We changed our name from IT Central Station: Here's why
reviewer1360617
Sr. Security Architect at a financial services firm with 10,001+ employees
Featured Review
Real User
Top 20
Gave us much higher quality dynamic scanning with very few false positives and a robust static scanning solution
Pros and Cons
  • "Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
  • "One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."

What is our primary use case?

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

How has it helped my organization?

Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.  

Our Veracode license includes a "people component" that allows developers to request an in-person session to be scheduled to review a defect. This has helped our application security personnel pool to free up time for other pursuits. I'm not sure if this is included in all licenses or is an add-on.

What is most valuable?

Being cloud-based is a huge plus. All of our scans are always using up-to-date scan signatures and rules, and there is nothing for us to maintain.  Veracode has been spot-on with notifying about planned downtimes for maintenance and upgrades.  In my years of using the product, unplanned downtimes have been minimal (in fact I can't remember one.)

The API integration that allows integration with other tools, such as defect trackers and automated build tools, is also a benefit. We also like the integrated, available "in-person" support sessions to review and ask questions on discovered defects.

What needs improvement?

We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen.  This ended up being relatively minor.  

One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive. 

Separately, I find the results console somewhat confusing.  When you are running multiple scan types for the same application, I've sometimes found it difficult to sort out where issues came from when I need that information.

For how long have I used the solution?

We have been using Veracode for over four years.

What do I think about the stability of the solution?

Our solution is highly stable with minimal downtimes.  (In fact I don't recall the last time there was an unplanned Veracode cloud outage that impacted us.)  We previously had occasional issues with the scan appliance model, but the relatively recent switch to the ISM model has been much more stable.

What do I think about the scalability of the solution?

Given that is is cloud based, coupled with their newer app-based internal scan model, we are pleased with the scalability and have not experienced any issues with scale.

How are customer service and technical support?

As mentioned in prior comments, Veracode is simply put our best vendor in terms of relationship, value-add, and customer service/technical support. We get responsive answers from support, and their support resources clearly understand the product, and issues are resolved quickly.

Which solution did I use previously and why did I switch?

Yes. We used a legacy, heavyweight dynamic scanning product. It would produce hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune. We also didn't have a static scanning product. Moving to Veracode gave us much higher quality dynamic scanning with very few false positives (in part due to their model of human-assisted tuning, provided by them) and a robust static scanning solution.

How was the initial setup?

The setup was easy and straight forward. We had some issues with API calls from our build automation tools, but this was related to networking issues in reaching the Veracode servers on the Internet, not the Veracode product itself.

What about the implementation team?

We implemented with all in-house resources.

What was our ROI?

We achieve greatly improved security, earlier detection of security defects in the lifecycle, and as well as neatly meeting compliance requirements.

What's my experience with pricing, setup cost, and licensing?

For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.

Which other solutions did I evaluate?

Checkmarx and SonarQube.

What other advice do I have?

Of all the tools vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Project Manager at a computer software company with 501-1,000 employees
Real User
Comprehensive features and good integrations but needs better documentation
Pros and Cons
  • "It's comprehensive from a feature standpoint."
  • "The reports on offer are too verbose."

What is most valuable?

The SAST feature is the most valuable aspect of the solution.

The stability has been quite good overall. The performance is reliable. 

The scalability on offer is good. I don't see any constraints.

From a usability standpoint and the way it can be integrated into the pipelines, etc., it's very good.

It's comprehensive from a feature standpoint. 

What needs improvement?

The reports on offer are too verbose. They might want to consider t restructuring their reports to better give a very good summary or overview in the first five or so pages and then go ahead and drill into the details of each and every vulnerability beyond that.

The documentation could be improved. They could, for example, provide more details in terms of how to fix issues related to sign-ups. There isn't enough detailed information out there to assist users.

For how long have I used the solution?

I joined this company very recently. Therefore, I've only used the solution for a few months. However, this company has used Veracode for at least the last two to three years. They've had it for a while.

What do I think about the stability of the solution?

The stability overall is quite reliable. There are no bugs or glitches. It doesn't crash or freeze. Its performance is very good.

What do I think about the scalability of the solution?

The solution can scale well. If a company is considering expanding, it should be able to do so without issue.

