Veracode Reviews

We use the Static Analysis, Dynamic Analysis, and SCA, the software composition analysis.

The Static Analysis has identified flaws.

From a developer point of view, it has really helped me to know about many security best practices that I need to follow.

There are also security specialists, although it's not my area, who work on strategy to mitigate flaws. It classifies things into three levels: high, medium, and low, the latter being the ones that you can live with. It tells you which are very critical and you need to fix. That helps management to determine the strategy of what to fix next.

When you reach a level of security in your application and you get verification from Veracode that your app is secure, that helps in selling products. Mitigating flaws and being sure that your product is secure is going to give you higher credibility with clients and better performance.

In our use case, some of our products have dependencies in separate apps. Before going into production, each dependency has its own sandbox to help us identify the vulnerabilities in that certain dependency. Then there is the software composition analysis, the SCA, that helps us scan all the vulnerabilities when those modules are integrated with each other. Before deploying the whole app into production, we fix the flaws and increase the score. We have a whole company policy that some high-level security experts put in place. Before we move on to the next level of scanning we need to get to a certain score. That has really helped us. Each time, they make the analysis a little harder, to dive deeper into the code and go through different scenarios to find more flaws. That has really helped us have the minimum required number of issues and security flaws, when we go into production.

The most valuable features are the application analyses: 

• Static Analysis
• Dynamic Analysis
• SCA, the software composition analysis, to scan all the models together. 

These are the three features we've mostly been using.

It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail. 

You can detect which line is causing the issue and it gives you some insights about, for example, if you have a dependency problem in your inputs or some known vulnerabilities. It even gives you an article so that you can read about it and know how to mitigate it in some cases. Sometimes there are well-known flaws in third-parties and you should upgrade to another version to resolve your issues. Veracode guides you.

I haven't tried any other platforms, but from what I have seen, it is really fast. You just upload the files, which is easy to do, and you can follow the scanning progress on the platform. Once it's done you get an email and you just access the platform. I don't know what other tools are like, but for me, Veracode is user-friendly.

I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help. 

I would also like to see more integration with other frameworks. There were some .NET Core versions that weren't supported back when we started, but now they're providing more support for it.

I've used Veracode since October, 2018.

The solution we are using is stable. So far, it seems to be really practical.

In our company, other products are using it, not just our product. So it's surely being used by other developers. There is also management between the applications. Each team has its own hierarchy in the company and the organizational levels are handled well in the solution. We have an upper manager and the administrator of the app. And each product has its own dashboards and its own access rights, so I cannot see the results of other people.

There was a time when we needed support from them. We organized a call because the license the company had included the possibility to have a support call with one of the Veracode guys, when we first started using it. They were very helpful, showing us how to use it. They provided support on how to integrate the extension. We had a one hour call with them and they were really helpful.

They also asked for some feedback. It feels really good to have that community working together. We feel engaged with the whole Veracode community.

I've participated in some of the online courses, which helped. There are some levels that the team should have. You follow some courses, you get to level one, and then you move on to the next level. Each level of certification was really useful to learn about some of the flaws and some of the vulnerabilities that we could face. They give you some great use cases and how to remedy things in C# and many different languages. The online course also shows you how a developer can make some mistakes in his code, and how those mistakes can be used to bypass app security. By knowing that, you can avoid doing it in the future.

There were also some events organized recently—security labs—and they were also useful. There were tasks and I even had to work on them outside of work, but they were really helpful and a challenge.

The training also helped us to identify the existing vulnerabilities in our code and some of the third-parties that we are using that have vulnerabilities in them. We know we need to upgrade them.

My advice is that you should follow the training, initially. It was really helpful, even at the first level. Then, go on and read all the detailed documentation online. There are even some video tutorials which are really helpful. These are the steps that I followed.

There is a section on the supported frameworks. Veracode supports a wide variety of languages, but it would be good to check that before diving into the analysis and why it's not detecting your code.

I have been really satisfied with the areas of Veracode that I have had a chance to work with.

We used it for initial discovery and analysis and for reviewing the product. We were doing a trial. We had uploaded code on the Veracode server for analysis.

