Veracode Reviews

We use Veracode for static code analysis scans for our clients.

Veracode is deployed both on the cloud and on-premises.

Veracode helps prevent vulnerable code from being deployed into production by identifying problematic code. It enables us to send a report to the application developer, allowing them to address the vulnerabilities based on their criticality level. The developers are given six months to address medium-level issues and three months for critical ones. If the criteria are not mapped with the higher critical alerts present in those applications, we can enforce the build field and proceed without deploying it into production.

Veracode has helped improve our customers' organizations through the scanning taskbar, which identifies vulnerabilities in code. We have worked with ten clients, all of whom used Veracode to identify vulnerable code early in the development stage and resolve the issues. Additionally, Veracode offers Greenlight ID, which developers can integrate into their development process, providing clarity during the development phase. Veracode can also generate reports that developers can resolve, facilitating the quick resolution of security concerns.

The policy reporting for ensuring compliance with industry standards is excellent. The report helps us maintain our compliance.

It offers visibility into the application's status at every phase of development, including static analysis, dynamic analysis, composition analysis, and manual penetration testing throughout the Software Development Life Cycle.

Visibility aids the DevSecOps process by offering a clear framework for all involved departments, including the steps for handling severities.

Veracode assists our clients in addressing flaws by simplifying the process. The security team can review the code, approve or reject it, and developers can utilize the reports to promptly rectify the flaws.

It assists developers in saving approximately 20 percent of their time, primarily in the static part, as they no longer need to review all the code. Regarding the dynamic part, Veracode scans all the URLs, eliminating the necessity for developers to use additional tools. For third-party dependencies, developers depend on the reports and the Greenlight ID plug-in to streamline their workflow and save time.

Our clients depend on Veracode to improve their security stance.  

The CI/CD integration is the most valuable feature of Veracode. This feature is not present in other solutions.

The analytics dashboard is not user-friendly and can be improved to assist us with the application size and enable modifications, whether for static or dynamic scans. This is currently missing in Veracode.

Veracode needs to improve its integration with other tools.

We have requested an enhancement for Veracode because it does not support scanning the static and dynamic elements of code created by MuleSoft. Furthermore, it does not support these aspects for the new generation of applications and we have to use other tools.

I have been using Veracode for over seven years.

If there is an issue, I am unable to access all the logs due to insufficient permissions, which causes delays.

Veracode is scalable. To increase the scale, we simply need to increase the number of licenses.

The technical support team's response time is inadequate. Typically, they fail to provide assistance beyond the initial call due to the limited knowledge and inability of the first-level support to resolve issues effectively. I have been dealing with a single issue for three weeks without any resolution.

The vendor handles the deployment, and we simply need to install the ISM agents on our network. The deployment time depends on the size of the application. Large applications may take up to five days to scan, but on average, it takes one or two days.

The pricing depends on the functionality each client desires. For example, one of our clients only wishes to scan two applications, so they pay for that specific service in addition to our organization's third-party access to their system.

I give Veracode an eight out of ten.

20 to 30 percent of the false positive rates are vulnerabilities. Sometimes, almost 50 percent of the reports are false positives, which affects the time spent on tuning policies.

The false positives increase the amount of time our developers need to spend investigating the reports. 

Veracode offers static analysis, dynamic analysis, and composition analysis all in one place.

We are a team of five individuals who assist in deploying and managing Veracode, along with handling other tasks.

Our client base varies depending on their budgets, but we serve a large number of organizations in the financial industry.

I recommend Veracode. The solution is on par with the others, and organizations can read the reviews and run some tests before making a purchase.

We primarily use Veracode for static code analysis.

Veracode detects vulnerabilities. The most essential part is Veracode's PCI compliance policies. We need to make sure our code is compliant. Veracode's policy reporting features are effective at ensuring compliance with industry standards and regulations. The policy has changed here, but that functionality works quite well. It provides visibility to application status at every development stage. 

The solution helped us find and fix flaws. It ultimately saves us some time, but we still spend a long time sorting through the false positives. Every report generates a number of issues, some of which are valid. Others are mitigated by application design or network devices. Veracode improved our security overall. There is no doubt about that. 

The CSA vulnerability scanning is useful. 

