Veracode Reviews

When we develop an application with source code built on Java, JavaScript, and mobile technologies such as Android and iOS, we ensure that the source code is free from security vulnerabilities before sending it to production. To achieve this, we package our source code and scan it using Veracode. This scanning process is our primary use case.

We set up pipelines for this purpose, and the warehouse operates on a cloud provider. To make the Veracode API calls for support, we utilize Veracode API libraries which use the URL that is hosted on the cloud. We then initiate a scan on our source code, which goes through different stages, including scan, upload, rescan, validation, and finally, we obtain the results.

Veracode provides visibility into the status of applications at every phase of development to a certain extent. Veracode scan reports present a comprehensive view of planned releases that are scheduled to go live in the coming days. To keep the team informed, we run a scheduled deployment, sending email notifications twice a week for each application. This alerts the team to any issues that may need fixing. However, it's worth noting that the system is not fully integrated into the pipeline and notifications. Nevertheless, Veracode offers an API. This interface allows us to obtain the XML result file, and subsequently, I can extract and analyze the values from the XML. Once the scan is complete, Veracode API will fetch the XML report and store it in my workspace within the pipeline. From there, I can execute an XML parser function to obtain the application status results.

Veracode has been helpful in reducing our developers' time by around fifty percent. For an application to meet internet safety standards, the code must achieve the VL4 level in Veracode. According to Veracode reports, our developers can focus more on resolving the issues rather than trying to identify them.

The most valuable feature is the seamless automation of Veracode via the pipeline, in comparison to other solutions like Fortify SSC, which are complex to integrate through the pipeline. Although there is a lot of coding involved in writing each end, Veracode breaks the process down into multiple steps. We first package our source code and upload it, after which a pre-scan is conducted. If the pre-scan identifies any files that don't conform to the Veracode format, it will display a warning or prompt us to correct the issues before proceeding. This allows us to have programmable control; in fact, we can program Veracode so that after the upload is completed, it automatically scans the files to check if they are all in Veracode format.

For example, my ZIP file contains a hundred files. Out of these, ninety files meet Veracode's criteria, while ten files are incorrect. I can instruct Veracode, through pipeline automation, not to wait for manual action and continue with the scan or upload the scan results. Veracode can automatically proceed with the selected files in this scenario. All of this can be controlled programmatically. Furthermore, once the scan report is generated, it becomes available in the workspace, and we can send an email with this report as an attachment. This type of report is referred to as a detailed Veracode report and can be customized. Typically, we prefer the customized report, while some developers may also opt for XML reports. The ability to manage this sequence of steps in the Veracode scan is programmable and can be handled accordingly.

Veracode's false positives have room for improvement. For example, if there is an applicant named ABC in Veracode. I have uploaded my Java file, which contains a hundred lines of code. I suspect that the ninetieth line includes a hard-coded password. Thus, during the scan, it will identify the presence of a hard-coded password on the ninetieth line and suggest how to mitigate and resolve this issue. In the next scan, I added fifty more lines of support and fixed the password-related problem. However, the line containing the password is no longer at the ninetieth position; it has moved to the hundredth line. Despite these changes, the next scan still detects the password flaw. Even though I encrypted the password and added the required string, the issue continues to be flagged. This constant flagging of the issue, even after resolving it, is one of the major drawbacks. To overcome this problem, we decided to create another application. This action was taken to prevent the recurrence of such issues. In the future, when I have a release in the coming months, I cannot keep encountering this problem repeatedly, as it still flags the issue as long as the code is in a different line. We have spoken to the vendor several times about this issue and scheduled a work order consultation call, but we did not receive a response.

In order to achieve software consolidation and analysis reports for Android applications, we need to utilize a third-party utility called SourceClear along with Veracode scanning. This complicates the market and has room for improvement. 

When scanning a file that is over one gigabyte in size, there is a high chance that Veracode will continue scanning. When we initially encountered this issue and investigated it, we raised a ticket. As a result, a Database Lock occurred, causing Veracode to become stuck.

I have been using Veracode for almost four years.

I would rate the stability at seven out of ten, considering the false positive issues we are experiencing.

Veracode is scalable.