We used the cloud service or the cloud website where you could interact and identify the artifacts that you wanted to be reviewed, analyzed, and reported on. There was a plugin that we used with some of our IDs. It probably was Greenlight.

It pointed out some areas to be improved that we were not aware of. That was very helpful because if you don't know that there is a problem, you can't fix it.

The analysis of the vulnerabilities and the results are the most valuable features.

It can have more APIs and capabilities to handle other things well. We were doing a trial for it. There were two things that I looked at: one was uploading some Java-related content and the other was uploading database SQL files and having the review done on the quarterback. 

The Java portion of it worked fine, and it was pretty seamless, but the database portion was not. We uploaded some files to use for vulnerabilities, and the tell-all portion of it was pretty easy. We uploaded a war file and Java files, and we got the reports back on these. They were pretty clear to understand. We did the same thing for the database portion for the most part. However, the content wasn't getting uploaded in a predictable fashion, and it was slow and hard to get done. We had to do it over and over. After it indicated that the content was uploaded, there were no results. There were zero search findings. It was possibly a user error, something that we didn't do correctly, but they had acknowledged that it was something they were currently enhancing. This is something that could be made easier if they haven't already done that. I don't know how many releases they've had in that timeframe. I haven't looked at it since then. It was a trial period.

It seemed fairly stable other than the database portion where the SQL files didn't seem to get uploaded.

I didn't think there would be any concerns. We didn't exercise that. We didn't, in other words, try to upload gazillion artifacts and files. We just uploaded a few just to see how they handle it. It seemed fairly robust.

There were about ten Java and database developers who were using this solution. We were all collectively reviewing it and getting feedback on it.

We didn't use their technical support.

There was no other solution.

I wasn't that involved in the setup. I was basically a reviewer after it was all done.

I don't think there was any in-house work. I think it was just all on their server. We didn't have any equipment or any software per se other than just downloading a plugin or IDE, which essentially did the same sort of code analysis.

Its cost for what we needed it for was too high. It wasn't too high for other companies and it was competitively priced, but for us, it just didn't fit. We did plan to use it and increase the usage. In the end, it may have been abandoned because of the cost, but I'm not a hundred percent sure. So, even though we had planned on using it more and more, because of the cost and the business conditions of things, we didn't have the opportunity to really use it more.

There were a few other solutions we had looked at, but they didn't seem to be as robust. They also didn't have good reviews. That's why we chose this solution.

It is a robust software service for security analysis. It seemed to be pretty full-featured. We didn't exercise every single thing. Just a few of the features didn't seem to be up to snuff for our needs.

I would rate Veracode Manual Penetration Testing an eight out of ten.

We use Veracode to ensure that the software we are building is secure.

The most valuable feature is the dynamic application security testing.

It takes a while to get a response to the software composition analysis. It is within an acceptable range but it could still be improved.

In the future, I would like to see the RASP capability built-in.

We have been using Veracode SCA for three months.

SCA is pretty stable.

Scalability doesn't really apply to a software composition analysis tool.

The technical support is pretty good. When I requested help they contacted me within an hour. I don't have any issues with them.

The initial setup is pretty straightforward.

In summary, I think that this is a good tool and I recommend it for helping with security in software development.

I would rate this solution an eight out of ten.

This was intended to scan all of our custom development efforts to ensure a certain level of (secure) code quality. Right now the scope of that effort is limited to web exposed systems but with maturity, we hope to increase that scope.

The Veracode platform probably hasn't improved our organization overall, although through no fault of theirs. Veracode is just one more tool that generates work for our developers.

The source composition analysis component is great because it gives our developers some comfort in using new libraries.

I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan. For instance, we have CI scans that run automatically, and sometimes the files don't get upload and/or processed by Veracode. Now, there's a static scan that hasn't been completed, which blocks all future scans. The only way we know this is an issue is going into the Web UI, check each application, and look for stalled scans. This is time-consuming and frustrating.

I have been using Veracode for three years.