The dynamic scanning feature appears to be working, however, 90%-95% of all vulnerabilities could be easily detected by any web browser.

When it comes to dynamic scanning Veracode needs to improve its functionality.

They claim that we can do this, but it doesn't work when we're scanning the applications in real time.  

Static code analysis generates too many false positives, so it takes a lot of time to review them all. The security and development teams need to work together to mitigate the false positives. It doesn't affect the developers' confidence in the solution. It still works, but it takes time. It has a significant impact on the process. 

I have been using Veracode for five or six years.

I rate Veracode support a seven out of ten. We have weekly meetings with the support representatives to discuss any issues with the tool. It's pretty good.

Neutral

I rate Veracode a five out of ten. 

We use Veracode to scan our code before release. The scan ensures our projects will have no issues. We only use Veracode for customer-facing and revenue-generating web applications. 

Application security is paramount. It's essential to check any extended web applications we are using. Veracode enables us to check integrated segments that are based on other websites. We can also perform a light scan on some of the smaller customer-facing web applications.  

Veracode provides visibility into application status, but we do not use it during every development phase. We only use Veracode before the code goes into production. It improves our DevSecOps. We use an agile process, so we have less time to fix issues when we discover vulnerabilities. Veracode helps us fix many critical issues but only if it is compatible with all the technologies. 

It helps if the products you use are from preferred vendors like Salesforce. If your tools are incompatible, you might get some false positives. You can still use products that aren't from preferred vendors, but if you use tools like Salesforce, etc., it will automatically recognize and ignore these issues. It cuts down on the time we spend investigating. 

The overall false positive rate is good. It is about 70-80 percent accurate. In some stages, we have to let issues go and defer the fix until another time. We might wait to release a patch later. 

Veracode adds value when we run it in an integrated environment where all the core systems are similar to our production environment. It adds value to the developers in the final stages of testing or the QA environment. We can use it for functional or system testing. That is where it adds value for the developers by enabling them to fix many of the issues. Nothing flows into the queue box. We can say it has been effective if it's up to 70 percent, but if we consider the environmental constraints, it's around 30 to 40 percent. 

It adds daily value by improving the security posture of our customer-facing web applications. A developer could make a mistake not caught in the QA process. 

I like Veracode's ease of integration with various cloud platforms and tools. 

I'm also a cybersecurity expert. In addition to vulnerabilities, I am looking at this from a holistic cybersecurity perspective. Bringing Veracode in line with the latest vulnerabilities would add value. We see APT issues often, and some processes could be left vulnerable if our tool cannot cope with them. It would improve Veracode to bring it up to date with current threats that the cybersecurity industry highlights.

I would also like Veracode to offer training and certifications that users can do on their own time. It would encourage people to build skills that they could reuse across the board. Many other software publishers offer this. It helps build a user base and generate interest. Training is an excellent way to market your product. It would also be helpful to build a user community online to create a knowledge base of expert users who can answer questions and advise Veracode on ways to improve the product.

We been using Veracode for five or six years. 

SonarQube is another solution we've used. SonarQube has some limitations, and we feel like it isn't keeping pace with the technology landscape. We had to reconsider our tool, which led us to adopt Veracode.

We had some challenges initially, but I think that was due to a lack of training. After deployment, Veracode doesn't require much maintenance. 

Veracode's price is reasonable because of the value it offers. If you don't catch bad code before it goes into production, you have to spend money to rework it, and a security failure in your product can cost your company. We think it's worth what we pay.

It would be nice if Veracode were bundled with some preferred vendors like Salesforce and offered at a discount.

I rate Veracode a nine out of ten.

We use Veracode for application scanning.

Veracode is able to prevent vulnerable code from going into production.

Veracode has helped us to identify the vulnerable code in our applications before we put them into production.

The solution allows us to ensure compliance with standards and regulations.

Veracode provides visibility into the application status at every phase of development which makes it easier for our DevSecOps to do their jobs.

I give a nine out of ten for Veracode's ability to identify false positives. The false positive rate has increased our developer's confidence.

Veracode has enhanced our capability to address flaws by identifying bugs that may not have been detected through static analysis data.

Veracode has had a positive impact on our organization by providing us with greater insight into our data.

