Veracode Reviews

We use Veracode to scan our websites at the beginning of the development process. When we are ready to launch a new application on the website, we upload it to Veracode for scanning. Veracode finds any vulnerabilities in the code and returns the results to us. We must then resolve all of the vulnerabilities and mitigate any risks before we can publish the application. We have also set up recurring scans, so that any time we release a new version of the same application, Veracode will automatically scan it again to ensure that we have not missed any vulnerabilities. We have been using Veracode for six or seven of our websites.

Veracode's ability to prevent vulnerable code from entering production is comprehensive and effective.

Veracode has been very helpful as a preliminary step to launching our products to ensure that they are secure. It has also helped our developers learn the security checkpoints that we need to follow so that they can code with security in mind.

It provides visibility into the status of our applications at every phase of development throughout the software development lifecycle. We heavily use the Veracode Greenlight plugin for Visual Studio to scan and check our code as we write it. Veracode also helps us to develop our applications securely. We have configured our QA websites to be scanned by Veracode so that we do not push anything into production that is insecure.

I recently encountered a Veracode false positive, but we immediately mitigated it on our end. Veracode also filed the case and will include it in their code to mark it as a false positive. We took action after that.

False positives are rare. Veracode provides us with enough information about the issue, so we can usually identify them as we go through the report. We are also learning from the issues and from Veracode itself. If a false positive is reported, it is fine and does not have a significant impact on us.

Veracode has been incorporated into our process, which helps us fix flaws. Whenever we develop external websites, we consider the code, the scanning, and everything else involved. This ensures that we are prepared and have enough time to receive the scan results and fix any issues. We have essentially incorporated this into the lifecycle of our project, which I believe is very valuable.

We like the fact that all the issues are identified and that Veracode provides sufficient information on how to resolve them. This is very helpful if we need to troubleshoot problems ourselves, as we have plenty of information at our disposal. Additionally, we appreciate the option to request a consultation directly from the issue itself. Whenever there is a problem, there is a small button that says "Reach out to a consultant." We can then schedule a call with a consultant who can help us resolve the issue.

Veracode provides us with some usage metrics. These metrics are based on the number of times we use Veracode, which is tied to our static scans. We only use static scans when we make changes to our code, and we have a part of our pipeline that runs the Veracode scan whenever we make a change or deploy the code. However, we don't deploy code very often because we have 20-30 websites in our company and we don't dedicate a lot of time to each individual website. So, when we do make changes, we will run the scan because it's part of the pipeline, but this has been affecting our usage metrics. We're not sure why Veracode's usage metrics are designed this way, but maybe they can provide some insight. We use these metrics, but we're now thinking about getting different metrics from Veracode. I started looking into setting up some dashboards myself so that we can have our own dashboard and statistics, such as how many flaws we've resolved in the past six months or how many issues we've identified when we're deploying a new website. We're more interested in these types of statistics than in how many times we're using Veracode because fixing flaws is the value that we're getting out of Veracode. Maybe setting up a new dashboard would be helpful, but that's something that Veracode can provide clarity or insight on.

I have been using Veracode for four years.

Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it. However, this is not a major issue.

I opened a support ticket to use Veracode's consultant feature. When the consultant called me, the consultation was very smooth and easy. He had already reviewed the flaw that I had mentioned, my description of the issue, and the issue itself. He was able to provide good insight and help me resolve the issue quickly. I have done this a few times before, and the consultants are always well-prepared and give me all the suggestions I need. They already have a lot of information on their website, but they also go above and beyond by providing additional information and specific instructions when I schedule a consultation call. They have been very helpful in the past.

Positive

The deployment was straightforward. Three people were involved in the deployment.

The implementation was completed in-house.

I would rate Veracode nine out of ten.

Veracode has a bit of a learning curve to get used to its different modules, such as our integrations, APIs, and our policies, as well as getting insights. However, my experience is that once everything is set up and scanned on the website, I really like the process of reviewing the flaws that Veracode lists and responding to the resolution steps that it provides. I also appreciate the ability to set up a consultation call and have the issue resolved. I think these are the steps that I really like, and they are helpful to me as a developer. Veracode helps me to learn about security considerations first and foremost, both while creating an app and after, and that has been a good experience for me.

We were looking into compliance. I'm a consultant, and we're looking at it from the perspective of using Veracode to ensure that the organization we were consulting for was meeting its compliance expectations.

