Veracode Reviews

We use it to scan third-party libraries to check for vulnerabilities.

Our company relies on Veracode to prevent vulnerable code from going into production. 

And it reduces post-deployment bug fixes. Before Veracode, the application was deployed to the production server and there would be a lot of bugs and issues. Once we implemented the Veracode scan, the full deployment issues were drastically reduced. In a month we do 10 releases and we used to get five or six post-deployment issues. Now, we barely get one or two.

Veracode has also significantly saved us time, around 30 to 40 percent, and we can concentrate on new features instead of fixing the old ones.

We use the full code analysis and the recommendations from the Veracode report.

One concern is that scans take a long time to run. We scan at the end of the day because we know it will take a lot of time. We leave it to run and the report will be generated by the next day when we arrive. The scanning time could be reduced.

I have been using Veracode for the last three months.

It's very stable. I've never seen any downtime with Veracode.

We use it on-prem, so I'm not sure whether it can be scaled. It's just one endpoint that multiple people access.

We have two scanning stages. The first one uses SonarQube, which only does code analysis. It doesn't scan third-party libraries that we use in our code. Veracode is the second level of check. We work on a banking project. The bank trusts Veracode and they recommended Veracode to scan our products.

The initial deployment was pretty straightforward. It's on-prem so there was no deployment strategy to follow. It took one to two days to deploy and check everything. A team of three to four people worked on the deployment. It depends on the project's complexity as well. As a DevOps engineer, I support a lot of projects within our organization, and the deployment varies from project to project.

In my department, we handle six to eight projects and each one needs a Veracode scan before deployment. As a company, we have multiple locations and departments but only the DevOps team of eight people has access.

The way we work with Veracode is that we have integrated it with Jenkins. We upload the artifacts to the server, trigger the Jenkins job, and the Veracode scan is generated. We have set everything from the Jenkins pipeline. The scan is automated using Jenkins, which means there is no need for maintenance. If there are new steps implemented in the pipeline, there might be some overhead, but it doesn't need any maintenance. We just set the port and everything works fine.

Other than the scanning time, I would give it a solid eight out of 10.

We use Veracode to scan server applications, and we also use it for SCA functionality and to scan pipelines of our other projects.

The quality of our code is much better now with structured utils meant for improving various topics related to security. Those are being applied consistently to various modules of the application. It enforces a type of structure and code changes to support future transformation.

False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side. Once they are identified, you can mark them as false positives, and they can be accepted by the security project lead. After that, life goes on, and those will no longer be reported.

The problem is the time that you spend analyzing a flow to be sure that it is a false positive. Every problem that is reported as a security vulnerability has to be treated with maximum care by the developers. It is good, in the end, when it's a false positive instead of having a real vulnerability.

Because we are working on a huge application with lots of dependent sub-projects, there are 9 to 20 data paths. We have to check all of the vectors from all of these paths. If we decide that an attack vector might be susceptible to that attack, we start fixing it. But for the others, the attack vector is not relevant.

There is always room for improvement in any product; it's not something related specifically to Veracode. But in the case of Veracode, maybe they could improve the scanner to reduce the number of false positive events so that they remain only with the valid data paths that represent real attack vectors. We understand that this is quite hard to determine by just scanning the code.

Also, the UI of Veracode could be improved to permit better visualization of the issues and the grouping of the issues, with better filtering.

We have been using Veracode for four years.

We have seen delays in results on the order of hours, but there haven't been any crashes of their scanner. The solution is quite reliable, and all of the results from the scanning can be easily tracked in terms of time frame. You can see how your scanning has evolved, and there are no deviations due to a bug in the scanner.

For small and medium-sized projects, it's quite scalable. You can use the sandbox scanner they provide, and it is fine. But for large applications, it is not scalable. We do manual uploads, and this is not scalable.

We haven't called their support because we know how to interpret the results provided by their platform and how to mitigate the vulnerabilities that they have reported.

However, we have exchanged several emails to discuss some technical details of the solution that we applied it to, and everything was straightforward. There are no complaints from my side regarding what they said. Everything went smoothly and quickly.

Positive

We have used certain plugins from Teamscale, which is also a static code analyzer, and it integrates with various plugins in Sonar. We have also used OWASP for static composition analysis, and we are still using the third-party application scanning from OWASP as a Maven plugin. We have also evaluated Black Duck.

Veracode was the first choice for doing static application security testing. It was ranked first a couple of times in the last few years, so it was a natural choice to go with the top product. Also, SAP has a partnership with Veracode for the application that they are selling. It was a win for us, SAP, and for Veracode.

It took us one day to get ready to use the solution. We built the image and copied it during the night to several machines. The following day, we were ready to put it into the container registry in Azure, and then it could be used. We had a huge procedure and scripting. It was not simple.