Veracode helps our developers save approximately ten percent of their time by detecting code issues and enabling them to promptly fix bugs before releasing the information into production.

Veracode helps secure our private data which improves our overall security posture.

Being able to scan our applications and identify all codes and defects is an extremely valuable feature.

Scanning large amounts of code can be a time-consuming process and there is scope for improvement.

I have been using the solution for nine months.

Veracode is stable.

Veracode is scalable. We have between 300 to 500 users.

The technical support is responsive.

Positive

We previously used some open source solutions and the management teams decided to switch over to Veracode.

I give the solution an eight out of ten.

We have Veracode deployed in multiple locations.

Maintenance is only required when updating the solution.

You should evaluate multiple solutions, but I suggest considering Veracode if it aligns with the organization's requirements.

Our primary uses are for reviews of our code and overall software environment, bug fixes, and detection of security flaws.  

We use the solution across multiple locations and regions, including Asia Pacific, EMEA, and North America. Our user base consists of 5200 individuals. 

The solution has given us real results when it comes to improving our overall security posture; it provides the best security and reports, indicates any flaws that may be present, and allows us to take steps to rectify them. The tool is now a part of our DevSecOps, and we truly rely on it.  

Regarding our ability to fix flaws, Veracode is very helpful; it provides a sense of confidence to our developers and a summary of reports that we can share with stakeholders such as our clients and senior management. The solution identifies security loopholes and gives us detailed feedback reports, allowing us to take action to remedy our security vulnerabilities. 

Veracode helped our developers save time; two or three development team members were previously dedicated to code security. By automating this task using the solution, those developers can reallocate their time to core software development, which is an excellent result. The time saved is in the region of 25%.   

Static Analysis' false positive rate positively affected time and costs related to tuning, leveraging data, and machine learning. Tuning data is essential as it gives us update optimization within our database, which is helpful for any organization. Veracode is the industry leader in being a one-stop shop security solution; it takes care of every aspect.  

The user interface is excellent, the code review process is quick and provides great analytics to understand our code better, and the SAST scan is high-speed.

Veracode is excellent at preventing vulnerable code from going into production; the scans are speedy and give us a detailed analysis of our code. 

We use the Software Bill of Materials feature; it's essential and advantageous. We can't do a bill of materials manually, so it's excellent that Veracode provides this. SBOM helps us manage our risks, as every company has software that needs to be run appropriately throughout the user and client base. It's necessary to have a security audit or security compliance in such applications, and Veracode enables this functionality so we can easily identify security flaws and take measurable action.

Creating a report using the SBOM feature is straightforward, and it's important to our organization because it provides a return on our investment. Previously, we sometimes required a third-party resource to create reports, but with Veracode, it's easier to take care of that on our end.  

The solution's policy reporting allows us to set our standards, group policies, and regulations, so ensuring code compliance is part of its analysis. Veracode notifies us if any flaws are detected, allowing us to take action to correct them.  

The solution provides visibility into application status at every development phase throughout the SDLC; we can use Veracode during the development, design, testing, and implementation phases. We can easily analyze our code before commencing large production deployments and fix any issues.   

Sometimes we get a lot of false positives even after configuring our policies, so that could be improved.

There is an issue where the UI occasionally breaks in between uses of the application, which can be improved. The UI could also be more catchy for the benefit of the less technical users. 

It would be good if the configuration of dynamic scanning could be less complex.

We've been using the solution for over three years. 

The solution is stable. It wasn't before, as different organizations required new group policies and configurations. The product has yet to mature fully but has developed enough to adopt a stable position in the market.

The solution is as scalable as required, but we must pay for that. 

The technical support is good; I rate them nine out of ten.

Positive

We previously used some open-source software, but our developers generally manually performed code-checking. Our requirement is for a solution that takes care of our software code and security throughout the SDLC. Following evaluation, we found Veracode more useful in terms of licensing, pricing, and features.

The initial setup was straightforward; it took seven to ten days, including gathering all requirements, overall deployment, and the final implementation. The deployment team consisted of four to five members. 

The product doesn't require any maintenance; operations and support are primarily handled by Veracode, as it's a fully managed service. 

We have seen an ROI with Veracode regarding time, money, and overall organization reports. Our ROI is in the region of 25-30%.