The solution has helped to improve the time to identify and remediate vulnerabilities that come from software - mostly through the static code analysis tool - as well as the ability to effectively communicate why the vulnerabilities are important.

The feature I've used the most is the static code analysis. It was incredibly easy to start using. As a new user, there wasn't a lot of lead time to understand the software work. It was also very easy to communicate the vulnerabilities that Veracode found to the engineering teams that needed to remediate the issues.

We have used the software bill of materials. This feature is good for helping us manage your supply chain, security, and licensing. That comes into play a lot when we are working with federal contracts where certain materials or processes are not allowed within contracts with the federal government. We would use that to ensure that the software itself is compliant. It is easy to create these reports using this feature.

The product’s policy reporting for ensuring compliance with industry standards and regulations is great. It took its own compliance quite seriously, which is something I always look for when dealing with the vendor. There are certain vendors out there that aren't as serious about their own security. I was comfortable with what the product was doing.

Veracode provides visibility into application status at every phase of development throughout your software development life cycle. It definitely improved the efficiency of it. One of the key things Veracode can do is it can rank the vulnerability defined based on the severity. That allowed us to hone in on what was the highest vulnerability and then work our way down. Therefore, it definitely improves the efficiency of those operations.

Veracode's false positive rate, as far as I remember from my experience, wasn't that bad. Usually, what it will do is it will identify a vulnerability, and then it will explain why the vulnerability is important, and then through those explanations, the engineers and I were able to see if something is an issue or if it is a false positive. When it comes to eliminating false positives, you're never going to have 100%. While it did introduce a little frustration, what did remediate that was the explanations that the software provided.

The false positive rate affected the time we spent on tuning these policies somewhat, however, it wasn't too bad. It wasn't anything to complain about.

For the clients I work with, it has a significant impact on improving the ability to identify and then fix flaws. The tool itself does offer strategies to remediate the efforts if, for whatever reason, the engineering team doesn't understand how best to approach them. Usually, they do, however, it is nice that they offer that service.

Veracode helped our developers save time. From my experience, what would normally take two days we're able to get done in an afternoon. That allows our team to work on more efficient work and more impactful work.

The product has had a positive experience on the overall security posture of our organization. It has definitely improved it. Hands down, it is easy to say that the solution has had a positive impact on the security posture of the organizations I consulted for.

Veracode reduces the cost of dev backups. That said, it's hard to put a number on it. It reduces the dev set time and the work they do can then be allocated effectively to other items. 

It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas. That way we could use it on higher level contracts. That would be a good business opportunity for the solution.

I've used the solution for two years. 

I've never run into any stability issues. I haven't heard of anyone else running into any either. 

The solution is highly scalable. We did run quite large programs through Veracode, and we also ran quite small programs through it too, and we didn't encounter any issues in either case.

I've never needed to contact technical support. 

I cannot recall working with other solutions. I do have experience with a more traditional way of looking at code and identifying errors. That's where this product came in with the ability to just automatically catch those errors.

I was not involved in the deployment of the solution. It doesn't require any more than ordinary maintenance. That's not a big concern. 

I have witnessed an ROI while using the solution. It positively impacts our team's ability to get their job done, which reduces strain on employees and therefore reduces employee turnover, which, given the severity of the skill set that we look for, is incredibly impactful for us.

It does pay for itself given the pricing structure. Of course, the pricing structure changes based on the sales deal, et cetera. It definitely had a positive impact on the organizations we used it with. Financially, it does make a solid business case for itself.

I'd rate the solution ten out of ten. 

Potential new users should ensure that they take into account the amount of time their teams are spending on dev setups and consider what other work those people could be doing that might be more meaningful - rather than physically looking through code. Veracode has the ability to improve a team's operations as well as an employee's efficiency with doing complex work. Companies definitely need to consider how efficient their team is and consider what this tool could do to improve that.

We use Veracode to scan server applications, and we also use it for SCA functionality and to scan pipelines of our other projects.

The quality of our code is much better now with structured utils meant for improving various topics related to security. Those are being applied consistently to various modules of the application. It enforces a type of structure and code changes to support future transformation.

False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side. Once they are identified, you can mark them as false positives, and they can be accepted by the security project lead. After that, life goes on, and those will no longer be reported.

