
Veracode Software Composition Analysis Pros

Evan Gertis - PeerSpot reviewer
Penetration Tester at NetFoundry
The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting."
Oleksandr Klymenko - PeerSpot reviewer
Development Manager at a tech company with 5,001-10,000 employees
Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. The Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us.
AB
Principal Consultant at a tech services company with 11-50 employees
Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code.
Buyer's Guide
Veracode Software Composition Analysis
July 2022
Learn what your peers think about Veracode Software Composition Analysis. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
621,327 professionals have used our research since 2012.
CD
Vice President QE Practice at a computer software company with 1,001-5,000 employees
We have to look at it from the perspectives of how important it is to fix something and when it should be prioritized for fixing. The JSON output from the agent-based scans gives us the CVSS score, and that makes things much easier.
Fiorina Liberta - PeerSpot reviewer
Principal SRE Engineer at AIA Singapore
The most valuable feature is the security and vulnerability parts of the solution. It shows medium to high vulnerabilities so we can find them, then upgrade our model before it is too late. It is useful because it automates security. Also, it makes things more efficient. So, there is no need for the security team to scan every time. The application team can update it whenever possible in development.
Jagusztin Laszlo - PeerSpot reviewer
Chief Technology Architect at Alerant Zrt.
For use cases where our company buys a product with the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool.
Nagaraj Sheshachalam - PeerSpot reviewer
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees
There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode.
Muhammed Shabreen - PeerSpot reviewer
CTO at RIZEK
It is a good product for creating secure software. The static code analysis is pretty good and useful.
DavidJellison - PeerSpot reviewer
Senior Director, Quality Engineering at a tech services company with 1,001-5,000 employees
The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities.
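The three pros above (vulnerable methods in AB's review, CVSS scores in the agent-based JSON in CD's review, and the dependency graph in DavidJellison's review) describe the same triage workflow: find the library, check whether the vulnerable methods are actually called, trace the nested dependency back to the direct one that pulled it in, then rank by score. The script below is an added example of that workflow and is not code from PeerSpot, the reviewers, or Veracode. The report format, field names ("dependencies", "findings", "called_methods", "vulnerable_methods"), finding IDs and library names are all constructed placeholders for illustration; they are not Veracode's actual JSON schema, and you would need to map real scanner output onto them.

```python
"""Prioritise SCA findings: reachable vulnerable methods first, then CVSS.

Added example. The report layout below is a constructed, simplified format,
NOT the real Veracode SCA JSON schema.
"""
import json
from collections import deque

# Constructed sample report: the direct dependency "web-framework" pulls in two
# nested libraries. Of the three flagged libraries, only one vulnerable method
# ("Parser.parseUnsafe") is actually invoked by first-party code.
SAMPLE_REPORT = json.dumps({
    "dependencies": {
        "app": ["web-framework:3.1.0", "yaml-lib:1.2.0"],
        "web-framework:3.1.0": ["logging-core:2.14.0", "json-core:2.9.0"],
        "yaml-lib:1.2.0": [],
        "logging-core:2.14.0": [],
        "json-core:2.9.0": [],
    },
    "findings": [
        {"id": "finding-1", "library": "logging-core:2.14.0", "cvss": 9.8,
         "vulnerable_methods": ["JndiLookup.lookup"]},
        {"id": "finding-2", "library": "json-core:2.9.0", "cvss": 7.5,
         "vulnerable_methods": ["Parser.parseUnsafe"]},
        {"id": "finding-3", "library": "yaml-lib:1.2.0", "cvss": 5.3,
         "vulnerable_methods": ["Loader.loadAll"]},
    ],
    # Methods the scanner observed being called from first-party code.
    "called_methods": ["Parser.parseUnsafe", "Loader.load"],
})


def load_report(text):
    """Parse the JSON report text into a dict."""
    return json.loads(text)


def dependency_path(graph, root, target):
    """Breadth-first search from root to target in the dependency graph.

    Returns the shortest path as a list (root first), or None if target is not
    reachable. This traces a nested (transitive) library back to the direct
    dependency that introduced it, which is what you must upgrade or exclude.
    """
    if root == target:
        return [root]
    parents = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child in parents:
                continue
            parents[child] = node
            if child == target:
                path = [child]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append(child)
    return None


def prioritize(report, min_cvss=0.0):
    """Return findings ordered for remediation.

    Findings whose vulnerable methods are invoked by first-party code come
    first; within each group, higher CVSS first. Findings scoring below
    min_cvss are dropped, giving developers a view limited to what is relevant.
    """
    called = set(report.get("called_methods", []))
    graph = report["dependencies"]
    rows = []
    for f in report["findings"]:
        if f["cvss"] < min_cvss:
            continue
        used = sorted(set(f["vulnerable_methods"]) & called)
        rows.append({
            "id": f["id"],
            "library": f["library"],
            "cvss": f["cvss"],
            "reachable": bool(used),
            "methods_in_use": used,
            "path": dependency_path(graph, "app", f["library"]),
        })
    # False sorts before True, so reachable findings lead; then CVSS descending.
    rows.sort(key=lambda r: (not r["reachable"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(load_report(SAMPLE_REPORT)):
        flag = "FIX FIRST" if row["reachable"] else "update when convenient"
        print(f'{row["id"]:<10} CVSS {row["cvss"]:<4} {flag:<22} '
              f'via {" -> ".join(row["path"])}')
```

Note the ordering this produces: the 7.5 finding whose method is actually called outranks the 9.8 finding whose vulnerable method is never invoked. That is the point AB makes about prioritising by vulnerable methods rather than by raw severity; the CVSS score only breaks ties within the reachable and unreachable groups.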
TUDOR CALINESCU - PeerSpot reviewer
Security Project Leader at a computer software company with 501-1,000 employees
It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things.

Veracode Software Composition Analysis Cons

Evan Gertis - PeerSpot reviewer
Penetration Tester at NetFoundry
The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way.
Oleksandr Klymenko - PeerSpot reviewer
Development Manager at a tech company with 5,001-10,000 employees
The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it.
AB
Principal Consultant at a tech services company with 11-50 employees
Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of false positives, it would be highly desirable if a false positive did not show up again on the UI, instead of still showing up in every subsequent scan as a false positive. There is a little bit of clutter that could be avoided.
CD
Vice President QE Practice at a computer software company with 1,001-5,000 employees
Veracode doesn't really help you so much when it comes to fixing things. It is able to find our vulnerabilities but the remediation activities it does provide are not a straight out-of-the-box kind of model. We need to work on remediation and not completely rely on Veracode.
Fiorina Liberta - PeerSpot reviewer
Principal SRE Engineer at AIA Singapore
It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline.
Jagusztin Laszlo - PeerSpot reviewer
Chief Technology Architect at Alerant Zrt.
There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow... Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it.
Nagaraj Sheshachalam - PeerSpot reviewer
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees
The scanning could be improved, because some scans take a bit of time.
Muhammed Shabreen - PeerSpot reviewer
CTO at RIZEK
From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front.
DavidJellison - PeerSpot reviewer
Senior Director, Quality Engineering at a tech services company with 1,001-5,000 employees
Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues.
TUDOR CALINESCU - PeerSpot reviewer
Security Project Leader at a computer software company with 501-1,000 employees
It's problematic if you want to integrate it with your pipelines because the documentation is not so well written and it's full of typos. It is not presented in a structured way. It does not say, "If you want to achieve this particular thing, you have to do steps 1, 2, and 3." Instead, it contains bits of information in different parts, and you have to read everything and then understand the big picture.