Try our new research platform with insights from 80,000+ expert users
Ashish Upadhyay - PeerSpot reviewer
Founder at BlockMosiac
Real User
Top 5Leaderboard
Identifies vulnerabilities, reduces false positives, and offers very good support
Pros and Cons
  • "It's good at identifying security issues. It can pinpoint issues very effectively."
  • "The interface is too complex."

What is our primary use case?

We're a blockchain-focused company specializing in data, visualization of finance applications. So our main motivation was to use the solution for the defense of finance applications. 

We use it for security and the integrity of data. It helps us with the dynamic analysis of code to help prevent potential exploits. We are able to check for vulnerabilities before and after our products have been published. It's a very secure and reliable solution. 

How has it helped my organization?

It's helped us with organizational success by increasing our security success. It's helping us to optimize performance and enhance efficiency. The user experience has been very good. It's helped us to streamline our CI/CD pipeline. It's also helped provide our team with actionable insights. It helps us deliver a robust, efficient, high-performance product.

What is most valuable?

It's good at identifying security issues. It can pinpoint issues very effectively. 

The solution helps us build and maintain trust between users and partners.

It's specifically designed to be customizable. We can maintain robust and secure code.

We can easily identify vulnerabilities. Many others, like Microsoft, aren't able to catch certain vulnerabilities. This is much more effective.

I use a variety of features in the solution. Many can be integrated with various software tools. There are good scanning capabilities and data analysis features as well. 

We use the software bill of materials feature. It helps us manage our risks. We've seen dramatic changes in our risk posture. The detection of security incidents has increased.  We also have noted a faster time to market for our features by 40%. 

The compliance reporting has been very good. It's very easy. We can do it within a couple of hours. It helps us stay in compliance with standards and regulations. 

The visibility and transparency we get through static analysis, dynamic analysis, software composition, analysis, and manual penetration testing through our SDRC are excellent.

The false positive rate is very low. Using this platform, we spend way less time performing investigations. It helps improve our employee's confidence rate in managing the static analysis. We're saving about 50% of our time now that we have fewer false positives.

We are able to efficiently fix flaws. We've mitigated potential vulnerabilities by 50% and reduced incidents by 30%.

It's helped us save time. Most tasks are done with much less time needed.

After implementing the solution, we've seen a much better security posture. The security incidents and associated costs have lowered substantially. 

I'd reduced the cost of DevSecOps in our company by 40% to 50%.

What needs improvement?

There are various areas that could be improved, including better integration. 

The false positives can be lowered. 

The interface is too complex. The UI needs to be improved. They need to make the learning curve lower. They should include more guidance in terms of usage.

The cost is high for smaller organizations. 

Buyer's Guide
Veracode
November 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
817,234 professionals have used our research since 2012.

For how long have I used the solution?

I've been using the solution for six weeks.

What do I think about the stability of the solution?

It's a very stable solution. I'd rate the stability eight out of ten.

What do I think about the scalability of the solution?

We have not had any issues with scaling. It has a good amount of scalability for enterprises. It appropriately accommodates growing code. 

How are customer service and support?

The technical support is good. They have helped us a lot and their technicians are very knowledgeable. They are responsive and adaptable to our specific needs. They are committed to maintaining high standards. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used to use Fortify before using Veracode. 

Veracode is more mature in its scanning features. It also has better security. It's very easy to use and has good cloud elements. The SaaS model is better as well. It has bigger advantages for a smaller company looking for a more straightforward deployment. The framework and programming language are far better in Veracode compared to Fortify.

How was the initial setup?

The deployment, if it's straightforward, takes around three to four hours. We had two to three people setting up the solution. You would not need more than that. The deployment was pretty straightforward and easy. The implementation process was exceptionally positive. 

What about the implementation team?

They do have dedicated professionals who demonstrate a deep understanding of unique challenges. 

What was our ROI?

We have witnessed an ROI. We've noted a reduction in incidents, for example, and our company has witnessed a 20% growth in the time we have used it.

There is no maintenance required.  

What's my experience with pricing, setup cost, and licensing?

