Security Engineer at a tech services company with 5,001-10,000 employees
Good for legacy technologies but the DAST engines are primitive
Pros and Cons
- "The solution can scan old databases and old code written 20 years back."
- "One of the most important areas that need improvement for Veracode is its DAST. Veracode's DAST engines are primitive."
What is our primary use case?
I worked as a security tester for a service-based Indian IT company. I had admin rights on the application, where I used to provide access to other developers so they could execute unit-level tests directly from their console. There are many types of security testing activities, such as false positive analysis or looking into the code from a secure point of view, getting the mitigations done, and then retesting the applications.
How has it helped my organization?
We initially had more than 15,000 vulnerabilities. Veracode helped us to regulate all the teams. I gave the consult level access and a basic level of access to developers. My manager and I trained the developers in secure coding practices.
DevSecOps is a process that helps improve security in software development. From a DevSec perspective, it is a great way to improve security in software development. However, from a DAST perspective, it is not as good because the results cannot be easily integrated into the CI/CD pipeline. Integration with Jenkins is seamless. It didn't make much of a difference for us, but it could be different for other applications of the latest technology. Veracode has the feature of issue creation in the Jira portal itself. For example, if we're scanning an application and Veracode reports 15 issues after the security scan is complete, the solution will automatically create Jira tasks related to security, which can be assigned to the appropriate developers. Veracode is good from that perspective, but it needs more evolution. The solution needs moderation because if by some chance a big module or issue pops up, we could get 10,000 issues. That would be a real complication from the Jira point of view.
When it comes to false positives, I used Veracode for two-and-a-half years and it has been fine and fair.
When our developers find a false positive it doesn't make much of a difference. They are just happy knowing what is wrong and right. Developers know how to code, but they don't know secure coding. We are generally there to guide them and most of the time, I used to do the false positive analysis by myself and not leave it to the developers. The developers would get a refined and concrete number of vulnerabilities to quickly work on. In some cases, the developers also find issues that we missed because we have to work on multiple applications at once.
I don't believe there's any cost related to the machine-learning side of Veracode, but it takes a lot of time because SaaS issues are those that couldn't be resolved by a junior or intermediate-level developer generally. Most of the time, these issues are resolved by people with five-plus years of experience because there are security issues. To understand the security complications, we need to have some knowledge of the architecture and design levels of the application. If we don't have design-level information, it's difficult to correct. Without a senior-level developer to guide us, it can cost us a lot. The senior resources getting deployed could be used elsewhere for more development activities. However, the mitigation is provided by Veracode and the detailed report is very good.
Veracode has helped fix flaws affecting our organization by making the applications a lot more secure.
What is most valuable?
We use a code review-based tool, so the unique aspect of Veracode is that it is really good for legacy or old technologies. It can scan old databases and old code written 20 years back.
Depending on the technology we are working with, the solution's ability to prevent vulnerable code from going into production, whether it is Java-based code or ASP.NET, the efficient number of identification codes is the best in the market for legacy technologies. I would use Fortify or Checkmarx to test accordingly using the latest code.
The best feature I like about Veracode is the ability to give low-level access to accounts. The identity access management system is really good and we can even integrate it with the IDE. For example, if we're coding in Eclipse or something similar, we can push the code from the IDE directly into Veracode's backend to have its security tested. It is cloud-hosted and the downtime is very minimal. We could check the results anywhere, anytime. This makes the platform's independence very good.
The solution provides visibility into application status at every phase of development. We can see and make adjustments accordingly at each level.
Veracode is a great solution for old applications. I would only recommend Veracode for older applications.
What needs improvement?
One of the most important areas that need improvement for Veracode is its DAST. Veracode's DAST engines are primitive. They need to work on that. It needs to be their number one priority.
The number of vulnerabilities and quality of the latest technology when compared to other scan engines such as Fortify and Checkmarx is not as good.
Veracode has multiple sides when it comes to dynamic testing. They offer software composition analysis, dynamic scans, and static scans. However, I would not recommend Veracode for dynamic testing because it wasn't able to scan many of our applications properly. Some of the other solutions were really efficient and proactively reported a lot of vulnerabilities. The Veracode scanner was not able to properly scan the applications because of authentication issues and login issues. HP WebInspect and Micro Focus WebInspect allow us to make scripts by ourselves, which will then enable the scanner to scan the website in a more proper and systematic way. There were a lot of complications with Veracode's dynamic point of view, and a negligible amount of vulnerabilities were reported. On the other hand, when I tried Netsparker or Micro Focus WebInspect, things were really good.
If we have to scan the latest code, for example, if we have written a piece of code in Angular or Node.js, we can't consider the solution because it is not as good as other solutions using newer code.
Buyer's Guide
Veracode
February 2023

Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: February 2023.
686,748 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Veracode for two and a half years.
What do I think about the stability of the solution?
Veracode is stable, but every now and then something breaks. From a stability standpoint, I would give the solution a seven out of ten.
What do I think about the scalability of the solution?
Veracode is scalable. I give the scalability a ten out of ten.
How are customer service and support?
The technical support is really slow. Their availability is sparse. It sometimes takes two months to have a resolution.
How would you rate customer service and support?
Negative
Which solution did I use previously and why did I switch?
I started my career with Veracode, a DAST review tool. I worked there for two-and-a-half years.
How was the initial setup?
The solution is not deployed on our systems. It is cloud-based and only requires logging on.
What's my experience with pricing, setup cost, and licensing?
The requirements for the code determine whether Veracode is the best option or not. If the code is 15 to 20 years old, and it is very important, then Veracode is the best option. If the code is very new, then I wouldn't want to spend any money on the solution. It all depends on the requirements.
There is a fee to scale up the solution, which I consider expensive.
Which other solutions did I evaluate?
We did POCs and collaborated with Fortify, Veracode, and Checkmarx to see who gives the best results for all the applications. Veracode gave the best results, so we chose them for our organization.
What other advice do I have?
I give the solution a six out of ten.
Veracode has not directly helped our developers save time. There was no interaction between the Veracode team and us, so it was minimal whenever some issues such as false positives are reported by the solution. There were some issues with the Veracode engines a few times that required customer support to resolve.
I used to go to Veracode's website and log in. It was updated automatically, and I could access it from multiple devices. I'm not sure which cloud they were using, but it was managed by Veracode.
We have around 18 people using Veracode and two of them are administrators.
Veracode is accessed via a website on the internet. Their backend team takes care of any maintenance that is needed.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jan 10, 2023
Program Analyst at a tech services company with 10,001+ employees
Helps developers look at things with a different, more secure, perspective, decreasing the flaw rate
Pros and Cons
- "It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed."
- "There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. Also, the duration of the scan is a bit too long."
What is our primary use case?
In my previous company, we had a healthcare app. We used Veracode to run a spontaneous static analysis as well as dynamic analysis, to resolve our vulnerabilities. We were releasing versions every month. Each month we were looking at the results of Veracode and fixing the problems.
How has it helped my organization?
It helps fix a lot of flaws and bugs. As a developer, you look at things with a different perspective with the Veracode results. You can see that certain things can be implemented in another way, how they can be more secure. As a result, it helps improve your level of understanding and decrease the number of production issues.
Using Veracode, it was very interesting to see the difference when I compared things over a three-month timeline. During the initial three months, when I started using Veracode, I found the percentage rate of flaws was around 60 to 70 percent in the entire file we were uploading. After using Veracode over the next three months, our score decreased to a 30 to 40 percent flaw rate. We were able to do our quarterly development in a very secure way.
For example, we recently encountered a flaw that might be exploited. We implemented a function to store passwords that were encrypted. That functionality was written in a pretty vulnerable manner. By looking at the code, we could see, "Okay, this might be exploited." But when Veracode pointed out multiple times, "This might be vulnerable," and "This might be vulnerable," it helped us improve our developer standards. It gave us a brief idea of how this particular code implementation could be improved.
There is also a feature called Veracode Pipeline Scan which provides instantaneous feedback. That was a major addition to our process and has worked out very well. Developers get instant feedback about their flaws, making them easy to fix while in pre-production. That is one of the major boosts that we have implemented. It enables our developers to fix things in parallel, and that has saved time, about 20 to 25 percent, and resulted in better coding. As a security guy, I can see the differences between the initial processes and the processes we have six to eight months after implementing Veracode Pipeline Scan and Veracode in general.
Overall, it has reduced the time that we used to spend working manually to pinpoint the issues that we found. Veracode makes it an automated process. Also, we can use it in parallel. If Veracode is the main "hub," we can have "sub-hubs" such as static analysis and Veracode Pipeline Scans. Both can be done simultaneously, reducing the manpower required by a lot, and providing correct results. And it has improved our understanding of the different kinds of flaws and vulnerabilities that are in the report. Veracode, as a tool, has made things better.
In terms of security posture, when I had just joined my previous organization, there was a meeting about client feedback. Initially, their comments were that things were not very stable. They said it was easy to steal data. After using Veracode, and as our developers adapted the tool and developed secure code, the client's feedback was that things were pretty stable and good. At first, the feedback was very ruthless. We were not up to security standards. But once we started using Veracode, it became the main pillar of our security. We overcame certain challenges and the client feedback was pretty good.
What is most valuable?
It yields around 90 percent accurate results. It pinpoints the errors. Its accuracy is very interesting. It also elaborates on flaws, meaning it provides you with details about what is valid or not and how something can be fixed.
Another valuable feature is in the dynamic analysis, which provides information on which libraries are outdated so that we can improve them and get them up to date. We found a lot of outdated libraries in use in our organization. As a result, it has improved our stability. The software composition analysis keeps you updated on each kind of data it reports on, including libraries and third-party DLLs.
What needs improvement?
There is a sandbox limit of 10 so any company using Veracode needs to plan for only having those 10 sandboxes. If they increased that to 25 or 30, the scan time would decrease and the results should be more effective.
There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved.
Also, the duration of the scan is a bit too long.
For how long have I used the solution?
I used Veracode in my previous company but recently changed to a new company. Overall, I have used it for around 1.5 years.
What do I think about the stability of the solution?
Its stability is fine. On a scale of one to 10, I would give it a seven for stability.
What do I think about the scalability of the solution?
It's a scalable solution.
We have it implemented in two offices, the main office in the US and a single office in India. There are only 10 to 12 people using it in our organization, meaning in India. I am not aware of how many users there are in the US.
How are customer service and support?
Their support team needs to respond in less time. It takes a lot of time for them to respond. When we reach out, we are waiting, most of the time, for two or three weeks to get a reply from them. That is the one major piece of feedback I have for Veracode.
Their technical support is very good, except for the response time. When we are stuck with something technical, they explain how to use it in multiple ways. They are supportive and that is pretty good.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We were using a couple of other tools along with Veracode. One was SonarQube and the other was Acunetix.
What other advice do I have?
The false positive rate is pretty low. When I started using Veracode, there were a lot of false positives, but that number became notably smaller. There are some false positives because new types of flaws are generated for each new version.
Initially, in general, whenever you see any kind of false positives or true negatives, it reduces your confidence. But whenever the reports are generated by Veracode, as developers we can understand that they show certain patterns of what might be a false positive. So we get an idea that this kind of a flaw might be a false positive while this kind might not be a false positive. We get clarity about the reports sent by Veracode. At a certain point, we might be sure that we can explain all the false positive data to management so that they can look into them and understand: If this kind of data or this kind of code flaw comes up, it is a false positive. We can easily associate these scenarios with false positives because they are normal and common.
During the initial phase, false positives affect our time because we can't deduce any conclusions. Static analysis is the kind of process in which you will encounter false positives in certain cases. But after a couple of implementations of machine learning, the results should be pretty accurate and the false positives should decrease.
Preventive maintenance is critical. Per my experience with Veracode, there are certain maintenance issues, but they are the normal types of things.
I would highly recommend Veracode, but initially, don't do a deep dive into the tool. Take a couple of licenses to start adapting to the tool and work out how it works and whether it's suitable for your development processes and developers, and get their feedback. I highly recommend it because it's a real time-saver, provides stability, and improves your organization's productivity.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Feb 7, 2023
Software developer at Appnomu Business Services
The solution provides visibility at every phase of development, which is helpful because it keeps us focused
Pros and Cons
- "I like the ability to integrate Veracode with other coding platforms like Visual Studio, which helps you write code quickly by implementing already inserted code. For example, if we have tags you want to put in the software, it is effortless to choose which programming language you want to use in the integrated development environment."
- "Veracode could improve their documentation. They don't update the knowledge base when they release a new feature or module. The information in the knowledge base often doesn't match how the latest version works. Veracode should update the knowledge base to tell you how to use and configure the latest modules."
What is our primary use case?
I use Veracode to develop solutions faster while ensuring my code is secure and doesn't have vulnerabilities. I can deliver a stable, scalable product to users and our partners, and security is our top priority.
How has it helped my organization?
The primary benefit we get from Veracode is security. We can provide a stable, secure solution that protects our users' privacy. When developing a solution many people will use, you need to consider your clients' security framework.
Veracode has also reduced the time we spend developing projects. You can cooperate with a team on a project, identify vulnerable code, and resolve the issue faster. It speeds up the development process.
It's excellent for regulatory compliance. If you know your product's target industry and country, Veracode can help you meet the standards with a click. You don't need to do much research or consult a lawyer. The policies are in one place, so one piece of software will keep you compliant.
Veracode provides visibility at every phase of development, which is helpful because it keeps us focused. I know if I'm on target or behind on an issue. In the next update or lifecycle of my software, I can develop faster because I am aware of past issues and can avoid them. Veracode is transparent and saves time tracking your lifecycle and the timeframe for developing your code.
It helps us fix flaws by identifying every issue in our code. You know what you need to fix and the steps you must take. It helps us deliver stable and scalable platforms that large corporate clients can trust. Veracode saves us money in the long run because we see fewer issues once our clients use our product. We spend less time debugging faulty software or taking support calls from users complaining it doesn't work.
Veracode also saves our developers time. On average, we spend about 30 percent less time on a project than we would've without Veracode. It cuts our DevSecOps costs by about 40 percent per project.
What is most valuable?
The first feature that I like about Veracode is its security. With Veracode, I can rest assured that the platform is safe. Second, I enjoy integrating Veracode with other coding platforms like Visual Studio, which helps me write code quickly by implementing already inserted code. For example, if we have tags we want to put in the software, choosing which programming language we want to use in the integrated development environment is effortless.
The solution is highly user-friendly. Veracode detects vulnerable code and alerts you, so removing those security issues from the code is easy. It's essential for any company or individual trying to develop a stable solution.
The new Software Bill of Materials feature integrates easily with your in-house applications, helping you determine whether you are compliant based on where you produce your services or products.
The Software Bill of Materials also secures your code from external access before production. Only teams with permission can access your code. You have a private code that can be shared without the risk that errors might be added to the code before it goes into production.
You don't need much integration or technical skill to leverage SBOM. Even if you lack data skills, the feature is straightforward. It's easy to create reports to share internally or externally. The feature is straightforward if you have data and the right inputs.
What needs improvement?
Veracode could improve their documentation. They don't update the knowledge base when they release a new feature or module. The information in the knowledge base often doesn't match how the latest version works. Veracode should update the knowledge base to tell you how to use and configure the latest modules.
The user interface could also be optimized for smaller screen sizes. It displays well on a screen that is around 14 to 15 inches. It isn't a mobile-friendly tool. The usability and user interface need to be improved. It has limitations on some browsers, as well. I find it easier to use Veracode in Chrome than in other browsers like Microsoft Edge. It should work perfectly in any browser.
For how long have I used the solution?
I've used Veracode for three years.
What do I think about the stability of the solution?
We haven't experienced any downtime since we implemented Veracode.
What do I think about the scalability of the solution?
I rate Veracode a ten out of ten for scalability.
How are customer service and support?
I rate Veracode's support a ten out of ten. The support team is highly experienced, and you don't need to explain much to them. They can quickly determine where you have gotten lost. Veracode support listens patiently and tries their best to follow up.
How would you rate customer service and support?
Positive
How was the initial setup?
I deployed Veracode with one other colleague. The deployment didn't go well at first, but it was straightforward after we got some help from the support team.
What was our ROI?
I estimate our ROI at about 45 percent. Veracode provides multiple modules under one license for functions that we would normally buy from other vendors. It covers coding, security, and compliance, so you spend less than you would by buying multiple software solutions.
What's my experience with pricing, setup cost, and licensing?
Veracode's price is reasonable. It depends on your goals for the solution and the size of your company. It's affordable in our case. However, it might be too expensive for smaller companies without a large budget or a significant market for their products. The licensing model is transparent. They don't license their products per module. You get all the modules for one annual license.
Veracode's price isn't so high if your goal is to save time while delivering secure, stable, and compliant products to your client. It might be hard for a startup to justify the cost if they haven't been in the industry for long and can't predict the size of their customer base a year from now. You should consider the market and what you hope to achieve using Veracode.
Which other solutions did I evaluate?
We wanted to use a different solution. Unfortunately, it was more expensive and required more technical skills, so we opted to use Veracode instead.
What other advice do I have?
I rate Veracode a ten out of ten. If you plan to implement Veracode, you should have an in-house tech team that knows Veracode. It will be hard if you don't have one set up. You also need to ensure you have the budget to cover Veracode.
Overall, Veracode is a stable solution I recommend to any serious enterprise, especially those in finance, charity, or any other field with stringent data protection requirements. I recommend Veracode for DevOps teams, and it's the only stable solution I have used so far that I would suggest to someone else.
The prices are constant throughout, and Veracode's support team is there to help you resolve any issue. They can help you resolve issues faster if you have some knowledge about Veracode. Do some planning before you implement the solution. Get to know Veracode, how it is used, and where it is applied. Everything will be smooth.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Mar 22, 2023
Technical Program Manager at a university with 201-500 employees
Affordable, fully automated, and helpful in understanding the issues we need to focus on
Pros and Cons
- "The findings of their security analysis are wonderful. You can easily go through all the analyses done by Veracode. You can see what are the flaws and what could be the best possible resolution to minimize those flaws in the application. When an application is being used by the public, security is a challenge. Veracode helps us to analyze all the security flaws, discrepancies, and vulnerabilities inside the application. It provides good reports."
- "The UI could be better. Also, there are some scenarios where there is no security flaw, but the report indicates that there is a security flaw. The report is not perfectly accurate. So, the accuracy of the scanning reports needs improvement."
What is our primary use case?
Veracode is used to perform the dynamic analysis of our applications for security flaws. We have applications that are being used by millions of users. We needed a security analysis tool to secure the application. Veracode is helping us with the analysis of all the security flaws and discrepancies.
It is software-as-a-service. It is in the cloud.
How has it helped my organization?
Earlier, we did not have any such dedicated tool for the security analysis of our application. It was quite challenging for us when on a day-to-day basis, it was accessed by the users because there could be security flaws making it prone to any third-party attacks, malware, unauthenticated access, etc. Veracode gives us a complete scanning report, which is very useful. It is informative and helpful to understand the things that we need to focus on.
Within three months of its implementation, we realized that it is a very powerful solution, and it works perfectly for all the use cases of our applications. Scanning through the application code is a very big task, and Veracode does that perfectly. It enhances the development and the coding work and is helpful for the development team and the product team.
Now, there is peace of mind. All the static and dynamic scans are done by Veracode, and we are making sure that there are no security flaws in the application. The automation of the analysis is helpful and saves our time and cost.
What is most valuable?
It is fully automated. I love the automation feature.
The findings of their security analysis are wonderful. You can easily go through all the analyses done by Veracode. You can see what are the flaws and what could be the best possible resolution to minimize those flaws in the application. When an application is being used by the public, security is a challenge. Veracode helps us to analyze all the security flaws, discrepancies, and vulnerabilities inside the application. It provides good reports.
What needs improvement?
The UI could be better. Also, there are some scenarios where there is no security flaw, but the report indicates that there is a security flaw. The report is not perfectly accurate. So, the accuracy of the scanning reports needs improvement.
It currently takes too much time to scan all the vulnerabilities in the applications and code. The time should be reduced. The scanning engine in Veracode needs some improvement in terms of performance and efficiency.
For how long have I used the solution?
It has been two years.
What do I think about the stability of the solution?
The product is stable. There is no issue with that. It mostly works as expected. Sometimes, scanning analysis is not up to the mark because of some bugs or unstable releases, but 90% to 95% of the time, it works fine.
What do I think about the scalability of the solution?
Its scalability is good. It is cloud-based. Whenever the application load increases, it is scaled automatically without an issue. We have plans to increase its usage in our future application process.
There are 35 to 50 users based in diverse geographical locations. We have Java, Python, and .NET applications running in the cloud. We also have some in-house cloud-based applications running on the AWS platform.
How are customer service and support?
Their technical support people are good, but sometimes, they don't have complete knowledge of the software. So, they need some time to resolve the queries because they have to confirm or do knowledge sharing with their superior team members. I would rate them a 9 out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We didn't use any other solution previously. All our security scans were run manually by a third party, which cost a lot of money and time. We had to place a request to them, and then they used to schedule that.
How was the initial setup?
I was involved in negotiating with the vendor and implementing the right solution. I worked with the team members and the end-users of the solution.
Its deployment is straightforward. They have to go through the complete application analysis and review once. They need to sit with the product development and the engineering team to go through the requirements, development environment, and IDE environment of an application. Once done, it is perfectly implemented in one go.
It took one month to have initial discussions, do the requirement analysis, and finalize the requirements. It took 15 days to get it implemented. So, it took 30 to 45 days.
What about the implementation team?
There were team members from the engineering, product, and consulting teams for procurement, implementation, and final roll-out of the solution.
Its maintenance is a part of the implementation pricing plan and subscription. They are providing the maintenance and upgrade of the system. Because it is cloud-based, it is not managed by us. Veracode currently manages all the upgrades and updates. For any operational issues or additional change management, there is an additional cost.
There are 10 to 15 people in our networking infrastructure and the cloud team who are responsible for handling all the issues and the requirements for the developers. I'm also responsible for that. We are coordinating with their sales team and the account management team for any new requests or ongoing issues.
What was our ROI?
We have definitely seen an ROI. It helps the developers and testers to go through all the security flaws in their code or application repository in a very unique way. There are no chances of any security flaws or issues in the application. It helps the organization and the team. So, ultimately, it provides a positive return on investment.
What's my experience with pricing, setup cost, and licensing?
It is quite good. If you adapt it for the whole organization, it is quite affordable. The pricing plans are good as compared to the other competitors, and any small, medium, or big company can easily adopt Veracode. Its cost includes deployment, training, and support for one year.
Security is a major concern for any organization. The developers do hard work in developing code, but if that code has some security flaws, it would be a challenge for any organization.
Which other solutions did I evaluate?
At the time, we evaluated GitLab, SonarQube, and Micro Focus, but we didn't go for them because of various reasons, such as price concerns, pricing plans, and the availability of the solutions.
What other advice do I have?
Every organization should use some kind of security-analysis solution for making their product stable, reducing time and effort, and saving costs.
I would fully recommend this solution to prospective buyers if they have a requirement for an analysis of the security flaws in their application and code. They will find it very useful if they can manage their budget for implementing this solution in the organization. It works perfectly well, and it will meet their expectations.
Overall, I would rate it a 9 out of 10. No solution is perfect, and a few improvements are always required in any solution.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Sep 14, 2022
IT Project Manager at Orange España
Identified security loopholes and gives our developers confidence in their code
Pros and Cons
- "It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well."
- "There should be more control for administrative users so that we can add and delete any functionality or module within the platform. We should not have to reach out to Veracode's customer support every time. We should be able to customize our modules."
What is our primary use case?
Veracode is being used to check our application source code, whether it is working well or not, and to track changes in the code from different developers and engineering teams.
How has it helped my organization?
It flags the vulnerabilities in your source code before going to production, as well as when code does not meet compliance. It provides a report on which areas in the software have issues so that we can make measurable corrections.
Our DevSecOps people are now very happy because before, we had no solution with these kinds of functionalities. It minimizes our work in doing static analysis manually because Veracode is now doing the job. Our team has been minimized in terms of headcount and the overall time it takes because it has automated all the static analysis. Earlier, we had hired two or three members just to do analysis of the source code. Veracode has saved us on those costs. We have seen a positive return on investment with organizational savings of 15 to 20 percent. Overall, it has been a good experience, maximizing the efficiency of our developers.
And now, our developers are not concerned about security flaws when code is deployed in production. We have a different development environment in which we are running our code from testing to production and Veracode provides our team the functionality to do that analysis in one go.
And when it comes to our security posture, Veracode has identified security loopholes, giving us detailed reports on vulnerabilities. It gives our developers confidence and provides summary reports of the vulnerabilities and security flaws to our clients as well as to us.
What is most valuable?
Among the most valuable features are that
- its overall user interface is good
- the static scanning process is wonderful
- it analyzes vulnerabilities in your source code, which is very helpful
- it explains very clearly about the vulnerabilities that we have in our code, in terms of security and compliance.
It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well.
Veracode also has built-in functionality called the Software Bill of Materials. It is very useful if you are arranging the details regarding all your bills of materials within your code and your licensing. Using SBOM it is very easy to create reports. You just click on it and you can easily extract a report.
Veracode provides regular updates to the platform, updates that support rapid changes in technology and our development practices. It provides SAST analysis in the pipeline very quickly so that we can easily identify issues. It can also integrate with different pipelines, DevOps tools, and platforms. It is a highly efficient tool in terms of security vulnerabilities and reporting on them.
It provides an easy way to track flaws, tying them together with an explanation. There is an easy-to-use plugin for Visual Studio for the validation of code without having to do a complete, separate scan. It has the functionality to scan IDE methods.
For compliance reporting, you can configure your organization's data privacy policies and your country's policies. If those policies are breached, it provides you notification that something is not meeting the policies that you have set, so you can easily identify those cases and take corrective measures.
What needs improvement?
There should be more control for administrative users so that we can add and delete any functionality or module within the platform. We should not have to reach out to Veracode's customer support every time. We should be able to customize our modules.
Also, the analytics reporting should be improved. It should provide bar graphs and full visualizations so that people who are not as technical can understand things.
For how long have I used the solution?
We have used Veracode for more than three years.
What do I think about the stability of the solution?
It is stable. Many Fortune 500 organizations are currently using it. There is no issue with stability.
What do I think about the scalability of the solution?
It is scalable.
It is used by our North American region, EMEA, and Asia-Pacific, with 40 to 50 users.
How are customer service and support?
Their overall support and services are good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have used Armor, as well as a tool from Palo Alto. We switched to Veracode because of the product's stability, the community it has, the vendor services and support, and because it has the functionality that we required.
How was the initial setup?
The initial deployment was quite easy. All SaaS solutions are quite easy to implement, understand, and deploy. That is the core advantage of SaaS and cloud-based solutions.
Veracode doesn't require any maintenance. It is fully updated by Veracode.
What about the implementation team?
We worked with Veracode, without any third-party vendor involved. Their solution and architectural team, and their product demos team, gave us good product demos, and we had a chance to evaluate Veracode before fully implementing it in our organization.
On our side, it involved seven to eight people, because we have multiple applications and multiple source codes.
What was our ROI?
We have seen return on our investment in Veracode because security is a major issue and, before deploying source code into production, we need to make sure it is clean with no security flaws so that no issues are raised by customers.
What's my experience with pricing, setup cost, and licensing?
There are no setup or implementation charges. They offer a free trial and free consulting services. That was the first impression it made and something we liked about Veracode.
The price depends on your requirements, your source code sizes, and how complicated your source code is. Prospective buyers should understand their requirements when it comes to source code and data size first, and how often they require security analysis of their source code.
What other advice do I have?
Overall, Veracode's false positive rate is good. In some cases, we have found some issues with reporting those kinds of flaws. It might be that the false positives were due to the wrong policy configuration in Veracode, but that was resolved with the help of their customer support.
I would recommend it because security should be a priority for any organization. Go for a trial and, if it fits all your needs, go ahead with it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Feb 7, 2023
Backend Engineer at a tech company with 1,001-5,000 employees
Interactive lab helps developers think like attackers and become more security-aware
Pros and Cons
- "It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that."
- "I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase... To defend against those it's very important that the good guys use AI in ways that are good instead of bad."
How has it helped my organization?
Because Veracode is more interactive than Secure Code Warrior, the big benefit for our organization will be that the developers will not just get the blue team excited, but they will learn to think like the red team, like an attacker. The interactive labs will help developers see that some of the red team attack methods aren't that hard to do, and that will bring them more security awareness.
Because developers will see exactly how you do a certain type of red team attack or exploit, they will understand that it's important that they don't think, "Oh, this could never happen." And when they realize that some of the attack methods are not so hard to implement, they will secure the code base and fix the vulnerabilities that already exist.
For example, when I tried SQL injection labs, I learned new ways to make those, and that is extremely valuable for me because, if I'm working with a code base, I can know exactly how to mitigate SQL injection, since not all systems are using Hibernate. I've been on code reviews where I could actually point out things related to injection, which is something I wouldn't have been able to do without Veracode.
Another big benefit for our organization is that it is more interactive and fun, in a way, than Secure Code Warrior. Developers will engage and spend more time in Veracode.
It has had a good effect on my security posture because the labs are very informative with current information, showing you some of the things that could be done by attackers if your code is done incorrectly. I have retained more useful information in a fast manner.
And if we talk about scanning, we will see advantages there as well. For example, I'm working on a Java project and because Java is a high-level language, it's hard to make code errors. But if I worked with C or C++, the scanner tool would be very good. If you take the OWASP dependency checker, for example, it goes through all the third-party dependencies which are often where the trouble is in a Java project. However, I have heard that you can upload the necessary files and it will go through the third-party components as well and, in that case, it's very beneficial for the organization to have such a tool.
What is most valuable?
It can be very hard to make a good lab environment with a console with log windows and code bases. What I like about Veracode is that they managed to do that. It has a very responsive graphical user interface and has worked very well. I was very pleased with that.
I like the web interface of the interactive labs and the information there. It's very well done by those who developed it, and it works very well. It's very fun and you get to learn new things and think like an attacker. It's not like on TryHackMe, but the information I got from doing the labs here was information that I didn't have before. The quality of the information was really good.
When I started to use Veracode, there were a lot of policy documents and I actually have a habit of always reading those. I haven't made a list of all the regulations and policies and how well it complies with all the security regulations, but from what I could see, it is aligned with security regulations and certifications. And in the lab environment, they have divided things into different topics like OWASP top-10. That is very actual and follows the security guidelines that are commonly accepted by organizations today.
What needs improvement?
I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase. I actually talked to the CEO of an IT security company in the United States because he ranked the top-10 IT security risks this year, and one of the biggest risks was new vulnerabilities or attacks would occur because of ChatGPT and similar services. To defend against those it's very important that the good guys use AI in ways that are good instead of bad.
For how long have I used the solution?
I have been using Veracode for about two weeks. I recently got access to Veracode to test it. I've been spending a lot of time on it, working with it in the lab environment. I have also tried out the scanning tools for code bases, but I mostly have experience working with it in the lab environment.
What do I think about the stability of the solution?
I haven't used it for very long, but I have never experienced any problems with the stability.
What do I think about the scalability of the solution?
We are an enterprise-size company and I know that our security employees are using Veracode and some of the developers as well, but I don't know to what extent developers are using it. It's pretty widely used across our organization.
How are customer service and support?
I give their technical support a very high grade. I was in contact with them with an inquiry I had, and there was a very fast response time. They took my request and prioritized it. They were nice as well, and that's how you want support to be, although not every support team is like that.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I was previously working with Secure Code Warrior which is very different, but it's within the security field.
Which other solutions did I evaluate?
I've been using the security platform TryHackMe a lot, which also has a web console, but I wouldn't pay for the kind of console window that TryHackMe had. It has a lot of good aspects, so no disrespect to them; I learned a lot from it. But I understand how hard it is to create that and Veracode has managed to do so in a responsive way that works well. It's very impressive.
What other advice do I have?
Scanning tools are a big safeguard for getting vulnerable code out of production. It's almost mandatory today to scan applications because there are so many attacks happening in the world right now, no matter which solution you use.
I was very pleased when I tried Veracode because I hadn't heard about it before, but it was much better than I thought.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Mar 13, 2023
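The reviewer above mentions learning to mitigate SQL injection in code bases that do not use Hibernate, and pointing out injection risks during code review. The following is an added example, not code from the review or from Veracode: it shows the vulnerable string-concatenated query beside its parameterized form, run against an in-memory SQLite database, plus a small code-review helper that flags lines where SQL text is assembled by concatenation or an f-string. Python with sqlite3 is used here because it runs without external dependencies; the table, rows, probe input and the source lines fed to the helper are all constructed for this example.

```python
import re
import sqlite3

# Constructed schema and rows for the demonstration (not from any real system).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # Vulnerable form: caller-controlled text becomes part of the SQL statement,
    # so a quote in the input changes the query's structure instead of its data.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Mitigated form: the statement is fixed; the driver binds the value separately,
    # so the input is only ever compared as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Code-review helper: flag lines that build SQL text from variables.
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
CONCAT_NEAR_QUOTE = re.compile(r"""['"]\s*\+|\+\s*['"]""")  # "..." + x  or  x + "..."
FSTRING_WITH_FIELD = re.compile(r"""\bf['"][^'"]*\{""")      # f"... {x} ..."


def flag_concatenated_sql(source_lines):
    """Return 1-based line numbers whose SQL statement text is built by
    string concatenation or an f-string (a heuristic, not a full parser)."""
    flagged = []
    for lineno, line in enumerate(source_lines, start=1):
        if not SQL_KEYWORD.search(line):
            continue
        if CONCAT_NEAR_QUOTE.search(line) or FSTRING_WITH_FIELD.search(line):
            flagged.append(lineno)
    return flagged


# Constructed source lines standing in for a file under review (hypothetical code).
SAMPLE_SOURCE = [
    'sql = "SELECT name FROM users WHERE name = \'" + name + "\'"',
    'cur.execute(f"DELETE FROM sessions WHERE token = {token}")',
    'cur.execute("SELECT name FROM users WHERE name = ?", (name,))',
    'greeting = "Hello, " + name',
]

# Constructed tautology probe used in the classic SQL injection lab exercise.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PROBE))  # every row leaks
    print("safe:      ", find_user_safe(db, PROBE))        # no match
    print("review flags lines:", flag_concatenated_sql(SAMPLE_SOURCE))
```

The review helper is deliberately a heuristic: it will not catch SQL assembled across several lines or through `str.format`, so it is a starting point for a reviewer's checklist rather than a substitute for a static analyzer. The point of the two query functions is the contrast itself: the same probe returns every user from the concatenated query and nothing from the parameterized one.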
Technical Specialist at Accenture
Provides detailed analysis and reports of code vulnerabilities throughout the SDLC
Pros and Cons
- "The user interface is excellent, the code review process is quick and provides great analytics to understand our code better, and the SAST scan is high-speed."
- "Sometimes we get a lot of false positives even after configuring our policies, so that could be improved."
What is our primary use case?
Our primary uses are for reviews of our code and overall software environment, bug fixes, and detection of security flaws.
We use the solution across multiple locations and regions, including Asia Pacific, EMEA, and North America. Our user base consists of 5200 individuals.
How has it helped my organization?
The solution has given us real results when it comes to improving our overall security posture; it provides the best security and reports, indicates any flaws that may be present, and allows us to take steps to rectify them. The tool is now a part of our DevSecOps, and we truly rely on it.
Regarding our ability to fix flaws, Veracode is very helpful; it provides a sense of confidence to our developers and a summary of reports that we can share with stakeholders such as our clients and senior management. The solution identifies security loopholes and gives us detailed feedback reports, allowing us to take action to remedy our security vulnerabilities.
Veracode helped our developers save time; two or three development team members were previously dedicated to code security. By automating this task using the solution, those developers can reallocate their time to core software development, which is an excellent result. The time saved is in the region of 25%.
Static Analysis' false positive rate positively affected time and costs related to tuning, leveraging data, and machine learning. Tuning data is essential as it gives us update optimization within our database, which is helpful for any organization. Veracode is the industry leader in being a one-stop shop security solution; it takes care of every aspect.
What is most valuable?
The user interface is excellent, the code review process is quick and provides great analytics to understand our code better, and the SAST scan is high-speed.
Veracode is excellent at preventing vulnerable code from going into production; the scans are speedy and give us a detailed analysis of our code.
We use the Software Bill of Materials feature; it's essential and advantageous. We can't do a bill of materials manually, so it's excellent that Veracode provides this. SBOM helps us manage our risks, as every company has software that needs to be run appropriately throughout the user and client base. It's necessary to have a security audit or security compliance in such applications, and Veracode enables this functionality so we can easily identify security flaws and take measurable action.
Creating a report using the SBOM feature is straightforward, and it's important to our organization because it provides a return on our investment. Previously, we sometimes required a third-party resource to create reports, but with Veracode, it's easier to take care of that on our end.
The solution's policy reporting allows us to set our standards, group policies, and regulations, so ensuring code compliance is part of its analysis. Veracode notifies us if any flaws are detected, allowing us to take action to correct them.
The solution provides visibility into application status at every development phase throughout the SDLC; we can use Veracode during the development, design, testing, and implementation phases. We can easily analyze our code before commencing large production deployments and fix any issues.
What needs improvement?
Sometimes we get a lot of false positives even after configuring our policies, so that could be improved.
There is an issue where the UI occasionally breaks in between uses of the application, which can be improved. The UI could also be more catchy for the benefit of the less technical users.
It would be good if the configuration of dynamic scanning could be less complex.
For how long have I used the solution?
We've been using the solution for over three years.
What do I think about the stability of the solution?
The solution is stable. It wasn't before, as different organizations required new group policies and configurations. The product has yet to mature fully but has developed enough to adopt a stable position in the market.
What do I think about the scalability of the solution?
The solution is as scalable as required, but we must pay for that.
How are customer service and support?
The technical support is good; I rate them nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used some open-source software, but our developers generally manually performed code-checking. Our requirement is for a solution that takes care of our software code and security throughout the SDLC. Following evaluation, we found Veracode more useful in terms of licensing, pricing, and features.
How was the initial setup?
The initial setup was straightforward; it took seven to ten days, including gathering all requirements, overall deployment, and the final implementation. The deployment team consisted of four to five members.
The product doesn't require any maintenance; operations and support are primarily handled by Veracode, as it's a fully managed service.
What was our ROI?
We have seen an ROI with Veracode regarding time, money, and overall organization reports. Our ROI is in the region of 25-30%.
The solution reduced the cost of our DevSecOps by lowering the headcount for those previously dedicated to security throughout the SDLC. They can now spend more time improving their code base and focusing on development.
What's my experience with pricing, setup cost, and licensing?
The pricing and licensing are reasonable, and relatively straightforward, and different licensing and subscription models are available.
To someone considering Veracode but concerned about the price, it can be a challenge for small and mid-sized organizations, but it's a good choice for larger enterprises. If security is a primary concern for any organization, they should consider Veracode; they won't be disappointed.
Which other solutions did I evaluate?
We evaluated GitLab, Micro Focus, and SonarQube.
What other advice do I have?
I rate the solution nine out of ten.
Regarding the tool's false positive rate, the analysis is good but can be affected by data and code not supported by Veracode. In these cases, we can experience some challenges, but other than that, the false positive reporting is good. In cases of unsupported code, developer confidence can be affected, as we know there may be some flaws we can't control. If they are minor enough, we can ignore them.
I advise others considering the product to go with it if it fulfills their requirements. Veracode is a tested name in the market for application security and detecting flawed code. They should evaluate other options if they fit the needs better, but I highly recommend Veracode.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Feb 27, 2023
Full Stack Software Developer at DreamDev
The team can anticipate and correct issues earlier instead of waiting for someone to discover it when your application is attacked
Pros and Cons
- "Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered."
- "We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process."
What is our primary use case?
I am a software engineer, and one of my clients needed Veracode for security requirements. We needed to send the code through some security tools to see if there are breaches or malicious code that could attack the company. In this case, the client used Veracode to scan third-party libraries from our application. Veracode was running on a private cloud using Azure.
How has it helped my organization?
Veracode helped us prevent possible security breaches. The team can anticipate and correct issues earlier instead of waiting for someone to find the issue or discover it when your application is attacked.
The report is good because it has lots of security information. It isn't related to the code itself, like the line of the code or the connected library that contains an issue. It's sometimes difficult to figure out how to solve that.
Veracode saves time in the development process because we can anticipate security issues in an application. On the other hand, from a software development perspective, it could be an increase in technical debt. After we develop a feature in the application and run Veracode, we might find some security issues we need to fix.
For example, we spent a month building a feature on an application, but during this month, Veracode found a security issue in the third-party library we were using and reported it. If we had found the issue mid-development, we would need to rebuild the solution. Sometimes, it might increase the technical debt of the application because this type of security flaw was not found previously in our daily work.
What is most valuable?
Veracode creates a list of issues. You can go through them one by one and click through to a new window with all the information about the issue discovered.
What needs improvement?
We waste a lot of time figuring out which results are false positives, and it has affected our trust in the tool. After we've spent time training and setting up the tool correctly, we need to scan our code and remove all the false positives. Finally, it's good enough to identify our security issues.
We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process.
This hasn't happened in .NET or C# because we can use all the libraries used when coding. In JavaScript, it's tough, and we spend tons of time trying to find the issue. However, it's not a problem because it's a pre-compiled language. This isn't unique to Veracode. Black Duck does the same thing.
Maybe Veracode could automatically detect the language type first and improve the way it scans JavaScript to reduce the false positive rate for this specific language. Also, in the reporting area, it could connect to the source code Veracode uses for the third-party library.
When Veracode finds security issues, it creates a report with the number and description of the issues. Sometimes, we are not able to connect that issue with the third-party library containing the code and applications the developers are building. The relationship between the flaw in the code and the third-party library could be more apparent because developers may not realize that the root cause is the library, not the code itself.
The compliance features are good, but it's pretty picky in terms of what it considers a security issue. The other developers and I struggle to understand what is flagged as a security vulnerability. If you can see a security issue in there, you can see all the documentation, but it's difficult to relate that to the code to determine why the issue happened. It could be clearer how to find the issue in the structure of the code.
For how long have I used the solution?
I'm not using Veracode anymore, but I used it for eight months in the last year.
What do I think about the stability of the solution?
Veracode is stable overall. When we start the process on the Veracode side, the report generates in less than a minute, and we can see the issues. I don't have any problems with stability.
Which solution did I use previously and why did I switch?
I used a tool called Black Duck when I worked for another company two years ago. The client chose to use Veracode. It wasn't my option.
How was the initial setup?
We put Veracode in our pipeline, so the process runs automatically during development. It isn't something we can run manually. There are scripts that run when we start. There isn't any maintenance on the developer side. A designated team takes care of all this.
What was our ROI?
I don't think we've seen a return on this, but it's hard to calculate because you have to estimate the value of a breach that hasn't happened. This is the main benefit of using this tool. I don't know how to measure that.
What other advice do I have?
I rate Veracode eight out of 10. It can help you improve your security by identifying and preventing issues faster. At the same time, you should know that using Veracode will lengthen the development process because the team needs to check and correct issues. It could increase your development costs.
Using Veracode has challenged us to be more conscious of security. Sometimes, developers just want to build code. This tool allows you to check if the code or libraries are secure enough to add.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jan 10, 2023