The problem is the time that you spend analyzing a flow to be sure that it is a false positive. Every problem that is reported as a security vulnerability has to be treated with maximum care by the developers. It is good, in the end, when it's a false positive instead of having a real vulnerability.

Because we are working on a huge application with lots of dependent sub-projects, there are 9 to 20 data paths. We have to check all of the vectors from all of these paths. If we decide that an attack vector might be susceptible to that attack, we start fixing it. But for the others, the attack vector is not relevant.

There is always room for improvement in any product; it's not something related specifically to Veracode. But in the case of Veracode, maybe they could improve the scanner to reduce the number of false positive events so that they remain only with the valid data paths that represent real attack vectors. We understand that this is quite hard to determine by just scanning the code.

Also, the UI of Veracode could be improved to permit better visualization of the issues and the grouping of the issues, with better filtering.

We have been using Veracode for four years.

We have seen delays in results on the order of hours, but there haven't been any crashes of their scanner. The solution is quite reliable, and all of the results from the scanning can be easily tracked in terms of time frame. You can see how your scanning has evolved, and there are no deviations due to a bug in the scanner.

For small and medium-sized projects, it's quite scalable. You can use the sandbox scanner they provide, and it is fine. But for large applications, it is not scalable. We do manual uploads, and this is not scalable.

We haven't called their support because we know how to interpret the results provided by their platform and how to mitigate the vulnerabilities that they have reported.

However, we have exchanged several emails to discuss some technical details of the solution that we applied it to, and everything was straightforward. There are no complaints from my side regarding what they said. Everything went smoothly and quickly.

Positive

We have used certain plugins from Teamscale, which is also a static code analyzer, and it integrates with various plugins in Sonar. We have also used OWASP for static composition analysis, and we are still using the third-party application scanning from OWASP as a Maven plugin. We have also evaluated Black Duck.

Veracode was the first choice for doing static application security testing. It was ranked first a couple of times in the last few years, so it was a natural choice to go with the top product. Also, SAP has a partnership with Veracode for the application that they are selling. It was a win for us, SAP, and for Veracode.

It took us one day to get ready to use the solution. We built the image and copied it during the night to several machines. The following day, we were ready to put it into the container registry in Azure, and then it could be used. We had a huge procedure and scripting. It was not simple.

The team that did it had about six engineers involved.

It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average.

Regarding extra expenses, it depends on what you want to buy. They have certain bundles that provide support via a hotline system with customer service. They can provide you access to certain security laboratories. You can opt for several licenses to educate more developers to be responsible for the security of your applications. All of these change the initial cost.

Of course, if you add more things, you can benefit from a better price. It depends on your negotiation skills and the number of licenses you want to buy.

The price can vary from year to year, and prices usually go up. Maintenance for the servers that do the scanning takes money, as do CPU, power, and memory. And there are the reports that are kept in the history for checking and for ISO certification. Those costs build up during a year.

For example, we have to manually upload the application that we are scanning because it's quite big, and it takes one day to be scanned. That means their scanner runs for a day on this application, and then we get the results back. That means our application is heavily consuming resources of that cloud server. Those resources are no longer paid for directly by us. We delegate this job to Veracode to do it for us, and we pay for it. But we free up our servers locally and can do other jobs with them.

We aren't trying to reduce our costs. We are trying to improve the security and quality to be sure that we and our customers don't have security issues. At the end of the day, security is the most important part. With every new release and with every new year, we allocate more and more to these operations, to improve our overall security.

Not every such application is able to prevent everything from going to production, but several issues can be spotted via the scanning of the code and resolved, and they are valid. There are many others that can be detected with additional tooling from OWASP, Sonar, et cetera.

We are not using the SBOM functionality from Veracode. We use another tool to create the software bill of materials. That solution is also able to scan Docker images, and it also provides details about what is inside the layers of the Docker image file.

In terms of visibility into application status at every phase of development, it depends on how able you are to scan your application. For large applications, you have to do manual uploads, which is the case for us. We don't do manual uploads on every build, but we trigger it at certain times when we want to create releases for customers. That helps with our accuracy, but it doesn't represent the exact moment when there is a problem in the application. We still have to analyze the commits and history, track things, and match them with the new flaws that have been found in the latest report.