We do have a limited amount of users on the solution right now.

How are customer service and technical support?

I've never had a need, up to this point, to reach out to technical support. I haven't really come across any technical issues during my short tenure with the product. Therefore, I can't speak to how helpful or responsive they are. I don't have any insights I could share. 

How was the initial setup?

We have a few team members that specialize in the solution.

Our team handles the maintenance of the solution.

What's my experience with pricing, setup cost, and licensing?

I don't have enough information to be able to comment on the cost of licensing the product. That's more of a sales question. I don't handle any aspect of that part of the solution.

What other advice do I have?

We are customers and end-users. We don't really have a business relationship with Veracode.

I'm more from the performance testing side of things. I've just added the security testing to my list of responsibilities recently.

We're using a mix of deployment models. We use both on-premises and cloud deployments. 

It's a good tool. I've done some comparisons with both SAST and DAST. It gives us this end-to-end sort of feature that we appreciate. Therefore, rather than you doing SAST with one tool and DAST with another tool, I prefer going with Veracode, which offers both. 

You can learn both static and dynamic scans with a single tool. You could effectively negotiate a price and do that. If you got some simple apps, from a CAC standpoint, I'd recommend folks to use Veracode.

I'd rate the solution at a seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Riley Black
Senior Security Analyst at a wellness & fitness company with 1,001-5,000 employees
Real User
Increased productivity, helped build and improve security and development departmental relationships
Pros and Cons
  • "Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."
  • "Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"

What is our primary use case?

Veracode is a cornerstone of our Development Security Operations Program, particularly scanning automation and remediation tracking.

We've been able to monitor the release cycle and verify our Security Standards are met by setting policy and ensuring scans are taking place. If a scan fails to meet our standard the build breaks and the flaws are remediated before releasing to Stage and ultimately Production -  where the potential impact is much more costly. 

We have discovered opportunities to make our code even better thanks to Veracode!

How has it helped my organization?

Veracode has improved our Application Security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level. 

Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence.

In many ways, Veracode has increased productivity, helped build and improve security and development departmental relationships as well as enabling developers to consider and care about application security. 

What is most valuable?

Greenlight - Developers can test their code before they commit. They are able to privately scan their code and correct any mistakes before it is committed into the build and scanned with the other components.

SAST - During a build process, we have integrated the Veracode Static Scanning (SAST) component which provides an excellent first glance at the code moving through environments.

SCA /SourceClear - Veracode SCA / Source Clear has given us excellent visibility into potential vulnerabilities found in third-party components, packages, frameworks, and libraries.

What needs improvement?

Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk. Right now I have to jailbreak an iPhone and Root an Android to intercept and fuzz requests with a Burp Suite Proxy.

That is a very time-consuming process and there are lots of dependencies. It would be very helpful if we can upload and .ipa or .apk into a Veracode simulator, provide credentials and run a Dynamic scan accordingly. Fuzzing functionality on API resources, HTTP Methods, and Parameters would also be very useful in testing our Web and API Application Firewalls, response pages, and other WAAF actions.

For how long have I used the solution?

I have been using Veracode for about two years now.

What do I think about the stability of the solution?

It seems to be very stable, no problems thus far.

What do I think about the scalability of the solution?

It has lots of growth potential, lots of room for improvement.

How are customer service and technical support?

Exceptional!

Which solution did I use previously and why did I switch?

Previously used Burp Suite, OWASP Zed Attack Proxy, Python scripts / Powershell and Batch, Retire.JS, Vulners, and Wappalyzer browser plugins.

How was the initial setup?

The initial setup very straightforward and integrations were up and running in a matter of days after purchase.

What about the implementation team?

Implementation was in-house (Deployment, Automation Engineers, Myself)

What was our ROI?

Unknown - productivity and time are measurable, possibly as much as 20%. Improvement in cross departmental relations is priceless!

Which other solutions did I evaluate?

We also evaluated WhiteHat Security.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: January 2022.
563,327 professionals have used our research since 2012.
Founder & CEO at a healthcare company with 1-10 employees
Real User
Top 5Leaderboard
Easy to install, stable, scalable, and they have phenomenal and responsive support
Pros and Cons
  • "My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople is fabulous."
  • "The pricing for qualified startups such as Neo4j could be improved."