The pricing is okay for us, however, it can be high for others. it can cost more than $1000 per application which can be a lot for smaller companies. However, it is cheaper than Fortify. While it could be cheaper, it is worth the price. 

What other advice do I have?

I'm a customer.

While the pricing is high, it can improve a company's ROI.

It excels in providing robust vulnerability testing. It's great for app or web development, among other uses. Users need to make the most out of the product by taking advantage of their service and support.

I'd rate the solution nine out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Boyapati Sivannarayana - PeerSpot reviewer
Devops Engineer at Accenture
Real User
Good scanning, manages security risks, and prevents vulnerable code from going into production
Pros and Cons
  • "The deployment mode is very useful."
  • "The pricing is worth it."
  • "It's taking too much time to do a quality scan."

What is our primary use case?

We have data deployments for B2B and B2C with the product. Before we used a deployment center like Jenkins. We use it for backend content.

What is most valuable?

We've only used the solution for a year; it hasn't been that long.

The deployment mode is very useful.

We like that it can prevent vulnerable code from going into production.

We use the low-level elements and do greenlight deployment through Veracode.

It helps us manage our licensing and security risks. However, we are in the implementation process right now. So far, it's okay and working fine.

It's good that we can do a full code scan, front to back, or vice versa.

We mostly use the policy scan and vulnerability scan mostly. 

The security is okay.

What needs improvement?

The reporting can be difficult. It's not very easy.

It's taking too much time to do a quality scan. It hasn't saved us much time. Deployment was three or four months ago. We did a policy scan using a greenlight deployment. When we do the deployment in Jenkins, we can do it faster. In Veracode, it can take four hours or even eight hours.

We don't like how long it takes to do a deployment. It should deploy more quickly.

For how long have I used the solution?

I've used the solution for a year.

What do I think about the stability of the solution?

While there is no lagging or crashing, it takes too much time to deploy. 

What do I think about the scalability of the solution?

We haven't had any issues with scalability. That said, currently we are not scaling. Previously it was fine. Currently, we're not scaling. 

How are customer service and support?

Currently, we do not use support. We don't communicate with them. 

Which solution did I use previously and why did I switch?

We have used SAP and Jenkins in the past.

How was the initial setup?

The deployment takes too long.

I was not directly involved in the deployment of Veracode. I generally use Jenkins only.

Two people are typically involved in the deployment. 

Every week, on Friday, we put the servers down, and every Monday, we put them back up, to save on costs.

What about the implementation team?

The deployment is automated using Jenkins. We just need some parameters to deploy the code to the environment.

What's my experience with pricing, setup cost, and licensing?

The pricing is worth it. However, users need to go through the documentation first to get a handle on the implementation. Users might need the help of a support platform.

Which other solutions did I evaluate?

We did not evaluate other options before choosing this solution.

What other advice do I have?

I'm not sure how much visibility we are getting using the solution. 

The false positive rate we haven't really looked into. We need to learn more about it.

We are just end users, not partners. 

I'd rate the solution eight out of ten. 

It's a good idea to look at the documentation. Be very cautious when implementing servers.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Veracode
November 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
817,234 professionals have used our research since 2012.
Shashank Niranjan - PeerSpot reviewer
Senior Software Engineer at Capgemini
Real User
Top 20
Provides visibility into the application status at every phase of development which makes it easier for our DevSecOps to do their jobs
Pros and Cons
  • "Being able to scan our applications and identify all codes and defects is an extremely valuable feature."
  • "Scanning large amounts of code can be a time-consuming process and there is scope for improvement."

What is our primary use case?

We use Veracode for application scanning.

How has it helped my organization?

Veracode is able to prevent vulnerable code from going into production.

Veracode has helped us to identify the vulnerable code in our applications before we put them into production.

The solution allows us to ensure compliance with standards and regulations.

Veracode provides visibility into the application status at every phase of development which makes it easier for our DevSecOps to do their jobs.

I give a nine out of ten for Veracode's ability to identify false positives. The false positive rate has increased our developer's confidence.

Veracode has enhanced our capability to address flaws by identifying bugs that may not have been detected through static analysis data.

Veracode has had a positive impact on our organization by providing us with greater insight into our data.