I am not entirely satisfied with the technical support because I believe we have been waiting to send our code to production and waiting for an update from the vendor to resolve the issue. When we raise a support case, there is no response, and even after it happens two or three times, I don't know if they read the details of the issue when a ticket is raised. If someone has already attended to the same call, they will not attend again; instead, a new person handles it. Consequently, we have to explain everything all over again to the new person. We are aware that they know they don't have a solution for this problem. However, by the time we explain it to the new person, they ask the same questions again. Each consultation lasts 40 to 45 minutes, and we are billed for them, but we spend most of the time repeating what the issue is.

Neutral

The initial setup is straightforward. Even the pipeline setup is easy because there is an API, so we don't need instructions. Veracode is hosted in the cloud, so we need to set up a firewall to connect to it via proxy. The deployment took a few weeks because we had to figure out how to perform the scanning from the pipeline, enable the scan, and upload the scans for each Veracode API. Additionally, we had to seek assistance from HR to implement all the steps, which took some time.

I give Veracode a six out of ten.

We cannot simply create one policy and claim it is compliant unless all my issues are thoroughly flagged based on that compliance and the complaint. As technology improves and we move forward, bugs and certain issues may arise, and we may not always know the solutions or the severity level of their impact. Considering this perspective, Veracode is acceptable. I will illustrate this with another tool, Fortify SSC. Suppose there are newly added licenses or rules for software compliance in their security scanning tool. In Veracode, if I wish to update the new compliance tools or checks that the algorithms run against it, I must obtain approval from the architect. This approach has its advantages. However, in the case of the tool I am currently working on, Fortify SSC, there is something called a 'rule pack' for each language. I have the option to keep the existing version of the rules or upgrade to the latest rule pack. This feature works as a toggle option in Veracode.

Tuning policies is essentially the application of specific policies. When we deploy a policy, it affects all our scans and issues. The new policies applied are divided by Veracode and, when implemented, impact all the applications. Therefore, most of the time, when we apply a new policy, there is a chance that if there are three flaws, we can assume there are thirteen million flaws in my current scan. If a policy is applied, there are definitely ten to fifteen additional issues in the new scan after implementing the updated policy. Thus, there is always an increase in the number of flaws when there is a new policy update.

There are certain flaws. For example, I am releasing a package into production, and I conducted a Veracode scan against the source code, which is stored in the bin bucket. So, even if I fix the issue on my own, the same issue will be flagged again due to the change in client number. This is a significant problem because we cannot explain to the higher management that the report contains the password, and we have already taken measures to mitigate the issue. We cannot claim that this issue has already been fixed, as it continues to resurface. It is a Veracode issue, not one originating from us, but it becomes complicated when higher management sees a report indicating the same issue from the previous month. We don't know what to do. One of the ways we addressed the issue was by reducing the number of times the same issue occurs. For instance, in my previous work at a bank, we had applications specific to each country, like one for Singapore, one for Malaysia, and so on for most Southeast Asian countries. Although our master bank application was the main source, we created individual applications for each country in Veracode. As a result, the number of false positives or issues that were previously mitigated or closed and kept reappearing from month to month was reduced, but they were not completely eliminated. By switching to a different application for each country the false positives were reduced by around seventy percent.

Our organization was approached to adopt Snyk; however, it is a startup solution, and the bank prefers something that is well-established. Currently, we are using Fortify SSC. 

We have a five-person IT team that is responsible for all the DevOps tasks, including Veracode.

Compared to Fortify SSC, which has a complicated setup requiring three installations, Veracode is easier because the app is hosted in the cloud. All we need is a support license, and they will create a project for us. We can create a firewall proxy, and the API pipeline is already in place. To create a scan for another application, we simply copy and paste the code and change the application's name. 

We use Veracode to identify vulnerabilities in code to ensure the security and integration of the apps.

Veracode effectively identifies vulnerabilities within the code. My role is to analyze these vulnerabilities and assign a severity level before forwarding them to the development team. This allows them to address the issues before deployment to production.

Whenever Veracode releases a new feature, we seek the expertise of Veracode's application security consulting team to understand its functionality and how it contributes to code security. The team demonstrates exceptional responsiveness and promptly addresses our questions, eliminating the need for unnecessary back-and-forth communication.