The team that did it had about six engineers involved.

It is an expensive solution, but it's the best solution available on the market. If you want something at the top, you have to pay a bit more than the average.

Regarding extra expenses, it depends on what you want to buy. They have certain bundles that provide support via a hotline system with customer service. They can provide you access to certain security laboratories. You can opt for several licenses to educate more developers to be responsible for the security of your applications. All of these change the initial cost.

Of course, if you add more things, you can benefit from a better price. It depends on your negotiation skills and the number of licenses you want to buy.

The price can vary from year to year, and prices usually go up. Maintenance for the servers that do the scanning takes money, as do CPU, power, and memory. And there are the reports that are kept in the history for checking and for ISO certification. Those costs build up during a year.

For example, we have to manually upload the application that we are scanning because it's quite big, and it takes one day to be scanned. That means their scanner runs for a day on this application, and then we get the results back. That means our application is heavily consuming resources of that cloud server. Those resources are no longer paid for directly by us. We delegate this job to Veracode to do it for us, and we pay for it. But we free up our servers locally and can do other jobs with them.

We aren't trying to reduce our costs. We are trying to improve the security and quality to be sure that we and our customers don't have security issues. At the end of the day, security is the most important part. With every new release and with every new year, we allocate more and more to these operations, to improve our overall security.

Not every such application is able to prevent everything from going to production, but several issues can be spotted via the scanning of the code and resolved, and they are valid. There are many others that can be detected with additional tooling from OWASP, Sonar, et cetera.

We are not using the SBOM functionality from Veracode. We use another tool to create the software bill of materials. That solution is also able to scan Docker images, and it also provides details about what is inside the layers of the Docker image file.

In terms of visibility into application status at every phase of development, it depends on how able you are to scan your application. For large applications, you have to do manual uploads, which is the case for us. We don't do manual uploads on every build, but we trigger it at certain times when we want to create releases for customers. That helps with our accuracy, but it doesn't represent the exact moment when there is a problem in the application. We still have to analyze the commits and history, track things, and match them with the new flaws that have been found in the latest report.

Veracode doesn't save us time. We have to spend a lot of time fixing security issues, especially those that impact lots of dependencies, dependent code, and sub-projects. But in the end, we can sleep well at night knowing that we have closed a possible security leak within the code, which is better for everybody. Even if there is no real problem at that moment and you don't see any probability of that vulnerability appearing in production, it is better to take some time to fix it, and then you feel better.

It has provided what we were looking for in such an application, meaning static application security testing functionality. That was what we were interested in.

It is a broad and integrated platform. It provides multiple test scenarios and has the ability to do CI/CD pipeline integration. It is used for application security and vulnerability assessment.

Veracode provides guidance to develop secure software. It is one of the valuable features.

On-premise implementation is not available.

I have been using the solution for ten years.

It is stable.

The tool is scalable.

The technical support is good.

Neutral

The product is deployed on the cloud. We have a multi-cloud environment.

The solution is expensive.

Veracode’s policy reporting for ensuring compliance with industry standards and regulations is good. The product's false-positive rate is low. If the tool is used effectively, vulnerable codes do not go into protection.

The SBOM feature helps identify risks in all third-party software. It is quite easy to create a report using the SBOM feature. It is an important feature. The solution provides visibility into application status at every phase of development. We have not integrated it.

Veracode has a good effect on our organization’s ability to fix flaws. Veracode has helped our developers save time. Veracode has a good impact on our organization’s overall security posture. The solution is probably not worth the money. The developers are more confident while fixing vulnerabilities due to the solution’s low false-positive rate.

Overall, I rate the tool a six out of ten.

We used it for static and dynamic testing to check if there were any vulnerabilities in the code. If there were any vulnerabilities, we would check the report downloaded from the Veracode portal and try to fix the code before deploying it.

Veracode helped me remove errors, and it didn't take a long time to fix any issue because I had an answer regarding where the code needed to be fixed. That feature helped us test our cases and get them deployed. It helped me fix vulnerabilities and any other errors before deployment to the applications.

The SAST and DAST scans—we used it both before code was deployed and after it was deployed—helped us run through the issues and keep track of their status. It was deployed in the pipelines, through Jenkins, and checked the logs in Kubernetes.

The solution also saved us time. I really liked the automatic scanning because there was no way to know where an issue was. Human tendency is to make mistakes, but Veracode helped us find the exact spot where an error was and change it. The reporting helped us do that in a short amount of time.

For our team, it had a very good impact. My manager used to suggest that before taking code to the next level, it was a really good idea to scan it.