Veracode helps our developers save approximately ten percent of their time by detecting code issues and enabling them to promptly fix bugs before releasing the information into production.

Veracode helps secure our private data which improves our overall security posture.

What is most valuable?

Being able to scan our applications and identify all codes and defects is an extremely valuable feature.

What needs improvement?

Scanning large amounts of code can be a time-consuming process and there is scope for improvement.

For how long have I used the solution?

I have been using the solution for nine months.

What do I think about the stability of the solution?

Veracode is stable.

What do I think about the scalability of the solution?

Veracode is scalable. We have between 300 to 500 users.

How are customer service and support?

The technical support is responsive.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used some open source solutions and the management teams decided to switch over to Veracode.

What other advice do I have?

I give the solution an eight out of ten.

We have Veracode deployed in multiple locations.

Maintenance is only required when updating the solution.

You should evaluate multiple solutions, but I suggest considering Veracode if it aligns with the organization's requirements.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Alice William - PeerSpot reviewer
Senior Web Developer at a insurance company with 1,001-5,000 employees
Real User
Top 20
Provides detailed visibility, prevents vulnerable code, and has great support
Pros and Cons
  • "We like the fact that all the issues are identified and that Veracode provides sufficient information on how to resolve them."
  • "Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it."

What is our primary use case?

We use Veracode to scan our websites at the beginning of the development process. When we are ready to launch a new application on the website, we upload it to Veracode for scanning. Veracode finds any vulnerabilities in the code and returns the results to us. We must then resolve all of the vulnerabilities and mitigate any risks before we can publish the application. We have also set up recurring scans, so that any time we release a new version of the same application, Veracode will automatically scan it again to ensure that we have not missed any vulnerabilities. We have been using Veracode for six or seven of our websites.

How has it helped my organization?

Veracode's ability to prevent vulnerable code from entering production is comprehensive and effective.

Veracode has been very helpful as a preliminary step to launching our products to ensure that they are secure. It has also helped our developers learn the security checkpoints that we need to follow so that they can code with security in mind.

It provides visibility into the status of our applications at every phase of development throughout the software development lifecycle. We heavily use the Veracode Greenlight plugin for Visual Studio to scan and check our code as we write it. Veracode also helps us to develop our applications securely. We have configured our QA websites to be scanned by Veracode so that we do not push anything into production that is insecure.

I recently encountered a Veracode false positive, but we immediately mitigated it on our end. Veracode also filed the case and will include it in their code to mark it as a false positive. We took action after that.

False positives are rare. Veracode provides us with enough information about the issue, so we can usually identify them as we go through the report. We are also learning from the issues and from Veracode itself. If a false positive is reported, it is fine and does not have a significant impact on us.

Veracode has been incorporated into our process, which helps us fix flaws. Whenever we develop external websites, we consider the code, the scanning, and everything else involved. This ensures that we are prepared and have enough time to receive the scan results and fix any issues. We have essentially incorporated this into the lifecycle of our project, which I believe is very valuable.

What is most valuable?

We like the fact that all the issues are identified and that Veracode provides sufficient information on how to resolve them. This is very helpful if we need to troubleshoot problems ourselves, as we have plenty of information at our disposal. Additionally, we appreciate the option to request a consultation directly from the issue itself. Whenever there is a problem, there is a small button that says "Reach out to a consultant." We can then schedule a call with a consultant who can help us resolve the issue.

What needs improvement?

Veracode provides us with some usage metrics. These metrics are based on the number of times we use Veracode, which is tied to our static scans. We only use static scans when we make changes to our code, and we have a part of our pipeline that runs the Veracode scan whenever we make a change or deploy the code. However, we don't deploy code very often because we have 20-30 websites in our company and we don't dedicate a lot of time to each individual website. So, when we do make changes, we will run the scan because it's part of the pipeline, but this has been affecting our usage metrics. We're not sure why Veracode's usage metrics are designed this way, but maybe they can provide some insight. We use these metrics, but we're now thinking about getting different metrics from Veracode. I started looking into setting up some dashboards myself so that we can have our own dashboard and statistics, such as how many flaws we've resolved in the past six months or how many issues we've identified when we're deploying a new website. We're more interested in these types of statistics than in how many times we're using Veracode because fixing flaws is the value that we're getting out of Veracode. Maybe setting up a new dashboard would be helpful, but that's something that Veracode can provide clarity or insight on.

