Veracode Reviews

I am a consultant and SourceClear is one of the solutions that I use to provide services.

This solution is used by people who want to verify the security of their own applications.

The most valuable feature is the efficiency of the tool in finding vulnerabilities.

A high number of false positives are reported and this should be reduced.

I have been using SourceClear for about a year and a half.

This is a stable solution.

We have no complaints about scalability. We have between 200 and 300 clients.

We have not been in touch with Veracode's technical support.

We have also used Checkmarx, where you can train the tool for false positives and ultimately reduce them.

The initial setup is a little bit complex.

It would be better to have some assistance when implementing this solution.

Overall, SourceClear is working fine for us and our main complaint is in regard to the high number of false positives. Nonetheless, I would recommend Checkmarx over SourceClear.

I would rate this solution a six out of ten.

We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.

Technically there is nothing wrong with Veracode. The only issue that we have here is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

Technically there is nothing wrong with Veracode. The only issue that we have is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications. So we would like to see a kind of a graphical representation of the problem areas. I would like to know which file is the biggest source of issues for me so that I can focus on resolving the issue, as a project manager. With how it is now, I am able to do this but I have to take out the whole PDF file and extract it. It takes up a lot of my time. I would like to see better strategic reporting. It would be great to get better graphical reporting.

Stability is very good and there were no issues. I will give it five stars.

It's very good; really very good. I would strongly recommend that. Technically I would be expecting a double concept for Veracode. I would still say this is one of the best products ever on that website. I don't have any issues with the scalability. 

I had no technical issues at all.

The initial setup can be a little complex for people or for organizations that don't have technical skills. Another small thing is that you need to have one person who's fluent and technically knowledgeable to help during the upload process. But otherwise, it's pretty much straightforward. It's not an issue, it's perfect.

I would strongly recommend doing an internal analysis first, before setting it across to Veracode to proceed and to use it more as a final verification point. My point is that Veracode is very good, and I would strongly recommend it. I have seen other solutions on the market and that's why I say: don't waste your time on other products, just get Veracode.

I would rate it an eight out of ten. Not a ten because of the reporting issues I mentioned that I would like to see improved.

I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.

We were embracing Veracode as a process in our DevSecOps, although I have not personally used this solution for the past eight months.

This is not a very elaborate application. I think that the suggestions are between thirty-five and eighty percent accurate, with most cases being about seventy-five percent. Some of them are references where you have to go and determine whether they are direct threats, or not.

At the point in time when we were using this solution, we had older coders and the way Veracode tests for vulnerabilities may have been affected by the code style. I found that there were far too many warnings and some false positives. Of course, this comes with every product, and there are multiple tools that are used.

Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.

In the context of a dev or UIT environment, I'll say that it is fairly stable. However, I would not be able to give ratings for stability in a production environment because I have no experience with it.

Technical support was good and I was very happy with them.

We did not have that many issues to start with. They conducted training, and there was an architect that was working directly with me to answer everything. He was fairly knowledgeable. In the beginning, when we wanted to understand the product, he gave us great pointers. He provided very nice documentation that we followed and we were able to establish with the infrastructure team.

I have used multiple tools similar to Veracode that integrate with the IDE.

The initial setup was straightforward. What I recall is that it was not really difficult and we had optimal support. They also provided us with documentation to help set up integration with tools such as Jenkins.

When it comes to DevSecOps, in the industry it is still under adoption. With the advent of the cloud and code being there, or on other public platforms, many people have embraced it or are in the process doing so. 

My advice for anybody interested in implementing this solution is to be really careful when choosing your tools. Be very proactive and up-front on the requirements of your systems, because no tool is perfect. You need to find the best fit for each particular use case. I would do a thorough analysis.

As a solution architect, I do small POCs and run initiatives on products to find out various aspects. For example, the technical feasibility of the product is an important aspect. Other important ones are usability, testing, and implementation. Normally, I select at least three products and do a comparative analysis based on the POC. After this, I recommend a particular solution.