The solution reduced the cost of our DevSecOps by lowering the headcount for those previously dedicated to security throughout the SDLC. They can now spend more time improving their code base and focusing on development.  

The pricing and licensing are reasonable, and relatively straightforward, and different licensing and subscription models are available.

To someone considering Veracode but concerned about the price, it can be a challenge for small and mid-sized organizations, but it's a good choice for larger enterprises. If security is a primary concern for any organization, they should consider Veracode; they won't be disappointed.  

We evaluated GitLab, Micro Focus, and SonarQube. 

I rate the solution nine out of ten. 

Regarding the tool's false positive rate, the analysis is good but can be affected by data and code not supported by Veracode. In these cases, we can experience some challenges, but other than that, the false positive reporting is good. In cases of unsupported code, developer confidence can be affected, as we know there may be some flaws we can't control. If they are minor enough, we can ignore them.

I advise others considering the product to go with it if it fulfills their requirements. Veracode is a tested name in the market for application security and detecting flawed code. They should evaluate other options if they fit the needs better, but I highly recommend Veracode.

We use Veracode for static code analysis, dynamic code analysis, and software composition analysis. In our organization, we have a bunch of applications that are running on a monorepo or microservice level. We have to do SAST on those applications so that we have a code review done on a bit level. 

Going forward through the application pipeline, we do it on the dynamic level, as well, where we are scanning the public URLs of those applications to see what people can see externally. It's a type of out-to-in scanning in which we are analyzing the traffic that is sent out and even the traffic that is coming in, the response and request headers of the URLs, whenever someone is at a single URL. 

Finally, for the software composition, Veracode uses a third-party analysis tool in which it has the libraries and the functions that are being used at a source code level. They are open source or dependent files that are used for building that in-house application.

As a company, we have moved from using contractors and third-party consulting companies to creating our software through more of an in-house model. We are moving more into the DevOps realm with more of our own teams developing our software. Veracode fits that DevSecOps ideology. It is definitely helping us build more secure software than we previously had.

We have a bunch of applications into which we have integrated Veracode and we have seen that, in the final phase of production delivery, there are fewer vulnerabilities than we used to have.

And because Veracode has remediation and tracking within the platform, it becomes a good single pane of glass where the developers and the security professionals can operate and govern the flaws in the software. And they can take the necessary steps to remediate them.

In the metrics that we generate every month, we have seen the numbers go up with respect to remediation as well as the number of flaws that we catch. The word is spreading, and more and more application teams are using the static code analysis tool inside their pipelines. Overall, we are moving from reactive mode to proactive mode in remediating vulnerabilities through Veracode.

Veracode also helps our developers save time, in the big picture, compared to a situation without Veracode. Let's say there is an application on which no static analysis was done and the audit team says, "Hey, you don't have any static code analysis in your pipelines. You need to do something about that." They could scan the code that is already running in production and find flaws, but those flaws would take a lot more effort, time, and resources to mitigate compared to if they had been detected in a static analysis prior to the code going into production. In that way, it has definitely saved time. But if we are talking about short-term planning for sprints, it takes a little more time than usual because security is coming into the picture, as well. But overall, it helps save time.

Our security posture has gotten better since 2020. It takes time to do the integration of the platform and educate people about how to use Veracode, and then move on to remediating and validating things. But the journey that we had with Veracode has definitely helped us a lot, overall, with respect to bettering our security posture.

The static analysis is the most valuable aspect for us.

It also has the ability to block a build. In pipeline scanning, there is a configuration that can be set with respect to the security level of the flaw. If there is a high or a critical issue, there's a way the build can be failed and blocked before going into production. But the best case that I have found for blocking builds is in the staging area. You don't really want any blocking done on the production environment because there are business SLAs that the enterprise has to fulfill. The best case would be blocking the builds in the staging phase, the pre-production environment, so that everything is taken care of before it is pushed to production.

There are three integration points for Veracode. One is the IDE plugin. Whenever a developer is writing code on their IDE platform plugin for Veracode—whether IntelliJ or Visual Studio, et cetera—it tells them if that piece of code has any vulnerabilities and if there is a better way to write the code.

