Veracode Reviews

We use Veracode to scan custom-developed code for flaws.

• The volume of unmitigated flaws in our applications has been substantially reduced.
• In terms of AppSec best practices, the team at Veracode has provided industry benchmarks against which we are measuring our improvement.
• Our customers have benefited from the added security assurance of our applications, although they may not know it.

The identification of flaws.

We would like to see improvement in reporting, in particular, end dates on mitigations.

The solution is very stable.

It has handled all the expansion we have required from it.

Technical support is highly competent.

It was already implemented when I joined the organization. However, we have expanded greatly.

We are about to enter discussions for renewal. I have heard there may be some changes to pricing. I will reserve judgment until the discussions are complete.

I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added.

We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.

Application development and secure code development.

We do automated scanning, so we use it as part of our development cycle. We do both automated security scanning as well as our own automated testing. We run the two in parallel and treat both outputs of, let's say, a sales functionality test. A security vulnerability is just a defect that needs to be resolved before we release the product.

We do an automated upload to the Veracode platform for all of our applications - we have about 35 applications. For all of them, it's automatically done, pre-configured, pre-compiled, based on scripts that we worked out with Veracode. And then on a scheduled basis, the upload and scanning is done, in some cases, twice a month. In some of our applications, two to three times a week, we just constantly scan and look for exposures, and continue to feed that back to the development team and make sure that they don't release product that's not ready for market.

We have found that our developers have become a lot more knowledgeable about how to develop secure code, and that was very important to us. We also became more knowledgeable about vulnerabilities in the market, which are the most critical to address. You could say it helped us to apply the right investment in the right place.

In terms of best practices and guidance, we do quarterly reviews with Veracode, where they're analyzing our information alongside of us and providing feedback to our executive team to suggest strategic changes in certain approaches. We've also done benchmarks with them, where we've compared our maturity model to the industry's model, as far as security practices go and best practices for security and such. In some cases, we've made adjustments to improve, and in some cases we are confident we're ahead.

Regarding our customers, for one, they can move to market faster, we can move to production faster. Also, we discuss our security program and the software development life cycle with them in pre-sales discussions, post-sales discussions, implementation approaches. What it does is, it gives them the confidence to move ahead in a more direct fashion, with one less headache for them to worry about.

• The static scanning of the software is very important to us.
• The ability to set policy profiles that are specific to us. 
• The software composition analysis, to give us reports on known vulnerabilities from our third-party components.

It's really hard to criticize something that has become somewhat seamless for us. If they wanted to expand their capabilities into other areas of security, that would be fine. They're a very knowledgeable group of people. We do meetings with them on a pretty regular basis. We gain insights from their perspectives.

To me, if they just broadened their footprint into the areas that their feet feel comfortable going into, we'd have no problem pursuing that.

No issues with stability.

None.

Tech support is very effective. We can do online requests for read-outs with their tech support - but the more common support would be for security advisory, when we're looking at certain vulnerabilities that we're struggling with how to remediate. We can get online with one of their security engineers, and they provide advice to us some best practices on making the code changes to secure the system. They do a very good job of that.

Prior to working with Veracode, we used a self-applied application. That is, we had the solution on-premise, but just could never quite get the routine approach that we've developed with Veracode. The program management features that Veracode offers to help us get our program up and going, along with the low false-positive rates that their solution provides - versus what we had done in the past - gave us some immediate traction. I think that we were able to make progress in the first five or six months working with Veracode, that we had not made in four or five years with previous approaches.

It was a dynamic scanning solution but, again, it was on-premise. Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation, where the other solution was a good solution, but all of that work fell upon us to do for ourselves. Our focus is on developing features and functions for our application, and running an application security platform in-house is just not practical, just not our core competency.

It was straightforward. We went from signing a deal on December 30th, to performing that first scan on January 5th, to completing that scan and starting to remediate issues on about January 15th. And that is one of the fastest wrap-ups of any technology that I've been associated with.

By implementing Veracode in our development process, what we've done is cost avoidance, not necessarily savings. By getting ahead of it, and releasing product to the market that's more secure, we have very few, if any, reported issues by our customers. So we don't have to go and do a maintenance repair of those. That's an avoidance of cost. 

It's a pretty accepted standard that if you release a vulnerability or a flaw into the market, it's going to cost you 10 times more to address it after the fact than if you prevent it. I'd say that that, plus the automation of the scanning, has also reduced the amount of capacity or full time equivalence we have to apply to repair and scan.

