Veracode Reviews

Security scanning.

It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security.

In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better.

As for our customers, it lowers the risk for people visiting our site.

Catching coding flaws before they go live.

Regarding integrating Veracode into our software development lifecycle, we started out with it being used only as a web interface, and now developers are starting to use it right in their IDE on the desktop.

It's a pretty dynamic product. It's changing all the time and improving.

The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred-megabyte size.

We haven't encountered any scalability issues with Veracode so far.

They're awesome. Their timeliness is acceptable, but their expertise is phenomenal.

Veracode is the first professional solution I've used. It was in place when I got to the company.

We just use it as a cloud service for third-party developers.

In terms of cost savings relating to code fixes since implementing Veracode in our development process, I can't really give hard numbers.

I'm not the pricing guy.

Licensing is pretty flexible. It's a little bit weird, it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about it.

I recommend it all the time.

It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection.

I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourages its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.

I use Veracode to run scans on .NET applications, web applications and Windows/fat form applications. I also use it to make deployments in three-tier environments: the application server tier, web server tier and the database tier.

• Veracode has improved our penetration testing process. 

• We use Veracode static analysis during development to eliminate vulnerability issues.

• I have found the user interface extremely helpful in prioritizing issues.

• It allows me to prioritize the work to help resolve an issue.

They should improve on the static scanning time.

SAST. We have not yet integrated it into our software development lifecycle as it doesn't have the feature that enables us to integrate it with our repository.

It helps in achieving secure programming. Veracode provides us with industry best practices according to OWASP, CERT, and SANS. Our customers get the security of bug-free code and assurance regarding the application.

Scanning of .war and .jar.

Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries.

No stability issues yet.

No scalability issues yet.

We used SonarQube but to improve security in SAST we choose this.

Setup is straightforward.

The pricing is good for static code analysis.

Checkmarx, SonarQube.

Implement this solution if you see WAF and SOC in your future.

Our primary use case for this solution is application security.

The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.

This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages.

Specifically, I would like to see support for mobile frameworks like Xaramin and React JS, as well as extended support for iOS applications.

This solution is quite scalable.

We have approximately fifty users, but we definitely have plans to add more.

I have used their technical support and they are quite good.

We did not use another solution prior to this one.

The initial setup of this solution is straightforward.

This solution is on the pricey side. They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.

We evaluated other options, but we chose Veracode.

My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support then it will give quite poor results.

I would rate this solution a six out of ten.

I am a consultant and SourceClear is one of the solutions that I use to provide services.

This solution is used by people who want to verify the security of their own applications.

The most valuable feature is the efficiency of the tool in finding vulnerabilities.

A high number of false positives are reported and this should be reduced.

I have been using SourceClear for about a year and a half.

This is a stable solution.

We have no complaints about scalability. We have between 200 and 300 clients.

We have not been in touch with Veracode's technical support.

We have also used Checkmarx, where you can train the tool for false positives and ultimately reduce them.

The initial setup is a little bit complex.

It would be better to have some assistance when implementing this solution.

Overall, SourceClear is working fine for us and our main complaint is in regard to the high number of false positives. Nonetheless, I would recommend Checkmarx over SourceClear.

I would rate this solution a six out of ten.

Dynamic and static scanning.

We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle.

In terms of AppSec best practices, it has made everybody more conscious about what they're trying to accomplish, because they know at the end of the release cycle we're going to be running scans. They basically need to make sure they adhere to all the rules.

Our customers have benefited from the added application security we offer because they're more confident that our software isn't going to expose their organizations to any risk.

The ability to run scans. It's a critical piece of why we use the platform. We use it to get our scan results and see where our software is vulnerable or not vulnerable.

It's part of our SDLC now.

The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.

No issues with stability.

Not that I know of.

I have not contacted tech support.

It seemed straightforward. I didn't actually do the work, but from what I was told, it seemed like it was fairly easy to get going.

I cannot give numbers on any cost savings related to code fixes since implementing CA Veracode in our development process.

It's worth the value.

We did evaluate other options, but I can't remember who we looked at.

I would be highly likely to recommend working with CA Veracode to colleagues. 

I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do.

Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.

We are Veracode partners/distributors in Quito, Ecuador. 

At this moment, I am reviewing the solution. 

It helps me to detect vulnerabilities.

I use the SAST feature the most.

All areas of the solution could use some improvement.

Scanning for code security vulnerabilities within our company's products.

Made our company aware of any potential code security vulnerabilities. Also, customers can use our products knowing they are verified by top organizations as safe.

Informing me of application security vulnerabilities. Bamboo build-automation with Veracode API calls are used.

• The user interface could be more sleek.
• Some scanning requirements aren't flexible.
• Some features take some time for new users to understand (like what exactly "modules" are).

No issues with stability.

No issues with scalability.

Great.

Somewhat straightforward. There was a little confusion about "missing modules" that are third-party files that we couldn't upload because we don't actually have them. That really confused us, but the technical support resolved the confusion.

I can't report on any cost savings relating to code fixes since implementing Veracode in our development process, but it makes us feel more confident about our code, which is awesome.

We are satisfied.

None. We might look into Checkmarx.

I am very likely to recommend Veracode to colleagues. Veracode is great.