Veracode Reviews

Static code analysis is a valuable feature.

We were able to easily integrate static code testing into the SDLC process. We moved from the waterfall to the agile methodology, and were still able to integrate Veracode testing within both methodologies.

It's been over a year since I used the product. But when I did, I found there were too many false positives.

I used it for one year.

No issues encountered.

No issues encountered.

No issues encountered.

8/10

8/10

We are planning on introducing a static code analysis tool to support a DevOps effort in our environment. The objective of the solution is to allow the team to identify vulnerabilities in the source code and improve the hygiene of the developed code before deployment.

This is currently still under evaluation, and it is pending review and assessment against other static code analysis solutions.

The solution provides the capability for the application teams to track remediation and the handling of identified vulnerabilities. The system provides workflow capabilities for the application teams to send the completed scans to the security teams for their review. In addition, the security team can track the remediation and risk acceptance statistics.

The solution currently does not support Dynamic Application Security Testing which is an important facet of application security testing. In addition, the current version of the application does not support testing for API.

We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.

Technically there is nothing wrong with Veracode. The only issue that we have here is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

Technically there is nothing wrong with Veracode. The only issue that we have is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications. So we would like to see a kind of a graphical representation of the problem areas. I would like to know which file is the biggest source of issues for me so that I can focus on resolving the issue, as a project manager. With how it is now, I am able to do this but I have to take out the whole PDF file and extract it. It takes up a lot of my time. I would like to see better strategic reporting. It would be great to get better graphical reporting.

Stability is very good and there were no issues. I will give it five stars.

It's very good; really very good. I would strongly recommend that. Technically I would be expecting a double concept for Veracode. I would still say this is one of the best products ever on that website. I don't have any issues with the scalability. 

I had no technical issues at all.

The initial setup can be a little complex for people or for organizations that don't have technical skills. Another small thing is that you need to have one person who's fluent and technically knowledgeable to help during the upload process. But otherwise, it's pretty much straightforward. It's not an issue, it's perfect.

I would strongly recommend doing an internal analysis first, before setting it across to Veracode to proceed and to use it more as a final verification point. My point is that Veracode is very good, and I would strongly recommend it. I have seen other solutions on the market and that's why I say: don't waste your time on other products, just get Veracode.

I would rate it an eight out of ten. Not a ten because of the reporting issues I mentioned that I would like to see improved.

We use Veracode to scan custom-developed code for flaws.

• The volume of unmitigated flaws in our applications has been substantially reduced.
• In terms of AppSec best practices, the team at Veracode has provided industry benchmarks against which we are measuring our improvement.
• Our customers have benefited from the added security assurance of our applications, although they may not know it.

The identification of flaws.

We would like to see improvement in reporting, in particular, end dates on mitigations.

The solution is very stable.

It has handled all the expansion we have required from it.

Technical support is highly competent.

It was already implemented when I joined the organization. However, we have expanded greatly.

We are about to enter discussions for renewal. I have heard there may be some changes to pricing. I will reserve judgment until the discussions are complete.

I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added.

We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.

We used Barracuda for scanning containers. And in all in DevOps workflow.

The coverage of backdoors attacks on security that's the most valuable for my clients.

There is room for improvement in documentation. Maybe the documentation about how to configure something. It is difficult to get the expected result. 

I have been using this solution for two years. 

It's stable. It works very well in the parameter like an enterprise solution. We don't have any problems with that.

We are very pleased with the support.

Positive

I would rate my experience with the initial setup a six out of ten, where one is difficult and ten is easy to set up. 

We work on the deployment process. The solution is deployed both on-prem and in the cloud environment.

The solution doesn't require any maintenance. 

It took two years to see ROI for our clients.

Veracode is expensive. But the solution is worth it. 

Overall, I would rate the solution a nine out of ten. It is a good solution for security. In my personal opinion, there are not many products like Veracode in the market. 

I'm the manager of DevOps and cloud architecture.

This product has given us the ability to investigate and understand the black zones in our system. 

Veracode can emulate the most sophisticated attack and create unique or specific use cases around automatic penetration testing. It gives us the ability to investigate any sensitivities to vulnerabilities that we may have.

Security can always be improved. I'd like to know how we can better prevent intrusions to our systems and create risk analysis use cases and understand them. What is the level of risk for what we want to do? How can we understand the process better? I'd like to have a better overview of what's going on. 

I've been using this solution for five years. 

The solution is stable. 

The solution is scalable.

There are three layers of technical support and we have used all of them over time. We are happy with the service they provide. 

It's important to understand your environment and know the specific use cases for your organization. Creating good orchestration application metrics is very important.

I rate this product eight out of 10.

Our development team use this solution for static code analysis and pen testing.

The runtime code analysis could be improved so that we can see every element in one place.

I have used this solution for two years. 

I would rate this solution an eight out of ten. 

We test each major release of our software using Veracode static and dynamic testing. We also do manual penetration testing annually.

Ensures our code and system are 100% compliant. In terms of APPSec best practices and guidance to our team, the Knowledgebase available on the Veracode system is a great resource for our developers.

For our customers, the added security assurance is a requirement.

• Ad-hoc scanning during the development cycle
• Reports for audits

In terms of integrating Veracode into our existing software development lifecycle, there are regular milestones in the SDLC to perform Veracode scans.

• Entering comments for internal tracking
• Entering a priority
• Reports that show the above

No issues with stability.

No issues with scalability.

Excellent.

We did use a previous solution. It didn't satisfy our needs technically, and the customer service and its cost were not satisfactory.

Easy.

We don't do a detailed enough analysis to reflect on any cost savings relating to code fixes made since we implemented Veracode.

Negotiate some, but their prices are reasonable.

HPE Fortify.

Have them guide you through your first scan - make sure to add hours to your initial contract for that.

I am very likely to recommend Veracode to colleagues.