Nachu Subramanian - PeerSpot reviewer
Automation Practice Leader at a financial services firm with 10,001+ employees
Real User
Top 5
Offers good static and dynamic analysis but there are problems with scanning
Pros and Cons
  • "Good static analysis and dynamic analysis."
  • "The product has issues with scanning."

What is our primary use case?

I'm an automation practice leader and we are customers of Veracode.

What is most valuable?

The valuable features are the static analysis and the dynamic analysis. The security is also a good feature.

What needs improvement?

The solution has issues with scanning. It tries to decode the binaries that we are trying to scan. It decodes the binaries and then scans for the code. It scans for vulnerabilities but the code doesn't. They really need two different ways of scanning; one for static analysis and one for dynamic analysis, and they shouldn't decode the binaries for doing the security scanning. It's a challenge for us and doesn't work too well. 

As an additional feature I'd like to see third party vulnerability scanning as well as any container image scanning, interactive application security testing and IAS testing. Those are some of the features that Veracode needs to improve. Aside from that, the API integration is very challenging to integrate with the different tools. I think Veracode can do better in those areas.

For how long have I used the solution?

I've been using this solution for four years. 

Buyer's Guide
Veracode
November 2022
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.

What do I think about the stability of the solution?

I haven't had any issues with the stability. 

What do I think about the scalability of the solution?

The solution is scalable but if we scale too far then the performance is impacted. We have around 300 developers using Veracode. 

How are customer service and support?

The technical support is good. Whenever we have any vulnerability issues, we can easily contact them and then have a triage with the technical support team.

How was the initial setup?

The initial configurations were okay, but then the integration to the CI/CD pipeline was not so smooth. We had multiple rounds of calls with the Veracode engineers to get it up and running.

What's my experience with pricing, setup cost, and licensing?

Veracode is very, very expensive, one of the most expensive security scanning tools available.
We pay an annual license fee that is over $1 million. 

What other advice do I have?

For any company wanting to use Veracode and buying vendor binaries from third party vendors, it's important to get the legal and compliance clearance from the vendor as well. Some vendors have a policy that they're selling you the binary of a particular software but you're not supposed to decode it. Those are the general terms and conditions that every vendor gets you to sign but Veracode does decode and then scans for the vulnerabilities. It's a challenge for any company purchasing the solution from vendors.

I rate the solution six out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT security architect at a consumer goods company with 10,001+ employees
Real User
Effective static analysis, plenty of tools, but needs better support for languages
Pros and Cons
  • "The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools."
  • "The solution could improve the Dynamic Analysis Security Testing (DAST)."

What is our primary use case?

We are using this solution for static analysis.

What is most valuable?

The main feature that I have found valuable is the solution's ability to find issues in static analysis. Additionally, there are plenty of useful tools.

What needs improvement?

The solution could improve the Dynamic Analysis Security Testing (DAST).

There could be better support for different languages. It is very difficult in some languages to prepare the solution for the static analysis, and this procedure is really hard for a pipeline, such as GitHub. They should make it easy to scan projects for any language, as other vendors do, such as Checkmarx.

We have found there are a lot of false positives, and the severity rating we have been receiving has been different compared to other vendors' solutions. For example, in Veracode, we receive a rating of low, but in other solutions, we receive a rating of high when doing the glitch analysis.

For how long have I used the solution?

We have been using this solution for approximately six years.

How are customer service and technical support?

We have not had much free expert support from the vendor. We have had to have a team of highly skilled individuals to make the solution work.

How was the initial setup?

The initial setup is difficult. For example, in Android, if I need to scan an ordinary APK Android application, we need to generate the APK and when you are working in GitHub, you need to do a lot of work to make these combinations able to be scanned by Veracode.

What about the implementation team?

We did the implementation ourselves.

Which other solutions did I evaluate?

I have previously evaluated Checkmarx.

What other advice do I have?

The solution is good at finding issues and provides some very useful tools. I would advise those wanting to implement this solution to purchase professional support from the vendor. If you do not, you run the risk of having many problems such as the ones we have faced.

The DAST tool is very useful and is used in preproduction.  

I rate Veracode a six out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user