In today's digital world, cybersecurity is more important than ever. Veracode offers a comprehensive suite of features that help developers secure their code through automated scanning. This scanning identifies vulnerabilities and detects malicious code, preventing it from entering production.

Veracode has helped reduce our time to remediate security flaws.

The policy reporting for ensuring compliance with industry standards and regulations has been positive for our organization.

Veracode provides visibility into application status at every phase of development.

It has been instrumental in enhancing our organization's ability to fix flaws while simultaneously reducing our manpower requirements allowing us to focus on other issues.

Veracode has helped our developers save 20 percent of their time.

Implementing Veracode has significantly bolstered our security posture. We can uncover more vulnerabilities and streamline our detection process. We've become more proactive in identifying and addressing security threats. This allows us to focus on building secure applications with confidence.

Veracode has proven to be a solid choice for our organization's shift-left security strategy, compared to other solutions like Darktrace.

To ensure secure software from development to deployment, we leverage Veracode throughout our CI/CD pipeline, enhancing our app security at every stage.

Veracode helps us prevent vulnerable code from entering production, strengthening our third-party application security.

Among Veracode's features, vulnerability scanning stands out for its effectiveness in identifying and remediating security weaknesses, ultimately mitigating threats to our applications. 

The integration capabilities have positively affected our existing development tools when integrating with other cloud solutions. It is easy to integrate and the support team is helpful during the integration process.

Veracode helped improve our compliance posture with our existing solutions.     

The automation of Veracode is great because we no longer have to run manual testing. 

The weekly report logs are great because we can address any vulnerability issues that are detected quickly.

Veracode runs comprehensive scans and links the vulnerable code to the weekly reports identifying what services are affected and forecasting the next steps.

The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users.

I would like Veracode to introduce more sophisticated AI features.  

I have been using Veracode for one year.

I would rate the stability of Veracode nine out of ten.

Veracode supports scaling up whenever we want to keep up with our growing app portfolio.

I would rate the scalability of Veracode eight out of ten.

The experience I had with their technical support has been great.

Positive

I recently changed companies, and my current employer does not use Veracode. However, I have discussed implementing it with them because it offers more mature features compared to other solutions.

The initial deployment took around four months and required five people.

Veracode is affordable for large organizations, but its pricing may be out of reach for small and medium companies.

I would rate Veracode an eight out of ten. Veracode's pricing hinders my overall rating of the solution. 

Veracode was deployed in two regions with 25-plus users.

Veracode requires some maintenance to keep the scanning accurate.

While I highly recommend Veracode, affordability for smaller organizations may be a significant hurdle due to its pricing structure. It's crucial to carefully evaluate their budget constraints and explore alternative solutions if necessary.

My use case for Veracode is for a front-end application, specifically an agent compensation calculation engine. That application is deployed through an EAR file, and then Veracode scans the EAR file and gives me the scan report to help me change and improve the file for future deployments.

What I found most valuable in Veracode is that it gives me a part-by-part report of the entire EAR file and lets me set up the application for a limited time. For example, I'm running an application via the dev ops pipeline. Hence, I need to create a pipeline application and a sandbox to connect with Veracode and then add my application. When you create a sandbox, you can create it full-time or for a limited time, so I created it for a limited time. Once that expires, Veracode allows you to automatically renew it, which is one of the features I find remarkable in Veracode.

I also like that for each integration in Veracode, there's documentation.

I also find the Veracode support team extraordinary because the team goes above and beyond to ensure you get the best experience.

I find Veracode essential in preventing vulnerable code from going into production because if there's a vulnerability, the solution finds it. For example, my code has many JavaScript front-end and EAR files with some vulnerabilities. Right now, I'm deploying my code, but in the future, I may have to improve it and change it to ensure the servers are secure, so in that way, Veracode becomes more important for the industry today.

Policy reporting in Veracode is good in terms of ensuring compliance with industry standards and regulations. I like that the solution is more flexible when working with applications, mainly because my organization has a good firewall. Veracode is flexible and allows the organization to connect to the firewall in various ways. The Veracode policy is flexible and has an entire page and record that connects with my application, industry, company, and server in different ways. It does not disturb my policies so that I can get my application to work.