Our primary use cases are for comprehensive security assessment using static analysis, dynamic analysis, source code composition, and manual penetration tests. We also use it for security training for developers.                         

Veracode is a valuable tool in our secure SDLC process.                                                        

Source code composition analysis for vulnerabilities and license compliance is the most valuable feature.                                                                                                 

It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.  

I have been using Veracode for one year.

We also evaluated Synopsys.

We primarily use the solution for article scanning.

The article scanning is excellent. 

The composition analysis and common CBEs attached to it are quite good.

The solution offers a lot of really great analysis. There's lots of good data support.

The licensing model could be improved. 

If they can provide an automatic upload model, that would be really good. Right now we have to upload the NK bucket hosting to get through the analysis. That is kind of cumbersome.

The documentation is poor and the technical support isn't helpful.

We've been using the solution for three or four years.

We don't plan on increasing usage. We are a product company. We have three products that are built. All of them go through this solution. We are not a services company. 

We have about 80 people on the solution currently. They are all developers.

We did previously reach out to technical support. When we had to set up all of the automation, we contacted them for assistance. Their documentation is awful and their response time wasn't ideal.

The initial setup was not complex. It was pretty straightforward. However, the integration and automation of the CI cloud was a nightmare. 

Deployment varies. sometimes it takes three months. Sometimes it only takes one hour. The average is one hour, but we have experienced much, much longer deployment times.

I have no idea what the licensing costs on the solution are. Our IT team handles the details.

We were part of the initiation when the company started. They introduced it and we began using the solution. We're just a customer.

For those companies hoping to automate the solution, I would not recommend it. It's too difficult for those heavily dependant on automation. However, for those companies who want to manually use it, I can recommend the solution. In those cases, it's easy to use even if you won't build it as a part of your automation test tools or on any internet server.

I'd rate them eight out of ten. I'd rate them higher, but they have bad automation and terrible documentation. Other than that, they are very good.

The primary use case for us was looking for web applications that might have vulnerabilities that could be compromised. Specifically, I was managing a team and we had built a lot of applications as well as having purchased applications from vendors. We were working with a security team to go through and scan those applications for vulnerability using Software Composition Analysis. We were trying to avoid situations where somebody could do something that they should not be able to do like get at data.  

The product helped improve our organization by helping us to identify potential problems in applications and fix them before they were used in a way that they should not be. In essence, it helped enhance our security. I think another thing is that it did is it did kind of helped us with the general education level of staff working on the projects. Developers or technical stakeholders specifically were presented with the opportunity to understand things that maybe they did not before.  

We were not doing the training piece of the process when we were onboarding the product, but just adopting the platform definitely increased their awareness and knowledge about potential issues in development and application vulnerabilities.  

One of the best things about the solution is that I think it is kind of easy to get started using it. The pain of adoption is low. Once you got the code scanned, there is a lot of information that you have to plan time to go through and work with other teams to get things resolved or disposition.  

I think that it was easy to get started, but there was also definitely a learning curve in terms of people needing to understand what the reports meant and what to do about the information that they were getting.  

There is a concept called false positives where things might come up as a potential issue but they really are not. In our case specifically, we might get a false positive when a potential vulnerability is discovered through Veracode analysis, but the way that the application is built makes it so what appears to be a vulnerability is not really an issue. Stated a different way, even though there might be something that prevents that particular event from ever happening, the product does not correctly detect the safeguards or the impossibility of the issue arising.  

When a false positive gets reported by the Composition Analysis, it results in more work for you to do than you should have to. There is a lot of information to go through and so some of it is due to those false positives. You either have to do work to eliminate the false positives being identified, or you have to look at the alert and determine that it is harmless.  

As far as what might be added in future releases, more artificial intelligence capabilities would be desirable. I do not know if they have it now. Maybe one example could be to make more focused suggestions or give more information in the reports to locate the cause of the issues. It should be something that improves results over time so that people do not have to do as much work to understand the details.  

I have been using Veracode Software Composition Analysis for probably around three years.  

I would say it is definitely stable. There were no problems with the platform itself. It has been reliable. We never had issues where we needed to call support.  