As I said, we have 35 applications, and instead of having 35 different people preparing their packages for upload and scan, it's automated. We don't have to spend money doing that as well. 

So avoiding the cost of releasing vulnerabilities into the market that get caught by customers and reported back, is a big one; and then, reducing the investment of performing the continual scans.

We're very comfortable with their model. We think they're a good value.

We worked very closely with Veracode on understanding their license model, understanding what comprises the fee and what does not. With their assistance in design, we decomposed our application in a way where we are scanning a very significant amount of code without wasting their capacity and generating redundant reported issues. You scan in profiles, per se. And we work with them, in their offices, to design the most effective approach.

So the advice I would have for customers is, you can get up and live fast, but work closely with Veracode to refine the method you use for scanning and the way you compile the applications. There's a concept called entry-point scanning, and that's probably not used well by the rest of their customers. We see our licensing as a good value because we leverage it heavily. I'd say many customers might not quite go to that level. But that's their choice.

I'd rather not give out competitor names.

But the method we were using in the past was what is called dynamic scanning, or DAST. That required we have an environment that was up and running with the application, and then we could proceed to scan. You can see that if we have 35 applications, that means we've got 35 environments running our application internally, just for scanning purposes. That's a lot of hardware, whereas this methodology uses static scanning, where we upload the compiled code and we don't invest any hardware in doing that. The scanning capability not only does the scanning but contains the application code for us. There are a lot of complexities with trying to do a dynamic scan on-premise, versus a static scan on a platform.

You almost can't compare the two. False-positive rate in the dynamic scanning was very high - 30 percent, maybe - and the false-positive rate for the static scanning is very low - maybe two to four percent. That is a significant value, because you don't have to spend a lot of time sorting through reported issues to determine if they're valid or not. We're pretty well assured that as we start investigating one, it's more than likely valid. We don't have that doubt entering in.

It was a different approach. Two concepts: 

1. That it is a cloud-based solution, which is very valuable to us, we don't need that hardware running our scans and hosting the environment to be scanned.
2. The technology, the static scanning versus dynamic scanning produces a much better result, a more accurate result.

We recommend Veracode to colleagues all the time.

I'd give the advice of not getting hung up on trying to compare the static scanning to the dynamic scanning, that's number one. Don't even compare them. If you're doing neither, do statics first. It'll get the majority of your exposures addressed. Then you come in, in a second round, and do dynamic. Dynamic really becomes more of a confirmation of security.

The other piece of advice I'd give is to "follow the directions." Make sure they understand how they're supposed to compile code. Take the advice of the program management team with their code, and follow their lead, and you'll come out in a very good position very quickly.

I'd give Veracode a 10 out of 10 because the rate at which we gained control of our security posture, from a development perspective, was fast. There is a lack of wasted time on our developer organization in chasing down erroneously reported vulnerabilities. The erroneous reported vulnerabilities is very low, and that means that our developer time is very effective as we investigate a reported issue. As I said, it's 96, 98 percent probability it is real. So our developers gain confidence and don't second-guess the results. 

The level of detail that we are provided for a given vulnerability - the data path that it follows, the precision with which the justification is provided - is very high. Again, you're highly confident in the result. You are provided a tremendous amount of detail about the vulnerability it found. And the rate at which you can ramp up and be productive is very fast.

Static code analysis is a valuable feature.

We were able to easily integrate static code testing into the SDLC process. We moved from the waterfall to the agile methodology, and were still able to integrate Veracode testing within both methodologies.

It's been over a year since I used the product. But when I did, I found there were too many false positives.

I used it for one year.

No issues encountered.

No issues encountered.

No issues encountered.

8/10

8/10

We are planning on introducing a static code analysis tool to support a DevOps effort in our environment. The objective of the solution is to allow the team to identify vulnerabilities in the source code and improve the hygiene of the developed code before deployment.

This is currently still under evaluation, and it is pending review and assessment against other static code analysis solutions.

The solution provides the capability for the application teams to track remediation and the handling of identified vulnerabilities. The system provides workflow capabilities for the application teams to send the completed scans to the security teams for their review. In addition, the security team can track the remediation and risk acceptance statistics.

The solution currently does not support Dynamic Application Security Testing which is an important facet of application security testing. In addition, the current version of the application does not support testing for API.

Security scanning of the applications, of software that my company built.

We have a large developer base at our company ranging in a variety of skills sets. Some are very security aware, others really don't have the knowledge. What Veracode provides is really good feedback on what vulnerabilities were found in their code: examples, definitions, ways to mitigate. One of the huge benefits we've seen is just a bigger security awareness within our development staff.