The false positive rate for Veracode is about seventy-thirty because it gives the most accurate report. For example, my organization depends on the Veracode analysis to ensure the code is on point, so the organization is building the next BI based on the Veracode analysis.

Veracode has also helped my organization save time because, without the report, the development team would spend a lot of time figuring out what is wrong and why the application is vulnerable. Veracode points out what is happening and why the file size must be reduced, so it helps reduce mistakes in terms of time.

An area for improvement I found in Veracode is the connectivity because currently, my company uses a plugin for the dev-ops cloud-based connectivity. A pretty helpful feature would be if Veracode gives a direct code for connecting to the Oracle server directly and authenticating it via a unique server. Currently, my organization has to find a roundabout for that and then needs to build a separate pipeline and then connect that pipeline for Veracode to start.

I've been using Veracode for the past two months.

Veracode has always been stable. It has good stability.

I found Veracode scalable because it supports a variety of platforms. Though the support for other platforms is less, Veracode has been incorporating more support over time and offering other solutions as well.

If you're unable to set up the solution, the Veracode team has a consultation call to help you set up the solution. The team would even raise set-up-related issues with the Veracode engineering team, which was how I reached Veracode Technical Support, which was a good experience.

I found Veracode Support extraordinary. I've been having an issue for the past month, and the team reached out to me and has been working with me for the past month, giving me various solutions to figure out how to solve the issue. It turns out it was a firewall issue, and I just had to go to the back-end and allow the back-end application, and now it is working fine.

The Veracode Support team was helpful and escalated my situation from level one to level two to level three, and finally, had the appropriate team reach out to me based on my issue. Then, within the span of two weeks, the team finally figured out the issue I was facing and gave me the final results and how I could fix it, so I found support good, fast, and responsive.

Overall, I had a pleasant experience with Veracode Support, so I rate support as eight out of ten.

Positive

I didn't use a previous solution before Veracode.

I wasn't involved in the initial deployment of Veracode.

I have no information on the pricing or licensing cost for Veracode.

I've not used the Software Bill of Materials in Veracode.

I'm unsure how the false positive rate affects developer confidence in Veracode on fixing vulnerabilities because I'm more of a DevOps user and don't work on development but automation.

I'm also unsure of the effect of Veracode on my organization's ability to fix flaws because I've not used it directly to fix any flaws. I report to the dev team, who then takes the report and fixes the flaws accordingly.

I'm unsure of the impact Veracode had on the overall security posture of my organization, as I didn't use it for that.

In my organization, Veracode has a hybrid cloud deployment.

The solution doesn't require any maintenance.

My rating for Veracode, overall, is eight out of ten.

What I'd tell others looking into buying the solution is that as far as DevOps is concerned, Veracode is a must-have. It's been helpful for my organization DevOps-wise, though I have no information on other Veracode offerings. I recommend that others buy Veracode.

My organization has a business relationship with Veracode. It's a Veracode partner.

My company uses Veracode Static Analysis for scanning purposes and static analysis. I am a DevOps engineer configuring automation for multiple teams in our company using Veracode Static Analysis. Our company uses the product to identify vulnerabilities in third-party libraries that our teams use internally to secure our products before moving the product outside of our company. The aforementioned features of the solution are used mostly in our company. Most of the teams within my organization use Veracode's static analysis part. My company did not procure the license for Veracode Dynamic Analysis.

From the market, my company could identify some of the libraries that were outdated and had severe vulnerabilities. Our company wishes to secure its products before moving out for production, for which we find Veracode helpful. Our company sees value in Veracode Static Analysis.

The most valuable feature of the solution is Veracode's library, which supports the automation of Veracode's scanning process.

The major benefit of Veracode Static Analysis is that you can schedule a scan on demand. We found the delta approach in scanning to be super quick in terms of returning results in our company, even though we had to make uploads of certain things, but it would be longer if the size of the scanning part were huge, making it one of the drawbacks.

If Veracode develops a plugin for multiple orchestration tools, it will be easy for us to use the product in our company.