For how long have I used the solution?

I have been using Veracode for four years.

What do I think about the stability of the solution?

Sometimes, the scans halt or drop for some reason, and we need to get help from Veracode to fix it. However, this is not a major issue.

How are customer service and support?

I opened a support ticket to use Veracode's consultant feature. When the consultant called me, the consultation was very smooth and easy. He had already reviewed the flaw that I had mentioned, my description of the issue, and the issue itself. He was able to provide good insight and help me resolve the issue quickly. I have done this a few times before, and the consultants are always well-prepared and give me all the suggestions I need. They already have a lot of information on their website, but they also go above and beyond by providing additional information and specific instructions when I schedule a consultation call. They have been very helpful in the past.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment was straightforward. Three people were involved in the deployment.

What about the implementation team?

The implementation was completed in-house.

What other advice do I have?

I would rate Veracode nine out of ten.

Veracode has a bit of a learning curve to get used to its different modules, such as our integrations, APIs, and our policies, as well as getting insights. However, my experience is that once everything is set up and scanned on the website, I really like the process of reviewing the flaws that Veracode lists and responding to the resolution steps that it provides. I also appreciate the ability to set up a consultation call and have the issue resolved. I think these are the steps that I really like, and they are helpful to me as a developer. Veracode helps me to learn about security considerations first and foremost, both while creating an app and after, and that has been a good experience for me.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Sr. Development Manager at RWS Holdings PLC
Real User
Top 20
We're finding fewer and fewer issues through external security scanners or penetration testers
Pros and Cons
  • "It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors because. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you are using libraries with vulnerabilities."
  • "Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row."

What is our primary use case?

Veracode is part of our overall security program. We use it to scan our daily build pipelines and all our fielded releases. The primary features we use are static application security testing and software composition analysis.

We analyze third-party libraries for known vulnerabilities and taking action. Veracode is also part of our release procedure. We put the artifacts from the record and attach them to the release documentation to provide our customers with those documents if needed. 

How has it helped my organization?

Veracode has improved our product because we're gradually finding fewer and fewer issues through external security scanners or penetration testers. It plays an important role in the continuous integration quality assurance chain. We started using Veracode when it was supporting a 2017 standard. When the security standard changed to 2021, we received new issues. 

We adjusted the policy and no longer have any medium-priority issues in our scan results. It has increased the quality of our security while enabling us to pass the two historical standards and maintain compliance. We have analyzed and cleaned up several thousand issues since we started using Veracode. 

We use our internal policies for the WAF Security Standard, but it isn't an industry-wide policy. We do not use PCI DSS, etc., but it shouldn't be a problem to comply with that stuff. For example, PCI DSS isn't applicable to our case because we aren't managing any credit card data, working with medical devices, or doing anything involving the military. Some standards aren't applicable. 

Veracode offers visibility into vulnerabilities at every step of the pipeline. Every night, we build source code and mark everything that was merged during the day. We check those reports once weekly and correct some issues that were detected. For software composition analysis, it's even easier because every time the record updates, Veracode sends emails to the security team. It also makes me aware of some newer capabilities in software composition and analysis. 

It showed us a lot of flaws in various parts of our product and helped us visualize a lot of issues that we previously didn't know about. We had static code analysis, which is a bit different than Veracode. We were using a static code analyzer from Visual Studio, and it was mostly about development best practices. When we started using Veracode, we realized there were more problems that static analysis alone wasn't catching. It's an excellent tool for showing the vulnerabilities in your software. 

It helps us save time and effort for a portion of our production. For example, if  you're scheduling to release product improvements in the spring, you don't want to fix anything after it goes into production. From that perspective, fixing things before the code is released saves us time. It also protects our reputation because fewer issues enter production. 

It sometimes saves our customers some time because they don't need to perform their own secret analysis because we've already analyzed the product and can provide them with the results much faster. 