The next point is the pipeline integration in which, whenever a build is getting pushed from a standalone branch to the main branch, a scan is done on that commit to see if there are any vulnerabilities.

Finally, when the build is published with the whole module, it can do another scan, as well. These three scans have their own pros and cons. The policy scan, which is a build scan, does the scanning on an overall basis with regard to the different standards out there, like OS and Spin5. It scans the first-party and third-party code, which is the most holistic scan that there can be. But the point is that it scans at three different integration points or stages, so it helps developers to remediate their vulnerabilities before they have moved far in the pipeline. Shift-left is definitely possible through Veracode.

Veracode's false positive rate is a little toward the higher side. We understand that Veracode doesn't have the business context. I advocate that people look at their code, even though there is a vulnerability, to see exactly what it is. For example, a randomize function is being used to create an ID that is not being hashed. Veracode marks it as a false positive because it doesn't know if the ID is being used for cookie generation or some random ID in the log generator. We, as dev or sec people, have to go in there and analyze what the ID is being used for. But the false positive rate is definitely a little bit on the higher side.

The effect of the false positive rate on developers' confidence in the solution depends on the maturity level of that particular application team with respect to learning Veracode. In the initial stages, obviously, when developers see that, whenever they're writing code or pushing a build, there are a bunch of vulnerabilities, it may affect their confidence. But a couple of months or a couple of quarters down the line, when those same developers have already used Veracode and have raised their maturity level from one to at least three, it doesn't really affect them because they know that they have to go in there and check the vulnerabilities for themselves to determine if it's a false positive or a real vulnerability.

It has definitely taken a little more time to validate the false positives, but I would say there are a lot of true positives, as well, which have been remediated and which have been mitigated for the betterment of the security posture. But it has definitely taken a little more time to mark or validate those positives. Hence, I definitely advocate that people shift a little more to the left. They should do ID and pipeline scanning before they hit policy scanning because, with ID and pipeline scanning, you scan small chunks of code. You remediate that code faster, before it goes to the whole package and there's a bunch that you have to deal with.

Also, container security is slowly becoming a prevalent part of the development realm. Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part.

In addition, there is a new concept out there, the IAST, which is interactive assessment security testing. It is a little more proactive than SAST. So if Veracode can combine that feature with their current technology, they would definitely be a front-runner again for the next five to six years.

I've been using Veracode for the last three and a half years.

Once or twice a month there is maintenance on the Veracode side because they're updating some signature in their database or something else. I have seen maintenance coming up, but it's not an issue because the pipelines and integrations that we are running keep on running in the background. It's just the GUI that we are not able to access at that particular time.

It's pretty scalable if our enterprise has the licenses for scaling the applications. I haven't faced any issues with regard to scalability, apart from licensing, of course.

We have contacted Veracode's tech support a bunch of times. The only downside is the time needed to schedule a consultation call with the pro services team, keeping in mind that enterprises need to buy pro services licenses before they can use it.

When someone is scheduling a meeting with them, the issue type should be as precise as possible. In that way, they can rope in the exact SME for that particular topic, because in the development realm there are so many languages and so many types of issues out there. There are different personnel for each of those categories. So the more precise the details are for the meeting, the better the SME will be for that particular consultation.

Positive

We have only used Veracode, right from the start.

The initial setup was pretty straightforward. They have a SaaS solution and there are a bunch of API integrations that made it pretty straightforward.

As for maintenance, all the upgrades and updates are done on Veracode's side. But there is a wrapper. When we are doing the integration, there is a package that we use to upload the files in Veracode. Sometimes there is a new release for that package and we have to update it in the GitLab repo. That's the only maintenance we need to do.

They have made it worth the price with the kind of discount and the kinds of modifications they made for us with regard to licensing. Previously, it was per profile. But they have adjusted according to our requirements because we are a big company and we handle a lot of applications. There's a tiered discount that they have provided us, so the cost is justified.

If someone looking at Veracode is concerned about the price, it depends on their requirements. I wouldn't really recommend Veracode for a small firm, because it might be a little pricey for them. But for a large organization, with more than 1,000 applications in the enterprise, there are tiered levels of pricing. Obviously, there are other cutting-edge solutions that have become available recently, but Veracode is something that a big organization should look at.