If you schedule two parallel scans under the same project, one of them will be a failure. It would be good if Veracode could provide two different site codes since if another code scan gets triggered while the scanning for one code is going on, the newly triggered code scan fails, stating that there is already a scanning process in progress. If Veracode can handle a newly triggered second code scan in their sequence instead of making it fail and take it up later or on a wait so that they can trigger it after the first code scan gets completed, then it would be a nice improvement. There is no queuing mechanism for scanning right now.

Module selection is manual. If somebody adds a new module, it is not detected automatically, and moreover, it ignores that module and moves forward. You have to go and include that module manually, so if it is made dynamic in the future, it will be nice.

I have been using Veracode Static Analysis for two years. Almost six years ago, I used Veracode Static Analysis for a year. In total, I have three years of experience with Veracode Static Analysis. My company procured the solution, so I am an end user.

It is a stable solution. The speed of the solution was good in the past, and they have worked constantly to improve the speed.

It is a scalable solution.

Though Veracode Static Analysis is primarily available in the USA, we scan our company from multiple locations. The solution may have a huge number of users, but our company supports 30 projects with the help of the solution, which includes scanning for 30 microservices. I am unsure of the actual numbers regarding the solution's use since it is handled by someone else in my company.

I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues.

My company used Code Insight, a very similar solution to Veracode Static Analysis, but not the same.

Code Insight scanned even first-party libraries, which includes what we used to develop in our company.

Code Insight's vulnerabilities in the database completely differed from Veracode Static Analysis, but I can't recollect where it differs. If both Veracode Static Analysis and Code Insight were the same, we would not have used both in our company, so there is a difference between them. Veracode wasn't of any support when it came to dynamic scans in the past, though Veracode has recently started to support it, which I haven't used yet. I don't see any drawbacks with Veracode, so I am satisfied with whatever Veracode offers.

The solution is deployed on the cloud.

Depending on the number of users, my company makes payments toward the solution's licensing costs.

Veracode handles the maintenance part of the solution. Veracode's side may be down at times for maintenance.

I recommend Veracode Static Analysis to those planning to use it, but the scans should not be carried out daily since it can get too costly. I recommend not doing the frequent scans to save on the costs.

I rate the overall solution an eight out of ten.

We are a software company providing software to paper manufacturing organizations, and we have an extensive ERP product along with many add-on products.

With the need to increase security awareness and vulnerabilities, we decided that we needed to scan our software, so that was how we started using Veracode.

We found Veracode eye-opening because we had many third-party libraries in our application, and we found vulnerabilities and had to upgrade those libraries or seek alternatives.

Our use cases for Veracode were to make our software more secure and provide a better competitive advantage over our competitors by telling our clients that we have secure software.

What we found most valuable in Veracode is the ability to do automatic scans of our software. We've incorporated the solution into our SDLC process, so we take our builds before they get released and put them through scans to ensure any new vulnerabilities haven't occurred.

We found Veracode good at preventing vulnerable code from going into production.

We also use the Software Bill of Materials (SBOM) as we run many applications through Veracode. We use SBOM to discover all the different vulnerabilities and what that stack looks like.

We also found Veracode very good in helping us manage risks, such as supply chain, licensing, and security. The solution allows us to see where the risks are and if updates are available and identify how to remediate our software quickly.

Our company also found it moderately easy to use Veracode when creating a report via the Software Bill of Materials. There may be a bit of a learning curve, but once users have done it, they'll run the same report.

As for policy reporting in Veracode to ensure compliance with industry standards and regulations, we have not used the solution that way. Instead, we rely on the different statuses to achieve the levels we want to achieve and be able to use that on marketing material.

Veracode offers visibility into the application status at every development phase throughout the software development life cycle, but we have not implemented that. That feature is built into the development tool, so developers will get alerts as they code, but we plan to do that in the coming year.

We found a moderate false positive rate in Veracode. There were a few false positives. Veracode can identify vulnerabilities, which we found nice. We could flag false positives on Veracode so they don't continue to pop up and hunt them down, and the solution will ignore those in the future.