What is most valuable?

It's hard to say that any single feature is the most essential. There are many errors and vulnerabilities in software today in the standard libraries for different vendors because. We don't need to reinvent the wheel every time because we're using standard libraries, and it's important to know that your security isn't compromised because you use libraries with vulnerabilities. 

We use Veracode as a quality gate. We do not do continuous delivery or continuous deployment. We're releasing about twice a year, so we use it as a quality gate in this situation. We should analyze various types of patch software. From my observations, it has been an excellent tool so far. We also have an external penetration testing effort, and the testers have not found any issues, so that tells us that Veracode has been successful at preventing issues from entering production.

I use the software bill of materials. Our product consists of many systems and components and redundancies that must be processed manually. We are in contact with the Veracode guys, and I think the next release will have this software bill of materials added. It isn't a problem with Veracode. It's a problem with the way we upload and build sources. In the implementation stage, we want the results as fast as possible, and we've done it in a way when we upload. It can be optimized when we upload it to Veracode. 

What needs improvement?

Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. 

The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row.

In our project, we use a lot of limited packages that link to another library, and there may be issues in those reference libraries. For example, one library might be referenced by several Google packages. When it shows you a vulnerability in one library, you will not see the issues in all libraries. We've discussed the issue with the Veracode team, and they investigate a way to fix this. Hopefully, it will not be an issue. 

For how long have I used the solution?

I have used Veracode for several years. I've led our product toward Veracode standard certification.

How are customer service and support?

I rate Veracode support eight out of 10. We had to contact support several times in the early years about a licensing issue we faced. We had some false positives in the licensing report from Veracode, so we raised a ticket with the support team, and they resolved it relatively quickly. We have regular meetings with a dedicated representative from Veracode, but we also get help from our colleagues on staff. At the moment, I'm happy with their support. They provide us with the necessary level of quality.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used SonarQ, but it's somewhat different because it's a pure static code analysis tool. Veracode has a stronger focus on web security, and we produce a web-facing product, so that's important to us. SonarQ is strictly a static code analysis tool. 

How was the initial setup?

Veracode's setup was pretty straightforward, but there were a few challenges integrating it with our continuous integration system because there are lots of components. We wanted our source code scanned daily, so we had to change our build process. It's a bit tricky getting it to work with various parts of our solution. Our product is too complex, and there are lots of applications and flavors.

We did it ourselves because we have sufficient expertise. We're still tuning up our build process and reports. They have comprehensive documentation. We had help from Veracode support, who answered our questions about integrating the solution with our software. It was mostly building and tuning a little to build our software in debug mode and deploy it back into our cloud.

What was our ROI?

We can measure our ROI in the amount of issues we discover and remedy. From a quality control perspective, a problem is more expensive if a customer reports it. If we take price into consideration, we've decreased the net cost of security because we're receiving fewer issues from our customers. You must also consider the reputational cost if the customer needs to implement the fix. 

If we find the issue after the fact, we need to provide our customers with the fix, and that may require some additional processes on the customer side. However, it's hard to calculate how much money it saved us.

What's my experience with pricing, setup cost, and licensing?

We are not using the licensing much because we have a strict internal licensing policy. We mostly avoid GPL licenses and their flavors. Managing the licenses can be tricky. Sometimes you add a library and build some functionality around it, so it may cause some problems to remove it from its source. 

Cost is an issue at every stage because you need to evaluate what you're spending and what you expect from the project. You should use common sense and clearly understand the pros and cons. It's hard to say whether the solution is cheap or expensive because it depends on your company's needs. Some companies need Veracode for compliance requirements, and it doesn't matter how expensive it is. It's costly, but it's the best in the industry. You can get something that does the job but it's like a car. You might buy a clunker for a few hundred dollars or an Infiniti for a hundred thousand. 

Which other solutions did I evaluate?

We tried another solution before we started using Veracode. I believe it was HCLAppscan.

What other advice do I have?