Veracode doesn't save us time. We have to spend a lot of time fixing security issues, especially those that impact lots of dependencies, dependent code, and sub-projects. But in the end, we can sleep well at night knowing that we have closed a possible security leak within the code, which is better for everybody. Even if there is no real problem at that moment and you don't see any probability of that vulnerability appearing in production, it is better to take some time to fix it, and then you feel better.

It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in.

We used Veracode for code scanning and source composition analysis.

Veracode can block vulnerable code from going into production.

The SBOM is a good option for companies that are asked about their SBOM.

The SBOM helps manage our risk.

Generating SBOM reports is not difficult, but setting up the necessary infrastructure for analysis takes time.

The policy reporting is incredibly robust.

Veracode provides visibility into application status in every phase of development.

The source composition analysis had very good reporting.

Veracode's long scan time for vulnerable code can hinder productivity. There is room for improvement in this area.

Veracode produced a lot of false positives.

Veracode's ability to fix flaws is less sophisticated than that of its competitors. For example, Veracode's static analysis scanning workflow for flaws is not as highly developed as Checkmarx's or Snyk's. Veracode would often provide incorrect sources and fail to identify the source of malicious user input coming to the team.

The process of bundling binaries or code for scanning could be improved.

I trialed Veracode for two weeks. 

In our short trial period, we did experience some stability issues.

Veracode scales sufficiently.

I worked with Veracode's technical consultation staff and found the agent to be incredibly knowledgeable and sophisticated in their use of Veracode, as well as in vulnerable load patterns.

Positive

The deployment was complex.

Ten people were involved in the deployment.

We used the experience of engineers who had used Veracode in the past, as well as feedback from Veracode's engineers.

Veracode's pricing is competitive.

I believe Veracode would be willing to negotiate decent terms for organizations that are concerned about the pricing.

We also evaluated Checkmarx and Snyk, respectively. This puts them at a slight disadvantage in terms of identifying execution paths and their ability to comprehensively show how vulnerable code is executed in our solution.

I would rate Veracode six out of ten.

Once Veracode is fully configured, the maintenance should be relatively minimal.

Veracode's best advantages are detailed reporting for industries such as government work, or other industries that may require exceptionally detailed reports or secure security verifications. However, I would suggest that people look out for the accuracy of results and the usefulness of findings on a large scale. Additionally, Veracode has a difficult-to-navigate user interface.

It is a broad and integrated platform. It provides multiple test scenarios and has the ability to do CI/CD pipeline integration. It is used for application security and vulnerability assessment.

Veracode provides guidance to develop secure software. It is one of the valuable features.

On-premise implementation is not available.

I have been using the solution for ten years.

It is stable.

The tool is scalable.

The technical support is good.

Neutral

The product is deployed on the cloud. We have a multi-cloud environment.

The solution is expensive.

Veracode’s policy reporting for ensuring compliance with industry standards and regulations is good. The product's false-positive rate is low. If the tool is used effectively, vulnerable codes do not go into protection.

The SBOM feature helps identify risks in all third-party software. It is quite easy to create a report using the SBOM feature. It is an important feature. The solution provides visibility into application status at every phase of development. We have not integrated it.

Veracode has a good effect on our organization’s ability to fix flaws. Veracode has helped our developers save time. Veracode has a good impact on our organization’s overall security posture. The solution is probably not worth the money. The developers are more confident while fixing vulnerabilities due to the solution’s low false-positive rate.

Overall, I rate the tool a six out of ten.

We use it for security, to analyze our code.

It changes the DevSecOps process because we find flaws much earlier in the development life cycle, and we also spot third-party software that we don't allow on developers' machines.

It's bringing clarity to the flaws that we can mitigate, and that's the main purpose. We can have a brisk conversation about the flaws. Not all flaws need to be fixed because there might be other protection measures implemented.

Veracode has increased our level of security to the highest possible standard, so we have been able to be ISO certified and meet Microsoft compliance. We have met many industrial standards from a compliance perspective by having this high level of security and trust in our application. That applies to our platform as well, because the dynamic analysis has opened up vulnerabilities in the platform.

We are using three of the features. Static analysis, dynamic analysis, and the code composition for third parties. We also use their Security Labs for training.

Veracode does a great job of preventing vulnerable code from going into production, and its policy reporting for compliance is also very good. It meets our needs.

And if you use it correctly and bring early feedback into the developers' environment, it provides visibility into application status at every phase of development. But if you only use it as an analysis after the product has been built, then you don't have the whole life cycle. So it really depends on how you integrate Veracode. For us, it gives full insights.