The false positive rate in Veracode doesn't affect developer confidence in the solution when fixing vulnerabilities because we realized that our application is huge. False positives will happen in large applications just because of the different ways of implementation and features. No toolset can handle all those different features and interactions, so we can't say they relate to vulnerability.

Veracode dramatically impacted our company's ability to have security awareness and achieve a level of confidence that we can put out to the marketplace.

We also saw how Veracode affected our company's overall security posture, explicitly being able to put the solution into automatic scanning mode, then through our SDLC cycles, and achieve a Veracode-verified status. We can use that as a marketing advantage and say that we've achieved Veracode-verified status with one of the leading vendors of security scanning software. We've reached a level of status with them, and we continually scan our software so our clients can be confident that our software has been scanned for security files before implementing a new software release.

An area for improvement in Veracode is the time that it takes to scan large projects, as that makes it difficult to fit into our CI/CD pipelines.

One of our app scans times out after two hours, which requires uploading and scanning that particular application manually. Still, there's no visibility into the CI system with the vulnerabilities found. My company cannot incorporate that into the automatic cycle and has to scan manually, so Veracode could improve on that.

I've been using Veracode for about two years.

Veracode is very stable. I have no concerns with its stability.

Veracode is very scalable from the perspective of ERP applications, though we aren't sure if other clients have applications larger than ours. For reference, we have five million lines of code in our application.

I've contacted the Veracode technical support team and found the support responsive. The team also got back to me quickly. I didn't find any issues with Veracode support.

I would rate technical support as eight, just because you still need to do manual scans, as Veracode still has not addressed that issue.

Positive

We used a product called Mend.io, formerly WhiteSource, before Veracode to look at vulnerabilities.

I was part of the initial deployment of Veracode, and it was straightforward because Veracode had excellent training programs and onboarding procedures. The Veracode team also helped along the way and was very supportive in answering questions and keeping my team plugged into any new offerings.

We implemented Veracode in-house with only three people involved.

I found Veracode very expensive, though I'm not the person paying for it. I was surprised to find out how much the subscription costs and that the executive board approved it, but it was a no-brainer because now my company has better security scans.

What I can tell others looking into Veracode but concerned about its price is that the price or cost is justified. After all, you can tell potential clients that your software is better than competitor software because you're scanning it and Veracode-verified.

The verification levels of Veracode are essential because you can use Veracode to start climbing up the ladder to say that your software's even more secure than anybody else because it achieved this level of verification.

In terms of Veracode reducing the cost of DevSecOps in our company, we find that tough to determine because we never had a real concentration on DevSecOps before Veracode. It was forced on us by the fact that the industry was becoming more vulnerable, so now we are experiencing an increase in price in DevSecOps because we're paying attention to it now. We used to skate by and weren't affected by vulnerabilities. Still, because the industry had more vulnerabilities, our customers asked if we were scanning our software, so we had to find a solution and add DevSecOps to address industry needs.

I did a Gartner search on the top three solutions and looked at their reviews, and Veracode came out to be the leader, so I just went with the leader from a partner perspective.

My company has a hybrid Veracode deployment. It's a cloud-based solution, so it's tied to the company's automatic build cycles, where you can access and do scans through the cloud.

Veracode doesn't require maintenance. The only maintenance my company performs is fixing vulnerabilities found by Veracode.

Overall, my rating for Veracode is seven out of ten.

I advise others looking to evaluate Veracode to utilize the presales marketing side first. For example, my company was able to utilize Veracode in a presales environment and do the scans to find out how vulnerable my company's software is and compare Veracode with the previous tool, WhiteSource. My company found additional vulnerabilities and was able to do that before signing the contract. It may be best to do a test run of Veracode to find out what the tool is all about and how it looks to your company.

We use Veracode for its code analysis features, which include static code analysis, dynamic code analysis, and checking for security flaws in our code. Mainly, we utilize Veracode for application security, making code security one of our primary use cases.

Since implementing Veracode, we have seen significant improvements in our code's security and the overall code development process. Veracode has been instrumental in enhancing our code security and streamlining the development workflow. In the past, we relied heavily on third-party applications that were not directly aligned with our codebase. However, now we can seamlessly integrate Veracode into our application process, saving a substantial amount of time. Veracode has not only improved our security setup but also enhanced the overall security of our organization.