I rate Veracode eight out of 10. You should evaluate at least two vendors based on the company's needs. A host of issues need to be addressed, and it's a significant task. Veracode shows you many issues, but you must develop processes to address them. It was impressive when we first scanned our sources and found a thousand, but we had to develop compliance policies to deal with them. My advice is to not make the policies too strict. For example, you can start with high-priority issues. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Technical Architect at Orange España
Real User
Top 5Leaderboard
Identified security loopholes and gives our developers confidence in their code
Pros and Cons
  • "It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well."
  • "There should be more control for administrative users so that we can add and delete any functionality or module within the platform. We should not have to reach out to Veracode's customer support every time. We should be able to customize our modules."

What is our primary use case?

Veracode is being used to check our application source code, whether it is working well or not, and to track changes in the code from different developers and engineering teams.

How has it helped my organization?

It flags the vulnerabilities in your source code before going to production, as well as when code does not meet compliance. It provides a report on which areas in the software have issues so that we can make measurable corrections.

Our DevSecOps people are now very happy because before, we had no solution with these kinds of functionalities. It minimizes our work in doing static analysis manually because Veracode is now doing the job. Our team has been minimized in terms of headcount and the overall time it takes because it has automated all the static analysis. Earlier, we had hired two or three members just to do analysis of the source code. Veracode has saved us on those costs. We have seen a positive return on investment with organizational savings of 15 to 20 percent. Overall, it has been a good experience, maximizing the efficiency of our developers.

And now, our developers are not concerned about security flaws when code is deployed in production. We have a different development environment in which we are running our code from testing to production and Veracode provides our team the functionality to do that analysis in one go.

And when it comes to our security posture, Veracode has identified security loopholes, giving us detailed reports on vulnerabilities. It gives our developers confidence and provides summary reports of the vulnerabilities and security flaws to our clients as well as to us.

What is most valuable?

Among the most valuable features are that

  • its overall user interface is good
  • the static scanning process is wonderful
  • it analyzes vulnerabilities in your source code, which is very helpful
  • it explains very clearly about the vulnerabilities that we have in our code, in terms of security and compliance.

It has the ability to statically scan your source code before it goes to production. It can be scanned within your testing or development environment, and that is very useful. And good explanations of all the vulnerabilities in your source code help take care of those issues in future code implementation as well.

Veracode also has built-in functionality called the Software Bill of Materials. It is very useful if you are arranging the details regarding all your bills of materials within your code and your licensing. Using SBOM it is very easy to create reports. You just click on it and you can easily extract a report.

Veracode provides regular updates to the platform, updates that support rapid changes in technology and our development practices. It provides SAST analysis in the pipeline very quickly so that we can easily identify issues. It can also integrate with different pipelines, DevOps tools, and platforms. It is a highly efficient tool in terms of security vulnerabilities and reporting on them.

It provides an easy way to track flaws, tying them together with an explanation. There is an easy-to-use plugin for Visual Studio for the validation of code without having to do a complete, separate scan. It has the functionality to scan IDE methods.

For compliance reporting, you can configure your organization's data privacy policies and your country's policies. If those policies are breached, it provides you notification that something is not meeting the policies that you have set, so you can easily identify those cases and take corrective measures.

What needs improvement?

There should be more control for administrative users so that we can add and delete any functionality or module within the platform. We should not have to reach out to Veracode's customer support every time. We should be able to customize our modules. 

Also, the analytics reporting should be improved. It should provide bar graphs and full visualizations so that people who are not as technical can understand things.

For how long have I used the solution?

We have used Veracode for more than three years.

What do I think about the stability of the solution?

It is stable. Many Fortune 500 organizations are currently using it. There is no issue with stability.

What do I think about the scalability of the solution?

It is scalable.

It is used by our North American region, EAMA, and Asia-Pacific, with 40 to 50 users.

How are customer service and support?

Their overall support and services are good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have used Armor, as well as a tool from Palo Alto. We switched to Veracode because of the product's stability, the community it has, the vendor services and support, and because it has the functionality that we required.

How was the initial setup?

The initial deployment was quite easy. All SaaS solutions are quite easy to implement, understand, and deploy. That is the core advantage of SaaS and cloud-based solutions.

Veracode doesn't require any maintenance. It is fully updated by Veracode.