Further, with the tools that Veracode provides, they're actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers.

Veracode provides application security best practices and guides our security and development teams because most of the time, in the issues that it opens, it has lots of links and details in there. There are also regular emails and newsletters and they send out about trends. So, there's a fair amount of communication and there are also a lot of details within the issues that they find. There's always plenty of material that they link to in issues. They do a really good job of providing a lot of communication and detailed documentation around our application security tools.

Our customers have benefited in the fact that know that we put security right in front, as a priority. It's not an afterthought. They're a lot more aware that we're security conscientious, instead of just, "The software works, here you go."

We also have reports. Some of our customers have asked for various types of reporting and security related stuff. Now, we're also able to give them these reports, essentially from Veracode's scans of our software. So, we have a lot more documentation about it. Instead of answering one-off questionnaires from our clients, we actually have a canned report we can provide. Again, all this material, we didn't have a year ago. We were just ad hoc answering things and hoping that they didn't question it anymore, and we really didn't have any good evidence. They were just taking us at our word.

The most important one is the static scanning analysis, and the reason is that it can tell us vulnerability in that code, right before we go ahead and push something to production or provide something to a client.

We pair that with dynamic scanning, which actually hits our Web applications, to try to detect any well-known Web application vulnerabilities as well. It's really just a way for us to stay ahead of it and provide some assurances and security with the software that we deliver.

Also, Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of a software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion. So the API is a huge thing that we use from Veracode, in addition to those two types of scans.

In terms of integrating Veracode into our existing software development life cycle, we heavily use JIRA today for bug tracking issues, time management, and the like, for our development team. When those scans kick, Veracode integrates back into our JIRA and actually open tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products. That's really what we use in measuring there, the integration back to JIRA in issues found.

From a technical standpoint, I'm pretty happy with everything. The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something have on their roadmap.

Other than that, I don't really get too involved in the cost sides of things that's in my job, I'm more of a technical focus, but I have heard from my manager and a couple other people that the solution is quite expensive. So that is possibly one factor that could turn somebody away from Veracode. But, like I said, I really don't know much more about that. Technically, I'm very impressed and happy with what they've had to offer.

I have not run into one issue with stability with it. I'm throwing stuff at it all day and I can't think of one time where I've had an issue with submitting a scan or getting a scan to complete. It's been pretty flawless.

The one thing we hit was some licensing limitation. Again, it went back to cost, I believe. We had to go back and change our licensing model with Veracode to be able to scan all the things that we wanted to. I think there was some confusion up front with their licensing or cost. 

Like I said, that's really the only area that I've heard some gripes about, but I'm far removed. I'm not sure if it was scalability or a licensing mishap, but we did have some issues early on, with the amount of things that we wanted to scan and what their limits were for us. But ever since whatever was straightened out there, I have not had an issue of scalability.

Initially, I had some questions back and forth and I was able to get everything resolved, mostly via email. Overall, I thought the response time was good, the answers were concise and accurate. Within 24 hours I was getting a response via email from their support. For what I needed to set up, I really thought their support was great and really sharp.

I don't work with the support that often, now that things are established. But to get off the ground running, they were extremely helpful.

We had never done anything like this in the past. This was the solution that we chose. We didn't really evaluate anything else. I know that my boss has been a fan of some CA products in the past and really recommended this one. I did some digging on it, from a technical standpoint, and I said I believed it would be able to scan all our stuff, support our platforms, the languages that we write our applications in, so that's how we landed on Veracode.

Without the API, it would have been extremely complex. It would have been very painful because it would have been a very manual process of submitting applications. 

I am fortunate enough that I have a pretty strong development background, so I do a lot of coding myself. For the person without development experience, using the API would have been very difficult. Where I work, we're a little unique in that sense.

But the rest of it, it's a cloud-based solution. I'm kicking off all my stuff over to Veracode and it's running in their environments and producing results. There's not a whole lot of setup besides that. It's not a big cost on an any infrastructure that we have to run or support. So, pretty painless really.

I wish I had some numbers - this is really not my area. I would assume that it's got to be a fair amount of cost savings, only because we're touching things earlier. We didn't have anything before. I don't have good stats to provide except for the fact that now we have something in our process, where before we didn't. Before, security things were only being addressed if somebody actually found something or, even worse, if a customer found something. We don't have a lot of historical data but it's got to be substantial.