Before implementing Veracode, the same process that used to take one hour now only takes 15 to 20 minutes.

Veracode's policy reporting for insurance compliance with industry standards and regulations is good. We can integrate numerous reports, and the positive reporting feature is also highly commendable.

Veracode provides visibility into the application's status at every phase of development.

Veracode works very well overall, and our security has been greatly improved, significantly impacting our ability to fix flaws.

The security process has been improved. Before using Veracode, we used to perform it manually. However, at that time, there was no application that could be integrated with the code. Now, with Veracode, we can directly integrate it with our code. As a result, security checks are being done automatically, saving us 30 to 40 percent of our time.

Veracode offers various security features. Veracode performs the analysis using three different methods: static analysis, dynamic analysis, and software composition analysis. These security features are the best, and the most valuable features.

Veracode's ability to prevent vulnerable code from going into production is commendable. However, we have encountered numerous cases of false positives that need improvement.

The technical support service has room for improvement. There are times when we rely on them, but we are not receiving an adequate response.

The stability has room for improvement.

I have been using Veracode for one and a half years.

Veracode is stable, but there is room for improvement.

Veracode is highly scalable. We have not had any issues with scalability. 

Before I joined my organization, they used a third-party application to check code. Since I joined, we have been using Veracode.

The initial setup was somewhat complex. The deployment took a couple of weeks because we needed to resolve numerous technical issues that we had to understand first. We had six people involved in the deployment.

Veracode's price is reasonable.

I would rate Veracode an eight out of ten. I recommend Veracode to others.

Veracode's false positives significantly impact our developers. When we encounter numerous false positive cases, we are required to conduct extensive reviews. How much it affects our developers depends on the number of false positive cases we are encountering and the significance of addressing them concerning the criticality of writing the code.

Veracode can save time in our DevSecOps process, but it may not significantly reduce costs.

Organizations that have security flaws in their code and seek to enhance their core security can consider Veracode as one of the best options for investment. Veracode is easy to implement and can effectively address the flaws in the code, provided that cost is not a significant concern.

Maintenance is required from time to time, specifically regarding false positives. We need to verify whether the system is functioning properly and communicate with the support team. The intervals for these checks occur after approximately 30 or 60 days, which we have selected, and we must strive to improve the system during these instances.

Veracode is deployed at two locations within our organization.

We have multiple verticals and products, and we use Veracode to perform static analysis on our hosted applications across all the platforms. We also perform static and software composition analysis on a couple of products.

Our offices are spread out across North America, South America, Europe, and Cyprus. We also have offices in Australia that use the solution. About 25 to 30 people use the solution regularly. 

Veracode has greatly improved the security posture of our applications because we can identify and mitigate vulnerabilities that we couldn't have without the solution. Veracode provides compliance reporting so we can identify issues without having to rely on complaints. Veracode has been extremely effective at fixing flaws in our applications. We have multiple applications across multiple verticals

Veracode or any other solution like it doesn't prevent anything. The product provides insight into the vulnerabilities, but it's up to the end-user to mitigate that and move it into production. If we fail to remedy the issue and move the code into production, it isn't Veracode's failure. We can't judge the product based on whether it could do that. The product is doing what it should be doing.

In addition to dynamic and static analysis, we can perform software composition analysis, which involves going into the various libraries to retrieve details about that. We see a few false positives in Veracode but not many. It's negligible. 

Veracode has saved our developers time by identifying and reporting flaws. The developers don't need to spend time checking the code by hand. It reduces the time spent on these tasks by about 10 to 20 percent. 

I believe the static analysis is Veracode's best and most valuable feature. Software composition analysis is a feature that most people don't use, and we don't use SCA for most of our applications. However, this is an essential feature because it provides insight into the third-party libraries we use.

We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them.

I have used Veracode for the last five or six years, but the company has used it for nearly 10. 

Veracode is a highly stable product.

I haven't had a scenario where we've had to scale it.

I rate Veracode technical support nine out of 10. They are excellent. When we have problems, they provide a solution every time. 

Positive

We had been using a third-party service for vulnerability checking. 