What about the implementation team?

We worked with Veracode, without any third-party vendor involved. Their solution and architectural team, and their product demos team, gave us good product demos, and we had a chance to evaluate Veracode before fully implementing it in our organization.

On our side, it involved seven to eight people, because we have multiple applications and multiple source codes.

What was our ROI?

We have seen return on our investment in Veracode because security is a major issue and, before deploying source code into production, we need to make sure it is clean with no security flaws so that no issues are raised by customers.

What's my experience with pricing, setup cost, and licensing?

There are no setup or implementation charges. They offer a free trial and free consulting services. That was the first impression it made and something we liked about the Veracode. 

The price depends on your requirements, your source code sizes, and how complicated your source code is. Prospective buyers should understand their requirements when it comes to source code and data size first, and how often they require security analysis of their source code.

What other advice do I have?

Overall, Veracode's false positive rate is good. In some cases, we have found some issues with reporting those kinds of flaws. It might be that the false positives were due to the wrong policy configuration in Veracode, but that was resolved with the help of their customer support.

I would recommend it because security should be a priority for any organization. Go for a trial and, if it fits all your needs, go ahead with it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Vikas Agrawal - PeerSpot reviewer
DevOps Lead at HealthEdge Software, Inc.
Real User
Top 20
We have fewer vulnerabilities and bugs, and we get security information daily
Pros and Cons
  • "The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline."
  • "We connected with Veracode's support a couple of times, and we got a different answer each time."

What is our primary use case?

We use Veracode for SAST and SCA. We are moving towards dynamic analysis as well. We use it now to scan our artifacts and reports, and very soon we are going to use the Veracode plugin for our IDE to have immediate results for security analysis purposes.

How has it helped my organization?

Before integrating Veracode, we were getting so many security vulnerabilities on higher branches. We integrated it to fix that. It prevents vulnerable code from going into production. We have fewer vulnerabilities and bugs.

We are getting the security vulnerability results on a day-to-day basis. Our pipeline is running every hour, and we are getting early feedback, giving us a shift-left approach. On a daily basis, we are able to rectify issues rather than find them in production or pre-production.

It provides visibility into application status at every phase of development. We have our initial feature branch, or low-level branch, and then we commit. The pipeline is running, so we will know about things immediately. This is quite valuable for us.

What is most valuable?

The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline.

Another aspect that is quite good is the policy reporting for ensuring compliance with industry standards and regulations. Initially, we were using freeware tools, but we are quite impressed with how Veracode gives the most detailed and latest vulnerability and security information.

For how long have I used the solution?

I have been using Veracode for almost a year.

What do I think about the stability of the solution?

It's a stable solution. There are no problems. The stability is a seven or eight out of 10.

How are customer service and support?

We connected with Veracode's support a couple of times, and we got a different answer each time.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used to use Snyk and other tools. The switch to Veracode was an enterprise-level discussion, and I was not involved.

What was our ROI?

It took some time to see the benefits, around six to eight months.

What other advice do I have?

Although Veracode doesn't scan source code, only binary code, I'm not concerned because we can scan the source code with an SCR tool.

Veracode hasn't yet helped our developers save time. Their development time has increased because, initially, we were only taking the security and vulnerability issues on the higher branches. Now it is on lower branches as well, so the development time has increased. In the local branches, if a report indicates something has not passed, we are not allowing them to merge their code into higher branches.

We have it deployed in a multi-cloud and hybrid environment. We are using AWS, Azure, and VMware vSphere.

Overall, I would recommend Veracode. It is quite helpful.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Alex Fuglaar - PeerSpot reviewer
Manager at a financial services firm with 1,001-5,000 employees
Real User
Top 10
Good visibility and policy reporting with the ability to help developers save time
Pros and Cons
  • "The product’s policy reporting for ensuring compliance with industry standards and regulations is great."
  • "It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas."

What is our primary use case?

We were looking into compliance. I'm a consultant, and we're looking at it from the perspective of using Veracode to ensure that the organization we were consulting for was meeting its compliance expectations.

How has it helped my organization?