When it comes to managing risks, we use the remediation feature that Veracode has. Whenever there is a flaw, we do have tickets open up for it and the application owner or the developer goes through the vulnerabilities. There are times when the vulnerability is a false positive and you can mark it as such within the Veracode platform itself. And we, as security professionals, do the validation for whether the business justification is good or not. And we either have a source code review for the vulnerability or have an exception open up for the remediation step that the application or the owner is asking for. We do risks via the platform, as well as through the ticketing tool that we use.

We are also using SBOM (Software Bill of Materials) for inventing all the different kinds of modules and libraries that we are using for an application. Using the SBOM feature, you would have to leverage the API to get the inventory from the API calls that Veracode has. But in our organization, we use the GUI report generation more than the SBOM report because there is an executive summary in the GUI report with regard to first-party and third-party flaws. It also has the mitigation steps. SBOM would only give you the list of softwares, libraries, and versions that are being used. It is not as detailed as the GUI report that Veracode provides.

Things to consider when looking at Veracode include the different integration points where you want to integrate Veracode, how big your organization is, and how many applications you want to do security analysis on. If it's a big organization, Veracode is obviously a solution to evaluate, but for a small organization, below 500 apps, it might be a little pricey. Also, you will need a couple of Veracode champions on your team who know it inside out. You will need training provided by Veracode, so make sure that is included during the procurement stage. That will help you implement the tool within your organization faster and much more efficiently.

I would have given Veracode a nine out of 10 a couple of years back, but given the tools that are coming out on the market, and the scope of development, which is increasing, I would place it at eight.

We use it primarily for our application security concerns. We use the dynamic, static, and SCA scanning tools. We run our static scans after the code is compiled, and that gets uploaded automatically through our DevOps tool. We have installed an agent in one of our cloud servers that is behind a firewall to run the dynamic scan against the runtime. We run our SCA scans when we do the static scans, which is after compilation.

Prior to using Veracode, we hadn't really looked into security features or thought about security in the same way that we have since we started using Veracode. We were focused on what you hear about in the news, such as making sure that it is HTTPS secured. We hadn't really dug into the nitty gritty of application security and scanning our source code, running it against a runtime environment, and looking at the actual third-party solutions that we integrate or use in our code. Veracode has helped with our mindset as an organization to start thinking about things more securely by design rather than as a reactive measure. We're being more proactive with security.

Veracode's integration with our continuous integration solution is what I've found to be the most valuable feature. It is easy to connect the two and to run scans in an automated way without needing as much manual intervention.

We feel very confident about Veracode's ability to prevent vulnerable code from going into production. Having the stamp of approval helps not only from a marketability standpoint but also from an overall good feeling within the organization that we're doing our part to help keep our code free from vulnerabilities.

This solution provides visibility into application status at every phase of development. It goes from compiling the code all the way to running it in production. It covers all major aspects of the SDLC. We run static scans and SCA scans early on in the process to make sure that we catch any code that is insecure by design. If we are able to catch it earlier on, before it's actually out in the production environment, it reduces costs. The dynamic scans are run further along in our QA process. That is, once we've deployed the code and have it in a runtime environment, we run weekly scans in a dynamic environment against the code runtime to make sure that there aren't any new vulnerabilities that got introduced. We are looking at doing manual penetration testing in 2023, where we would be using a spinoff of the code that was released to the customers to make sure that there aren't any holes through which a nefarious actor could get in and exploit what was built.

Veracode's false-positive rate is low. The few instances when it looked like there were false positives, the issues were found to be either true vulnerabilities or things that were that way by design. If a developer thought that there would be a ton of false positives when using the tool, it would then diminish the value of actually using the tool. Veracode touts itself as being a tool with the lowest false-positive rate in the market. It gives inherent confidence in the tool itself, and developers are more inclined to think that if it found something, it's pretty likely that it is not a false positive. They would then work to prove it wrong rather than discounting it without even looking into it.

We haven't really found many false positives with static analysis, and there hasn't been a significant impact on our time and cost related to tuning, leveraging data, and machine learning.

Continuous integration linking definitely saves a lot of time because it takes away the step where a developer needs to manually upload the code every time to do a scan. It can run in the background, and having the Visual Studio plugin includes it directly in the development environment. If developers do get assigned a bug that they need to fix, they can pull it right up in their development environment and not have to log in to the portal. It will all be right there.

