Veracode Reviews

We test two mission-critical web applications (C# Web forms).

We used to revise code with free tools (like VCG) but they are not even in the same universe. Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavy using it.

Also, from the very relevant results and issues that were pinpointed by Veracode, I can say that our customer security was greatly enhanced by its use.

It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code, but the source code never leaves your workstation, it is all client side, no NDA needed.

It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help (but not now, now that I've learned it).

No, we did not detect a single glitch or fault in a year. We once had a periodic maintenance activity on the Veracode platform during a deadline, but it was clearly announced in advance, so we just went around it and had no issues.

No, you don’t have such concerns on Veracode. The process is really "launch and forget" (and wait for results).

The team that assists us with it is just great, especially considering there is a language barrier for some of our employees. Veracode did its best to get those employees in the loop with the chance to attend the meeting, as well with the aid of written English.

VCG (Visual Code Grepper) but I am not even going to compare them. VCG is as good as they come, but Veracode is a different breed. An application went through VCG and we were pretty confident. Then, Veracode results just blew us out of our shoes.

I manage the Veracode suite for my company, and I was personally walked through the various steps. Once I was up and running, we had another two-hour session to explain to us how a proper Veracode assessment should be planned (developers, code reviewers). As a result, I believe we have not only a pretty solid code review process up and running, but this was all provided to us at no additional cost.

What we felt is that the Veracode guys want to enjoy and use their solution first. They are not pushing to get consultancy time if that can be avoided. If you need consultancy time you can have it and the prices are convenient. We did not. All the help came at no additional cost.

It is difficult to assert, but it helps a lot with maintaining compliance with our main customers, and helps us to pinpoint some specific issues. The cost of not having Veracode would be pretty high for us.

The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was.

The licensing is fair, it is time-limited (e.g. one year) but there is a size cap for every app. If your applications are big (due third-party libraries, for example) you should discuss this beforehand and explore suitable agreements.

Competitors were evaluated but seemed, at once, too bloated or not relevant to all our specific requests. We were not interested in buying a product (such as a standalone program) rather we were interested in getting a tool for creating a process, and Veracode is that.

In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward doing it, starting with the next app that gets developed from scratch.

CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a credible set of rules for Veracode policy, all this at no additional cost.

As Veracode licensing is generally time-related, I suggest you start the subscription once everything is ready for consumption, assign a specific person to it and declaring it mandatory at the policy level. Losing two months of great value because the devs are too busy, or because they think they don’t need it, or they fear the results, or because no one is taking charge of the Veracode process, is really a pity. Once the clock starts ticking, try to take advantage as much as you can.

I would recommend Veracode to anyone involved in high-risk environments.

Application security management.

We've been able to provide reports to our clients that show applications are either flaw-free, or in the process of being remediated, and give them timely status updates on how those flaw remediations are going on.

Our customers have benefited by being able to have a little bit more assurance from us, from a trusted authority, that our code is properly flaw-free and remediated.

The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws.

We have been able to integrate Veracode through many of the IDEs that our developers use, using the Veracode APIs, or they've been actually been doing this manually as part of their SDLC.

Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year.

That would probably be the biggest area, access to more granular data that we could pull and use on a regular basis. Better dashboards. That kind of information.

It's stable, absolutely. They do regular maintenance schedules. Aside from that, I can't really think of a time where it has not been a stable product or unavailable. 

No issues with scalability.

We engage their support teams quite often actually. Part of our licensing package is a good number of hours per month for our development teams to work with their support teams at Veracode, to help solve remediation issues, troubleshoot some of the flaws that they encounter or can't understand. Their support teams have been able to work with our development teams very well.

We were not using a previous vendor prior to this. We've used other vendors like Nessus for pen testing. We still use those. Veracode was just more of an addition.

The setup has been more of a phase-in approach, and it's been gradual. It's been kind of a "trial-by-fire" setup with a lot of our development teams because most of our development teams aren't used to doing this. So, it's been a trial, I guess more so on our side, to get the adoption going on. It's just part of training our team to actually know there's something they need to do on a regular basis.

Regarding any cost savings relating to code fixes since we implemented Veracode in our development process, I can't say I have that information off the top of my head.

Just do your research. Make sure you're getting the best price on this. It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in. Then just see if it can work. Try and make sure you get the best price possible.

I was not part of the evaluation team on this, unfortunately. But I believe the other options were evaluated as well, but I don't have access to that information.

In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not have really before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half.

The advice I'd give is look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good for your company. If you aren't currently doing this kind of analysis on your code, I would take a strong look at whether this is something that you really should be doing. It's a different world out there right now.

I would recommend Veracode very highly, especially since the program management staff that I work with from Veracode are some of the best people that I've worked with in this industry.

Static code scan.

We have used the results of scans to train our people and make them more sensitive to security issues during development, although we haven't done any specific integration of Veracode into our software development cycle. Engineers are better trained, so we hope to see increased compliance with our security guidelines.

We do incorporate the suggested course of action from the Veracode report (AppSec best practices and guidance) in our best practices.

Also, our customers benefit from the fact that the application is more secure.

We use the results of the scan to identify vulnerabilities in the product.

Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.

No issues with stability.

Because our application is large, it takes a long time to upload and scan.

Based on limited usage, we are satisfied.

We did not have a previous solution. We picked this product because our partner (SAP) uses it.

Straightforward.

There are no directly measurable cost savings. We see security improvement as a key part of our product development.