I believe, from a technical standpoint, it's paying off for the rest of the organization. I think ethically it's the right thing to do. Educating our staff - I don't really know how you measure that in a dollar amount - but our developers are getting education and are becoming more aware of security in their software. Me being a technical guy, those two things are huge, and the dollars don't add up enough. I'm not sure how you would measure it.

It probably pays off more over time as well. We're still only a year into it. So we're still learning a lot ourselves.

If you're licensing, and you're looking at licensing models, you might want to ask Veracode about their microservice, depending on the company. If you are a microservice architecture, I would suggest asking them about their microservice pricing. I would suggest that you evaluate that with your code and their other licensing model, which is like a lump sum in size of artifacts, and just make sure that you price that out with them, because there might be some tradeoffs that can be made in price.

There were some, but we didn't get serious about them because they didn't have everything that we wanted.

I would advise that you figure out a way to integrate it into your software development lifecycle in a way that it's not intrusive to your developers. That was really something that I set out to do. I didn't want my developers to have to go into their code, and kick off scans, and upload their code. So, I would really suggest looking at your integrations, your JIRA, your Jenkins, all of your add-ons, and hopefully that fits into the SDLC process, and then automating via their API.

Essentially, what we were able to achieve is, my developers still live within JIRA and the issues get opened from Veracode into JIRA and they work on things that way. They can remediate it, kick it that way, and if they need to they can log into Veracode. But I'd suggest making the SDLC process integrated as much as you can to make it something that developers aren't having to spend a lot of time doing every day.

Overall, I would give Veracode a nine out of 10, just because nothing is perfect. But it does everything for us and it was so painless. I speak very highly of it for those reasons.

I would highly recommend CA Veracode. Every engineer that I've dealt with has been really sharp. The review process they have is really good and the knowledge they have has been tremendous. I really recommend working with them.

SAST vulnerability scanning. Veracode is embedded in our release pipeline.

It improved our security posture. In terms of cost savings relating to code fixes since implementing Veracode, I'm not sure there are any. How do you quantify reputational damage from a security breach? However, they have provided AppSec best practices and guidance to our security and development teams through our support agreement, weekly meetings, and annual review.

Because it is a SaaS offering, I do not have to support the infrastructure.

Some important languages are not supported.

No issues with stability.

We have encountered occasional issues with scalability.

Tech support is excellent.

The initial setup was extremely straightforward.

Negotiate for the best deal.

Fortify, App Scanner, Checkmarx.

Make sure the supported  languages align with your developers.

We test each major release of our software using Veracode static and dynamic testing. We also do manual penetration testing annually.

Ensures our code and system are 100% compliant. In terms of APPSec best practices and guidance to our team, the Knowledgebase available on the Veracode system is a great resource for our developers.

For our customers, the added security assurance is a requirement.

• Ad-hoc scanning during the development cycle
• Reports for audits

In terms of integrating Veracode into our existing software development lifecycle, there are regular milestones in the SDLC to perform Veracode scans.

• Entering comments for internal tracking
• Entering a priority
• Reports that show the above

No issues with stability.

No issues with scalability.

Excellent.

We did use a previous solution. It didn't satisfy our needs technically, and the customer service and its cost were not satisfactory.

Easy.

We don't do a detailed enough analysis to reflect on any cost savings relating to code fixes made since we implemented Veracode.

Negotiate some, but their prices are reasonable.

HPE Fortify.

Have them guide you through your first scan - make sure to add hours to your initial contract for that.

I am very likely to recommend Veracode to colleagues.

It has helped us be more secure, and it has helped us put a package together for our customers that will take into consideration training, all the way down to the coding level.

For us, it's the partnership. We have always been very strong partners with Veracode. They provide excellent training to our sales team, so we are able to work with our customers to show them the value of secure code training.

More integration into the specific application; an open API would be good. Aside from that, I think they do a really good job in terms of the features they have. 

Veracode has always been a very stable product for us, a very stable product for our customers, and it has been a very stable relationship as well.

We have customers of every size from several hundred to several hundred thousand. The product works well, regardless of the size of the company we are working with.

We have had customers - and it has been our own experience as well - tell us that the support is second to none. They are very quick to respond, very quick to answer questions in a really knowledgeable way.

We've had no comments from our customers other than that it is an easy setup.

When it comes to secure coding, Veracode is the only one we really considered.

For us, whenever we are selecting a partner, vendors to work with who are going to be working with our customers, we have to make sure that they align regarding customer support philosophy, and that is the reason we selected to work with Veracode.

I would definitely rate Veracode a 10 out of 10, based on our customer feedback. Whenever we know the relationship is going well between Veracode and our customers, it reflects very well on us.