Michea Mbaziira - PeerSpot reviewer
Insurance Agent at ICEA
Real User
Top 10
The ability to prevent vulnerable code from entering production works very well
Pros and Cons
  • "Code scanning is the most valuable feature."
  • "The UI is not user-friendly and can be improved."

What is our primary use case?

We use Veracode to scan our codes for vulnerabilities and risks.

How has it helped my organization?

Veracode's ability to prevent vulnerable code from entering production works very well and it can detect the type of script used.

The software bill of materials helps us understand the industry that we are in and ensures we have a stable solution.

We can easily create a report using a software bill of materials because it has good templates that we can use.

Veracode has improved our organization by allowing us to fix the flaws quickly for our clients by making data coding easy.

Veracode provides visibility into all phases of development.

The visibility into our development provides confidence to our DevSecOps that they will be able to deploy on time with no errors.

The false positive rate is good but we require a lot of skills to utilize it properly.

The false positive helps our DevOps troubleshoot every stage of development and increase their efficiency which boosts their confidence.

Veracode has helped our developers save around 20 percent of their time.

It has increased our organization's ability to fix flaws. We can scan code in a video which reduces costs and risk.

Veracode has increased security in our overall security posture because it detects flaws during scans.

We have saved around $500 a month in DevOps with Veracode.

What is most valuable?

Code scanning is the most valuable feature. 

The templates allow us to create wonderful reports.

The software bill of materials feature helps our supply chain security.

What needs improvement?

The backend support team of Veracode requires improvement as they are difficult to reach when we encounter issues.

The UI is not user-friendly and can be improved.

The speed of our internet connection affects the scanning process, which may take a considerable amount of time to finish. As a result, this can lead to challenges in planning and reporting, causing confusion.

Buyer's Guide
Veracode
April 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
769,065 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

Veracode is scalable.

How are customer service and support?

The support is slow to respond.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup was straightforward. I deployed the solution myself within three days.

What about the implementation team?

The implementation was completed in-house.

What was our ROI?

We have seen a 32 percent return on investment with Veracode.

What's my experience with pricing, setup cost, and licensing?

The licensing cost for Veracode is fair.

What other advice do I have?

I give the solution an eight out of ten.

Veracode is user-friendly depending on how we use it. 

We have seven people using the solution.

Veracode does not require any maintenance on our end.

Veracode is a secure, reliable, and sustainable tool that all organizations should use for scanning code.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Prakash Pillay - PeerSpot reviewer
Director - Product Solution/Architecture at a tech vendor with 10,001+ employees
MSP
Top 20
Helps improve our code quality and remove security flaws, but dynamic scanning takes time
Pros and Cons
  • "It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase."
  • "I would like to see improvement on the analytics side, and in integrations with different tools. Also, the dynamic scanning takes time."

What is our primary use case?

For every application we develop, we want both static and dynamic security scans done before deploying them.

How has it helped my organization?

The solution helps us to verify if our code is error-prone or has any OWASP security flaws. It has also reduced our scanning time, but it's difficult to say by how much.

Also, the scanning process helps a lot when it comes to improving standards and best practices. If we scan multiple times and we get the same warnings again and again, it helps us to identify that there's something we need to rectify, overall, in our standards and processes.

In addition, the solution has helped to increase our security and development teams' productivity.

On the whole, Veracode has improved the quality of our code and the end product. It has reduced our security debt by 40 or 50 percent. It helps protect our application from external attacks.

What is most valuable?

It scans for the OWASP top-10 security flaws at the dynamic level and, at the static level, it scans for all the warnings so that developers can fix the code before we go to UAT or the next phase.

It also gives us a centralized view of issues and that is important because security is key to any application. We want to identify the flaws as early as possible. The centralized view means that everybody can see the report and remediate accordingly.

What needs improvement?

I would like to see improvement on the analytics side, and in integrations with different tools.

Also, the dynamic scanning takes time.

For how long have I used the solution?

We have been using Veracode for more than six years.

What do I think about the stability of the solution?

It's a stable product.

What do I think about the scalability of the solution?

We have about 30 to 40 developers using the solution. We use it on a weekly basis but I can't comment on whether we will increase our use of it. That depends on our product.

How are customer service and support?

Technical support is average. They take some time to respond.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We didn't use anything prior to this.

What was our ROI?

The ROI for us is that it improves our code quality and helps remove security flaws. It is an essential tool.

What other advice do I have?

It does root analysis, but fixing things is up to us. Also, it doesn't require much maintenance.

I would highly recommend it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Evan Gertis - PeerSpot reviewer
Penetration Tester at a tech vendor with 51-200 employees
Real User
Top 10
The scanning process helps to significantly improve our standards and best practices
Pros and Cons
  • "The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting.""
  • "The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way."

What is our primary use case?

We use software composition analysis and static code analysis. We use a software composition analysis component to identify third-party vulnerabilities in our software. And then we use the static composition analysis to analyze flaws within our application on the front-end and the back-end.

We also use Veracode for static composition and software composition analysis and static code analysis because we need a way to identify vulnerabilities and flaws in the application and relay that information to our developers.

The manual penetration testing is not really used as much.

Having a centralized view is probably one of the most important aspects of the platform. We need to have some way of looking at all the flaws and all the vulnerabilities in one centralized view. 

Having this has improved our visibility into application status. It's very important because it's the way that we communicate flaws to our developers. And without it, we'd be missing out on an opportunity to explain what seems to be fixed and what needs to be managed.

How has it helped my organization?

Veracode helps us to reduce security debt. We're finding that issues like cross-site scripting injection, injection, and those sorts of vulnerabilities are getting addressed more quickly. And we don't really have to worry about where those are, whether that's being fixed or not because we can see them in the platform and we can see the score increase every time those get fixed.

The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting."

Using Veracode SCA helped increase productivity for our security and development teams. Every week we do a vulnerability report and we look at the flaws that were reported by Veracode. Our process essentially goes by meeting with developers, looking at the report, finding out which flaws are the most important ones to fix first. After we've done that, we set up a sprint and we have developers work out two to three of those tickets until they're complete. We've done that now for about six months. We increased our application score from a pretty low level all the way up to Veracode Level Three, so above 90. We don't have any high severity or high vulnerabilities and we don't have any mediums and applications anymore. Following that process is extremely helpful. We also utilize the Veracode dashboards as well. We use the Veracode dashboard to monitor our progress in triaging flaws. Then we want to make sure that things are actually getting fixed. And then we can count those metrics by looking at those dashboards.

It has definitely improved our security posture and communication with developers. I think that now developers are taking our security seriously, whereas before it was something that was always important, but there was no real way of actually tracking what was getting done. Now that we have the tool that we can use to track what's getting done, we're making objectives and setting goals, and working towards this.

What is most valuable?

We use the screening process to help our security professionals and developers fix flaws in the code. It's probably the most utilized security tool that we have at our company.

Scanning with Veracode SCA reduces scan times by a few seconds. It also helps to increase our fixed-rate by 14%.

The scanning process helps to significantly improve our standards and best practices.

The mitigation recommendations provided by the scanning engine of Veracode are important for developers to understand. They need to know how to fix things. So just giving them a blank vulnerability and saying, "this is the issue," doesn't really help. They need something that tells them how to fix the flaw and where to fix the flaw.

Veracode helped us with certification and audit. We're working towards Veracode Level Four right now, we've achieved Veracode Level Three status, and we're looking forward to reaching the next certification level. The goal of that is to eventually have all of our third-party vulnerabilities and mitigate them so that we're in good standing and we don't have anything coming from a third-party library that could possibly compromise our application. Once we get to that fourth certification Veracode Level Four, that would be great.

What needs improvement?

The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way. And we have a process in place where there's a set of tickets and people can work on them. It just seems that people are more focused. They tend to pay attention to what they're doing and there's accountability. So having a more rigorous JIRA integration would be very helpful.

For how long have I used the solution?

I have been using Veracode for over a year. 

What do I think about the stability of the solution?

It's a very stable product, and I think that the team at Veracode is constantly putting in more effort into trying to make it into a better platform. They take feedback seriously. They constantly improve the platform. They are working towards adding features that developers are requesting. So it's always changing, there's always something new being added to it, which is very good.

What do I think about the scalability of the solution?

Large enterprises are probably following a very different practice from what we're following. I think that smaller organizations are going to have an easier time using something like Veracode because of the flexibility of the different API tools that they have available. An enterprise might have a more complicated time scaling it. The issue with that is that the enterprise is probably going to use a proxy and having to deal with the networking issues, it's going to become very difficult for that to scale. However, in a small company, those situations are mitigated pretty easily by getting two or three people together. So we move through those very fast, we're extremely agile. We're always forward moving. We're always rapidly developing. I think each company has its own specific way of handling scalability, it's always been easy just because we're a very collaborative team. We know how to work with each other and we're always receptive to each other's feedback. I can't really speak for other companies, but I can tell you that we find it pretty scalable. That's really just our culture though.

I run all of the administration and I direct people in what needs to be done. So, that's about it. In total, about seven people are really using it.

We are using it to its fullest extent. Even the manual penetration testing aspect of the platform is very useful. The manual penetration testing aspect of the platform is something that would be nice to incorporate because the cost is significantly less than other security companies. For example, InfoSec is about $3,000 more than Veracode, for any organization that wants an all-encompassing security platform. But what we get with Veracode is a platform that provides software composition analysis, static code analysis, Docker Container Scanning, manual penetration testing results, and dashboards that show the progress for moving through all of those issues. And that's probably the most important aspect of the platform.

Once they introduced the prebuilt dashboards that really reduced the amount of friction with upper management. Typically, my mentor said that almost all issues in any business organization come down to personal relationships and opinions, so when Veracode introduced those dashboards, it removed the ability for people to give opinions about what was being done and what wasn't being done.

We're driven by facts as people, so we can look at those metrics and say, "This is what's actually getting done." And there's no ambiguity. Then really that just removes all opinion from any sort of conversation.

How are customer service and support?

They monitor all of the conversations in the platform on the Veracode community. My rep is very responsive. He answers community questions. He votes up really important questions and the issues are getting answered quickly. That's the most important part because then the business, if we run into an issue on Monday and we spend two or three days trying to debug the issue, we haven't figured it out. You can go to a place and actually get an answer. Whereas some organizations try to use a tool that's custom made and they're going to run into an issue where it's intractable. It can't be solved. However, with Veracode, customer support has always been able to find some sort of solution. Anytime I've ever had a problem, it's always been resolved 100%. There's never been a time where it's gone unresolved. I can't say that about every tool.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used a combination of things. We use Sonar, Veracode, and JFrog Artifactory to give us a diverse picture of what vulnerabilities are in the application and how we can fix them. Veracode seems to always provide the best feedback. Other platforms really aren't at the same level, they provide reports and those reports are usually very static and they're not very informative. Whereas with Veracode, the platform is very interactive. You can tell that it was designed for users and Sonar is the same way. Sonar is very static. Even in Bitbucket, you can now scan your code with Snyk.

How was the initial setup?

The initial setup was pretty straightforward. The best way to handle it is to get the Java JAR file for the upload, use the terminal on any given laptop, like a Mac or a Linux, and create a small script that uploads a couple of JAR files up to the platform.

Once that's complete, once you have a proof of concept that works with just a couple of lines, then the next step is to move that into a pipeline. Preferably something like Jenkins. Jenkins allows people to run scripts. You can just run Dash straight in a pipeline. Once you have that setup, you pull all that down into the Jenkins pipeline.

Once that's done, you now have all of the binaries that need to be scanned, and you can set the pipeline to run a scan on a weekly cadence. If you want to take it a step further, you could actually move that into a build pipeline and really follow shift-left practices where you're moving the security aspect of the development cycle further up the pipeline. Flaws are being found before they go into production rather than after they're in production. So that would be my recommended approach for working through that problem.

I went through and I actually added container scanning now, so in Veracode at this point, we're running software composition analysis, static code analysis, and on top of that Docker container scanning. So it's a pretty big product. The thing that would be more helpful is better Jira automation since that aspect keeps track of what's getting done. Then essentially you have a full pipeline setup that automates the generation of tickets, scanning, and just takes care of itself. It's a self-service security tool.

The setup took around a week.

What was our ROI?

We have absolutely seen ROI. We have buy-in from upper management and developers. We have a lot of people who are very excited about what we're doing and we're working towards that.

We've personally seen a major decrease in vulnerabilities and we've seen an increase in awareness for security. So people actually have conversations about security now, and they're taking it seriously. It's no longer an issue that gets swept under the rug. I think a lot of smaller organizations would benefit from having a tool that showed them what is being done, as opposed to someone just saying this is what we're doing if they can see the results that really improve. So, once we added that, we saw a decrease in vulnerabilities, we decreased our third-party vulnerabilities from a pretty significant level and attended the three down to single digits, which is huge for any organization.

What's my experience with pricing, setup cost, and licensing?

The thing that I'll go back to is when one of my mentors said to me "Evan, security is a critical aspect of any organization. People don't always believe in it. And the best way to sell it is to explain what could go wrong." So when we compare what could go wrong, having a third-party vulnerability, like a graph library, such as the one that Equifax used, which led to a $3 million lawsuit, and their reputation was destroyed. When you compare that to paying $8,000 for an application, it's a no-brainer. Once the reputation of an organization has been tarnished, that's it. The whole thing is completely over. Really everyone loses faith and once people lose trust, it's almost impossible to get people to believe in a vision.

It's definitely worth it considering what could go wrong. The DevOps Mantra is to always be prepared for what could go wrong. Most things are going to go wrong.

Having a static cost gives people confidence. And once people start using it, if the price changes, then that's going to be dependent on how much they're getting out of it.

Which other solutions did I evaluate?

I definitely looked at other security platforms, but Veracode seems to have the most performance.

With Xray, essentially you upload your builds, once you've uploaded your build, you index it. And after you index it, it'll give you a security report. Now, the thing with that is you have to make a policy, you get a report, the report comes out as a PDF and the PDF doesn't really tell you how to fix it. It tells you the fixed version.

The first path of that really was just creating a pipeline that ran a curl request over to Artifactory to generate that PDF. And then on Monday mornings, that was automated. So management can go in, look at that PDF and say, "Oh, okay, these are the things that are happening in our application." Whereas Veracode, is fully automated, it runs the full scan and then creates the tickets. So that's the contrast. 

What other advice do I have?

My advice would be to start with meeting with people from Veracode. Once you meet with the team from Veracode, the best way to handle that is to start asking questions and identifying the things that would be of value so that an organization doesn't start out by paying too much money. Then you're moving away from that being too scared of what the outcome is. I think once they go in and they have a meeting with people and they can actually discuss what they want to do, that's the first step towards planning out how the platform will be used.

I would rate it a ten out of ten. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Evan Gertis - PeerSpot reviewer
Penetration Tester at a tech vendor with 51-200 employees
Real User
Top 10
Enables us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously
Pros and Cons
  • "I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes."
  • "Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable."

What is our primary use case?

My company produces one of the most secure fabrics that you can find. Veracode is integrated into our development cycle through Jira. We do a full static analysis with Veracode and use Burp Suite to review the findings. The most common attack vector we find in Java code is SQL injection. When SQL injection shows up, you send a screenshot and a report to your executive team. They see the screenshot and say, "Oh, they're seeking injection here." 

This has now become a top priority. We're going to pause all these redundant features that we're making here and ensure our code is secure with no SQL injection vulnerabilities. Veracode finds everything, and the security engineers do the penetration test using the results. You provide a report showing where the issue is, and developers can fix it. We also use Veracode to train security engineers and teach them how to file reports.

How has it helped my organization?

My case is different from other individuals. I worked for a startup, so we had to find a way to capitalize on all the resources in Veracode. Larger organizations are not leveraging the built-in dashboard. That aspect is what people want to know about. They want to see how their money is being spent on security. The biggest problem with security is getting funding. None of these executives believe anything these users are saying until they can see the results.

They want that dashboard report. In less than three weeks, a junior security engineer can learn to create a dashboard easily that will allow the organization to stay on top of the most important things. They need to show the stakeholders that we're doing something here. They'll get the certification and see the dashboards. You now have something that's actually worth $2,000. With these other ones, who knows what you'll get. 

It allows us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously. Everyone says that they're on top of their security and have all these things in place. In a sales call, we can immediately respond to any questions about our security posture by pointing them to a link showing that your company was among the few companies that completed the full certification process. Veracode has four levels of certification, and we are at level three, I believe. 

To my knowledge, Veracode is the only real DevSecOps pipeline that captures every component of the software delivery cycle, from sandbox and staging to development and production. You need to go through those four phases and ensure the code is secure by the time it hits production. Veracode handles all those phases seamlessly and can be automated with Jenkins.

Veracode is highly efficient at fixing flaws. A single person can go through and do a penetration test after collecting the data from Veracode. Instead of telling developers where the issue is, they can show them in the code editor for the static analysis. They can assign tasks to the team using Jira, so developers almost never need to do that work. They actually almost never go back and fix any of these vulnerabilities. That's why I was my company's most hated and most loved man. I forced them to do it.

What is most valuable?

I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes. Veracode's application security consulting team is very helpful. They're responsive and follow up quickly. 

What needs improvement?

Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable. 

For how long have I used the solution?

We have used Veracode for more than four years.

What do I think about the stability of the solution?

Veracode is highly stable. It very rarely crashes. 

How are customer service and support?

I rate Veracode support 10 out of 10. Their customer support is incredible. If I have any issues, I can immediately connect with their support team and have a real working solution within one week.

How would you rate customer service and support?

Positive

How was the initial setup?

Deploying Veracode is easy. I had the best customer success manager at Veracode helping me. After deployment, Veracode requires little maintenance. 

What's my experience with pricing, setup cost, and licensing?

Veracode is inexpensive and cost-effective. The licensing model is unambiguous. You know what you are getting. They also give you several seats for training. That's why it would benefit them to improve the training because more people could take advantage of it and use certifications. Some certifications for other products don't have much real value, but Veracode is a product many companies use, so it could help people get jobs.

If you're concerned about the cost, you should meet with a representative to talk about pricing. Veracode is flexible, and they're willing to let companies try the platform or test different features. They will work with companies to get to the point where they'll use it.

Which other solutions did I evaluate?

I used JFrog X-ray with homegrown scripts for testing the code. It was terrible. We chose Veracode because it is more scalable. We could run scans on any code, and it was reliable. Also, their documentation was up to date. With other software providers, you would find an issue in the documentation, and they would backtrack, saying, "Oh, no one's using that." 

Veracode immediately responds to the community. You have people in the community supporting each other and suggesting new features. Software providers say they're open to suggestions. Veracode will quickly get something from the community and immediately put it into development. JFrog has the same stuff as they did four years ago. They haven't changed anything. 

What other advice do I have?

I rate Veracode 10 out of 10. Veracode is constantly changing and improving. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
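The two Evan Gertis reviews above describe the same setup path: download the Veracode Java API wrapper JAR, write a small script that uploads the build artifacts and starts a scan, prove it from a laptop terminal, then move the script into a Jenkins job on a weekly cadence. The script below is an added example of that wrapper step; it is neither the reviewer's script nor Veracode's own code. It assumes the wrapper JAR is named vosp-api-wrappers-java.jar and that its UploadAndScan action accepts the -vid, -vkey, -appname, -version, -filepath and -createprofile flags as written in build_upload_cmd; those flag names should be confirmed against the wrapper's own usage output. The function names, the VERACODE_API_ID / VERACODE_API_KEY variable names and the DRY_RUN / VERACODE_RUN switches are this example's own conventions.

```shell
#!/bin/sh
# Added example (not Veracode's code, not the reviewer's script): a small
# upload-and-scan wrapper of the kind described in the reviews, intended to be
# run first by hand and then from a Jenkins job. Flag names for the wrapper's
# UploadAndScan action are assumed; check them against the wrapper's usage text.

WRAPPER_JAR="${WRAPPER_JAR:-vosp-api-wrappers-java.jar}"  # assumed file name of the wrapper JAR

# Refuse to run without API credentials in the environment. They are only ever
# read from variables and never printed, so a CI console log cannot leak them.
require_credentials() {
  if [ -z "${VERACODE_API_ID:-}" ] || [ -z "${VERACODE_API_KEY:-}" ]; then
    echo "error: VERACODE_API_ID and VERACODE_API_KEY must be set (bind them as Jenkins credentials)" >&2
    return 1
  fi
  return 0
}

# Number of *.jar artifacts under a directory. An empty upload means a
# misconfigured build, so run_upload treats zero as an error instead of
# submitting a scan that can only report "nothing found".
count_artifacts() {
  find "$1" -type f -name '*.jar' | wc -l | tr -d ' '
}

# Render the wrapper command with the credentials left as variable references,
# so the string is safe to print in a build log or a dry run.
build_upload_cmd() {
  printf 'java -jar %s -action UploadAndScan -vid "$VERACODE_API_ID" -vkey "$VERACODE_API_KEY" -appname "%s" -version "%s" -filepath "%s" -createprofile false' \
    "$WRAPPER_JAR" "$1" "$2" "$3"
}

# run_upload APP_NAME VERSION ARTIFACT_DIR
# Validates credentials and artifacts, then submits the scan. With DRY_RUN=1 it
# only prints the redacted command: the laptop proof-of-concept step that the
# review recommends before wiring the script into a pipeline.
run_upload() {
  app_name="$1"; version="$2"; artifact_dir="$3"
  require_credentials || return 1
  n=$(count_artifacts "$artifact_dir")
  if [ "$n" -eq 0 ]; then
    echo "error: no *.jar files found under $artifact_dir" >&2
    return 1
  fi
  echo "uploading $n artefact(s) from $artifact_dir as $app_name version $version"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    build_upload_cmd "$app_name" "$version" "$artifact_dir"; echo
    return 0
  fi
  java -jar "$WRAPPER_JAR" -action UploadAndScan \
    -vid "$VERACODE_API_ID" -vkey "$VERACODE_API_KEY" \
    -appname "$app_name" -version "$version" \
    -filepath "$artifact_dir" -createprofile false
}

# Only submit when invoked as the pipeline step, for example from a Jenkins sh step:
#   VERACODE_RUN=1 ./veracode_upload.sh my-service "$BUILD_NUMBER" build/libs
if [ "${VERACODE_RUN:-0}" = "1" ]; then
  run_upload "$@"
fi
```

Run it once with DRY_RUN=1 from a laptop to confirm the artifact directory and command line are right, then call it from a Jenkins job with the API ID and key supplied through the credentials binding (so they reach the script as environment variables and never appear in the Jenkinsfile) and a cron trigger for the weekly cadence the review describes. Moving the same step into the build pipeline, so a failed scan stops the build before deployment, is the shift-left arrangement the reviewer suggests as the next stage.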
CyberSec professional at a manufacturing company with 5,001-10,000 employees
Real User
Helps save our developers time, improves our security posture, and increases visibility
Pros and Cons
  • "The integration of static testing with our Azure DevOps CI pipeline was easy."
  • "The security labs integration has room for improvement."

What is our primary use case?

We are using Veracode to shift development left. Therefore, we want to train our team of third-party vendors and improve our code security.

How has it helped my organization?

Veracode has been effective at preventing vulnerable code from entering production. I can easily enable the support team. Additionally, the reports are free. Although we are at the beginning of our journey, I can see that Veracode is capturing vulnerabilities.

The cooperation between the security team and the development team is improving, and our security team's visibility is increasing. As a result, we are achieving better and better results, and Veracode is helping to improve our security posture.

I am using Veracode's preconfigured policies because I find them useful and complex.

I am satisfied with Veracode's visibility into application status at every phase of development.

We can see that false positives are quite low, around five to ten percent.

We can add notes to any false positives during static analysis testing so that our developers can see the notes and avoid wasting time on them.

Veracode's reporting function and executive summary help us emphasize the security of our business-critical products to our business, which also helps us get sponsorship from our management to fix flaws and move forward.

Veracode helps our developers save 10 percent of their time by identifying security flaws early in the development process. This allows us to fix the flaws before they go into production, which is more efficient and cost-effective.

Veracode has helped us improve our security posture.

What is most valuable?

The admin ID can be downloaded into Visual Studio, for example, and developers can use that directive without having to type code. I think this is the best feature of Veracode.

The integration of static testing with our Azure DevOps CI pipeline was easy.

What needs improvement?

Veracode's support could be better. It is limited and slow.

The security labs integration has room for improvement. Currently, it is not possible to see the security labs training reports on the dashboard. These reports are only available separately in the security labs platform. I think that adding the dashboards for integration would be a good area of improvement.

For how long have I used the solution?

I have been using Veracode for almost six months.

What do I think about the stability of the solution?

Veracode is stable.

What do I think about the scalability of the solution?

Veracode is easy to scale.

How are customer service and support?

Technical support needs to improve its response times and the details of its responses.

How would you rate customer service and support?

Neutral

How was the initial setup?

The deployment was somewhat complex because some of the documentation was outdated, which caused some problems. There was confusion about how to implement the static pipeline scan. It took some time to find the correct articles and speak with the support team to implement Veracode.

The deployment took a couple of hours and required one DevOps and one tech person.

What's my experience with pricing, setup cost, and licensing?

Veracode is fairly priced.

Which other solutions did I evaluate?

Before selecting Veracode, we evaluated SonarQube and Codacy. We chose Veracode because of its comprehensiveness and its ability to provide us with a solution for each phase of the software development life cycle. Veracode offers both dynamic code analysis and static code analysis solutions. With Veracode, we were able to get everything we needed in one place, without having to sign contracts with multiple vendors.

What other advice do I have?

I would rate Veracode eight out of ten.

We deployed Veracode in one location and have ten users.

I recommend Veracode based on the script language being used.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Calinescu Tudor - PeerSpot reviewer
Security Project Leader at ATOSS AG
Real User
Top 5
Quality of our code is much better, and we sleep well at night knowing we have closed a possible security leak
Pros and Cons
  • "It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in."
  • "False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side."

What is our primary use case?

We use Veracode to scan server applications, and we also use it for SCA functionality and to scan pipelines of our other projects.

How has it helped my organization?

The quality of our code is much better now with structured utils meant for improving various topics related to security. Those are being applied consistently to various modules of the application. It enforces a type of structure and code changes to support future transformation.

What needs improvement?

False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side. Once they are identified, you can mark them as false positives, and they can be accepted by the security project lead. After that, life goes on, and those will no longer be reported.

The problem is the time that you spend analyzing a flow to be sure that it is a false positive. Every problem that is reported as a security vulnerability has to be treated with maximum care by the developers. It is good, in the end, when it's a false positive instead of having a real vulnerability.

Because we are working on a huge application with lots of dependent sub-projects, there are 9 to 20 data paths. We have to check all of the vectors from all of these paths. If we decide that an attack vector might be susceptible to that attack, we start fixing it. But for the others, the attack vector is not relevant.

There is always room for improvement in any product; it's not something related specifically to Veracode. But in the case of Veracode, maybe they could improve the scanner to reduce the number of false positive events so that they remain only with the valid data paths that represent real attack vectors. We understand that this is quite hard to determine by just scanning the code.

Also, the UI of Veracode could be improved to permit better visualization of the issues and the grouping of the issues, with better filtering.

For how long have I used the solution?

We have been using Veracode for four years.

What do I think about the stability of the solution?

We have seen delays in results on the order of hours, but there haven't been any crashes of their scanner. The solution is quite reliable, and all of the results from the scanning can be easily tracked in terms of time frame. You can see how your scanning has evolved, and there are no deviations due to a bug in the scanner.

What do I think about the scalability of the solution?

For small and medium-sized projects, it's quite scalable. You can use the sandbox scanner they provide, and it is fine. But for large applications, it is not scalable. We do manual uploads, and this is not scalable.

How are customer service and support?

We haven't called their support because we know how to interpret the results provided by their platform and how to mitigate the vulnerabilities that they have reported.

However, we have exchanged several emails to discuss some technical details of the solution that we applied it to, and everything was straightforward. There are no complaints from my side regarding what they said. Everything went smoothly and quickly.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have used certain plugins from Teamscale, which is also a static code analyzer, and it integrates with various plugins in Sonar. We have also used OWASP for static composition analysis, and we are still using the third-party application scanning from OWASP as a Maven plugin. We have also evaluated Black Duck.

Veracode was the first choice for doing static application security testing. It was ranked first a couple of times in the last few years, so it was a natural choice to go with the top product. Also, SAP has a partnership with Veracode for the application that they are selling. It was a win for us, SAP, and for Veracode.

How was the initial setup?

It took us one day to get ready to use the solution. We built the image and copied it during the night to several machines. The following day, we were ready to put it into the container registry in Azure, and then it could be used. We had a huge procedure and scripting. It was not simple.

The team that did it had about six engineers involved.

What's my experience with pricing, setup cost, and licensing?

It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average.

Regarding extra expenses, it depends on what you want to buy. They have certain bundles that provide support via a hotline system with customer service. They can provide you access to certain security laboratories. You can opt for several licenses to educate more developers to be responsible for the security of your applications. All of these change the initial cost.

Of course, if you add more things, you can benefit from a better price. It depends on your negotiation skills and the number of licenses you want to buy.

The price can vary from year to year, and prices usually go up. Maintenance for the servers that do the scanning takes money, as do CPU, power, and memory. And there are the reports that are kept in the history for checking and for ISO certification. Those costs build up during a year.

For example, we have to manually upload the application that we are scanning because it's quite big, and it takes one day to be scanned. That means their scanner runs for a day on this application, and then we get the results back. That means our application is heavily consuming resources of that cloud server. Those resources are no longer paid for directly by us. We delegate this job to Veracode to do it for us, and we pay for it. But we free up our servers locally and can do other jobs with them.

We aren't trying to reduce our costs. We are trying to improve the security and quality to be sure that we and our customers don't have security issues. At the end of the day, security is the most important part. With every new release and with every new year, we allocate more and more to these operations, to improve our overall security.

What other advice do I have?

Not every such application is able to prevent everything from going to production, but several issues can be spotted via the scanning of the code and resolved, and they are valid. There are many others that can be detected with additional tooling from OWASP, Sonar, et cetera.

We are not using the SBOM functionality from Veracode. We use another tool to create the software bill of materials. That solution is also able to scan Docker images, and it also provides details about what is inside the layers of the Docker image file.

In terms of visibility into application status at every phase of development, it depends on how able you are to scan your application. For large applications, you have to do manual uploads, which is the case for us. We don't do manual uploads on every build, but we trigger it at certain times when we want to create releases for customers. That helps with our accuracy, but it doesn't represent the exact moment when there is a problem in the application. We still have to analyze the commits and history, track things, and match them with the new flaws that have been found in the latest report.

Veracode doesn't save us time. We have to spend a lot of time fixing security issues, especially those that impact lots of dependencies, dependent code, and sub-projects. But in the end, we can sleep well at night knowing that we have closed a possible security leak within the code, which is better for everybody. Even if there is no real problem at that moment and you don't see any probability of that vulnerability appearing in production, it is better to take some time to fix it, and then you feel better.

It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Dipjyoti Roy - PeerSpot reviewer
Senior DevOps Engineer at Thomson Reuters
Real User
Easy to integrate and provides good visibility, but the reporting can be more detailed
Pros and Cons
  • "The capability to identify vulnerable code is the most valuable feature of Veracode."
  • "There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side."

What is our primary use case?

We use Veracode to test for errors in the code in the applications we are building within our service pipelines.

How has it helped my organization?

Veracode assists in preventing vulnerable code from entering production. It is essential to ensure that our applications entering production are free from errors.

It has assisted our organization by providing a report that we can share with our developers, identifying vulnerabilities in their code. This enables them to address the issues before the code is put into production.

Ever since the implementation of Veracode, I have noticed that the processes for rectifying the issues in our pipelines have become much easier.

Veracode helps our developers save time. The solution has simplified the coding process for our developers.

I would rate Veracode's impact on our organization's overall security posture as nine out of ten. The solution has been beneficial to us daily, and we haven't encountered any issues with their solution so far.

What is most valuable?

The capability to identify vulnerable code is the most valuable feature of Veracode.

What needs improvement?

There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side.

The vulnerability report has potential for improvement and should encompass more detailed information about the vulnerability, rather than solely identifying it.

For how long have I used the solution?

I have been using Veracode for three years.

What do I think about the stability of the solution?

Veracode is stable.

What do I think about the scalability of the solution?

I believe Veracode is scalable, but I am not certain.

What other advice do I have?

I rate Veracode a seven out of ten.

I recommend Veracode. The solution only requires a one-time configuration into the pipeline and the testing is done automatically. 

Integrating Veracode with our pipelines is an easy process. We simply use VML files and the integration is done automatically for us.

We currently have approximately 55 microservices, composed of various teams. Altogether, there are about 170 people utilizing Veracode.

I recommend becoming as familiar as possible with Veracode before using it. Even watch online tutorials to ensure that the deployment goes as smoothly as possible.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Vladimir Shilov - PeerSpot reviewer
DevSecOps at Ciklum ApS
MSP
Top 5 Leaderboard
With extensive reporting capabilities and a user-friendly interface, the tool is also highly scalable
Pros and Cons
  • "The most valuable features of the solution are its extensive reporting capabilities and user-friendly interface."
  • "There are certain shortcomings in Veracode's static analysis engine. I would improve Veracode's static analysis engine to make it capable of identifying vulnerabilities with low false positives."

What is our primary use case?

I have helped other companies implement Veracode Static Analysis in their IT environment. In our company, we need to scan many .NET applications using Veracode, and we could scan our software since it is a SaaS solution, after which we process the reports to improve the product.

What is most valuable?

The most valuable features of the solution are its extensive reporting capabilities and user-friendly interface.

What needs improvement?

There are certain shortcomings in Veracode's static analysis engine. I would improve Veracode's static analysis engine to make it capable of identifying vulnerabilities with low false positives.

The product is good, and if improvements are required, they should not need to be significant. There may be a slight scope to improve the product's integration capabilities. The product can also consider improving its support of different .NET versions and other programming languages, like Java.

For how long have I used the solution?

I have been using Veracode Static Analysis for three or four months.

What do I think about the stability of the solution?

Our company faced some issues with the tool, but the support team solved these issues quite quickly. The stability of the tool is high. Stability-wise, I rate the solution an eight out of ten.

What do I think about the scalability of the solution?

It is a scalable solution. We can implement the tool in different DevOps environments and projects, which lets us create groups of applications and apply different policies to application groups, making it an enterprise-level tool. Scalability-wise, I rate the solution a ten out of ten.

How are customer service and support?

The solution's technical support helped us solve different problems related to Veracode, including some of its use cases. Veracode's support helped our company get around a problem and set up the scan rules correctly when we had some unexpected errors during the scanning process. I rate the technical support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have experience with Snyk. I used Snyk a year ago. Snyk doesn't support the version of the .NET applications we use in our company, so we decided to move to Veracode.

What about the implementation team?

The initial setup was easy since it is a SaaS solution and a well-documented product at the same time. In our company, we don't need to spin up a server to install something since we simply use the web interface and integrate the web interface with the DevOps environment.

On a scale of one to ten, where one is a hard setup and ten is an easy setup, I rate the initial setup phase an eight or nine.

The solution is deployed on the cloud. In our company, we use Microsoft Azure DevOps for our environment, but I don't know the environment in which Veracode gets used in our company. Veracode offers a web interface and API, so I don't know their cloud solutions.

The deployment is quite fast, but its overall quickness in terms of deployment depends on the number of applications you want to scan. If you want to scan one application, the deployment can be quickly done since we need to integrate Veracode into our DevOps environment.

What's my experience with pricing, setup cost, and licensing?

The pricing of the product depends upon the number of codes or the number of applications.

What other advice do I have?

I recommend those planning to use the solution check the system requirements and choose a solution that supports programming languages and .NET Framework versions that record scans.

I am not sure if it is one of the best solutions because I am not an expert in other solutions available in the market. Somehow, I personally feel it is one of the best tools in the market.

I rate the overall product a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Implementer
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024