I liked that I could easily find out where my errors were. Instead of going through the whole code and the scripts, it showed me where the errors were and gave me an idea of how to fix them.

The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed.

Also, with upgrades, we had quite a difficult time tracking the reports, so there was some maintenance around that.

I used Veracode for 13 months.

I had a situation that was due to a slow network, and I couldn't get results within a specific time. Because of that, there was a lag in production; we couldn't deploy the code on time. There was a crash, and because of that, we couldn't meet our production deadline.

The downtime happened two or three times. I thought it was due to a network issue when it happened once, but then I came to understand that it was a maintenance issue.

Veracode is really not difficult or complex to understand. The whole concept is simple. It takes some time to get used to the tool, but it is a very simple tool to work with.

It was quite fast. Scanning my code took 25 to 30 minutes, which was quite good.

We are developers who utilize Veracode for the static and dynamic scanning of our applications.

Veracode provides both us and our customers with confidence that our applications do not have any issues by helping to prevent any vulnerable code from being deployed in production.

Veracode has helped us improve the way we conduct static and dynamic code testing in our organization. Based on the reports we receive, we can quickly identify what needs to be fixed immediately after the scan. For minor issues, we are given time to address them after moving into production, but for major issues, the application is unable to enter the production phase.

We utilize Veracode for static and dynamic code scanning in our software configuration and lifecycle management. It is integrated as part of our pipeline, allowing the code to be automatically scanned in the background. This enables us to review the reports promptly.

The information provided by Veracode enables us to easily rectify vulnerabilities in the workflow.

Veracode can help our developers save time, depending on the issue and the age of the application.

Veracode saves time by automating the basic tasks that were previously performed manually.

Veracode has had a positive impact on our security stance and has empowered our customers to confidently migrate their applications to the cloud.

The static scan and the detailed reports, which include issue information and permissions, are the most valuable features.

Veracode does not support scans for .NET Blazor server applications. We encounter errors whenever attempting a scan. I would appreciate it if Veracode could incorporate support for these applications.

I would like Veracode to offer code support for the latest releases of .NET whenever they are released by Microsoft.

I have been using Veracode for over one year.

Veracode is stable.

The technical support is helpful, but they operate on their own schedule, so in certain instances, we have to endure a considerable wait for a resolution.

Neutral

I give Veracode an eight out of ten.

Our customer provides us with a Veracode profile account for uploading and testing code. We do not manage the solution or have any insight into how it is deployed.

I highly recommend Veracode for assisting in identifying vulnerabilities in code.

I have learned that Veracode can confidently scan and detect vulnerabilities in code. However, for older or unsupported applications, we need to seek an alternative solution.

We use Veracode to scan our codes for vulnerabilities and risks.

Veracodes' ability to prevent vulnerable code from entering production works very well and it can detect the type of script used.

The software bill of materials helps us understand the industry that we are in and ensures we have a stable solution.

We can easily create a report using a software bill of materials because it has good templates that we can use.

Veracode has improved our organization by allowing us to fix the flows quickly for our clients by making data coding easy.

Veracode provides visibility into all phases of development.

The visibility into our development provides confidence to our DevSecOps that they will be able to deploy on time with no errors.

The false positive rate is good but we require a lot of skills to utilize it properly.

The false positive helps our DevOps troubleshoot every stage of development and increase their efficiency which boosts their confidence.

Veracode has helped our developers save around 20 percent of their time.

It has increased our organization's ability to fix flaws. We can scan code in a video which reduces costs and risk.

Veracode has increased security in our overall security posture because it detects flaws during scans.

We have saved around $500 a month in DevOps with Veracode.

Code scanning is the most valuable feature. 

The templates allow us to create wonderful reports.

The software bill of materials feature helps our supply chain security.

The backend support team of Veracode requires improvement as they are difficult to reach when we encounter issues.

The UI is not user-friendly and can be improved.

The speed of our internet connection affects the scanning process, which may take a considerable amount of time to finish. As a result, this can lead to challenges in planning and reporting, causing confusion.

I have been using the solution for three years.

It is stable.

Veracode is scalable.

The support is slow to respond.

Neutral

The initial setup was straightforward. I deployed the solution myself within three days.

The implementation was completed in-house.

We have seen a 32 percent return on investment with Veracode.

The licensing cost for Veracode is fair.

I give the solution an eight out of ten.

Veracode is user-friendly depending on how we use it. 

We have seven people using the solution.

Veracode does not require any maintenance on our end.

Veracode is a secure, reliable, and sustainable tool that all organizations should use for scanning code.

I use Veracode to ensure the projects I deliver don't have vulnerabilities. 