There might be room for improvement in the in-app guidance and the tips and tricks for the developer about how to progress. We would like more insight into the development environment, where they would get guidance on how to avoid flaws.

I have been using Veracode for the last three years.

We use SonarCloud, which does a different type of analysis on the static code but not on the compiled code. It's a different way of detecting security flaws.

I was involved in the deployment of the solution all the way through, from purchase to acquisition and deployment. It involved a lot of new learning. But we had a very good implementation consultant from Veracode assigned to us who made it pretty simple for us. I don't think we could have done it ourselves.

We did a proof-of-value exercise, which included educating two senior developers. The total implementation time was about two months. We focused on one area of our application and got the scanning process up and running and stable. Then we started applying it to more applications.

We only used two people from our organization to complete the work. Then we educated all the developers about using the extension with the EDI. We then found a person who would be responsible on each delivery team who ensures that their application is maintained within our policy level. Each team is responsible for keeping their application within those standards.

We got help directly from Veracode. I would rate their help at eight or nine out of 10. They helped us implement it into our pipelines, daily processes, and software. And they helped us understand how to mitigate the flaws and how to open up consultation hours if there was something we disagreed with, such as false positives. They gave us very good onboarding and implementation.

From a commercial perspective, the impact that the Veracode certification has had on our ability to sell to large enterprises is non-debatable. The return on investment has been met, for sure. It took six months and occurred when we had finished implementing and got the certification.

We haven't really done any price checks on the competitors.

We purchased a Security Labs license to keep our developers trained in new security practices.

Every development company is different. If someone is looking at Veracode but concerned about the price, it probably depends on their technology stack. There are pros and cons for every decision. As a happy customer, I can say that the service level that I have received from Veracode has been high and understandable every time That also counts a lot. And it's not about the software; it's about how we actually utilize the software best.

We had three or four other candidates from the reports that we evaluated from a user review site, but we ended up deciding to use Veracode because it had the best price and match for our technology stack.

At that time, Veracode's advantage was predominantly because it was SaaS-based software, and the implementation team was very supportive in making sure that we got it properly integrated into our processes.

The false-positive rate is constantly maturing. It's very much based on how many respond back. It's learning based on the false positives. My team thinks that it's better to have a false positive many times than miss a real one. The effect on developer confidence in the solution when fixing vulnerabilities is that it sometimes leads to frustration because they find that it's slowing them down, but the way that the engine is constantly maturing means it is becoming better and better.

I don't think any security or quality analysis tool brings speed. But it increases the quality, both from a risk/security and reliability perspective. But if you're looking at productivity, none of these tools bring productivity. They mitigate risk. It has not made our development process faster.

We use it to scan third-party libraries to check for vulnerabilities.

Our company relies on Veracode to prevent vulnerable code from going into production. 

And it reduces post-deployment bug fixes. Before Veracode, the application was deployed to the production server and there would be a lot of bugs and issues. Once we implemented the Veracode scan, the full deployment issues were drastically reduced. In a month we do 10 releases and we used to get five or six post-deployment issues. Now, we barely get one or two.

Veracode has also significantly saved us time, around 30 to 40 percent, and we can concentrate on new features instead of fixing the old ones.

We use the full code analysis and the recommendations from the Veracode report.

One concern is that scans take a long time to run. We scan at the end of the day because we know it will take a lot of time. We leave it to run and the report will be generated by the next day when we arrive. The scanning time could be reduced.

I have been using Veracode for the last three months.

It's very stable. I've never seen any downtime with Veracode.

We use it on-prem, so I'm not sure whether it can be scaled. It's just one endpoint that multiple people access.

We have two scanning stages. The first one uses SonarQube, which only does code analysis. It doesn't scan third-party libraries that we use in our code. Veracode is the second level of check. We work on a banking project. The bank trusts Veracode and they recommended Veracode to scan our products.

The initial deployment was pretty straightforward. It's on-prem so there was no deployment strategy to follow. It took one to two days to deploy and check everything. A team of three to four people worked on the deployment. It depends on the project's complexity as well. As a DevOps engineer, I support a lot of projects within our organization, and the deployment varies from project to project.

In my department, we handle six to eight projects and each one needs a Veracode scan before deployment. As a company, we have multiple locations and departments but only the DevOps team of eight people has access.