I'm primarily the one who has been involved in DevSecOps, and Veracode has definitely reduced my time. If we had gone with a conglomeration of open-source tools, it would've taken me a ton more time. Whereas with Veracode, all the documentation is out there, and I'm able to integrate everything that I need from a usability standpoint. I don't have to learn a new tool every time I need to integrate a new security scanning option. It has helped me tremendously and has saved me a lot of time.

I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning.

If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously.

I've been using Veracode for a little over a year now.

I haven't had any stability issues, bugs, or glitches.

The scalability is really good. I recently added to the solution some new applications that I learned about late in the game. There were probably 10 that I had to add in rapid succession and scan as well. It was very quick and painless.

Veracode's technical support is very responsive, and I've heard back within 24 hours regarding a couple of issues I've entered. We have actual consulting calls, which are a scheduled event, and I like the way they handle those as well. I have nothing but good things to say about them and give them a rating of ten out of ten.

Positive

I was involved with the initial setup of Veracode, and it was straightforward. We had a third-party vendor who was evaluating it, so a little bit of the setup was done. However, adding a new application to the tool is easy and self-explanatory. It doesn't take much time at all, and the documentation is out there if we need to look up anything.

We implemented it with the help of a third-party vendor. They had two people on their team who were working on the deployment along with me. My responsibilities included adding all of our software to the tool to run scans against it, integrating it with our DevOps solution, discussing the tool itself with internal stakeholders as to how they can use it and showing programmers how to use the tool from an internal adoption standpoint.

I know that Veracode is a semi-pricey solution. If you are serious about security, I would recommend that you use an open-source option to learn how the scanning process works and then look into Veracode if you want to really step up your game and have an all-in-one solution.

We evaluated a couple of open-source tools such as Snyk and SonarQube against Veracode with the help of a third-party vendor. We didn't use any of those and landed on Veracode because of the Veracode Verified seal. This, along with Veracode being the market leader, gave Veracode an edge over the others.

The main difference between Veracode and the solutions we evaluated is that Veracode is an all-in-one solution. Though an open-source solution would've been more cost-effective, we would've had to use a bunch of different tools. It would have required more knowledge to do the integration piece and would've taken a lot more time and effort. There would have been invisible costs associated with it just by the virtue of time. In comparison, Veracode's dynamic scan, static scan, and software composition analysis are all in one place.

My advice would be to look at the open source tools out there and see how far along you are in your security journey and what your needs are. If you're looking for the best in the market, Veracode is a great option, as far as paid solutions go, because it's a one-stop shop. If you have more time at your disposal and you don't mind integrating some solutions, then I'd recommend an open-source tool. However, if you have the resources, I would definitely recommend going for Veracode.

On a scale from one to ten, I would rate Veracode at nine.

We use Veracode for dynamic, static, and software composition scanning. Veracode is a SaaS solution.

Veracode has exposed many flaws, and the Security Labs have helped train the team to understand security and fix flaws. You don't know what you don't know. They've shown us what we don't know so we can identify and fix our security issues.

Veracode effectively prevented vulnerable code from going into production. I have a hard time validating that assumption, but I think it's good at that. It seems like it does a lot in terms of compliance with industry standards and regulations. 

We've requested some features for fine-tuning the ability to craft the policy and what can break a build. It was disappointing that they didn't add that. However, we've used the policy features and were able to report on it, so we were pleased with that. It can create custom dashboards and see which applications are breaking a policy. We get a lot of metrics on those scans. 

We have Veracode built into our software delivery pipeline. Automation was our objective when we started evaluating Veracode. We have a high degree of automation in our regular scanning. Every day we do software composition scanning and static analysis, and we do weekly scans using aerodynamic analysis.

The automation features have saved us tons of time because we don't have to worry about whether it is getting done. Tackling security requires a massive time investment. The value we get from it is that our apps are more secure.
Veracode has raised our leadership's security awareness. This tool has generated more conversations around security and ways we can protect our software.

Veracode Security Labs are fantastic. My team loves getting the hands-on experience of putting in a flaw and fixing it. It's interactive. We've gotten decent support from the sales and software engineers, so the initial support was excellent. They scheduled a consultation call to dive deep and discuss why we see these findings and codes. That was incredibly helpful.