What is our primary use case?

We use this solution for Digital Health.

How has it helped my organization?

This solution has helped us in developing a secured product.

What is most valuable?

Veracode is fantastic! All of the features are valuable.

My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople are fabulous. They are engaging.

What needs improvement?

I would suggest charging the developer for training, as it's not very expensive.

Only charge for developer training because it's a service you give now and they may need to be technical support. 

It costs them money to do that, but with the technology, an incremental user is negligible incremental costs, which doesn't really cost them. That's software economics.

I would like to see them only charge for developer training for the qualified startups and start charging for the licensing once the product goes into production, and available.

For how long have I used the solution?

I have several years of experience working with Veracode.

When we used this solution a year ago, we used the most current version.

What do I think about the stability of the solution?

It's a stable solution. I would rate stability a ten out of ten.

What do I think about the scalability of the solution?

It's a scalable product. My rating out of ten would be a ten, scalability-wise.

We have a software development manager and three other people who are using it.

How are customer service and technical support?

Technical support is phenomenal. They are fabulous and very responsive, it's amazing.

Which solution did I use previously and why did I switch?

Previously, I did not use another solution. Because I knew Veracode for many years, my approach with the company was that it was a startup and we need to do it securely. This is s why we went with Veracode.

How was the initial setup?

The initial setup was straightforward. It was extremely easy and took only a few hours to deploy.

What about the implementation team?

We have a team in-house to implement this solution.

What's my experience with pricing, setup cost, and licensing?

The pricing for qualified startups such as Neo4j could be improved.

It allows startups to develop a secure product, but it takes time for startups to get money for the products. 

Veracode could provide the services, at a significantly lower price during that period with a condition that the moment that it becomes production, Veracode has to be paid.

If they would change that, it would be phenomenal for the entire industry and for them.

Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward.

What other advice do I have?

At the time that we used this solution, we were a startup, the software may not have been that complex. It's not like Oracle.

My advice to others who are interested in using this solution is to pay attention to the full instructions.

I would rate Veracode Developer Training a ten out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Nachu Subramanian
Automation Practice Leader at a financial services firm with 10,001+ employees
Real User
Top 5Leaderboard
Offers good static and dynamic analysis but there are problems with scanning
Pros and Cons
  • "Good static analysis and dynamic analysis."
  • "The product has issues with scanning."

What is our primary use case?

I'm an automation practice leader and we are customers of Veracode.

What is most valuable?

The valuable features are the static analysis and the dynamic analysis. The security is also a good feature.

What needs improvement?

The solution has issues with scanning. It tries to decode the binaries that we are trying to scan. It decodes the binaries and then scans for the code. It scans for vulnerabilities but the code doesn't. They really need two different ways of scanning; one for static analysis and one for dynamic analysis, and they shouldn't decode the binaries for doing the security scanning. It's a challenge for us and doesn't work too well. 

As an additional feature I'd like to see third party vulnerability scanning as well as any container image scanning, interactive application security testing and IAS testing. Those are some of the features that Veracode needs to improve. Aside from that, the API integration is very challenging to integrate with the different tools. I think Veracode can do better in those areas.

For how long have I used the solution?

I've been using this solution for four years. 

What do I think about the stability of the solution?

I haven't had any issues with the stability. 

What do I think about the scalability of the solution?

The solution is scalable but if we scale too far then the performance is impacted. We have around 300 developers using Veracode. 

How are customer service and technical support?

The technical support is good. Whenever we have any vulnerability issues, we can easily contact them and then have a triage with the technical support team.

How was the initial setup?

The initial configurations were okay, but then the integration to the CI/CD pipeline was not so smooth. We had multiple rounds of calls with the Veracode engineers to get it up and running.

What's my experience with pricing, setup cost, and licensing?

Veracode is very, very expensive, one of the most expensive security scanning tools available.
We pay an annual license fee that is over $1 million. 

What other advice do I have?