The solution has helped to improve the time to identify and remediate vulnerabilities that come from software - mostly through the static code analysis tool - as well as the ability to effectively communicate why the vulnerabilities are important.

What is most valuable?

The feature I've used the most is the static code analysis. It was incredibly easy to start using. As a new user, there wasn't a lot of lead time to understand the software work. It was also very easy to communicate the vulnerabilities that Veracode found to the engineering teams that needed to remediate the issues.

We have used the software bill of materials. This feature is good for helping us manage your supply chain, security, and licensing. That comes into play a lot when we are working with federal contracts where certain materials or processes are not allowed within contracts with the federal government. We would use that to ensure that the software itself is compliant. It is easy to create these reports using this feature.

The product’s policy reporting for ensuring compliance with industry standards and regulations is great. It took its own compliance quite seriously, which is something I always look for when dealing with the vendor. There are certain vendors out there that aren't as serious about their own security. I was comfortable with what the product was doing.

Veracode provides visibility into application status at every phase of development throughout your software development life cycle. It definitely improved the efficiency of it. One of the key things Veracode can do is it can rank the vulnerability defined based on the severity. That allowed us to hone in on what was the highest vulnerability and then work our way down. Therefore, it definitely improves the efficiency of those operations.

Veracode's false positive rate, as far as I remember from my experience, wasn't that bad. Usually, what it will do is it will identify a vulnerability, and then it will explain why the vulnerability is important, and then through those explanations, the engineers and I were able to see if something is an issue or if it is a false positive. When it comes to eliminating false positives, you're never going to have 100%. While it did introduce a little frustration, what did remediate that was the explanations that the software provided.

The false positive rate affected the time we spent on tuning these policies somewhat, however, it wasn't too bad. It wasn't anything to complain about.

For the clients I work with, it has a significant impact on improving the ability to identify and then fix flaws. The tool itself does offer strategies to remediate the efforts if, for whatever reason, the engineering team doesn't understand how best to approach them. Usually, they do, however, it is nice that they offer that service.

Veracode helped our developers save time. From my experience, what would normally take two days we're able to get done in an afternoon. That allows our team to work on more efficient work and more impactful work.

The product has had a positive experience on the overall security posture of our organization. It has definitely improved it. Hands down, it is easy to say that the solution has had a positive impact on the security posture of the organizations I consulted for.

Veracode reduces the cost of dev backups. That said, it's hard to put a number on it. It reduces the dev set time and the work they do can then be allocated effectively to other items. 

What needs improvement?

It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas. That way we could use it on higher level contracts. That would be a good business opportunity for the solution.

For how long have I used the solution?

I've used the solution for two years. 

What do I think about the stability of the solution?

I've never run into any stability issues. I haven't heard of anyone else running into any either. 

What do I think about the scalability of the solution?

The solution is highly scalable. We did run quite large programs through Veracode, and we also ran quite small programs through it too, and we didn't encounter any issues in either case.

How are customer service and support?

I've never needed to contact technical support. 

Which solution did I use previously and why did I switch?

I cannot recall working with other solutions. I do have experience with a more traditional way of looking at code and identifying errors. That's where this product came in with the ability to just automatically catch those errors.

How was the initial setup?

I was not involved in the deployment of the solution. It doesn't require any more than ordinary maintenance. That's not a big concern. 

What was our ROI?

I have witnessed an ROI while using the solution. It positively impacts our team's ability to get their job done, which reduces strain on employees and therefore reduces employee turnover, which, given the severity of the skill set that we look for, is incredibly impactful for us.

What's my experience with pricing, setup cost, and licensing?

It does pay for itself given the pricing structure. Of course, the pricing structure changes based on the sales deal, et cetera. It definitely had a positive impact on the organizations we used it with. Financially, it does make a solid business case for itself.

What other advice do I have?

I'd rate the solution ten out of ten. 

Potential new users should ensure that they take into account the amount of time their teams are spending on dev setups and consider what other work those people could be doing that might be more meaningful - rather than physically looking through code. Veracode has the ability to improve a team's operations as well as an employee's efficiency with doing complex work. Companies definitely need to consider how efficient their team is and consider what this tool could do to improve that.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2024
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.