Veracode Reviews

To have a third-party analyze our code and make recommendations from a security perspective.

We do not pass our release without performing a static and a dynamic scan, and mitigating the flaws identified.

In terms of how our customers have benefited from the added application security of our applications, they are aware of our development process and it makes them comfortable that we have implemented industry best practices.

All the features provided by Veracode are valuable.

We use Ruby on Rails and we still don't have any support for that from Veracode.

The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity.

No issues with stability.

No issues with scalability.

The support is good but has room for improvement. Issues don't get acknowledged quickly, repeated updating is required.

The cost savings are the efforts that it would take to do this at a stretch if this was not implemented early on in our development cycle.

I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform.

WhiteHat.

We have made process changes and improvements, although Veracode is not tightly integrated into our CI/CD platform yet.

I am very likely to recommend to colleauges that they work with CA Veracode.

Static analysis.

It has allowed us to integrate with it through automated processes, which saves us a lot of time and effort.

Also, our customers benefited from the added application security assurance of our software, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester.

Static analysis scanning engine, because we need to do static analysis; that’s why we bought the product.

• Better APIs
• Reporting that I can easily query through the APIs
• Preferably, a license model that I can predict

It would save us time when integrating with the APIs. Difficult APIs are annoying to work with and we have to trial/error our way through the integrations. The more straightforward and friendly they are, the less we have to trial/error.

No issues with stability.

Aside from the licensing, no issues with scalability.

Good.

IBM Security App Scan. In looking at Veracode vs IBM Security App Scan, I switched because of the CI/CD offerings of Veracode.

The APIs are a bit nonsensical, but otherwise straightforward.

It has not really resulted in any cost savings related to code fixes.

The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune.

IBM, Coverity.

Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that.

The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides.

In terms of advice to others looking into implementing this project, I would say don’t use the UI, and do what you can to have license conversations up front.

It depends on the use case and budget, but I would recommend CA Veracode to colleagues.

Scalability and its optimization of security inspections. At the end of the day, I like the fact that it is all prim. It does not require a lot of support on our side. We get the benefit of security inspections and it scales with our community, which is global. 

It has the ability to scale, and the fact that it doesn't produce a lot of false positives.

Number one, I need analytics, analytics, and more analytics. It is all about risk based management and better decision support, that is why. 

It is rock solid, we have used it now for seven years.

On a scale of one to 10, I would give it an eight. 

We had no previous solution. We didn't know we needed to invest in Veracode. It worked out that way through our evaluation process that it was the right solution for us.

I never give 10s. I would give it a nine. It does nearly everything, but penetration testing. It covers such a broad breadth of our portfolio. In our business, we have applications written in so many different languages. Finding something that can consistently scan and not generate false positives across the paradigm or the whole ecosystem of languages, that is impressive. It is speed of inspection, the accurateness of the inspection outcomes, and frankly, it has fairly good business analytics embedded on the platforms. So, it does a lot more for us than not.

Software security, static code scanning.

It has performed very well.

The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future.

It helps us gain confidence that the applications we're putting out in the hands of millions and millions of people have that industrial-strength quality to them; that we don't need to worry about as much as we used to. 

• Completeness, comprehensiveness
• speed
• ease of use

We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we don't assume anything about what those people might already know, or need to know. It just makes it very useful for anyone who has to engage with it.

I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline.

Three to five years.

Stability has been great. I've never seen any downtime, in four years.

We went from 50 applications in 2015, we're now up to over 400. There seems to be no limit on how quickly it can scale and operate.

They're outstanding. Best in class. Absolutely. They bend over backwards to help us. We'll come up with questions and within minutes, we'll get answers. It's amazing. It's truly amazing.

It was very straightforward. Veracode was very helpful, hand-holding - anything that we needed - they were right there and made it very simple.

We had been evaluating various different types of source-code scanners. It was a fundamental element of the program and we knew we had to have the best one that would meet a wide variety of applications: development, apps, as well as a wide variety of geographic dispersion of the people writing these apps. 

We had IBM, we had Fortify, we had PMD, and there was one other scanner at the time that we were evaluating. Veracode came out on top, in almost every category.

By using a cloud-based scanner, we really had no issues with where the developers are geographically located. So we didn't really have setup problems at all. It just kind of happened, and scales fairly naturally, organically.

The most important criteria when selecting a vendor are

• reliability
• customer service.

Take advantage of all of the help that Veracode provides, for implementation, operations, and maintenance, because they absolutely know what they're doing.

The primary use case is application security and application security testing, specifically static and dynamic analysis, and software composition analysis. It has performed excellently.

The benefits are the fact that it identifies our vulnerabilities, and it has improved us by allowing us to pull everything to the left in agreement with our SDLC and with our developers, and have them not only get buy-in because they can run sandbox scans that allow them not to generate metrics, but also run policy scans where we identify what the policy is and what is acceptable. So, it has helped us secure our company and our applications.

1. The ability on static scans to be able to do sandbox scans which do not generate metrics.
2. Gives us every vulnerability that has been identified, so there is no human intervention. Therefore, we can actually look and prioritize our own vulnerabilities as opposed to having someone else try to get in between.

I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams. We would be able to scan our applications, identify the vulnerabilities, not generate metrics, which would allow the teams to address the vulnerabilities earlier in the cycle, and then have cleaner scans later on.

Also, I would maybe like to see a better report engine.

It is extremely stable.

So far, extremely scalable.

We do have ongoing technical support. We use them more as a backstop. My team handles most of the calls and issues that any of the developers might have. 

CA support has excellent time frames. They are knowledgeable and get back to you with an actual solution, which is always a plus.

The initial setup was very straightforward.

1. It is SaaS, so we did not have to install anything locally.
2. We were able to give our privileged users better roles because it is role-based, and to do multi-factor authentication. All we have to do, once we set up our trust relationship, we have single sign-on and we white-listed everything. So, it is everything that we wanted from a security point of view, and it is easy to roll out.

PoC is in progress.

• Application testing
• False positives challenges
• Wide range of platforms and technology assessments

It needs to reach the level of Checkmarx's and Fortify Software's capabilities and service levels, or may further loosen the market share.

No.

No.

Customer Service:

A three out of 10.

Technical Support:

A two out of 10.

Quality levels, service offerings, pricing, and mainly the features and abundance of technologies provided by others made us switch to a different solution.

In-house.

The pricing is pretty high.

Yes. Checkmarx, SonarQube and Fortify Software.

We used the application for the web. Static, dynamic, and manual scan features were all very useful for us. All of them helped us fix many security flaws.

It made us change our approach to coding. We tried to make sure our application stayed secure and safe.

The current features were enough for us. Although reports are well documented, it was difficult for us to understand them at first.

We have been using the solution for about a year.

We did not encounter any issues with stability.

We did not encounter any issues with scalability.

We didn't use the technical support, so I can't comment on this question.

We did not use a previous solution. This was the first security application we used.

It was very easy to setup. Everything on the website was clearly explained.

I don't know about the prices.

We did not evaluate any alternative solutions.

If it's the first time you are using a security application, be ready for some new tools which you will require you to revitalize the flaws reported.

Reports are very well documented. Once you understand what it means and you get used to it, you will see that it is detailed and clearly explained.

Allows developers to run their own scans.

Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.

I would like to see the following:

• Correction of the regularly received false positives
• Options to manage comments and mitigations
• Better UI functionality

We have used this solution for a year.

A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.

There have not been any scalability issues yet.

I would give technical support a rating of 8/10. At times, we have not seen the best support in terms of issues faced during a scan.