When asked, we let our customers and partners know that we use Veracode and that we are happy with it.

Static code analysis for internally developed critical systems.

When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them. This has also lead to better overall code quality for the team, by pointing out some dated practices that needed updating.

We have required that our critical systems pass a Veracode scan prior to code being deployed into production. We also have included a step in the development stage to run specific code through a Veracode Sandbox to encourage better code quality, early on in the development lifecycle.

Veracode has helped us meet the requirements of our yearly external audits and has improved code quality, leading to less down time and less buggy code that users will encounter.

• Code analysis tool to help identify code issues before entered into production.
• Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production.
• Developer Sandboxes help move scanning earlier within the SDLC.
• The platform itself has a lot of AppSec best practices information, especially in the mitigation recommendation process. They have also offered cybersecurity e-learning for our team. 

The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes.

Also the Greenlight product that integrates into the IDE is not available for PHP, which is our primary language.

No issues with stability.

No issues with scalability.

We have rarely needed to use tech support, and when we have it has performed as expected.

Straightforward. Just add the applications in the portal and start scanning.

We don’t have the metrics to track specific dollars, but Veracode has saved us the cost of hundreds of employee hours by streamlining our vulnerability discovery process in legacy code, and by improving the quality of code released into production. 

As we support our organization's customer-facing digital channels by writing higher quality code, we have reduced the amount of bugs or downtime a user experiences using our systems. This saves in employee time and also increases engagement with our digital channels.

Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need.

Yes, but too long ago to remember which ones.

I would definitely recommend CA Veracode.

Just make sure you define a process for your developers prior to implementing the technology.

We use it for a lot of things and they're all primary: SAST, DAST, and Greenlight.

By using this product, we can point out not only any potentially insecure coding, but how to fix it. It's a requirement, a legal requirement. So we benefit by not breaking regulatory law.

SAST, DAST, and Greenlight are the most important features because today it's important for our regulatory compliance law to keep our product coding relatively secure.

For our rapid, secure DevOps cycle, we have integration of the Vericode API into our build tool, and Greenlight into our IDE.

I think they are doing pretty well. It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo. I think that's a real good idea.

No issues with stability.

No issues with scalability, other than making sure that our people know how to use it.

Excellent.

Never. I've been using it for 20 years. I tried others, like HPE's and IBM's, when I was with Visa, but this is the best.

I think it's simple, but sometimes it would help to have more training for developers to help them set it up.

I can't give you exact numbers, but it's a lot cheaper to do it sooner rather than later.

Pricing is worth the value. 

They didn't have products before this one. This one pre-dated them.

I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion.

We are a good customer and we had been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.

Dynamic and static scanning.

We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle.

In terms of AppSec best practices, it has made everybody more conscious about what they're trying to accomplish, because they know at the end of the release cycle we're going to be running scans. They basically need to make sure they adhere to all the rules.

Our customers have benefited from the added application security we offer because they're more confident that our software isn't going to expose their organizations to any risk.

The ability to run scans. It's a critical piece of why we use the platform. We use it to get our scan results and see where our software is vulnerable or not vulnerable.

It's part of our SDLC now.

The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.

No issues with stability.

Not that I know of.

I have not contacted tech support.

It seemed straightforward. I didn't actually do the work, but from what I was told, it seemed like it was fairly easy to get going.

I cannot give numbers on any cost savings related to code fixes since implementing CA Veracode in our development process.

It's worth the value.

We did evaluate other options, but I can't remember who we looked at.

I would be highly likely to recommend working with CA Veracode to colleagues. 

I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do.

Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.

To have a third-party analyze our code and make recommendations from a security perspective.

We do not pass our release without performing a static and a dynamic scan, and mitigating the flaws identified.

In terms of how our customers have benefited from the added application security of our applications, they are aware of our development process and it makes them comfortable that we have implemented industry best practices.

All the features provided by Veracode are valuable.

We use Ruby on Rails and we still don't have any support for that from Veracode.

The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity.

No issues with stability.

No issues with scalability.

The support is good but has room for improvement. Issues don't get acknowledged quickly, repeated updating is required.

The cost savings are the efforts that it would take to do this at a stretch if this was not implemented early on in our development cycle.

I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform.

WhiteHat.

We have made process changes and improvements, although Veracode is not tightly integrated into our CI/CD platform yet.

I am very likely to recommend to colleauges that they work with CA Veracode.

Static analysis.

It has allowed us to integrate with it through automated processes, which saves us a lot of time and effort.

Also, our customers benefited from the added application security assurance of our software, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester.

Static analysis scanning engine, because we need to do static analysis; that’s why we bought the product.

• Better APIs
• Reporting that I can easily query through the APIs
• Preferably, a license model that I can predict

It would save us time when integrating with the APIs. Difficult APIs are annoying to work with and we have to trial/error our way through the integrations. The more straightforward and friendly they are, the less we have to trial/error.

No issues with stability.

Aside from the licensing, no issues with scalability.

Good.

IBM Security App Scan. In looking at Veracode vs IBM Security App Scan, I switched because of the CI/CD offerings of Veracode.

The APIs are a bit nonsensical, but otherwise straightforward.

It has not really resulted in any cost savings related to code fixes.

The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune.

IBM, Coverity.

Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that.

The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides.

In terms of advice to others looking into implementing this project, I would say don’t use the UI, and do what you can to have license conversations up front.

It depends on the use case and budget, but I would recommend CA Veracode to colleagues.