Veracode provides insight into vulnerabilities at every stage, so your team can progress through the development cycle more efficiently. It improves developer confidence by showing us our capabilities and the potential of our code. 

Our developers improve and become more efficient using Veracode. Once we identify issues in our code, it's much easier to avoid the same mistakes in future projects. It teaches them how to overcome those vulnerabilities and errors while reducing costs.

Veracode saves a lot of time compared to traditional methods for identifying vulnerabilities. We save around $500 a month using Veracode because we don't need to hire experts. 

Veracode has improved our overall security posture. We feel assured that applications we deliver to clients or use internally are highly secure. It has helped us develop strategies to create stable, secure platforms.

I like the static scanning, and Veracode's interface is excellent. The dashboard is easy to navigate. I love the Software Bill of Materials (SBOM) feature because it helps you explore various industries and understand what to do to minimize risks and maintain compliance. It's straightforward and ensures my applications are compliant. 

It's easy to create reports using the SBOM feature because it has templates that you can customize depending on the reporting requirements. It gives me a report of the compliance requirements for any industry. It helps us internally and improves the services we provide to our clients.

Veracode is great for preventing vulnerable code from going into production because it covers various programming languages like JavaScript and PHP. You can be confident that your code is secure no matter which language you use.

Static scanning takes a long time, so you need to patiently wait for the scan to achieve. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings. 

I've used Veracode for three years.

Veracode is stable. I've been working with it for a long time. 

I rate Veracode support 10 out of 10. They're friendly and responsive. 

Positive

Deploying Veracode is straightforward. I did it with one other colleague. 

We can afford Veracode, but it's too expensive for small enterprises. If you're concerned about the price, you should weigh the benefits you can achieve. It has saved us a lot of money on DevOps. We save about $500 a month by not outsourcing this work to experts.  

I rate Veracode eight out of 10.

It's an excellent product for developing a secure platform that will benefit your company and its customers while helping you build a sustainable development team. Before implementing Veracode, you need to prepare and have at least one person who understands how to use the product. 

Veracode helps to prevent vulnerable code from going into production. They are providing remediation support. They provide a specific solution. If a code has any vulnerability, they provide the snippet of that code. They also provide recommendations. Their support team is very active. If you have any concerns related to the vulnerabilities, they schedule a call and resolve your issues. That is very good.

With Veracode, there are fewer false positives as compared to other tools. It provides genuine vulnerabilities. It is also user-friendly. They are not only sticking to SAST testing. They also have pen testing.

The visibility that Veracode provides is good. They provide a proper dashboard for everything. We have visibility into the application status at every phase of development - Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test. I am satisfied with it. We have not integrated it with our DevOps pipeline, but it has all the features for easy integration.

Veracode helps us to fix flaws. They provide very good recommendations. It is very easy for a developer to fix the flaws. They provide a specific solution.

Veracode has helped our developers save time. It has been very useful.

In my experience, Veracode is one of the most powerful tools available in the market from a security perspective. It is a market leader in source code analysis.

I am expecting some AI-related features in it. Also, if someone is using AI-generated code, Veracode should be able to detect that.

I have more than 12 years of experience working with Veracode. 

It is stable. There are no unplanned downtimes. If they are going to have downtime because of maintenance or any other reason, they communicate that to you a week before. They not only inform you by email. They also alert you through their portal.

Their support is good. I would rate them a ten out of ten. 

Positive

I work with almost all the tools available in the market. Its competitors are AppScan and Fortify. Synopsys is also there, and Checkmark is also there.

Veracode is the best tool as of now. That is because of the quality of the product and technical support. Veracode supports all the testing options.

Veracode is a leading tool in the market for code security. It is all about the source code review from a security perspective. It identifies the vulnerabilities in the source code. Apart from this, they also provide services for run-time code. If you have your application in production, it can also find vulnerabilities in that. They also support software composition. If your application is using a third-party library, they can identify the vulnerabilities in that.

It is straightforward. It is easy to deploy because it is a cloud-based service. It does not take long.

They are a mature company. They have already worked a lot on all the things. They keep on coming up with new features. Their R&D team is very good.

The ROI is in terms of time savings and security. If an attack happens because of a vulnerability, it costs a company and impacts its reputation. No one should be compromising on security.

As compared to others, it is a costly solution. It is overpriced, and many organizations with a limited budget cannot afford it. That is why they are going for other tools, but those tools are not that effective. Veracode is better in terms of quality. If you want good service, you have to pay for it.

I am working at a consultancy, and I did a PoC with five or six top tools in the market. I found Veracode to be the best in every aspect.

I am currently looking for some AI-powered tools. I am exploring the AI capabilities of various tools.

Overall, I would rate Veracode a nine out of ten. With AI capabilities, it would be a ten.