The way we work with Veracode is that we have integrated it with Jenkins. We upload the artifacts to the server, trigger the Jenkins job, and the Veracode scan is generated. We have set everything from the Jenkins pipeline. The scan is automated using Jenkins, which means there is no need for maintenance. If there are new steps implemented in the pipeline, there might be some overhead, but it doesn't need any maintenance. We just set the port and everything works fine.

Other than the scanning time, I would give it a solid eight out of 10.

We use Veracode mainly for identifying any vulnerabilities in the software. We do a lot of development, and before we deploy any product to our client environment, we want to make sure there are no vulnerabilities in the code and also follow best practices. 

We run scans to identify the criticality of these bugs and vulnerabilities, and we try to mitigate them. If it's not possible, we get an exception. At least we are aware of the vulnerabilities in our code, making sure our code is secure and not exposed to any threats like hacking.

In my organization, we have a policy in place. Every company has a different policy; at least our company has specific requirements where we expect everyone to build the tool or the software to some extent, following some best practices. 

Veracode helps us embed those policies into the scan. When we run the scan, the administrators have already set the policy, defining what needs to be checked and what can be ignored. It helps us when we run the scan because it provides a score based on the policy level. This score certifies how well the tool has scanned the code. 

We can then show this certification to demonstrate that the product meets the required standards and can be trusted without any issues. So, we are working with the solutions policy reporting to ensure compliance with the industry standard.

For our product, we use static analysis. We're not using any agent-based solutions, but we are planning to hook it into the CI/CD pipeline in the future.

Veracode has been helpful because, in the past, we used to integrate Veracode scanning into our CI/CD pipeline. Sometimes, what happens is a junior developer sees a third-party library and thinks, "Oh, this tool is helpful," and they bring it into our system to build something.

However, even if it's a third-party tool, we don't know what vulnerabilities that code may have. At least now, whenever we push code, Veracode can catch any vulnerabilities, and if it fails our build, it prevents us from deploying that code into our environment. It clearly states, "This code has a vulnerability; I can't deploy it." So, it effectively blocks us from deploying risky or vulnerable code in our tool. It helps us quickly assess the risk of third-party tools and take action promptly instead of building something and realizing two months later that we need to go back and fix it. That's not going to happen; we can identify and resolve issues within a day.

The tool is great in terms of ensuring our code is clean, recommending best practices, and capturing the flaws in third-party components.

Veracode has an impact on our organization's overall security posture. Because when we do development for internal purposes, we don't run a Veracode scan very often. But when we work in a client environment, if they want us to build something for them, we absolutely need to ensure that we haven't introduced any flaws or problematic code into their system.

Veracode helps us maintain the reputation and branding of our company, which is crucial for us. It's important to ensure the code is free from vulnerabilities and not exposed to hacks. It is very important to us.

The most valuable feature is Veracode SDP, which allows for something related to third-party vulnerabilities. When we build a product, we use a lot of third-party libraries instead of building everything from scratch. We just use a library which has already been built; we just use that component in our product. Sometimes, these libraries may have bugs or issues, and it's hard to keep track of them because we use thousands of them.

Veracode's tool scans every single library and gives a dashboard showing the number of libraries, high and low criticality issues, and whether a product has any issues. It helps us assess the libraries and decide whether to resolve the issues or replace the library to minimize risks.

I like the solution's ability to prevent vulnerable code from going into production. It does a pretty good job in most cases, but I have seen a few false positives in the code scan. It means that sometimes, like recently, we run a scan where we encounter a part of JavaScript code where it's just a string evaluation. Despite not posing any real threat, the system flagged it as a potential vulnerability, suggesting it could be exploited to hack into the system. We looked into that code and found it wasn't the case; it was a false positive. It wasn't a big issue because we reported it to Veracode, and they made an exception and resolved it. It does a pretty good job, but sometimes it can be very misleading.

However, the solution's false positive is not a big deal because it's very minimal. Veracode does a very good job, but 99% of the time, it works well. Only, like, 1% - 2%. Like, sometimes we manage false positives. It's not a big blocker as well. Every software is not perfect. Also, these are very minimal fixes. Sometimes, if we raise a support ticket to mitigate this issue, the response is also pretty good, and it can be resolved within one or two days. So it's not that big of a deal.