For any company wanting to use Veracode and buying vendor binaries from third party vendors, it's important to get the legal and compliance clearance from the vendor as well. Some vendors have a policy that they're selling you the binary of a particular software but you're not supposed to decode it. Those are the general terms and conditions that every vendor gets you to sign but Veracode does decode and then scans for the vulnerabilities. It's a challenge for any company purchasing the solution from vendors.

I rate the solution six out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
IT security architect at a consumer goods company with 10,001+ employees
Real User
Effective static analysis, plenty of tools, but needs better support for languages
Pros and Cons
  • "The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
  • "The solution could improve the Dynamic Analysis Security Testing(DAST)."

What is our primary use case?

We are using this solution for static analysis.

What is most valuable?

The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools.

What needs improvement?

The solution could improve the Dynamic Analysis Security Testing(DAST).

There could be better support for different languages. It is very difficult in some languages to prepare the solution for the static analysis and this procedure is really hard for a pipeline, such as GitHub. They should make it easy to scan projects for any language like they do in other vendors, such as Checkmarx.

We have found there are a lot of false positives and the severity rating we have been receiving has been different compared to other vendor's solutions. For example, in Veracode, we receive a rating of low but in others solutions, we receive a rating of high when doing the glitch analysis.

For how long have I used the solution?

We have been using this solution for approximately six years.

How are customer service and technical support?

We have not had much free expert support from the vendor. We have had to have a team of highly skilled individuals to make the solution work.

How was the initial setup?

The initial setup is difficult. For example, in Android, if I need to scan an ordinary APK Android application, we need to generate the APK and when you are working in GitHub, you need to do a lot of work to make these combinations able to be scanned by Veracode.

What about the implementation team?

We did the implementation ourselves.

Which other solutions did I evaluate?

I have previously evaluated Checkmarx.

What other advice do I have?

The solution is good at finding issues and provide some very useful tools. I would advise those wanting to implement this solution to purchase professional support from the vendor. If you do not, you run the risk of having many problems such as the ones we have faced.

The DAST tool is very useful and is used in preproduction.  

I rate Veracode a six out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
reviewer1359297
Software Engineer at a financial services firm with 501-1,000 employees
Real User
Source composition analysis component gives our developers comfort in using new libraries
Pros and Cons
  • "The source composition analysis component is great because it gives our developers some comfort in using new libraries."
  • "I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."

What is our primary use case?

This was intended to scan all of our custom development efforts to ensure a certain level of (secure) code quality. Right now the scope of that effort is limited to web exposed systems but with maturity, we hope to increase that scope.

How has it helped my organization?

The Veracode platform probably hasn't improved our organization overall, although through no fault of theirs. Veracode is just one more tool that generates work for our developers.

What is most valuable?

The source composition analysis component is great because it gives our developers some comfort in using new libraries.

What needs improvement?

I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan. For instance, we have CI scans that run automatically, and sometimes the files don't get upload and/or processed by Veracode. Now, there's a static scan that hasn't been completed, which blocks all future scans. The only way we know this is an issue is going into the Web UI, check each application, and look for stalled scans. This is time-consuming and frustrating.

For how long have I used the solution?

I have been using Veracode for three years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1360623
VP Engineering at a tech services company with 201-500 employees
Real User
Source code composition analysis helps with vulnerabilities and license compliance

What is our primary use case?

Our primary use cases are for comprehensive security assessment using static analysis, dynamic analysis, source code composition, and manual penetration tests. We also use it for security training for developers.                         

How has it helped my organization?

Veracode is a valuable tool in our secure SDLC process.                                                        

What is most valuable?

Source code composition analysis for vulnerabilities and license compliance is the most valuable feature.                                                                                                 

What needs improvement?

It needs better controls to include/exclude specific sections when creating a report that can be shared externally with…

What is our primary use case?

Our primary use cases are for comprehensive security assessment using static analysis, dynamic analysis, source code composition, and manual penetration tests. We also use it for security training for developers.                         

How has it helped my organization?

Veracode is a valuable tool in our secure SDLC process.                                                        

What is most valuable?

Source code composition analysis for vulnerabilities and license compliance is the most valuable feature.                                                                                                 

What needs improvement?

It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.  

For how long have I used the solution?

I have been using Veracode for one year.

Which other solutions did I evaluate?

We also evaluated Synopsys.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.