I would recommend Veracode. There are plusses and minuses to this solution, but given the chance to use it again I would definitely do so. Every product has its own flaws, but for my use case, it did fit very well.

I would rate this solution an eight and a half out of ten.

Our primary use case for this solution is application security.

The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.

This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages.

Specifically, I would like to see support for mobile frameworks like Xaramin and React JS, as well as extended support for iOS applications.

This solution is quite scalable.

We have approximately fifty users, but we definitely have plans to add more.

I have used their technical support and they are quite good.

We did not use another solution prior to this one.

The initial setup of this solution is straightforward.

This solution is on the pricey side. They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.

We evaluated other options, but we chose Veracode.

My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support then it will give quite poor results.

I would rate this solution a six out of ten.

We use Veracode to scan custom-developed code for flaws.

• The volume of unmitigated flaws in our applications has been substantially reduced.
• In terms of AppSec best practices, the team at Veracode has provided industry benchmarks against which we are measuring our improvement.
• Our customers have benefited from the added security assurance of our applications, although they may not know it.

The identification of flaws.

We would like to see improvement in reporting, in particular, end dates on mitigations.

The solution is very stable.

It has handled all the expansion we have required from it.

Technical support is highly competent.

It was already implemented when I joined the organization. However, we have expanded greatly.

We are about to enter discussions for renewal. I have heard there may be some changes to pricing. I will reserve judgment until the discussions are complete.

I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added.

We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.

We use it for static checking.

We are a state agency, we're not a private-sector company. What we're able to do is take our main web-based application, which is not only for internal use but which the citizens of Ohio also use, and we can run this application, and others as well, through Veracode to ensure that we've done our job, our due diligence.

We print out a report, we see the rating of the vulnerabilities that have been found: "critical" and "high", "moderate" and "low." We've been able to go from having critical vulnerabilities to where we're now into the more moderate range. We've shown improvement through the years. We can provide that information to our superiors, and to people who come in and audit us, to show that we've made progress on scanning.

When we find a vulnerability, we do pass it on to our developers and they've been able to go in and adjust the code so that the vulnerability is no longer there. The goal, of course, is that these findings will help them as they develop new code so that these vulnerabilities are not a part of the next application. We run a follow-up scan to make sure the vulnerability has been cleared.

The benefit, at this point, has been more internal than for our customers. Obviously we don't want them to have a problem so that they could then, theoretically, actually see the benefit. We try to be proactive.

• Having the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important.
• Utilizing the software as a service. We do the scanning of the compiled code ourselves but it's on their servers, which is a plus.
• Technical support is available if needed and that is advantageous.
• Having online education and training is also advantageous. 

I attended a meeting of one of the security organizations I am associated with. At the meeting were security professionals from several major retail companies. The topic of discussion happened to be application development security. When the question was asked concerning what tools are being used, many of these major retail companies said they are using Veracode. However, they were quick to comment that the product is too expensive and that there are too many false positives which take too much time to remediate.

The stability is very good. They haven't had too many updates or upgrades. They did a major upgrade several years ago but it came out just fine. It has been a really good product.

I'd call us a "mid-range" agency, so it's not like we have a ton of applications that we're changing and updating. It's good for us, but I can't really answer how scalable it is because we're not really big.

I don't believe that the team has had any problem going on to the website, downloading the static code, or running scans. They do it quite often without any issue and are able to read the report and rectify whatever vulnerability has been discovered. There has not been a problem walking through those steps. It's been pretty straightforward. And if our team has any problems, we've got access to someone that we can schedule a call with to work out the issues.

We haven't had to call tech support too often, but when we have had to call them, support has been good in terms of resolution time.

I was involved, on a cursory level, with the setup. Our implementation strategy was to focus on our main web-based application. The way that they developed the application here was under one static set of code, so we could scan this code and, in essence, be able to check the vulnerability of most of the applications from the different business in our agency.

We did not use an integrator or a third-party. We did it with the help of Veracode.