I think the opportunities for scalability are good because we did not come upon issues that caused us to wonder about its limitations. We have not really pressed to find scalability problems. So my impression is that scalability is good. We did not experience issues due to bottlenecks or anything like that.  

Our group of users contained a mix of roles. It was developers, project managers, testers, information security analysts, and engineers. It was probably a total of around 30 to 40 people.  

For deployment and maintenance, there were really just like a couple of people. There was not a full-time dedicated need for it.  

There were times when we had to deal with support when we ran scans and we were reviewing results. There were times when we needed to either open a ticket or talk to somebody who had some expertise in a specific area. That process was timely and they were responsive. So that was good.  

Veracode actually has a separate subscription that you can participate in that is something like a learning management catalog. I think that the training piece of support has definitely improved over the course of when we used it.  

We did have a different product, but it was a little bit for a different purpose. We were using a different product but complemented the Veracode product. 

The initial setup was pretty straight forward. That is part of it being an easy solution to get started with.  

The deployment started smaller in employing the product to analyze a subset of our applications. It initially was being employed to look at the vendor applications that we had. I would probably say that initial period was about three to six months. That effort was focused on one group and did not really include all of the technical people and developers.  

Once we saw what it could do, it got adopted and we rolled it out to more people. So we kind of employed it in stages. The first part, which was essentially a test period, was three to six months. Then pushing it out for broader adoption in the next part was another three to six months.  

We did not use integrators. We did have the training and we did have professional services in the form of customer support from Veracode.  

I do not remember the licensing costs off hand. I would probably estimate it to be between 50,000 to 75,000 in our case.  

The advice that I would have for people who are new to the product would be to start with a proof of concept. This will help you to see how the product works with your process and people.  

The biggest lesson I have learned from using this solution is that it definitely increased my education on how to prevent application vulnerabilities earlier on and how not to repeat them. It also helped me as a manager to better understand how to guide and coach people.  

On a scale from one to ten where one the worst and ten is the best, I would rate this product probably as a  seven, if I am going back in time. I thought that there was room for improvement, but at the same time, it did what we needed it to do. We got what we expected. So I thought it was good, but I also think there were some additional manual steps or work involved that we should not have needed to do. That is really why I do not rate it with a higher number.  

The primary use case was scanning a single-digit number of applications. We scanned them about twice a year and that's about it. It was just to get the results. We used the results to gauge our security health.

The feature that was most valuable to us was the ability to point locally in a quorum.

The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified. 

The solution needs to be more flexible. It needs to work with clients more effectively. 

Right now, the licensing model is based on the number of applications as opposed to being flexible and based on the number of developers or based on some other parameters. This constrains our company in terms of defining what an application is and doing the scans. We have an application with multiple deposit rates, but Veracode has a hard time recognizing the different components sitting in different depositories as one application. 

The solution is pretty similar to others. There wasn't anything that was so startlingly different it would make us want to stay.

I had been using the solution for a while, but I am currently in the process of moving off of it.

The solution is stable. we've never had any issues surrounding its stability.

There's nothing to scale. Asking if the solution is scalable or not isn't applicable in this case. It's not an active load balancer. It's just a static scan. If it was dynamic, there may be a question around scalability, but it is not.

Technical support team is quite good. However, if we're talking in terms of how Veracode recognizes clients and deals with them, I'd rate them as bad.

We did not previously use a different solution. We've only used Veracode.

The initial setup has a moderate level of difficulty. It's neither simple or complex.

We handled the implementation ourselves.

The solution recently doubled in price over the past year, which is why I've decided to move away from it. The price jump doesn't make sense. It's not like there was a sudden influx in new features or advancements.

Without getting too specific, I'd say the average yearly cost is around $50,000. The costs include licensing and maintenance support.

I handle software composition analysis. Currently, I'm moving away from Veracode.

I don't know which version of the solution I am using currently. It's not quite the most up-to-date version.

If a company is looking for a long-term partner, and not just a transactional solution, I'd suggest a different company.

I'd rate the solution eight out of ten.