Veracode's static and software composition scanning has been most beneficial for us. We already use a competing product for dynamic scanning. 

Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in.

I've been harping on it for the last two years. They try to compensate for that by building a relationship with staff. We keep asking questions we wouldn't have to ask if they had a better user interface. They would save their staff time and save us a lot of hassle. 

They claim to have the best false positive rate. It's hard to judge, but we've had several false positives, and the solution's inability to resolve them has been incredibly frustrating. The ability to schedule a consultation to talk through what's going on has been helpful. Still, I'd like to see the capability to act on false positives and resolve them in the application instead of us marking things as false positives. That's where they need to improve.

It has occupied my team's time because they're escalating the issue from support to engineering. They've been consulting my developers. They raise issues but don't spend time duplicating the issue. They close tickets saying it's not a problem or misunderstand what's being requested. They need to mature in that area a lot.

I've been using Veracode for about two years now.

I have some concerns about the leadership. This is only speculation, but I believe some leadership decisions have created a ton of turnover at Veracode. The solution was sold to another company, impacting us because we constantly get new contacts to work with, so we always have to ramp them up to speed. They're not necessarily as skilled as the prior contacts we've had. 

Is Veracode taking care of their staff? Are they keeping the people they need to support their customers? There have been months when I just had turnover fatigue from Veracode because we're constantly getting new contacts to work with. One thing that sets them apart is that we have a direct contact we can go to when we need an issue escalated or we need help understanding how something works.

I don't have any concerns about scalability.

I rate Veracode support two out of 10. When I raise issues, I expect support to bend over backward and be grateful that we're pointing out problems in their system. They should work to understand what we're talking about and reach out to us. 

I expect to meet with them, and I've never had a meeting with them to talk through issues. That's not how they work. Also, I feel like their staff isn't very skilled. They don't understand things and insult my developers. The support is terrible, but other Veracode staff has been exceptional. We always have to lean on our customer support contacts to determine why a ticket was closed. What's going on here? Can you escalate this? We're not getting any traction on that. 

Negative

I previously used Qualys. It had terrible support and wasn't supported well enough at the university. Also, Qualys is not a full-app security solution. It only did dynamic scanning and lacked the flexibility we needed.

Setting up Veracode takes some effort. Their web interface isn't too intuitive. It's also slow, which poses a challenge when setting it up. Veracode provided some help getting it running. 

We did it ourselves with help from Veracode. If I had to do it again, I would do it all ourselves, too, because we got the support we needed from Veracode and didn't require a consultant's extra expertise. Veracode was that expertise. 

After deployment, Veracode requires routine maintenance. Their platform is down sometimes. Our nightly builds occasionally get stuck, and we must reach out to them. There is scheduled maintenance and dealing with issues as they come. I don't know if you necessarily call that maintenance, but it's time-consuming.

It's hard to quantify ROI on security. It makes us feel better. We have all this scanning, and we're identifying where we are vulnerable. If it prevents exposure, it saves us millions of dollars. There's potentially a considerable ROI, but it's speculative at this point.

The cost has been a barrier to broader use here. I think my team is the only one at the university. Other folks might like to use it, but it's pretty pricey. You could see what else is in the market, but I hear that's the price for most solutions. You might not find a better deal in the market, or it might be an incomplete solution. For the level of interaction we get with Veracode staff, it's been pretty good.

Right now, we've had a little more interaction with Veracode staff because they want to sell to the rest of the university. So they've been willing to meet with us frequently, answer questions, and get on support for issues that get closed when they shouldn't be closed.

I rate Veracode seven out of 10 because I have a beef about their support. Their turnover is impacting us, and we have concerns about how they treat their staff. We love Security Labs. We like the dashboards and reporting. I feel like Veracode wants to see us succeed on their platform, which goes a long way. They want to help us meet the goals set when we started using this product. That's a value add they provide. They do a great job finding security flaws.

At the same time, we have issues with support, platform usability, and performance. If I met a prospective Veracode user, I would point out those issues but also mention our positive experience with the solution engineer and sales staff. They've been accommodating and always willing to work with us.