We are a state agency, so we're not for profit. I tell everybody we don't make money, we spend money. To frame it in the context of the public sector, I think we are giving our citizens peace of mind. When they come in to write a permit, and we send them to a service that collects payment, that jumping-off point is secure and safe. It would be more in those terms, rather than the bottom line.

In the public sector, return on investment is not a term that is easily understood because we do not invest. But total cost of ownership is something that we can put our arms around. When we think about potential data breaches, Veracode has certainly helped us. When you think about the cost of the product and that I have one person, not ten people, running this tool, the total cost of ownership is low. I have no devices or servers, I didn't have to do any of that here onsite. It's all in the cloud. The total cost of ownership, given the services they provide, is very low, in my opinion.

We're always looking to save the taxpayers' money. I used to tell my vendors, sharpen those pencils and make the tip laser-sharp. When it can be, I want it to be less expensive, but you get what you pay for too. Vendors need to be fair and I think Veracode has been fair.

We use their SaaS solution and it's just an annual subscription.

The state of Ohio decided to bring AppScan in and that's an IBM tool. IBM became a major vendor in the state of Ohio. But what happened is that AppScan does not offer static code vulnerability checking; dynamic is something they do offer, but it's not as complete and comprehensive as a static scan is. Even the state has gone away from AppScan, but we were looking at it, we were starting to get set up for it. But evidently, other agencies haven't found it to be as useful. So we're not going that direction, we're staying with Veracode. 

There would have been cost savings associated with going with AppScan but we decided, because the state was not going that way, that we were not going that way either.

I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool.

I really like Veracode. That is one of the reasons that we brought them onboard ten years ago. Of course, they were new back then. The different aspects of the offerings that Veracode provides to their customers are somewhat unique and, right now, I couldn't ask another thing from them.

We have approximately 30 Java developers and four or five testers. There are also project managers using it. We have one person who manages running of the scans and that person might have one or two other people to help.

We haven't really been utilizing it to its full potential. We probably utilize it once or twice per quarter. We are planning to increase the capacity that we've purchased. However, we're getting ready to elect a new governor in Ohio. With that election, things will change, according to his or her desires. Right now, we're in a holding pattern waiting for November to come and go.

In terms of integrating the solution into our existing software development lifecycle, because we started so long ago - before the software development lifecycle was fully implemented - we were doing Veracode testing just because it was a good idea. Then we actually developed a lifecycle. We got into scrums and it just naturally worked its way in, so when we actually hired a testing group, Veracode was already a part of the process.

We use it for security scanning of SaaS and mobile software that we develop: one server-side and two mobile applications. Most customers require SAST and DAST scanning in order to purchase.

It gives us more confidence in the application security of the products we scan. We use it as part of our AppSec best practices. 

It has an easy-to-use interface.

We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time.

We have never had any problems with the solution.

It has always worked for us, we haven't found any issues. There have been no problems with scanning small and large objects.

Technical support is excellent. It meets our needs.

We had no previous solution. Our choice of Veracode was due to Veracode being a customer and requiring that we use their tool to scan our solution.

The initial setup was straightforward. As it's a SaaS solution, it took no time to set up. But because I didn't take training, I spent a bit of time figuring out the product. No implementation (or strategy for implementation) was required, beyond some simple configuration settings.

No issues, the pricing seems reasonable.

We evaluated no other products for SAST when we started using Veracode. 

Be aware that the first run will find a lot of issues, many of which are not real issues; it will take time to understand that. Don't change object names as that will confuse it. Make sure you get development buy-in early.

We're looking to expand its use within the development organization and are looking into another license. Currently, we have four users of the solution, myself (security) and developers. The four of us also maintain it.

Static application security testing, which is the primary use case. 

There were different web applications which were scanned using this tool.

Veracode scans provide a higher number of false positives. Also, the overall reporting structure is complicated, and it's difficult to understand the report.

Veracode provides faster scans compared to other static analysis security testing tools.

Veracode should provide support to more software languages, like ABAP.