The deployment is a little complex. There is a small learning curve, but it isn't too difficult. The installation isn't hard, but we need to configure the dynamic analysis where it connects to a hosted application and performs checks. We have to configure the console and set a schedule. It takes a couple of hours to configure a new application.

We have been able to mitigate lots of flaws and vulnerabilities, so Veracode has had a positive effect on our products. It's hard for me to quantify. Our company has a large footprint across Asia, North America, South America, and Europe. 

Veracode is fairly priced. 

I rate Veracode eight out of 10. I would recommend Veracode to other users. However, I suggest doing a proof of concept before moving forward with any solution. 

We use Veracode for static code analysis scans for our clients.

Veracode is deployed both on the cloud and on-premises.

Veracode helps prevent vulnerable code from being deployed into production by identifying problematic code. It enables us to send a report to the application developer, allowing them to address the vulnerabilities based on their criticality level. The developers are given six months to address medium-level issues and three months for critical ones. If the criteria are not mapped with the higher critical alerts present in those applications, we can enforce the build field and proceed without deploying it into production.

Veracode has helped improve our customers' organizations through the scanning taskbar, which identifies vulnerabilities in code. We have worked with ten clients, all of whom used Veracode to identify vulnerable code early in the development stage and resolve the issues. Additionally, Veracode offers Greenlight ID, which developers can integrate into their development process, providing clarity during the development phase. Veracode can also generate reports that developers can resolve, facilitating the quick resolution of security concerns.

The policy reporting for ensuring compliance with industry standards is excellent. The report helps us maintain our compliance.

It offers visibility into the application's status at every phase of development, including static analysis, dynamic analysis, composition analysis, and manual penetration testing throughout the Software Development Life Cycle.

Visibility aids the DevSecOps process by offering a clear framework for all involved departments, including the steps for handling severities.

Veracode assists our clients in addressing flaws by simplifying the process. The security team can review the code, approve or reject it, and developers can utilize the reports to promptly rectify the flaws.

It assists developers in saving approximately 20 percent of their time, primarily in the static part, as they no longer need to review all the code. Regarding the dynamic part, Veracode scans all the URLs, eliminating the necessity for developers to use additional tools. For third-party dependencies, developers depend on the reports and the Greenlight ID plug-in to streamline their workflow and save time.

Our clients depend on Veracode to improve their security stance.  

The CI/CD integration is the most valuable feature of Veracode. This feature is not present in other solutions.

The analytics dashboard is not user-friendly and can be improved to assist us with the application size and enable modifications, whether for static or dynamic scans. This is currently missing in Veracode.

Veracode needs to improve its integration with other tools.

We have requested an enhancement for Veracode because it does not support scanning the static and dynamic elements of code created by MuleSoft. Furthermore, it does not support these aspects for the new generation of applications and we have to use other tools.

I have been using Veracode for over seven years.

If there is an issue, I am unable to access all the logs due to insufficient permissions, which causes delays.

Veracode is scalable. To increase the scale, we simply need to increase the number of licenses.

The technical support team's response time is inadequate. Typically, they fail to provide assistance beyond the initial call due to the limited knowledge and inability of the first-level support to resolve issues effectively. I have been dealing with a single issue for three weeks without any resolution.

Neutral

The vendor handles the deployment, and we simply need to install the ISM agents on our network. The deployment time depends on the size of the application. Large applications may take up to five days to scan, but on average, it takes one or two days.

The pricing depends on the functionality each client desires. For example, one of our clients only wishes to scan two applications, so they pay for that specific service in addition to our organization's third-party access to their system.

I give Veracode an eight out of ten.

20 to 30 percent of the false positive rates are vulnerabilities. Sometimes, almost 50 percent of the reports are false positives, which affects the time spent on tuning policies.

The false positives increase the amount of time our developers need to spend investigating the reports. 

Veracode offers static analysis, dynamic analysis, and composition analysis all in one place.

We are a team of five individuals who assist in deploying and managing Veracode, along with handling other tasks.

Our client base varies depending on their budgets, but we serve a large number of organizations in the financial industry.

I recommend Veracode. The solution is on par with the others, and organizations can read the reviews and run some tests before making a purchase.