One area for improvement is the navigation in the UI. For junior developers or newcomers to the team, it can be confusing. The UI doesn't clearly bundle together certain elements associated with a scan. While running a scan, there are various aspects linked to it, but in the UI, they appear separate. It would be beneficial if they could redesign the UI to make it more intuitive for users.

In future releases, I would like to see some features. For example, there's a library we use as a third-party library. Sometimes, Veracode indicates that we can't use a particular tool because it has a lot of vulnerabilities in the code. It would be nice if Veracode's scan could show an alternative library to use instead of the one flagged as problematic

So instead of us having to go back and research, trying to figure out what other tool we can use as an alternative, if Veracode could provide those recommendations within the tool itself, it would be nice.

I've used the product for almost three to four years, but it's been a while since I haven't used the tool. But I started using this solution again. I started working on it again in the past month.

Veracode is 100% stable. We haven't encountered any issues.

It is a scalable solution. Veracode has a concept called Sandboxes, which is an amazing feature and pretty useful. I can kick off multiple scans, and they all run independently. There's no interference between scans. So, it's highly scalable, and we haven't had any issues with it. It is good.

For our team, we currently use it for two projects.

I've personally interacted with the customer service and support recently for a few issues, and their support is amazing.

Positive

The initial setup is very easy. It's not that complicated.

Moreover, the false positive rate of static analysis can affect the time spent on tuning policies. It took at least one day for me to raise that mitigation and approval ticket to look into it. Veracode needed to spend, like, six to eight hours, which essentially goes up to a day to resolve it.

The solution has 100% helped our developers save time. 100% right now in terms of ensuring the code is good and deploying it safely. Veracode definitely helps us be very confident when we go for product releases. It has helped our developers save time.

As a lead developer, it takes me one or two days to set up everything in Veracode scan. Once it's set up, the junior developers don't need to do a single thing. They just push their code, and they don't even realize that a scan is running in the background. So they don't need to worry about it. However, in terms of readiness for the production release, Veracode definitely helps us be confident and quickly identify the risks. There's a huge benefit in that area.

In the beginning, two or three years back, we were pretty new to Veracode, and we did seek help from the Veracode consulting team. Their support is amazing. If I send an email for any help, they respond within 30 minutes. Their response time is good, and they provide clear guidance.

I've personally interacted with them recently for a few issues, and their support is amazing.

So, initially, we did take consultation when we set it up, but once we became comfortable and familiar with the process and the documentation was also clear, we started managing it ourselves.

For the implementation process, a developer pushes changes to the master branch or a feature branch the first step is to trigger the Veracode scan in the CI/CD pipeline. We use Azure DevOps for this.

The next step is to include the code in the Veracode scan. This is the second step. Before going into further steps like building the Docker image and containerizing the application for deployment, we have a condition in place. If the Veracode scan doesn't complete successfully, we don't proceed to the next step, and the entire build fails.

We don't need a lot of members for the deployment part. It's only me and my technical expertise, like, one or two people. Any DevOps is enough.

We don't see much need for maintenance. It's pretty easy to manage. Veracode is also maintained by a dedicated team internally, and they provide support for everyone within the organization. So, if there are any upgrades or maintenance required, they take care of it. But from our team's perspective, there's no need for ongoing maintenance. We set it up once, and that's it.

The solution reduced the cost of the development setups for your organization. It is a key feature of Veracode. Once you set it up for the first time and integrate your CI/CD pipeline with our DevOps cycle and the Veracode scan, it takes two or three days to set it up initially. 

But after that, it's a one-time effort. You don't need to do anything further. You need to kick off the pipeline, and it runs the scans automatically, providing artifacts for you to review in the report. So it helps in the long run. Once you have your project set up correctly, there's no need for manual intervention at all once it's hooked up. It's a significant long-term benefit.

We have a dedicated team that handles research, but I personally have only used Veracode for scanning. Our team used to use SonarQube.

Our company used to run both Veracode and SonarQube scans for certain projects. Sometimes, some of the scans were not included in Veracode, so the team used SonarQube for those. However, this was quite a while ago, about two years back.

I would suggest starting Veracode scans at the earliest stage of development. It's crucial to catch vulnerabilities and risks early on so you don't invest too much time building something only to realize later that it can't be used due to a lot of issues, especially with third-party components. Using these tools as early as possible will benefit you in the long run and allow you to ship your product more quickly.

Overall, I would rate the solution a nine out of ten.