

If a company is looking for a long-term partner, and not just a transactional solution, I'd suggest a different company.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Associate Consultant at a comms service provider with 201-500 employees
Consultant
Efficient at finding vulnerabilities but the number of false positives should be reduced
Pros and Cons
  • "The most valuable feature is the efficiency of the tool in finding vulnerabilities."
  • "A high number of false positives are reported and this should be reduced."

What is our primary use case?

I am a consultant and SourceClear is one of the solutions that I use to provide services.

This solution is used by people who want to verify the security of their own applications.

What is most valuable?

The most valuable feature is the efficiency of the tool in finding vulnerabilities.

What needs improvement?

A high number of false positives are reported and this should be reduced.

For how long have I used the solution?

I have been using SourceClear for about a year and a half.

What do I think about the stability of the solution?

This is a stable solution.

What do I think about the scalability of the solution?

We have no complaints about scalability. We have between 200 and 300 clients.

How are customer service and technical support?

We have not been in touch with Veracode's technical support.

Which solution did I use previously and why did I switch?

We have also used Checkmarx, where you can train the tool for false positives and ultimately reduce them.

How was the initial setup?

The initial setup is a little bit complex.

What about the implementation team?

It would be better to have some assistance when implementing this solution.

What other advice do I have?

Overall, SourceClear is working fine for us and our main complaint is in regard to the high number of false positives. Nonetheless, I would recommend Checkmarx over SourceClear.

I would rate this solution a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
SeshagiriSriram - PeerSpot reviewer
Head IT Architecture at a tech vendor with 11-50 employees
Real User
Top 10 Leaderboard
Enables us to perform security checks with ease
Pros and Cons
  • "We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes."
  • "One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications."

What is our primary use case?

We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.

How has it helped my organization?

Technically there is nothing wrong with Veracode. The only issue that we have here is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

What needs improvement?

Technically there is nothing wrong with Veracode. The only issue that we have is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications. So we would like to see a kind of a graphical representation of the problem areas. I would like to know which file is the biggest source of issues for me so that I can focus on resolving the issue, as a project manager. With how it is now, I am able to do this but I have to take out the whole PDF file and extract it. It takes up a lot of my time. I would like to see better strategic reporting. It would be great to get better graphical reporting.

For how long have I used the solution?

We have been using it for three years.

What do I think about the stability of the solution?

Stability is very good and there were no issues. I will give it five stars.

What do I think about the scalability of the solution?

It's very good; really very good. I would strongly recommend that. Technically I would be expecting a double concept for Veracode. I would still say this is one of the best products ever on that website. I don't have any issues with the scalability. 

How are customer service and technical support?

I had no technical issues at all.

How was the initial setup?

The initial setup can be a little complex for people or for organizations that don't have technical skills. Another small thing is that you need to have one person who's fluent and technically knowledgeable to help during the upload process. But otherwise, it's pretty much straightforward. It's not an issue, it's perfect.

What other advice do I have?

I would strongly recommend doing an internal analysis first, before setting it across to Veracode to proceed and to use it more as a final verification point. My point is that Veracode is very good, and I would strongly recommend it. I have seen other solutions on the market and that's why I say: don't waste your time on other products, just get Veracode.

I would rate it an eight out of ten. Not a ten because of the reporting issues I mentioned that I would like to see improved.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Solutions Architect at NessPRO Italy
Real User
A well supported and valuable tool that was part of our DevSecOps process
Pros and Cons
  • "I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code."
  • "Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them."

What is our primary use case?

I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.

How has it helped my organization?

We were embracing Veracode as a process in our DevSecOps, although I have not personally used this solution for the past eight months.

What needs improvement?

This is not a very elaborate application. I think that the suggestions are between thirty-five and eighty percent accurate, with most cases being about seventy-five percent. Some of them are references where you have to go and determine whether they are direct threats, or not.

At the point in time when we were using this solution, we had older coders and the way Veracode tests for vulnerabilities may have been affected by the code style. I found that there were far too many warnings and some false positives. Of course, this comes with every product, and there are multiple tools that are used.

Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.

What do I think about the stability of the solution?

In the context of a dev or UIT environment, I'll say that it is fairly stable. However, I would not be able to give ratings for stability in a production environment because I have no experience with it.

How are customer service and technical support?

Technical support was good and I was very happy with them.

We did not have that many issues to start with. They conducted training, and there was an architect that was working directly with me to answer everything. He was fairly knowledgeable. In the beginning, when we wanted to understand the product, he gave us great pointers. He provided very nice documentation that we followed and we were able to establish with the infrastructure team.

Which solution did I use previously and why did I switch?

I have used multiple tools similar to Veracode that integrate with the IDE.

How was the initial setup?

The initial setup was straightforward. What I recall is that it was not really difficult and we had optimal support. They also provided us with documentation to help set up integration with tools such as Jenkins.

What other advice do I have?

When it comes to DevSecOps, in the industry it is still under adoption. With the advent of the cloud and code being there, or on other public platforms, many people have embraced it or are in the process of doing so.

My advice for anybody interested in implementing this solution is to be really careful when choosing your tools. Be very proactive and up-front on the requirements of your systems, because no tool is perfect. You need to find the best fit for each particular use case. I would do a thorough analysis.

As a solution architect, I do small POCs and run initiatives on products to find out various aspects. For example, the technical feasibility of the product is an important aspect. Other important ones are usability, testing, and implementation. Normally, I select at least three products and do a comparative analysis based on the POC. After this, I recommend a particular solution.

I would recommend Veracode. There are plusses and minuses to this solution, but given the chance to use it again I would definitely do so. Every product has its own flaws, but for my use case, it did fit very well.

I would rate this solution an eight and a half out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2023