Veracode Overview

Veracode is the #1 ranked solution in AST tools and the #2 ranked solution in application security solutions. PeerSpot users give Veracode an average rating of 8.0 out of 10. Veracode is most commonly compared to SonarQube: Veracode vs SonarQube. Veracode is popular among the large enterprise segment, accounting for 70% of users researching this solution on PeerSpot. The top industry researching this solution is computer software companies, whose professionals account for 26% of all views.

What is Veracode?

Veracode covers all your application security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premises solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline and empowers developers to find and fix security defects.

Veracode Customers

State of Missouri, Rekner

Archived Veracode Reviews (more than two years old)

reviewer1360617 - PeerSpot reviewer
Sr. Security Architect at a financial services firm with 10,001+ employees
Real User
Gave us much higher quality dynamic scanning with very few false positives and a robust static scanning solution
Pros and Cons
  • "Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
  • "One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."

What is our primary use case?

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

How has it helped my organization?

Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.

Our Veracode license includes a "people component" that allows developers to request an in-person session to be scheduled to review a defect. This has helped our application security personnel pool to free up time for other pursuits. I'm not sure if this is included in all licenses or is an add-on.

What is most valuable?

Being cloud-based is a huge plus. All of our scans are always using up-to-date scan signatures and rules, and there is nothing for us to maintain. Veracode has been spot-on with notifying about planned downtimes for maintenance and upgrades. In my years of using the product, unplanned downtimes have been minimal (in fact I can't remember one).

The API integration that allows integration with other tools, such as defect trackers and automated build tools, is also a benefit. We also like the integrated, available "in-person" support sessions to review and ask questions on discovered defects.

What needs improvement?

We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen. This ended up being relatively minor.

One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive.

Separately, I find the results console somewhat confusing. When you are running multiple scan types for the same application, I've sometimes found it difficult to sort out where issues came from when I need that information.

For how long have I used the solution?

We have been using Veracode for over four years.

What do I think about the stability of the solution?

Our solution is highly stable with minimal downtimes. (In fact I don't recall the last time there was an unplanned Veracode cloud outage that impacted us.) We previously had occasional issues with the scan appliance model, but the relatively recent switch to the ISM model has been much more stable.

What do I think about the scalability of the solution?

Given that it is cloud-based, coupled with their newer app-based internal scan model, we are pleased with the scalability and have not experienced any issues with scale.

How are customer service and support?

As mentioned in prior comments, Veracode is simply put our best vendor in terms of relationship, value-add, and customer service/technical support. We get responsive answers from support, and their support resources clearly understand the product, and issues are resolved quickly.

Which solution did I use previously and why did I switch?

Yes. We used a legacy, heavyweight dynamic scanning product. It would produce hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune. We also didn't have a static scanning product. Moving to Veracode gave us much higher quality dynamic scanning with very few false positives (in part due to their model of human-assisted tuning, provided by them) and a robust static scanning solution.

How was the initial setup?

The setup was easy and straightforward. We had some issues with API calls from our build automation tools, but this was related to networking issues in reaching the Veracode servers on the Internet, not the Veracode product itself.

What about the implementation team?

We implemented with all in-house resources.

What was our ROI?

We achieve greatly improved security and earlier detection of security defects in the lifecycle, as well as neatly meeting compliance requirements.

What's my experience with pricing, setup cost, and licensing?

For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.

Which other solutions did I evaluate?

Checkmarx and SonarQube.

What other advice do I have?

Of all the tool vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1359297 - PeerSpot reviewer
Software Engineer at a financial services firm with 501-1,000 employees
Real User
Source composition analysis component gives our developers comfort in using new libraries
Pros and Cons
  • "The source composition analysis component is great because it gives our developers some comfort in using new libraries."
  • "I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan."

What is our primary use case?

This was intended to scan all of our custom development efforts to ensure a certain level of (secure) code quality. Right now the scope of that effort is limited to web exposed systems but with maturity, we hope to increase that scope.

How has it helped my organization?

The Veracode platform probably hasn't improved our organization overall, although through no fault of theirs. Veracode is just one more tool that generates work for our developers.

What is most valuable?

The source composition analysis component is great because it gives our developers some comfort in using new libraries.

What needs improvement?

I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan. For instance, we have CI scans that run automatically, and sometimes the files don't get uploaded and/or processed by Veracode. Now, there's a static scan that hasn't been completed, which blocks all future scans. The only way we know this is an issue is going into the Web UI, checking each application, and looking for stalled scans. This is time-consuming and frustrating.

For how long have I used the solution?

I have been using Veracode for three years.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Riley Black - PeerSpot reviewer
Senior Security Analyst at a wellness & fitness company with 1,001-5,000 employees
Real User
Increased productivity, helped build and improve security and development departmental relationships
Pros and Cons
  • "Integrations into our developer's IDE (Greenlight) and the DevOps Pipeline SAST / SourceClear Integrations has particularly increased our time to market and confidence."
  • "Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk"

What is our primary use case?

Veracode is a cornerstone of our Development Security Operations Program, particularly scanning automation and remediation tracking.

We've been able to monitor the release cycle and verify our security standards are met by setting policy and ensuring scans are taking place. If a scan fails to meet our standard, the build breaks and the flaws are remediated before releasing to Stage and ultimately Production, where the potential impact is much more costly.

We have discovered opportunities to make our code even better thanks to Veracode!

How has it helped my organization?

Veracode has improved our Application Security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level.

Integrations into our developers' IDE (Greenlight) and the DevOps pipeline SAST / SourceClear integrations have particularly increased our time to market and confidence.

In many ways, Veracode has increased productivity and helped build and improve security and development departmental relationships, as well as enabling developers to consider and care about application security.

What is most valuable?

Greenlight - Developers can test their code before they commit. They are able to privately scan their code and correct any mistakes before it is committed into the build and scanned with the other components.

SAST - During a build process, we have integrated the Veracode Static Scanning (SAST) component which provides an excellent first glance at the code moving through environments.

SCA /SourceClear - Veracode SCA / Source Clear has given us excellent visibility into potential vulnerabilities found in third-party components, packages, frameworks, and libraries.

What needs improvement?

Improve Mobile Application Dynamic Scanning (DAST) for .ipa and .apk files. Right now I have to jailbreak an iPhone and root an Android device to intercept and fuzz requests with a Burp Suite proxy.

That is a very time-consuming process and there are lots of dependencies. It would be very helpful if we could upload an .ipa or .apk into a Veracode simulator, provide credentials, and run a dynamic scan accordingly. Fuzzing functionality on API resources, HTTP methods, and parameters would also be very useful in testing our web and API application firewalls, response pages, and other WAAF actions.

For how long have I used the solution?

I have been using Veracode for about two years now.

What do I think about the stability of the solution?

It seems to be very stable, no problems thus far.

What do I think about the scalability of the solution?

It has lots of growth potential, lots of room for improvement.

How are customer service and technical support?

Exceptional!

Which solution did I use previously and why did I switch?

Previously used Burp Suite, OWASP Zed Attack Proxy, Python scripts / PowerShell and Batch, Retire.JS, Vulners, and Wappalyzer browser plugins.

How was the initial setup?

The initial setup was very straightforward and integrations were up and running in a matter of days after purchase.

What about the implementation team?

Implementation was in-house (Deployment, Automation Engineers, myself).

What was our ROI?

Unknown. Productivity and time are measurable, possibly as much as 20%. Improvement in cross-departmental relations is priceless!

Which other solutions did I evaluate?

We also evaluated WhiteHat Security.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1360623 - PeerSpot reviewer
VP Engineering at a tech services company with 201-500 employees
Consultant
Source code composition analysis helps with vulnerabilities and license compliance

What is our primary use case?

Our primary use cases are for comprehensive security assessment using static analysis, dynamic analysis, source code composition, and manual penetration tests. We also use it for security training for developers.

How has it helped my organization?

Veracode is a valuable tool in our secure SDLC process.

What is most valuable?

Source code composition analysis for vulnerabilities and license compliance is the most valuable feature.

What needs improvement?

It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.

For how long have I used the solution?

I have been using Veracode for one year.

Which other solutions did I evaluate?

We also evaluated Synopsys.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head IT Architecture at a tech vendor with 11-50 employees
Real User
Enables us to perform security checks with ease
Pros and Cons
  • "We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes."
  • "One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications."

What is our primary use case?

We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.

How has it helped my organization?

Technically there is nothing wrong with Veracode. The only issue that we have here is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome.

What needs improvement?

Technically there is nothing wrong with Veracode. The only issue that we have is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome.

One of the things that we have from a reporting point of view is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don't have the greatest security features, but those are usually minor and we don't want to see those types of notifications. So we would like to see a kind of graphical representation of the problem areas. I would like to know which file is the biggest source of issues for me so that I can focus on resolving the issue, as a project manager. With how it is now, I am able to do this, but I have to take out the whole PDF file and extract it. It takes up a lot of my time. I would like to see better strategic reporting. It would be great to get better graphical reporting.

For how long have I used the solution?

We have been using it for three years.

What do I think about the stability of the solution?

Stability is very good and there were no issues. I will give it five stars.

What do I think about the scalability of the solution?

It's very good; really very good. I would strongly recommend that. Technically I would be expecting a double concept for Veracode. I would still say this is one of the best products ever on that website. I don't have any issues with the scalability.

How are customer service and technical support?

I had no technical issues at all.

How was the initial setup?

The initial setup can be a little complex for people or for organizations that don't have technical skills. Another small thing is that you need to have one person who's fluent and technically knowledgeable to help during the upload process. But otherwise, it's pretty much straightforward. It's not an issue, it's perfect.

What other advice do I have?

I would strongly recommend doing an internal analysis first, before setting it across to Veracode to proceed and to use it more as a final verification point. My point is that Veracode is very good, and I would strongly recommend it. I have seen other solutions on the market and that's why I say: don't waste your time on other products, just get Veracode.

I would rate it an eight out of ten. Not a ten because of the reporting issues I mentioned that I would like to see improved.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Divakar Rai - PeerSpot reviewer
Senior Solutions Architect at NessPRO Italy
Real User
A well supported and valuable tool that was part of our DevSecOps process
Pros and Cons
  • "I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code."
  • "Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them."

What is our primary use case?

I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.

How has it helped my organization?

We were embracing Veracode as a process in our DevSecOps, although I have not personally used this solution for the past eight months.

What needs improvement?

This is not a very elaborate application. I think that the suggestions are between thirty-five and eighty percent accurate, with most cases being about seventy-five percent. Some of them are references where you have to go and determine whether they are direct threats, or not.

At the point in time when we were using this solution, we had older coders and the way Veracode tests for vulnerabilities may have been affected by the code style. I found that there were far too many warnings and some false positives. Of course, this comes with every product, and there are multiple tools that are used.

Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.

What do I think about the stability of the solution?

In the context of a dev or UIT environment, I'll say that it is fairly stable. However, I would not be able to give ratings for stability in a production environment because I have no experience with it.

How are customer service and technical support?

Technical support was good and I was very happy with them.

We did not have that many issues to start with. They conducted training, and there was an architect that was working directly with me to answer everything. He was fairly knowledgeable. In the beginning, when we wanted to understand the product, he gave us great pointers. He provided very nice documentation that we followed and we were able to establish with the infrastructure team.

Which solution did I use previously and why did I switch?

I have used multiple tools similar to Veracode that integrate with the IDE.

How was the initial setup?

The initial setup was straightforward. What I recall is that it was not really difficult and we had optimal support. They also provided us with documentation to help set up integration with tools such as Jenkins.

What other advice do I have?

When it comes to DevSecOps, in the industry it is still under adoption. With the advent of the cloud and code being there, or on other public platforms, many people have embraced it or are in the process of doing so.

My advice for anybody interested in implementing this solution is to be really careful when choosing your tools. Be very proactive and up-front on the requirements of your systems, because no tool is perfect. You need to find the best fit for each particular use case. I would do a thorough analysis.

As a solution architect, I do small POCs and run initiatives on products to find out various aspects. For example, the technical feasibility of the product is an important aspect. Other important ones are usability, testing, and implementation. Normally, I select at least three products and do a comparative analysis based on the POC. After this, I recommend a particular solution.

I would recommend Veracode. There are plusses and minuses to this solution, but given the chance to use it again I would definitely do so. Every product has its own flaws, but for my use case, it did fit very well.

I would rate this solution an eight and a half out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Managing Principal Consultant at a tech vendor with 11-50 employees
Consultant
Easy to scale and does a good job, but only for a limited number of technologies
Pros and Cons
  • "The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs."
  • "I would like to see expanded coverage for supporting more platforms, frameworks, and languages."

What is our primary use case?

Our primary use case for this solution is application security.

What is most valuable?

The most valuable feature comes from the fact that it is cloud-based, and I can scale up without having to worry about any other infrastructure needs.

What needs improvement?

This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages.

Specifically, I would like to see support for mobile frameworks like Xamarin and React JS, as well as extended support for iOS applications.

For how long have I used the solution?

Five years.

What do I think about the scalability of the solution?

This solution is quite scalable.

We have approximately fifty users, but we definitely have plans to add more.

How are customer service and technical support?

I have used their technical support and they are quite good.

Which solution did I use previously and why did I switch?

We did not use another solution prior to this one.

How was the initial setup?

The initial setup of this solution is straightforward.

What's my experience with pricing, setup cost, and licensing?

This solution is on the pricey side. They have just streamlined the licensing and they have a number of flexible options available, so overall it is quite good, albeit pricey.

Which other solutions did I evaluate?

We evaluated other options, but we chose Veracode.

What other advice do I have?

My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support then it will give quite poor results.

I would rate this solution a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sebastian Toma - PeerSpot reviewer
Engineering Security Manager at Nextiva
Consultant
Offers everything for both static code analysis and dynamic code analysis
Pros and Cons
  • "We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle."
  • "Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis."

What is our primary use case?

Our primary use case of this solution is for static and dynamic analysis along with the source gear for the third party dependency (not IDM).

We were looking into actually moving towards IDM, but that's the extent of my knowledge. They are licensed as two separate products. They're part of the same platform, but they are licensed separately.

We have Veracode, Veracode Developer Training, Veracode Software Composition Analysis, and SourceClear. SourceClear and SCA are pretty much the same. They just support different languages. Veracode as a whole, the top option, is the one that includes everything.

How has it helped my organization?

We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle. We rely on this set of tools to automatically scan our artifacts when they are moving to different environments.

We got it to the point that when we were promoting the artifacts from desktop to the server environment, we already had the scans completed. We knew the vulnerabilities that we were introducing with the new features ahead of time, i.e. before the QA department was finding them. That was the main reason we decided to use Veracode or to use tools for static analysis and dynamic analysis.

What is most valuable?

With Veracode, it's not about features for us. It is about the pricing model that they offer. To be honest, with their vulnerability database, the total amount of false positives that we're getting is very low.

That's the main reason we use Veracode over anybody else. New Veracode features could include a very big database of actual vulnerabilities to be better than other products.

What needs improvement?

Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two separate tools from the same company. One for the static analysis and dynamic analysis, then the second one for the third-party dependency.

That is an area that they need to improve the service. Veracode needs to bring the second tool in already to the dashboard so that we don't have to use two separate logins. We don't want two different sets of jobs that we have to upload into two different places, etc. Veracode also needs better integration of their tools to each other.

Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis. The SCA feature is on the website. Veracode should integrate SourceClear with the company product line finally after two years. I would love to see that.

Veracode did not previously support Python 3. They just released the support for Python 3. Keeping updates coming quicker would be the main thing that I would love to see, i.e. to have all these solutions better integrated.

For how long have I used the solution?

We have been using Veracode as a solution for almost two years.

What do I think about the stability of the solution?

It's a very stable solution.

What do I think about the scalability of the solution?

Scalability is the main issue with Veracode. For my company, the outlier is out there, but when it comes to scalability, we had issues with automatically scanning springboard artifacts. If you scan the artifacts, they want the artifacts to be packaged in a specific way. This is very well documented on the website but it's not the way we're doing business.

The workaround was taking the build that was getting put together by Jenkins and moved through the environment. We had to make a separate one, packaged differently just for the tools to work. For the scans to work, if that makes sense. Maybe we are just weird in the way we package our artifacts but maybe many are having the same issue.

We have about 200 engineers that have user roles in the solution. There are different roles. We have security administrators. We have team leads. We have managers. Their roles are all very well put together. Each team has a manager that has access to more features than the rest of his team. They can create things, delete things, compared to the regular guys that can only see the reports. It's very well structured, from that standpoint.

Theoretically, everything is integrated with Jenkins, so the staff depends from one application to another, i.e. three people or eight people from our side. From their end, in our pricing model, we have access directly to an account manager. They have a team of engineers that usually help us if we encounter any issues. It's very extensive in use. We have about 80 services and applications going through using the scanning solutions that Veracode has and we are scaling up.

How are customer service and technical support?

The solution's technical support is absolutely fantastic and very fast. Veracode has very fast resolution and response times. Usually, when we have an issue, it's only a few hours before we get an answer from them.

Another time, the Veracode integration wasn't working and in about 3 days we came up with a solution to our problem. At the high level, the beginning of the conversation with Veracode tech support is pretty fast. It's only a few hours.

Coming up with a solution takes two to three days at the most with Veracode. We pay a lot of money for that. You get what you pay for.

Which solution did I use previously and why did I switch?

We never did use other products. The reason we started looking into IBM and WhiteSource was because of the hiccups or the speed bumps we were encountering with our springboard artifacts. We were in the process of evaluating other products and I think it's still a valid option. I wouldn't advertise it, but we were in the process of changing from Veracode just because of that one particular issue.

We had to build our artifacts differently than before just to scan them, i.e. instead of scanning the ones we were publishing. It's not a big deal overall, but it would be nice for the solution to work out of the box with everything that's out there. Instead, many companies are changing the way they're doing business just for this small little step in the delivery process.

How was the initial setup?

I was not involved with the initial setup. When we were uploading new applications to their solutions, it was very straightforward. Their documentation is really good and very detailed.

In the worst case scenario, if the implementation engineer just runs through the material, you can go on the website for resources. The way they have everything documented is very good. Veracode is very well documented.

What was our ROI?

I do not have any information on ROI. We became better from an engineering standpoint, but I don't know if we saved a ton of money in the process.

What's my experience with pricing, setup cost, and licensing?

They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static analysis was about $4500 yearly. The license is only for the number of users, it doesn't matter what data you put in there. That was the old model. I do not know how the new model works. 

We are in negotiations with Veracode. The old model was about $500 for dynamic analysis and about $4500 for the static analysis, per app or service, per year.

Veracode offers a lot of other license options that you can put on top of what we just discussed, but I don't think we ever looked into any of those. The way we implemented it was very straightforward. You have your app and you pay this much for both dynamic and static licensing. That's all we cared about per year. 

Which other solutions did I evaluate?

We looked at IBM before we decided to go with Veracode. I've seen the documentation that our director of information security put together. 

We looked at six different solutions before we went with Veracode. Another company does their pricing model based on lines of code. WhiteSource was one other option we evaluated.

We did review a few of them. IBM App Scan and WhiteSource were definitely on the list. I don't remember the rest of them.

What other advice do I have?

If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode is pretty straightforward to use and the support is really good. We don't have a lot of complaints about that. 

I don't know how the pricing model is going to change the actual price of the application. On a per license basis, Veracode has a very lucrative way of doing business. I don't think a big company that has a lot of services and applications would enjoy paying upwards of $200,000 per year to scan all their code. 

Prospective customers should look at how the pricing model affects them, especially if they are in the microservice type of architecture or if they are moving towards something like that.

I would rate Veracode an eight out of ten just based on the experience that we had the past two years. The reason it's not ten is because of the ways these tools integrate. 

That rating is at risk of becoming a seven now with the pricing model changing. Veracode is probably not going to be that attractive anymore compared to other competitors. We knew other competitors were more expensive. The reason that we didn't go with them was that Veracode was very straightforward.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Evan Christoe - PeerSpot reviewer
AVP, IS Manager with 1,001-5,000 employees
Real User
Substantially reduces the number of unmitigated flaws in our code

What is our primary use case?

We use Veracode to scan custom-developed code for flaws.

How has it helped my organization?

  • The volume of unmitigated flaws in our applications has been substantially reduced.
  • In terms of AppSec best practices, the team at Veracode has provided industry benchmarks against which we are measuring our improvement.
  • Our customers have benefited from the added security assurance of our applications, although they may not know it.

What is most valuable?

The identification of flaws.

What needs improvement?

We would like to see improvement in reporting, in particular, end dates on mitigations.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

It has handled all the expansion we have required from it.

How are customer service and technical support?

Technical support is highly competent.

How was the initial setup?

It was already implemented when I joined the organization. However, we have expanded greatly.

What's my experience with pricing, setup cost, and licensing?

We are about to enter discussions for renewal. I have heard there may be some changes to pricing. I will reserve judgment until the discussions are complete.

What other advice do I have?

I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added.

We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Chief Information Security Officer with 501-1,000 employees
Real User
Helped us address our critical vulnerabilities through static scanning
Pros and Cons
  • "One of the valuable features is that it gives us the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important."

    What is our primary use case?

    We use it for static checking.

    How has it helped my organization?

    We are a state agency, we're not a private-sector company. What we're able to do is take our main web-based application, which is not only for internal use but which the citizens of Ohio also use, and we can run this application, and others as well, through Veracode to ensure that we've done our job, our due diligence.

    We print out a report, we see the rating of the vulnerabilities that have been found: "critical" and "high", "moderate" and "low." We've been able to go from having critical vulnerabilities to where we're now into the more moderate range. We've shown improvement through the years. We can provide that information to our superiors, and to people who come in and audit us, to show that we've made progress on scanning.

    When we find a vulnerability, we do pass it on to our developers and they've been able to go in and adjust the code so that the vulnerability is no longer there. The goal, of course, is that these findings will help them as they develop new code so that these vulnerabilities are not a part of the next application. We run a follow-up scan to make sure the vulnerability has been cleared.

    The benefit, at this point, has been more internal than for our customers. Obviously we don't want them to have a problem so that they could then, theoretically, actually see the benefit. We try to be proactive.

    What is most valuable?

    • Having the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important.
    • Utilizing the software as a service. We do the scanning of the compiled code ourselves but it's on their servers, which is a plus.
    • Technical support is available if needed and that is advantageous.
    • Having online education and training is also advantageous. 

    What needs improvement?

    I attended a meeting of one of the security organizations I am associated with. At the meeting were security professionals from several major retail companies. The topic of discussion happened to be application development security. When the question was asked concerning what tools are being used, many of these major retail companies said they are using Veracode. However, they were quick to comment that the product is too expensive and that there are too many false positives which take too much time to remediate.

    For how long have I used the solution?

    More than five years.

    What do I think about the stability of the solution?

    The stability is very good. They haven't had too many updates or upgrades. They did a major upgrade several years ago but it came out just fine. It has been a really good product.

    What do I think about the scalability of the solution?

    I'd call us a "mid-range" agency, so it's not like we have a ton of applications that we're changing and updating. It's good for us, but I can't really answer how scalable it is because we're not really big.

    How are customer service and technical support?

    I don't believe that the team has had any problem going on to the website, downloading the static code, or running scans. They do it quite often without any issue and are able to read the report and rectify whatever vulnerability has been discovered. There has not been a problem walking through those steps. It's been pretty straightforward. And if our team has any problems, we've got access to someone that we can schedule a call with to work out the issues.

    We haven't had to call tech support too often, but when we have had to call them, support has been good in terms of resolution time.

    How was the initial setup?

    I was involved, on a cursory level, with the setup. Our implementation strategy was to focus on our main web-based application. The way that they developed the application here was under one static set of code, so we could scan this code and, in essence, be able to check the vulnerability of most of the applications from the different businesses in our agency.

    What about the implementation team?

    We did not use an integrator or a third-party. We did it with the help of Veracode.

    What was our ROI?

    We are a state agency, so we're not for profit. I tell everybody we don't make money, we spend money. To frame it in the context of the public sector, I think we are giving our citizens peace of mind. When they come in to write a permit, and we send them to a service that collects payment, that jumping-off point is secure and safe. It would be more in those terms, rather than the bottom line.

    In the public sector, return on investment is not a term that is easily understood because we do not invest. But total cost of ownership is something that we can put our arms around. When we think about potential data breaches, Veracode has certainly helped us. When you think about the cost of the product and that I have one person, not ten people, running this tool, the total cost of ownership is low. I have no devices or servers, I didn't have to do any of that here onsite. It's all in the cloud. The total cost of ownership, given the services they provide, is very low, in my opinion.

    What's my experience with pricing, setup cost, and licensing?

    We're always looking to save the taxpayers' money. I used to tell my vendors, sharpen those pencils and make the tip laser-sharp. When it can be, I want it to be less expensive, but you get what you pay for too. Vendors need to be fair and I think Veracode has been fair.

    We use their SaaS solution and it's just an annual subscription.

    Which other solutions did I evaluate?

    The state of Ohio decided to bring AppScan in and that's an IBM tool. IBM became a major vendor in the state of Ohio. But what happened is that AppScan does not offer static code vulnerability checking; dynamic is something they do offer, but it's not as complete and comprehensive as a static scan is. Even the state has gone away from AppScan, but we were looking at it, we were starting to get set up for it. But evidently, other agencies haven't found it to be as useful. So we're not going that direction, we're staying with Veracode. 

    There would have been cost savings associated with going with AppScan but we decided, because the state was not going that way, that we were not going that way either.

    What other advice do I have?

    I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool.

    I really like Veracode. That is one of the reasons that we brought them onboard ten years ago. Of course, they were new back then. The different aspects of the offerings that Veracode provides to their customers are somewhat unique and, right now, I couldn't ask another thing from them.

    We have approximately 30 Java developers and four or five testers. There are also project managers using it. We have one person who manages running of the scans and that person might have one or two other people to help.

    We haven't really been utilizing it to its full potential. We probably utilize it once or twice per quarter. We are planning to increase the capacity that we've purchased. However, we're getting ready to elect a new governor in Ohio. With that election, things will change, according to his or her desires. Right now, we're in a holding pattern waiting for November to come and go.

    In terms of integrating the solution into our existing software development lifecycle, because we started so long ago - before the software development lifecycle was fully implemented - we were doing Veracode testing just because it was a good idea. Then we actually developed a lifecycle. We got into scrums and it just naturally worked its way in, so when we actually hired a testing group, Veracode was already a part of the process.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    it_user673734 - PeerSpot reviewer
    Chief Technology Officer at a tech vendor with 201-500 employees
    Real User
    Increases our confidence in the security of our server-side and mobile apps
    Pros and Cons
    • "It has an easy-to-use interface."
    • "We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time."

    What is our primary use case?

    We use it for security scanning of SaaS and mobile software that we develop: one server-side and two mobile applications. Most customers require SAST and DAST scanning in order to purchase.

    How has it helped my organization?

    It gives us more confidence in the application security of the products we scan. We use it as part of our AppSec best practices. 

    What is most valuable?

    It has an easy-to-use interface.

    What needs improvement?

    We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time.

    What do I think about the stability of the solution?

    We have never had any problems with the solution.

    What do I think about the scalability of the solution?

    It has always worked for us, we haven't found any issues. There have been no problems with scanning small and large objects.

    How are customer service and technical support?

    Technical support is excellent. It meets our needs.

    Which solution did I use previously and why did I switch?

    We had no previous solution. Our choice of Veracode was due to Veracode being a customer and requiring that we use their tool to scan our solution.

    How was the initial setup?

    The initial setup was straightforward. As it's a SaaS solution, it took no time to set up. But because I didn't take training, I spent a bit of time figuring out the product. No implementation (or strategy for implementation) was required, beyond some simple configuration settings.

    What's my experience with pricing, setup cost, and licensing?

    No issues, the pricing seems reasonable.

    Which other solutions did I evaluate?

    We evaluated no other products for SAST when we started using Veracode. 

    What other advice do I have?

    Be aware that the first run will find a lot of issues, many of which are not real issues; it will take time to understand that. Don't change object names as that will confuse it. Make sure you get development buy-in early.

    We're looking to expand its use within the development organization and are looking into another license. Currently, we have four users of the solution: myself (security) and developers. The four of us also maintain it.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Global Presales Head - Security Assurance at Wipro Technologies
    Consultant
    Provides faster scans but with a higher number of false positives

    What is our primary use case?

    Static application security testing, which is the primary use case. 

    There were different web applications which were scanned using this tool.

    How has it helped my organization?

    Veracode scans provide a higher number of false positives. Also, the overall reporting structure is complicated, and it's difficult to understand the report.

    What is most valuable?

    Veracode provides faster scans compared to other static analysis security testing tools.

    What needs improvement?

    Veracode should provide support to more software languages, like ABAP.

    For how long have I used the solution?

    Less than one year.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    reviewer1384917 - PeerSpot reviewer
    Principal, Customer Advocacy at Veracode
    Vendor

    Thank you for taking the time to share your experience with Veracode. We appreciate your time and hope all is going well. Please let me know if there's anything I can do to help. My role is new here and I'm working to check in with customers who have taken effort to comment on their Veracode solutions.

    Michael Stricklen - PeerSpot reviewer
    Executive Director at Parthenon-EY
    Real User
    It has almost completely eliminated the presence of SQLi vulnerabilities. Needs more timely support for newer languages and framework versions.

    What is our primary use case?

    • Scanning web-facing applications for potential security weaknesses.
    • Helping to document the introduction of technical debt in our code bases.

    How has it helped my organization?

    • It gives feedback to developers on the effectiveness of their secure coding practices.  
    • It has almost completely eliminated the presence of SQLi vulnerabilities.

    What is most valuable?

    • Multiple languages and framework support: We can use one tool for our SAST needs.
    • Developers report liking the IDE integration provided by this tool.

    What needs improvement?

    • More timely support for newer languages and framework versions.  
    • Integration with Slack is another request from our developers.

    For how long have I used the solution?

    Trial/evaluations only.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Team Lead / Architect at a tech services company with 1,001-5,000 employees
    User
    We use its static analysis during development to eliminate vulnerability issues

    What is our primary use case?

    I use Veracode to run scans on .NET applications, web applications and Windows/fat form applications. I also use it to make deployments in three-tier environments: the application server tier, web server tier and the database tier.

    How has it helped my organization?

    • Veracode has improved our penetration testing process. 
    • We use Veracode static analysis during development to eliminate vulnerability issues.

    What is most valuable?

    • I have found the user interface extremely helpful in prioritizing issues.
    • It allows me to prioritize the work to help resolve an issue.

    What needs improvement?

    They should improve on the static scanning time.

    For how long have I used the solution?

    Three to five years.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user

    We have heard the need for faster scan times and I see this was an area you wanted to see improvement. I wanted to give you an update regarding our static scanning. We recently extended the Veracode Static Analysis product family to include three purpose-built scan types:

    • IDE Scan, which provides fast, automated security feedback to developers in the IDE, in seconds
    • Pipeline Scan, a new, first-of-its-kind offering, which runs on every build and provides security feedback on code at a team level, with a median scan time of 90 seconds
    • Policy Scan, which returns a full security assessment of the code before release, in a median scan time of 8 minutes

    If you would like more information on our static analysis improvements let me know!

    Managing Director at Harrods
    User
    Provides the capability to track remediation and the handling of identified vulnerabilities. The application does not support API or Dynamic Application Security Testing
    Pros and Cons
    • "Allows us to track the remediation and handling of identified vulnerabilities."
    • "Provides the capability to track remediation and the handling of identified vulnerabilities."
    • "The security team can track the remediation and risk acceptance statistics."
    • "The solution does not support Dynamic Application Security Testing."
    • "The current version of the application does not support testing for API."

    What is our primary use case?

    We are planning on introducing a static code analysis tool to support a DevOps effort in our environment. The objective of the solution is to allow the team to identify vulnerabilities in the source code and improve the hygiene of the developed code before deployment.

    How has it helped my organization?

    This is currently still under evaluation, and it is pending review and assessment against other static code analysis solutions.

    What is most valuable?

    The solution provides the capability for the application teams to track remediation and the handling of identified vulnerabilities. The system provides workflow capabilities for the application teams to send the completed scans to the security teams for their review. In addition, the security team can track the remediation and risk acceptance statistics.

    What needs improvement?

    The solution currently does not support Dynamic Application Security Testing which is an important facet of application security testing. In addition, the current version of the application does not support testing for API.

    For how long have I used the solution?

    Trial/evaluations only.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Associate Director
    Real User
    Provides security of different Shadow IT activities in our environment, however there are limitations on reporting causing bottlenecks
    Pros and Cons
    • "The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process."
    • "It provides security of different Shadow IT activities in our environment, especially around application development and website hosting."
    • "We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass."
    • "Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight."

    What is our primary use case?

    Application security scanning.

    How has it helped my organization?

    It has helped us identify all the application flaws, especially with so many open source licenses available to the developers. With this product, it allows you to plug in all those gaps where you may open up the backdoors. This tool has helped us every day with our goal to plug in all those gaps.

    We help make changes from the initial NAS that we sign up with the vendors and any third party who might be involved in our telephone activities. They have to ensure that phone is a standby application and security tool, plus we also make the changes in the workflow for any application. Before it is deployed into operations, it has to have a security certificate which proves that it has a Veracode application security certification on it and all the flaws that have been identified have been removed.

    What is most valuable?

    It has several components that help you identify abilities in the core. It also provides security of different Shadow IT activities in our environment, especially around application development and website hosting.

    What needs improvement?

    They are already working on it, but we are looking forward to seeing it. We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass.

    Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight. Therefore, when you have the report ready and want a consultation, it sometimes takes more than three to four days to arrange a meeting. I feel that waiting four days to get a consultation and understand the report around whatever has been identified is a bottleneck.

    For how long have I used the solution?

    Three to five years.

    What do I think about the stability of the solution?

    We have not seen any major downtime.

    How are customer service and technical support?

    I would rate their technical support as a nine out of 10.

    The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process. Therefore, they have been quite helpful.

    They have an account manager for personal relations between the customer and their technical people. This person takes care of bringing them the right person to address any issues that we have.

    Two years back, Veracode was having issues. It was taking a long time to start the application, and we worked with their technical support. They also have been constantly improving the platform.

    Which solution did I use previously and why did I switch?

    We did not previously use another solution.

    How was the initial setup?

    It was a bit complex initially when we started, because we had not been previously exposed to any such tool.

    It is a SaaS tool. So, towards the end, we did not have to install anything. We just needed an account for the platform to upload the build. There was an initial issue, because people were not previously exposed to this type of process, and it was something new that they were being asked to do.

    What was our ROI?

    It has helped us reduce our overall time to remedy any validity, which can be found after being rolled out and put into production. Though, I cannot give you the number. It is always better to safeguard the environment rather than being hacked or having production downtime. In three years, we have not had any breaches or seen any reduction in Shadow IT.

    What's my experience with pricing, setup cost, and licensing?

    It is pricey. There is a lot of value in the product, but it is a costly tool.

    The customer should demand better turnaround times for the money that they are paying, especially around the reporting and standing up processes that we need to go through. It needs much more technical information on the platform with a tool that can help with information or have 24/7 support available, then it will be worth the price that we are paying, because right now, we don't have many options. There are not many companies who are in the market for Veracode, who want this type of in-depth analysis and examination. That is why customers, with the money that they are paying, have room for improvement in the scope of the Veracode product.

    I recommend going for a one-year licensing with CA, because currently they are the leaders in this field with more features and a much better turnaround time with a cheaper position, but there are a lot of new companies coming up in the market and they are building up their platforms. I suggest just not to get tied up with a long-term commitment, because I have seen with Black Duck that they are almost one-third of the price of the big platforms. Once there are the same features and functionality (or a lot better performance) available in the market, people are going to migrate away from this platform. The market is changing so fast, and with the Black Duck acquisition, it is also expected that we may get a solution with a much faster platform with much better service at a cheaper price.

    Which other solutions did I evaluate?

    We did a PoC with Black Duck.

    What other advice do I have?

    I would rate the product as an eight out of 10 for recommending it to colleagues.

    I would rate the overall product as a seven out of 10.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Product Manager at GMS
    User
    All areas of the solution could use some improvement. It helps me to detect vulnerabilities.

    What is our primary use case?

    We are Veracode partners/distributors in Quito, Ecuador. 

    At this moment, I am reviewing the solution. 

    How has it helped my organization?

    It helps me to detect vulnerabilities.

    What is most valuable?

    I use the SAST feature the most.

    What needs improvement?

    All areas of the solution could use some improvement.

    For how long have I used the solution?

    Trial/evaluations only.
    Disclosure: My company has a business relationship with this vendor other than being a customer: We are Veracode partners/distributors in Quito, Ecuador.
    PeerSpot user
    it_user873405 - PeerSpot reviewer
    Lead Security Engineer at a tech vendor with 201-500 employees
    Real User
    Our customers get the security of bug-free code, but raw file scans would help
    Pros and Cons
    • "Scanning of .war and .jar is key for us."
    • "Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries."

    What is our primary use case?

    SAST. We have not yet integrated it into our software development lifecycle as it doesn't have the feature that enables us to integrate it with our repository.

    How has it helped my organization?

    It helps in achieving secure programming. Veracode provides us with industry best practices according to OWASP, CERT, and SANS. Our customers get the security of bug-free code and assurance regarding the application.

    What is most valuable?

    Scanning of .war and .jar.

    What needs improvement?

    Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries.

    For how long have I used the solution?

    Trial/evaluations only.

    What do I think about the stability of the solution?

    No stability issues yet.

    What do I think about the scalability of the solution?

    No scalability issues yet.

    Which solution did I use previously and why did I switch?

    We used SonarQube, but to improve security in SAST we chose this.

    How was the initial setup?

    Setup is straightforward.

    What's my experience with pricing, setup cost, and licensing?

    The pricing is good for static code analysis.

    Which other solutions did I evaluate?

    Checkmarx, SonarQube.

    What other advice do I have?

    Implement this solution if you see WAF and SOC in your future.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    it_user877104 - PeerSpot reviewer
    VP Worldwide Delivery Acceleration at a financial services firm
    Real User
    Improved our security posture without the overhead of supporting infrastructure
    Pros and Cons
    • "Because it is a SaaS offering, I do not have to support the infrastructure."
    • "Some important languages are not supported."
    • "We have encountered occasional issues with scalability."

    What is our primary use case?

    SAST vulnerability scanning. Veracode is embedded in our release pipeline.

    How has it helped my organization?

    It improved our security posture. In terms of cost savings relating to code fixes since implementing Veracode, I'm not sure there are any. How do you quantify reputational damage from a security breach? However, they have provided AppSec best practices and guidance to our security and development teams through our support agreement, weekly meetings, and annual review.

    What is most valuable?

    Because it is a SaaS offering, I do not have to support the infrastructure.

    What needs improvement?

    Some important languages are not supported.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    No issues with stability.

    What do I think about the scalability of the solution?

    We have encountered occasional issues with scalability.

    How are customer service and technical support?

    Tech support is excellent.

    How was the initial setup?

    The initial setup was extremely straightforward.

    What's my experience with pricing, setup cost, and licensing?

    Negotiate for the best deal.

    Which other solutions did I evaluate?

    Fortify, App Scanner, Checkmarx.

    What other advice do I have?

    Make sure the supported languages align with your developers.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Elina Petrovna - PeerSpot reviewer
    Professor at BitBrainery University
    Real User
    Does software composition analysis, discovering open source software weaknesses
    Pros and Cons
    • "I can have quick results by just uploading compiled components."
    • "It gives me an idea about the most important vulnerabilities and fast remediation tips."
    • "It does software composition analysis, discovering open source software weaknesses."
    • "It could be improved with support for more programming languages, like SQL."

    What is our primary use case?

    A C++ financial application acting as a hub for my academic accounting system.

    The application, which my institution partially owns, was analyzed right after the code had been compiled. This happens seldom in academic software.

    It does software composition analysis, discovering open source software weaknesses.

    How has it helped my organization?

    I can have quick results by just uploading compiled components. It gives me an idea about the most important vulnerabilities and fast remediation tips.

    What is most valuable?

    • Dynamic analysis of on-premises applications using the Veracode proxy module.
    • Static analysis of applications whose ownership I share with third parties.

    What needs improvement?

    • Management of false positives
    • Agile best practices: Violation detection.
    • Support for more programming languages, like SQL.
    • Support for more frameworks for Java, .NET, Python, PHP, C, and C++.

    For how long have I used the solution?

    Still implementing.

    What do I think about the stability of the solution?

    It never crashes, as far as I know.

    What do I think about the scalability of the solution?

    Since it is a SaaS solution, the performance is fine.

    How are customer service and technical support?

    CA still has some difficulties integrating the Veracode team into their support services.

    Which solution did I use previously and why did I switch?

    I used SonarQube. It lacks real enterprise-wide security detection. I continue to use Fortify and AppScan while I am using Veracode.

    How was the initial setup?

    Setup is really simple: just use the Jenkins, JIRA, Visual Studio, and Eclipse connectors for on-premises. The rest is online.

    What about the implementation team?

    Since we are based in the UK, the original Veracode Team (not CA) was helping us directly during the setup, then trained us.

    What was our ROI?

    Given the following:

    • Effectiveness of automatic detection of defects, taking into account bad fixes. 
    • Effort to find and correct a defect during automatic detection.
    • Effort to find and correct a defect during post release. 
    • Effectiveness of testing. 

    ROI expressed as project savings is 2.4% of the project cost.

    What's my experience with pricing, setup cost, and licensing?

    Costs are reasonable. No special infrastructure is required and the license model is good.

    Which other solutions did I evaluate?

    I evaluated Kiuwan, Coverity, and Klocwork.

    What other advice do I have?

    I wish Veracode support had more SDLC integration tools.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
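The review above credits the product with software composition analysis, that is, discovering known weaknesses in the open source components an application ships. The block below is an added example, not Veracode's code or its matching algorithm, showing the core of how any SCA matcher works: parse a dependency manifest, normalise version strings so they compare numerically, and check each component against an advisory feed whose entries carry an introduced/fixed version range, then apply a severity policy gate. The manifest text, the advisory entries and their `EX-` identifiers are constructed for the example and are not real packages' advisories or real CVEs.

```python
"""Toy software composition analysis (SCA) matcher.

Added example, not Veracode's code or algorithm. The manifest and the advisory
feed below are constructed for illustration; the advisory IDs are placeholders,
not real CVE or vendor identifiers.
"""
import re
from dataclasses import dataclass

# Constructed pip-style manifest (requirements.txt format).
SAMPLE_MANIFEST = """\
# web stack
requests==2.19.1
urllib3==1.24.1
jinja2==2.11.3
pyyaml==5.1   # pinned for legacy config loader
"""

# Constructed advisory feed. A component is affected when
# introduced <= version < fixed (the usual half-open range).
SAMPLE_ADVISORIES = [
    {"package": "urllib3", "introduced": "0.0.0", "fixed": "1.24.2",
     "id": "EX-0001", "severity": "high"},
    {"package": "pyyaml", "introduced": "0.0.0", "fixed": "5.4",
     "id": "EX-0002", "severity": "critical"},
    {"package": "jinja2", "introduced": "0.0.0", "fixed": "2.11.3",
     "id": "EX-0003", "severity": "medium"},   # fixed in exactly our pin
    {"package": "requests", "introduced": "2.20.0", "fixed": "2.31.0",
     "id": "EX-0004", "severity": "medium"},   # range starts after our pin
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    severity: str
    fixed: str


def parse_version(v):
    """Turn '1.24.1' into (1, 24, 1) so tuples compare numerically.
    Non-numeric suffixes such as '5.1b1' are cut off to keep the toy simple."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_manifest(text):
    """Parse 'name==version' lines; comments and blank lines are ignored.
    Only exact pins are supported; anything else is rejected rather than guessed."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)", line)
        if not m:
            raise ValueError(f"unsupported requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def is_affected(version, introduced, fixed):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(deps, advisories):
    """Return findings for every dependency inside an advisory's affected range,
    most severe first."""
    findings = []
    for adv in advisories:
        pkg = adv["package"].lower()
        if pkg in deps and is_affected(deps[pkg], adv["introduced"], adv["fixed"]):
            findings.append(Finding(pkg, deps[pkg], adv["id"],
                                    adv["severity"], adv["fixed"]))
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity])


def policy_passes(findings, max_severity="medium"):
    """Policy gate: the build fails when any finding exceeds the allowed severity."""
    limit = SEVERITY_RANK[max_severity]
    return all(SEVERITY_RANK[f.severity] <= limit for f in findings)


if __name__ == "__main__":
    deps = parse_manifest(SAMPLE_MANIFEST)
    found = match_advisories(deps, SAMPLE_ADVISORIES)
    for f in found:
        print(f"{f.severity:8} {f.package}=={f.version} {f.advisory} (fixed in {f.fixed})")
    print("policy:", "PASS" if policy_passes(found) else "FAIL")
```

On the constructed input the matcher reports pyyaml (critical) and urllib3 (high) and leaves jinja2 and requests alone, because the first is pinned at exactly the fixed version and the second is pinned below the introduced version; the two boundary cases are where home-grown matchers most often go wrong, and a commercial SCA feed is only as good as the ranges it carries for each advisory.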
    it_user873351 - PeerSpot reviewer
    CISO at Laboratory Corporation of America Holdings
    Video Review
    Real User
    Enables me to provide better code, faster, so my time to market is less
    Pros and Cons
    • "I don't have to have a team of developers behind me that keep up with all the latest threats because the subscription service they provide for me does that."

      How has it helped my organization?

      Interestingly enough, Veracode has evolved over time. Their chief designer has been a leader in security for many years, and his insights into applications, and what we now consider DevOps, have been very helpful for the industry. The insights into how we now have a mobile workforce, and that the end-point is what you carry in your hand - and the protection of those apps and web pages - are imperative because the coding in our information has moved out. Quite honestly, the people have become the firewall. 

      The products that Veracode has developed help me to manage that, scan that, know when something is going wrong, and I don't have to have a team of developers behind me that keep up with all the latest threats because the subscription service they provide for me does that.

      What is most valuable?

      Veracode helps me in several implementations over a couple of industry sectors in a number of ways.

      My coding, especially the code we develop, has a number of faults per line, and that costs me money and time to fix throughout the lifecycle. Veracode enables me to provide better code, faster, so my time to market is less.

      The security means my total cost of ownership goes down significantly over a period of time. The more code I write, the better I organize that, the less my expense is in maintaining that code.

      What needs improvement?

      As we move to more of a mobile space, much of the code was developed on desktops, mobile laptops, and things. Mobile apps run differently and they have a different runtime. Chris Wysopal and I have talked several times over the past few years about how to address that. I'm not sure that there is a good answer yet, because it is so complex. But I'm pretty sure with Chris' track record that they are going to come up with a very good way to do that in the near future.

      For how long have I used the solution?

      Three to five years.

      What do I think about the stability of the solution?

      There are always a few bumps going into any new implementation because nobody has the same environment. We are in heterogeneous environments.

      But I couldn't point out any one significant problem that comes to mind, because the bumps that we have found have been addressed and corrected pretty quickly.

      What do I think about the scalability of the solution?

      Scalability is almost infinite in this because the cloud-based solution allows me to expand. The companies I work for are generally in the 10 billion-plus range, but with thousands of developers we have never really had anything on the capacity planning or the performance of the products.

      How are customer service and technical support?

      Their technical support is the best in the business. These folks have been around, like I have, for many, many years so they have grown up with the industry. Not only are they developers, they have been practitioners before. Their chief designers, their coders - although many of them change - the key people who started this are still there, and you'll know them by first name; pick up the phone and they can help you with what you need.

      Which solution did I use previously and why did I switch?

      Any previous solutions would have been more than 10 years ago, and I don't remember why we switched. It's like the car you drive or the shoes you like to wear: Once they work - and it has worked in multiple sectors - there is no reason to change.

      When selecting a vendor, the important criteria are relationships and support. When I pick up the phone and I get a Sam King or a Bob Brennan on the line, things happen.

      How was the initial setup?

      It is a pretty easy implementation. As you know, with anything like this, which is very human-oriented, change is people, not necessarily the products themselves. The services they provide and the training and some of the "hand-holding", if you will, have always helped make this the bright, shiny object for the coders, so its implementation has always been pretty smooth for me.

      What other advice do I have?

      On the rating scale, is there anything above 10? If there are no ones and tens, it would be the closest to 10. They have always been supportive. We have had to change, do course corrections during implementations, or particular types of coding. I have just never had a problem. My loyalty to the product has been primarily due to the service and the expediency with which they solve any problems we have.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user873348 - PeerSpot reviewer
      VP at a non-tech company with 11-50 employees
      Video Review
      Real User
      Enables us to provide secure code training packages to our customers

      How has it helped my organization?

      It has helped us be more secure, and it has helped us put a package together for our customers that will take into consideration training, all the way down to the coding level.

      What is most valuable?

      For us, it's the partnership. We have always been very strong partners with Veracode. They provide excellent training to our sales team, so we are able to work with our customers to show them the value of secure code training.

      What needs improvement?

      More integration into the specific application; an open API would be good. Aside from that, I think they do a really good job in terms of the features they have. 

      For how long have I used the solution?

      Three to five years.

      What do I think about the stability of the solution?

      Veracode has always been a very stable product for us, a very stable product for our customers, and it has been a very stable relationship as well.

      What do I think about the scalability of the solution?

      We have customers of every size from several hundred to several hundred thousand. The product works well, regardless of the size of the company we are working with.

      How are customer service and technical support?

      We have had customers - and it has been our own experience as well - tell us that the support is second to none. They are very quick to respond, very quick to answer questions in a really knowledgeable way.

      How was the initial setup?

      We've had no comments from our customers other than that it is an easy setup.

      Which other solutions did I evaluate?

      When it comes to secure coding, Veracode is the only one we really considered.

      What other advice do I have?

      For us, whenever we are selecting a partner, vendors to work with who are going to be working with our customers, we have to make sure that they align regarding customer support philosophy, and that is the reason we selected to work with Veracode.

      I would definitely rate Veracode a 10 out of 10, based on our customer feedback. Whenever we know the relationship is going well between Veracode and our customers, it reflects very well on us.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user873345 - PeerSpot reviewer
      Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
      Video Review
      Real User
      Provides an all-in-one metrics location, I can see where everything is across my full portfolio
      Pros and Cons
      • "What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire portfolio of applications I have in this program, and I can report out on it."
      • "When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code."

      How has it helped my organization?

      It has given us visibility into the applications we have that are participating in the application security program.

      What is most valuable?

      For me, at the program manager level, I'm not a developer. What I do is run applications through a security program. What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire portfolio of applications I have in this program, and I can report out on it. That is one of the more important pieces for me, at the compliance level.

      What needs improvement?

      Speed. When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code. In our case, we have quite a bit of older code. It takes some time to get through.

      For how long have I used the solution?

      More than five years.

      What do I think about the stability of the solution?

      As a SaaS product, you have certain expectations for it to be stable. It is a very mature platform so we haven't had any issues with its performance.

      What do I think about the scalability of the solution?

      It absolutely scales out. Our program is pretty small, but the eventual goal is complete application portfolio coverage. I have no expectation that we are going to have any issues with scaling.

      How are customer service and technical support?

      Technical support is great. The folks that I have interacted with, from services all the way through to the pen-testers have been great. They are on par with anybody else out there. In some cases, specifically for applications, they are probably a lot better than most.

      Which solution did I use previously and why did I switch?

      I have done a lot of product comparisons in my time, in information security. A lot of them are modules of a product, there is no single pane of glass. When I talk about metrics, I want to see everything in a single pane of glass, I want to see all of my results in one location. A lot of the other application security products out there can't do that yet. They are getting there but Veracode has already been able to do that for years. Veracode can run multiple types of tests and you can see all the results in one area.

      When selecting a vendor, the most important criteria are:

      • scalability
      • reliability of results - we want to see results-oriented success.

      How was the initial setup?

      Setup is very straightforward. Since everything is SaaS, everything is uploaded to the cloud. It's very simple to do. There is no setup on the back-end, initially. Once we start getting a little more sophisticated with integrations we are going to be just fine. Currently, we are early in the program so everything is done manually. So there is no setup. Everything is just done in the cloud.

      What other advice do I have?

      I give Veracode a solid nine out of 10 because it is a full-featured product. It is not just something that they are selling to you and then leaving you to figure out how to use it. They actually help you every single step of the way and they want to show you how to do it. 

      Their testers, their application security consultants, really help you and help educate the developers. They walk you through every step of the way.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      Suzan Nascimento - PeerSpot reviewer
      SVP Application Security at a financial services firm with 10,001+ employees
      Video Review
      Real User
      Remediation consulting calls with the vendor help us find vulnerabilities much faster
      Pros and Cons
      • "The most valuable feature is the remediation consulting that they give. I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen."
      • "One of the best things they offer is the scalability. The fact that you can work with it through the cloud means that if you have unintegrated business units, you don't have to worry about having a solution on-prem and having the network connection; you don't have to worry about giving up source code, you are just sending your binary files for most of the applications. So it scales much faster."
      • "I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment."
      • "They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages."

      How has it helped my organization?

      It has allowed us to scale and find vulnerabilities much faster than previous manual tools. It has allowed us to educate developers on it, using the consultation calls.

      What is most valuable?

      The most valuable feature is the remediation consulting that they give. I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen.

      What needs improvement?

      I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment.

      They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages.

      My biggest need, the kind of feature I would want, is more on the technical support side.

      For how long have I used the solution?

      Three to five years.

      What do I think about the stability of the solution?

      In the early years, it was a little less stable but I know they have switched to more of an Agile CI/CD methodology and I have seen a lot more stability since they moved to that methodology.

      What do I think about the scalability of the solution?

      One of the best things they offer is the scalability. The fact that you can work with it through the cloud means that if you have unintegrated business units, you don't have to worry about having a solution on-prem and having the network connection; you don't have to worry about giving up source code, you are just sending your binary files for most of the applications. So it scales much faster.

      How are customer service and technical support?

      The technical support is good. I like the fact that you can email Veracode support. You get a very fast response, usually within the same day. 

      If you don't have an SPM, Solution Program Manager, to escalate issues after that - you don't have to escalate a lot of issues, but if you do and you don't have that feature - that is where they seem to fall down a little bit. So they need help with their level-2 and level-3 support. They do very well at level-1 and then you need to escalate, sometimes. That is where they need to improve a little bit.

      Which solution did I use previously and why did I switch?

      At a previous company, we were using HPE Fortify. We couldn't scale because it was an on-prem solution. Therefore, after five years, we decided to break out of the mold and use a SaaS solution. We were comfortable at the time doing so because we weren't sending source code, for the most part. As soon as we went to a cloud solution we scaled dramatically.

      What I look for in a vendor is 70 percent a technical match with the features and benefits we need and for the remaining 30 percent, I look at the culture of the company because, for me, it is a relationship. I want to have a partnership and I want it to feel like a win-win. If they feel like it is a short-term decision, get in get out, I want to know that. I want to be able to talk to them at any time and add service enhancements, feature enhancements, those kinds of things. It's a 70-30 split for me.

      How was the initial setup?

      The implementation is straightforward in the sense that there are a lot of APIs to integrate, and they have a lot of connectors that do that for you.

      Which other solutions did I evaluate?

      HPE Fortify, Checkmarx, IBM AppScan. It really was between HPE Fortify, most of the time, and Veracode. I typically like Veracode because it is a SaaS solution. You have other providers now that do the same SaaS but then it goes back to the relationship and the partnership. I feel that I have that with Veracode.

      What other advice do I have?

      I would give Veracode a nine out of 10 because it scales incredibly well, they have very qualified people working there who are able to clearly articulate what the problems are when they are talking in a remediation or consultation call. They are very knowledgeable, they are not condescending when they talk to a developer. The tool is very easy to consume. It's not like looking at a menu with 20 pages at a restaurant, it's very simple to digest. They have a lot of API connectors, they cover a lot of languages and it just scales. You can't beat that. Finally, the relationship is great with them.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user866175 - PeerSpot reviewer
      Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
      Real User
      Reporting and mitigation features allow our developers to work independently
      Pros and Cons
      • "The developers' awareness of the security weaknesses within their code has improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with."
      • "The one thing we really liked about Veracode when we got it was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developer."
      • "It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications."
      • "The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well."
      • "I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that time frame, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better."

      What is our primary use case?

      Dynamic and static code analysis.

      How has it helped my organization?

      It has given us insight into the actual flaws that are out there, and the speed at which they're getting mitigated. Now, we're starting to see quantitative metrics to show the overall risk with code vulnerabilities. It has been very helpful in that it has exposed an area that we weren't digging into as much as we should have, before.

      The developers' awareness of the security weaknesses within their code has also improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with.

      We are just starting to integrate Veracode into our software development lifecycle. We are reaching out to a few of our developers to begin project Greenlight. Specifically, right now what we're doing is integrating the static code analysis scans into our change approval. If you want to put a new piece of code live, you have to have a clean Veracode scan, whether it be through mitigation approval or through actually resolving issues. We've integrated it as part of our CAB process, and we're going to take that a step further and integrate it into the actual IDE for the developers.

      In terms of security best practices and guidance to our dev teams, Veracode has been fantastic. The one thing we really liked about Veracode when we got it - and I think some other providers are doing it now - was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developer. That is really good stuff.

      Regarding our customers, I don't know if they have benefited per se, other than getting better, more secure applications. I don't know that our customers are necessarily looking for the most secure application, but it is something that I'm sure is on their mind, and they want to know that we're doing it. I would call it a tangential or unseen benefit. It is probably not in the top-10 things that they're looking for when they use one of our apps or our website. They are just assuming that a company such as ours is going to make sure that we have the appropriate security controls in place. So the way they benefit is that, hopefully, we're meeting that expectation, but I don't know that our customers are specifically looking for that as a decisive factor for using our websites or apps.

      What is most valuable?

      The reporting and mitigation features which allow our people to work on their own.

      What needs improvement?

      The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well.

      I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that timeframe, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better.

      For how long have I used the solution?

      One to three years.

      What do I think about the scalability of the solution?

      I don't think that we are even beginning to push the envelope of what the system is capable of. We haven't had any problems. I'd say we are probably on the lower end of usage, not only the number of scans but regarding the number of applications. I haven't seen any issues, but I also wouldn't expect to hit issues, given where we are.

      How are customer service and technical support?

      The support team itself, or security program manager and a few others, have been fantastic. Most of the time, they're willing to move and work faster than we are actually capable of. They have been spot on in helping us get this thing rolling.

      They are fantastic. They get the highest rating.

      Which solution did I use previously and why did I switch?

      We used HP WebInspect, which is now under the Fortify umbrella. HP WebInspect was just terrible. Had we used the on-demand cloud piece - which is why I perhaps have to pull my comment back - maybe we would have had a different experience. But we had a WebInspect instance on a single server that was inside of our own data center. It was very, very kludgy, very slow, didn't work very well. We were hitting the required specs for it but we'd have a dynamic website scan, which should not have taken very long, taking a week. It not only should have been very close to the scanning engine, but had its own dedicated route for pieces that live in the cloud. It was bad, and it was slow, and their reporting was terrible. There was no real support for it. It was just very bad.

      How was the initial setup?

      It was very easy. The cloud instance got turned on, we had a support rep dedicated to us to help us get up and running. It couldn't have been easier.

      What was our ROI?

      I can't think of any cost savings related to code fixes since implementing Veracode. We are mostly focused on using it for application security, which is a hard thing to quantify unless you have a major breach.

      What's my experience with pricing, setup cost, and licensing?

      I think the pricing is in line with the rest of the tools. I think you get what you pay for. It is certainly not inexpensive, but the value proposition is there. There are certainly cheaper tools, but I don't think we'd be getting the support that we get with those, and that is what separates this product from the others.

      Regarding licensing, pay very close attention to what applications you're going to need to do dynamic scanning for, versus static. Right now, the way the licensing is set up, if you don't have any static elements for a website, you can certainly avoid some costs by doing more dynamic licenses. You need to pay very close attention to that, because if you find out later that you have static code elements - like JavaScript, etc. - that you want to have scanned statically, having the two licenses bundled together will actually save you money.

      You really need to understand how your application is going to be delivered and not think of it just as, "This is a website and this is a mobile app," or "This is a website and this is a fat client." Often, with new frameworks, you have websites - especially with Java specifically, which is not even a new framework - running Java, but you also have things running in a local Java sandbox on the machine, or on a Java virtual machine. You really want to understand how that application is being delivered to the end-user, and not just think of it as applications on a box and websites.

      What other advice do I have?

      My advice is what I mentioned in the pricing/licensing section above, you really need to understand what it is you are looking to do.

      Also, take into account a data sensitivity for the applications. It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications. Understand which are your critical apps that deal with critical, very sensitive data, and then apply a more rigorous scan model to them, versus internal applications that perhaps don't deal with as much PII, with as much sensitive information, and aren't available to the outside world. Those might have a lower risk footprint. Understand that, so when your developers go in there you are not treating every single thing like it is a public-facing, client-data-gathering, credit-card-processing web app. That way your developers can prioritize what they need to work on, so that you are delivering the right metrics to your leadership.

      You really need to understand that strategy going in, because the tool is not going to help you determine that. The tool is only going to help you scan.

      The only reason I don't rate it a nine or a 10 out of 10 is because we haven't hit those scalability roadblocks yet. I know we might have some challenges in the future, but I would say eight out of 10 is an incredibly good score for a product like this. If you were just asking me about the support and the people behind it, I would rate that a nine or a 10. If you bundle it all together it's an eight.

      I recommend Veracode to colleagues all the time.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      PeerSpot user
      PeerSpot user
      Software Security Consultant at DXC Technology
      Real User
      Code scanning is fast with current, updated algorithms

      What is our primary use case?

      Provides static code analysis of the customers' applications from all industries. It includes any type of code and scripts, but mostly Java, .NET, C++, and C# environments.

      How has it helped my organization?

      The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms.

      What is most valuable?

      Provides consistent evaluation and results without huge fluctuations in false positives or negatives. 

      What needs improvement?

      It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack.

      For how long have I used the solution?

      More than five years.
      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
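The financial-services architect's advice above, to apply a more rigorous policy to public-facing, PII-handling applications than to internal ones, and the preceding reviewer's wish for grouped summaries of low-level findings, both come down to logic a team can run over a findings export themselves. The following Python is an added example, not code from the page, from the reviewers or from Veracode; the tier rules, severity ceilings, application names and findings are all constructed for illustration, and it does not parse Veracode's own export format.

```python
# Added example (not from the page, PeerSpot, or Veracode): a per-application
# policy gate driven by data sensitivity, plus a roll-up of low-severity
# findings by CWE so that clusters can be reviewed as possible design flaws.
# App names, tier rules, thresholds and findings below are all constructed.
from collections import Counter
from dataclasses import dataclass

SEVERITY = {"very_low": 1, "low": 2, "medium": 3, "high": 4, "very_high": 5}


@dataclass(frozen=True)
class AppProfile:
    name: str
    internet_facing: bool
    handles_pii: bool
    processes_cards: bool


@dataclass(frozen=True)
class Finding:
    app: str
    cwe: int
    severity: str  # a key of SEVERITY
    location: str


def policy_tier(app: AppProfile) -> str:
    """Hypothetical tiering rule: public-facing apps that touch PII or card data
    get the strictest policy, anything else that is public-facing or touches PII
    gets a standard policy, and purely internal apps get a baseline policy."""
    if app.internet_facing and (app.handles_pii or app.processes_cards):
        return "critical"
    if app.internet_facing or app.handles_pii:
        return "standard"
    return "internal"


# Highest severity that may remain open under each tier (constructed thresholds).
MAX_OPEN_SEVERITY = {"critical": "low", "standard": "medium", "internal": "high"}


def evaluate(app: AppProfile, findings: list) -> dict:
    """Apply the app's tier to its findings; anything above the ceiling blocks."""
    tier = policy_tier(app)
    ceiling = SEVERITY[MAX_OPEN_SEVERITY[tier]]
    blocking = [f for f in findings
                if f.app == app.name and SEVERITY[f.severity] > ceiling]
    return {"app": app.name, "tier": tier, "passes": not blocking,
            "blocking": [(f.cwe, f.severity, f.location) for f in blocking]}


def low_severity_clusters(findings: list, min_count: int = 3,
                          max_severity: str = "low") -> dict:
    """Count very_low/low findings per (app, CWE). A cluster at or above
    min_count is returned for design review instead of being fixed one by one."""
    cap = SEVERITY[max_severity]
    counts = Counter((f.app, f.cwe) for f in findings
                     if SEVERITY[f.severity] <= cap)
    return {key: n for key, n in counts.items() if n >= min_count}


# Constructed sample portfolio and findings.
APPS = {
    "payments-web": AppProfile("payments-web", True, True, True),
    "hr-portal": AppProfile("hr-portal", False, True, False),
    "build-dashboard": AppProfile("build-dashboard", False, False, False),
}

FINDINGS = [
    Finding("payments-web", 79, "high", "checkout.jsp:42"),
    Finding("payments-web", 209, "low", "ErrorPage.java:17"),
    Finding("payments-web", 209, "low", "ErrorPage.java:31"),
    Finding("payments-web", 209, "low", "ApiError.java:8"),
    Finding("payments-web", 209, "low", "ApiError.java:22"),
    Finding("hr-portal", 89, "medium", "EmployeeDao.java:55"),
    Finding("hr-portal", 117, "low", "Audit.java:12"),
    Finding("hr-portal", 117, "low", "Audit.java:40"),
    Finding("build-dashboard", 79, "high", "status.html:9"),
    Finding("build-dashboard", 209, "low", "Handler.java:3"),
    Finding("build-dashboard", 209, "low", "Handler.java:19"),
    Finding("build-dashboard", 209, "low", "Handler.java:27"),
]


def run_gate() -> dict:
    """Evaluate every app in the constructed portfolio; returns name -> result."""
    return {name: evaluate(app, FINDINGS) for name, app in APPS.items()}


if __name__ == "__main__":
    for name, result in run_gate().items():
        print(name, result["tier"], "PASS" if result["passes"] else "FAIL",
              result["blocking"])
    print("clusters for design review:", low_severity_clusters(FINDINGS))
```

The same CWE-79 high finding blocks the card-processing, internet-facing app but not the internal dashboard, which is the point of tiering: developers see a failing gate only where the exposure warrants it. The cluster roll-up surfaces the four CWE-209 information-exposure findings in the payments app as one item for design review, while two CWE-117 findings in the HR portal stay below the threshold.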
      it_user854784 - PeerSpot reviewer
      Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
      Real User
      Keys for us are the static scanning and the ability to set policy profiles specific to us
      Pros and Cons
      • "Valuable features for us are the static scanning of the software, which is very important to us; the ability to set policy profiles that are specific to us; the software composition analysis, to give us reports on known vulnerabilities from our third-party components."
      • "Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation."
      • "That it is a cloud-based solution is very valuable to us. We don't need that hardware running our scans and hosting the environment to be scanned. Also, the technology, the static scanning versus dynamic scanning produces a much better result, a more accurate result."

        What is our primary use case?

        Application development and secure code development.

        How has it helped my organization?

        We do automated scanning, so we use it as part of our development cycle. We do both automated security scanning as well as our own automated testing. We run the two in parallel and treat both outputs of, let's say, a sales functionality test. A security vulnerability is just a defect that needs to be resolved before we release the product.

        We do an automated upload to the Veracode platform for all of our applications - we have about 35 applications. For all of them, it's automatically done, pre-configured, pre-compiled, based on scripts that we worked out with Veracode. And then on a scheduled basis, the upload and scanning is done, in some cases, twice a month. In some of our applications, two to three times a week, we just constantly scan and look for exposures, and continue to feed that back to the development team and make sure that they don't release product that's not ready for market.

        We have found that our developers have become a lot more knowledgeable about how to develop secure code, and that was very important to us. We also became more knowledgeable about vulnerabilities in the market, which are the most critical to address. You could say it helped us to apply the right investment in the right place.

        In terms of best practices and guidance, we do quarterly reviews with Veracode, where they're analyzing our information alongside of us and providing feedback to our executive team to suggest strategic changes in certain approaches. We've also done benchmarks with them, where we've compared our maturity model to the industry's model, as far as security practices go and best practices for security and such. In some cases, we've made adjustments to improve, and in some cases we are confident we're ahead.

        Regarding our customers, for one, they can move to market faster, we can move to production faster. Also, we discuss our security program and the software development life cycle with them in pre-sales discussions, post-sales discussions, implementation approaches. What it does is, it gives them the confidence to move ahead in a more direct fashion, with one less headache for them to worry about.

        What is most valuable?

        • The static scanning of the software is very important to us.
        • The ability to set policy profiles that are specific to us. 
        • The software composition analysis, to give us reports on known vulnerabilities from our third-party components.

        What needs improvement?

        It's really hard to criticize something that has become somewhat seamless for us. If they wanted to expand their capabilities into other areas of security, that would be fine. They're a very knowledgeable group of people. We do meetings with them on a pretty regular basis. We gain insights from their perspectives.

        To me, if they just broadened their footprint into the areas that their feet feel comfortable going into, we'd have no problem pursuing that.

        For how long have I used the solution?

        Three to five years.

        What do I think about the stability of the solution?

        No issues with stability.

        What do I think about the scalability of the solution?

        None.

        How are customer service and technical support?

        Tech support is very effective. We can do online requests for read-outs with their tech support - but the more common support would be for security advisory, when we're looking at certain vulnerabilities that we're struggling with how to remediate. We can get online with one of their security engineers, and they provide us with advice and some best practices on making the code changes to secure the system. They do a very good job of that.

        Which solution did I use previously and why did I switch?

        Prior to working with Veracode, we used a self-applied application. That is, we had the solution on-premise, but just could never quite get the routine approach that we've developed with Veracode. The program management features that Veracode offers to help us get our program up and going, along with the low false-positive rates that their solution provides - versus what we had done in the past - gave us some immediate traction. I think that we were able to make progress in the first five or six months working with Veracode, that we had not made in four or five years with previous approaches.

        It was a dynamic scanning solution but, again, it was on-premise. Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation, where the other solution was a good solution, but all of that work fell upon us to do for ourselves. Our focus is on developing features and functions for our application, and running an application security platform in-house is just not practical, just not our core competency.

        How was the initial setup?

        It was straightforward. We went from signing a deal on December 30th, to performing that first scan on January 5th, to completing that scan and starting to remediate issues on about January 15th. And that is one of the fastest wrap-ups of any technology that I've been associated with.

        What was our ROI?

        By implementing Veracode in our development process, what we've done is cost avoidance, not necessarily savings. By getting ahead of it, and releasing product to the market that's more secure, we have very few, if any, reported issues by our customers. So we don't have to go and do a maintenance repair of those. That's an avoidance of cost. 

        It's a pretty accepted standard that if you release a vulnerability or a flaw into the market, it's going to cost you 10 times more to address it after the fact than if you prevent it. I'd say that that, plus the automation of the scanning, has also reduced the amount of capacity or full time equivalence we have to apply to repair and scan.

        As I said, we have 35 applications, and instead of having 35 different people preparing their packages for upload and scan, it's automated. We don't have to spend money doing that as well. 

        So avoiding the cost of releasing vulnerabilities into the market that get caught by customers and reported back, is a big one; and then, reducing the investment of performing the continual scans.

        What's my experience with pricing, setup cost, and licensing?

        We're very comfortable with their model. We think they're a good value.

        We worked very closely with Veracode on understanding their license model, understanding what comprises the fee and what does not. With their assistance in design, we decomposed our application in a way where we are scanning a very significant amount of code without wasting their capacity and generating redundant reported issues. You scan in profiles, per se. And we work with them, in their offices, to design the most effective approach.

        So the advice I would have for customers is, you can get up and live fast, but work closely with Veracode to refine the method you use for scanning and the way you compile the applications. There's a concept called entry-point scanning, and that's probably not used well by the rest of their customers. We see our licensing as a good value because we leverage it heavily. I'd say many customers might not quite go to that level. But that's their choice.

        Which other solutions did I evaluate?

        I'd rather not give out competitor names.

        But the method we were using in the past was what is called dynamic scanning, or DAST. That required we have an environment that was up and running with the application, and then we could proceed to scan. You can see that if we have 35 applications, that means we've got 35 environments running our application internally, just for scanning purposes. That's a lot of hardware, whereas this methodology uses static scanning, where we upload the compiled code and we don't invest any hardware in doing that. The scanning capability not only does the scanning but contains the application code for us. There are a lot of complexities with trying to do a dynamic scan on-premise, versus a static scan on a platform.

        You almost can't compare the two. False-positive rate in the dynamic scanning was very high - 30 percent, maybe - and the false-positive rate for the static scanning is very low - maybe two to four percent. That is a significant value, because you don't have to spend a lot of time sorting through reported issues to determine if they're valid or not. We're pretty well assured that as we start investigating one, it's more than likely valid. We don't have that doubt entering in.

        It was a different approach. Two concepts: 

        1. That it is a cloud-based solution, which is very valuable to us, we don't need that hardware running our scans and hosting the environment to be scanned.
        2. The technology, the static scanning versus dynamic scanning produces a much better result, a more accurate result.

        What other advice do I have?

        We recommend Veracode to colleagues all the time.

        I'd give the advice of not getting hung up on trying to compare the static scanning to the dynamic scanning, that's number one. Don't even compare them. If you're doing neither, do static first. It'll get the majority of your exposures addressed. Then you come in, in a second round, and do dynamic. Dynamic really becomes more of a confirmation of security.

        The other piece of advice I'd give is to "follow the directions." Make sure they understand how they're supposed to compile code. Take the advice of the program management team with their code, and follow their lead, and you'll come out in a very good position very quickly.

        I'd give Veracode a 10 out of 10 because the rate at which we gained control of our security posture, from a development perspective, was fast. There is a lack of wasted time in our developer organization in chasing down erroneously reported vulnerabilities. The rate of erroneously reported vulnerabilities is very low, and that means that our developer time is very effective as we investigate a reported issue. As I said, it's 96, 98 percent probability it is real. So our developers gain confidence and don't second-guess the results.

        The level of detail that we are provided for a given vulnerability - the data path that it follows, the precision with which the justification is provided - is very high. Again, you're highly confident in the result. You are provided a tremendous amount of detail about the vulnerability it found. And the rate at which you can ramp up and be productive is very fast.

        Disclosure: I am a real user, and this review is based on my own experience and opinions.
        PeerSpot user
        it_user854052 - PeerSpot reviewer
        Head of Technology. at a tech services company with 11-50 employees
        Real User
        Allows us to prove our security levels to vendors, helps with our HIPAA security policies
        Pros and Cons
        • "It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies."
        • "Mitigation review isn't always super easy."
        • "Straightforward to set up, but the configuration of the rules engine is difficult and complicated."

        What is our primary use case?

        Certifying the application security of my SaaS-based application code base.

        How has it helped my organization?

        It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies. Also, CA Veracode has provided AppSec best practices and guidance to our teams. Finally, it makes the IT Governance process of the sales cycle easier.

        What is most valuable?

        Static and dynamic scans of the code. It is part of our release cycle.

        What needs improvement?

        Mitigation review isn't always super easy.

        For how long have I used the solution?

        One to three years.

        What do I think about the stability of the solution?

        No issues with stability.

        What do I think about the scalability of the solution?

        No issues with scalability.

        How are customer service and technical support?

        It is excellent.

        How was the initial setup?

        Straightforward to set up, but the configuration of the rules engine is difficult and complicated.

        What was our ROI?

        It helps us get over the line for security when contracting with customers, and any help reducing security vulnerabilities is a big help to us.

        What's my experience with pricing, setup cost, and licensing?

        Pricing/licensing is complicated.

        What other advice do I have?

        Do your research, make sure you implement the tools you need.

        I am very likely to recommend Veracode to a colleague.

        Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
        PeerSpot user
        it_user854049 - PeerSpot reviewer
        Chief Compliance Officer at a financial services firm with 51-200 employees
        Real User
        Ad-hoc scanning during the development cycle, reporting for audits, are key features
        Pros and Cons
        • "Ad-hoc scanning during the development cycle and reports for audits are valuable features."
        • "I would like to see these features: entering comments for internal tracking; entering a priority; reports that show the above."

        What is our primary use case?

        We test each major release of our software using Veracode static and dynamic testing. We also do manual penetration testing annually.

        How has it helped my organization?

        Ensures our code and system are 100% compliant. In terms of AppSec best practices and guidance to our team, the Knowledge Base available on the Veracode system is a great resource for our developers.

        For our customers, the added security assurance is a requirement.

        What is most valuable?

        • Ad-hoc scanning during the development cycle
        • Reports for audits

        In terms of integrating Veracode into our existing software development lifecycle, there are regular milestones in the SDLC to perform Veracode scans.

        What needs improvement?

        • Entering comments for internal tracking
        • Entering a priority
        • Reports that show the above

        For how long have I used the solution?

        One to three years.

        What do I think about the stability of the solution?

        No issues with stability.

        What do I think about the scalability of the solution?

        No issues with scalability.

        How are customer service and technical support?

        Excellent.

        Which solution did I use previously and why did I switch?

        We did use a previous solution. It didn't satisfy our needs technically, and the customer service and its cost were not satisfactory.

        How was the initial setup?

        Easy.

        What was our ROI?

        We don't do a detailed enough analysis to reflect on any cost savings relating to code fixes made since we implemented Veracode.

        What's my experience with pricing, setup cost, and licensing?

        Negotiate some, but their prices are reasonable.

        Which other solutions did I evaluate?

        HPE Fortify.

        What other advice do I have?

        Have them guide you through your first scan - make sure to add hours to your initial contract for that.

        I am very likely to recommend Veracode to colleagues.

        Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
        PeerSpot user
        it_user854046 - PeerSpot reviewer
        DevOps Release Engineer at a tech services company with 51-200 employees
        Real User
        Makes us aware of any potential code security vulnerabilities in our products
        Pros and Cons
        • "Informs me of code security vulnerabilities. Bamboo build automation with Veracode API calls is used."
        • "The user interface could be more sleek. Some scanning requirements aren't flexible. Some features take some time for new users to understand (like what exactly "modules" are)."

        What is our primary use case?

        Scanning for code security vulnerabilities within our company's products.

        How has it helped my organization?

        Made our company aware of any potential code security vulnerabilities. Also, customers can use our products knowing they are verified by top organizations as safe.

        What is most valuable?

        Informing me of application security vulnerabilities. Bamboo build automation with Veracode API calls is used.

        What needs improvement?

        • The user interface could be more sleek.
        • Some scanning requirements aren't flexible.
        • Some features take some time for new users to understand (like what exactly "modules" are).

        For how long have I used the solution?

        One to three years.

        What do I think about the stability of the solution?

        No issues with stability.

        What do I think about the scalability of the solution?

        No issues with scalability.

        How are customer service and technical support?

        Great.

        How was the initial setup?

        Somewhat straightforward. There was a little confusion about "missing modules" that are third-party files that we couldn't upload because we don't actually have them. That really confused us, but the technical support resolved the confusion.

        What was our ROI?

        I can't report on any cost savings relating to code fixes since implementing Veracode in our development process, but it makes us feel more confident about our code, which is awesome.

        What's my experience with pricing, setup cost, and licensing?

        We are satisfied.

        Which other solutions did I evaluate?

        None. We might look into Checkmarx.

        What other advice do I have?

        I am very likely to recommend Veracode to colleagues. Veracode is great.

        Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
        PeerSpot user
        it_user797976 - PeerSpot reviewer
        Global Application Security at a pharma/biotech company with 10,001+ employees
        Real User
        Static and Dynamic Analysis have improved the speed of our inspection process
        Pros and Cons
        • "The Static and Dynamic Analysis capabilities are very valuable to us. They've improved the speed of the inspection process."
        • "In some cases we use their APIs; they're not as rich as I would like."
        • "The on-platform reporting needs to be opened up much more. We'd like to be able to look at the inspection data from a trending perspective in a much more open manner. I need to be able to sort and filter much more flexibly than I can today."
        • "Another thing I need is continued support for the new languages today that are popular. Most of them are scripting languages more so than real, fourth-generation, commercial grade stuff; we're evolving. Most applications are using so much open-source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories."

        What is our primary use case?

        We use it to assess or do security inspections of our software that we produce or assemble. We have a very large portfolio of software across our enterprise. The Veracode system is a platform that scales with the dynamics of our organization. We have people that are in many locations, in the US and abroad. The fact that the Veracode platform is essentially a cloud-based platform, that makes it scalable.

        How has it helped my organization?

        We are able to create business policies, and the Veracode system allows us to enforce those policies. That's at the very high level.

        We're looking at improving the overall security quality of our software. We use it as a platform to help enable that process. Veracode, in and of itself, is doing nothing but inspecting software. But, there are many other practices that are essential to onboard and embed into our development lifecycle. Veracode is simply the platform that lets us see how well the software is being engineered. Based on some of the findings, we make improvements in areas that need education.

        It can't be boiled down to the one or two most important things. It's not Veracode by itself that's doing all of the stuff, there are a lot of tertiary activities that go into building better software. The Veracode system is used to help us validate the security quality of what we're producing. It helps us zero in on some of the things that we can do better. But that means we have to provide education to our developers and architects.

        In some cases we use their APIs; they're not as rich as I would like. We have added Greenlight to the IDEs, where the Greenlight tool is compatible.

        In terms of cost savings relating to code fixes since implementing Veracode, it would be difficult for me to give you some specifics. I'm not exposed to the cost of the iterations. Development teams have a budget for the year. There are features planned, there are releases planned. There are many other functions responsible for planning the releases. My job is to provide application security tools, so that they can incorporate the security practices that our company expects us all to adhere to. We know, anecdotally, that the time to write software, or scripts... You should write them securely, as opposed to having some additional testing development activities, and several other iterations downstream, because that would mean we're paying three, four, or five times for our resources to accomplish what they could perform correctly the first time, out of the gate.

        In that sense, the Veracode system, since we've been using it, has helped us identify and code correct over 34,000 security weaknesses. That means there are 34,000 weaknesses and vulnerabilities that never made it into production. It's hard to quantify, if any of those had been exploited, what would have been the real cost to catch them. The only thing I could do is speculate on cost right now. But we do know that it's far better to embed security upstream in the development lifecycle, and produce software correctly the first time, rather than retroactively adding security remediations to the iterations that produce software for service packs and patch releases. Those are unplanned events and there are certainly costs associated with those unplanned events. But I don't have a number I could throw out there and tell you what it is.

        I don't really look at Veracode as providing any best practices. It may have some educational aid embedded in the platform. I think the Veracode database of remediation guidance is somewhat vanilla. It's not contextual. I frankly don't rely on it to provide the kind of guidance developers need contextually. So, we augment education aids and remediation guidance with humans, security analysts. We also have other third-party solutions that really provide more contextual remediation guidance unique to the situations, as developers are trying to address them. We don't anticipate what their system is going to identify. But, based on what the system identifies, I would say it's 50/50, whether or not the scripted, plain vanilla, embedded guidance is really the right approach. It may or may not be, and I would say it's probably 50% accurate, but it's very vanilla.

        In terms of benefits to our clients from using Veracode, that's like asking me: Am I really happy that my car stops when I press the brakes. I think most people would expect cars to have brakes, and the brakes to work. No more, no less. Software, to me, it's probably in the same wheelhouse, that people use software without thinking, "Is it really secure?" It's assumed, frankly. So I'm not so sure our customers consciously think about security as a benefit, unless they are breached or compromised. It's one of those things that's difficult to track, in terms of how customers are benefiting. We just know that through our efforts we're delivering high-quality software.

        Maybe customers that are being independently assessed by third-party assessors - when those assessors have to do security inspections of the technologies that may be consumed by those institutions - if our software is deployed on-prem, we tend to believe that our software will have fewer weaknesses and vulnerabilities identified than, say, other technologies that are consumed on-prem. Only then, might it become apparent to the customer that they're working with a supplier of software that provides higher quality, relative to other suppliers.

        What is most valuable?

        The Static and Dynamic Analysis capabilities are very valuable to us. 

        What needs improvement?

        They've improved the speed of the inspection process.

        I'd never want the inspection process to become something that's suspect. False positives would diminish confidence in the results; if we don't continue to focus on reducing false positives... that is number one.

        The on-platform reporting needs to be opened up much more. We'd like to be able to look at the inspection data from a trending perspective in a much more open manner. I need to be able to sort and filter much more flexibly than I can today. I don't have the on-platform flexibility to sort and filter inspection data, and that's not good.

        Another thing I need is continued support for the new languages today that are popular. Most of them are scripting languages more so than real, fourth-generation, commercial grade stuff; we're evolving. Most applications are using so much open-source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories. Currently, I have to have another supplier in my tool chain and that means I have to extract data from different tool repositories to see one holistic picture of security quality, risks, and vulnerabilities. It would be great if I could see it all in one place, but I have to harvest the information from Veracode, harvest information from Rapid7, harvest information from Sonatype, just so that I can get a good, round perspective of where my first-party and third-party code, and the components in the dependent libraries, are in terms of weaknesses, risks, and vulnerabilities. That's a burdensome activity. 

        If Veracode spent more time providing more plug-ins to other competitors' environments, or provided very open APIs so we could harvest data, bring it into one lens so that we can look at the security inspection data through one set of dashboards, it would provide a lot more value from a governance perspective. 

        For how long have I used the solution?

        More than five years.

        What other advice do I have?

        I hold Veracode in high regard. It's a good organization to work with, and it's a very conscientious organization. I'm always a recommender of the solution set.

        Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
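The reviewer above describes harvesting results from a static/dynamic scanner, a vulnerability scanner and a dependency scanner separately to get one picture of first-party, third-party and dependency weaknesses. The following is an added example of the glue that usually fills that gap: it is not the reviewer's code and not any vendor's API. The three exports are constructed, and their field names are assumptions about what each tool's export might look like, not the real tools' schemas.

```python
"""Added example: merge per-tool finding exports into one record shape so
first-party, third-party and dependency weaknesses can be viewed together.
All records below are constructed sample data with assumed field names."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Each tool uses its own severity words; map them onto one ordinal scale (assumed).
SEVERITY_RANK = {
    "critical": 5, "very high": 5, "high": 4, "medium": 3,
    "moderate": 3, "low": 2, "very low": 1, "info": 1, "informational": 1,
}


@dataclass(frozen=True)
class UnifiedFinding:
    source: str       # tool the record came from
    origin: str       # "first-party", "third-party" or "dependency"
    identifier: str   # CWE, CVE or rule id
    location: str     # file:line, URL, or package@version
    severity: int     # 1 (lowest) .. 5 (highest)


# Constructed static-analysis export (first-party and vendored code).
STATIC_EXPORT = [
    {"cwe": 89, "file": "src/orders.py", "line": 42, "severity": "Very High", "third_party": False},
    {"cwe": 798, "file": "vendor/sdk/client.py", "line": 7, "severity": "Medium", "third_party": True},
    # the same flaw reported again by a rescan; must not be double counted
    {"cwe": 89, "file": "src/orders.py", "line": 42, "severity": "Very High", "third_party": False},
]
# Constructed dynamic-scan export (findings against a running web application).
DYNAMIC_EXPORT = [
    {"url": "https://app.example.test/login", "cwe": 79, "risk": "High"},
]
# Constructed software-composition export (known-vulnerable dependency).
SCA_EXPORT = [
    {"package": "log4j-core", "version": "2.14.1", "cve": "CVE-2021-44228", "cvss": 10.0},
]


def from_static(rec: Dict) -> UnifiedFinding:
    origin = "third-party" if rec.get("third_party") else "first-party"
    return UnifiedFinding("static", origin, f"CWE-{rec['cwe']}",
                          f"{rec['file']}:{rec['line']}",
                          SEVERITY_RANK[rec["severity"].lower()])


def from_dynamic(rec: Dict) -> UnifiedFinding:
    # Dynamic findings hit the deployed app, so they are attributed to first-party code.
    return UnifiedFinding("dynamic", "first-party", f"CWE-{rec['cwe']}",
                          rec["url"], SEVERITY_RANK[rec["risk"].lower()])


def cvss_rank(score: float) -> int:
    """Map a CVSS base score onto the shared 1..5 scale (CVSS v3 qualitative bands)."""
    if score >= 9.0:
        return 5
    if score >= 7.0:
        return 4
    if score >= 4.0:
        return 3
    return 2


def from_sca(rec: Dict) -> UnifiedFinding:
    return UnifiedFinding("sca", "dependency", rec["cve"],
                          f"{rec['package']}@{rec['version']}", cvss_rank(rec["cvss"]))


def unify(static: List[Dict], dynamic: List[Dict], sca: List[Dict]) -> List[UnifiedFinding]:
    """Normalize every export, drop exact duplicates, and order by severity."""
    merged = ([from_static(r) for r in static]
              + [from_dynamic(r) for r in dynamic]
              + [from_sca(r) for r in sca])
    return sorted(set(merged),
                  key=lambda f: (-f.severity, f.origin, f.identifier, f.location))


def rollup(findings: List[UnifiedFinding]) -> Counter:
    """Counts per (origin, severity): the one-lens view across all three tools."""
    return Counter((f.origin, f.severity) for f in findings)


if __name__ == "__main__":
    findings = unify(STATIC_EXPORT, DYNAMIC_EXPORT, SCA_EXPORT)
    for f in findings:
        print(f"{f.severity} {f.origin:<12} {f.source:<8} {f.identifier:<16} {f.location}")
    print(dict(rollup(findings)))
```

Deduplication keys on the full normalized record, which is enough for repeated exports of the same scan; matching across builds where line numbers shift needs a scanner-provided stable identifier instead.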
        it_user846645 - PeerSpot reviewer
        VP Development
        Real User
        The scans have helped us make our code more secure, but mitigation can take a long time
        Pros and Cons
        • "The coding standards in our development group have improved. From scanning our code we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications."

          What is our primary use case?

          To certify that we have valid code, and that the developers are working with valid structures and writing good code.

          How has it helped my organization?

          The coding standards in our development group have improved. When we scan our code - at the end of a build cycle we'll go through and scan our code - from those scans we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications.

          That is now part of our software development life cycle, to do a static scan before we release to our client base. We mitigate what we have to.

          I'm not aware of any cost savings relating to code fixes since implementing Veracode in our development process.

          In terms of Veracode providing application security best practices and guidance to our development teams, once we scan the software and we have to go through a mitigation process, we make sure we implement that in the base standards. Once we mitigate a problem, we implement it back into the base to make sure the developers who are still developing code are not going to have the same issues that we just mitigated.

          For our customers, they know that we go through another level of application security with our application, one our competitors don't use. They know our code meets a standard and that we implement the standard and the structures. The fact that we have mitigated gives them a little bit of peace of mind that our code is valid, and that it's not going to hurt their infrastructure. 

          What is most valuable?

          We just use the static scan, it's all we got into as of now. We're happy with that, it seems to work very well for us.

          What needs improvement?

          Going through the mitigation is probably the hardest thing to do and that's still an ongoing process. If there is a code issue to mitigate, it sometimes takes a little bit longer than what you would think. It might not be anything that they're doing. It's just their engine is changing and our code is changing so we have two things moving. We get a good score one time, scan it again on a new release and the score drops because the engine is picking up more things. I don't know if they could do anything about that. It's just one of those things you might just have to live with.

          For how long have I used the solution?

          Three to five years.

          What do I think about the stability of the solution?

          No issues with stability.

          What do I think about the scalability of the solution?

          No issues with scalability, we're good there.

          How are customer service and technical support?

          They're very good. Anything that we've brought up to them, they've responded to us very quickly.

          Which solution did I use previously and why did I switch?

          We used the built-in solution inside of Microsoft Visual Studio, and we switched because Veracode had more cohesive scanning abilities and found a lot more issues with our code, when we first scanned it.

          How was the initial setup?

          It was pretty straightforward.

          What's my experience with pricing, setup cost, and licensing?

          We get good value out of what we have right now.

          Which other solutions did I evaluate?

          We had a couple of products that we looked at, but went with Veracode.

          What other advice do I have?

          I am highly likely to recommend Veracode to colleagues.

          Make sure, once you scan and find issues with your code, that the developers know how to remediate those issues so they don't go through them again.

          It's going to take some time to get through your first set of scans and mitigations. To fix your code is not straightforward. But once you do that and implement it back through your whole development cycle, they identify the issues and it's very easy to fix them, once you know and have gone through it once.

          Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
          it_user841116 - PeerSpot reviewer
          Information Security Lead Analyst at a consumer goods company with 10,001+ employees
          Real User
          We have learned from the recommended remediation strategies, making future code better
          Pros and Cons
          • "It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security."
          • "In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better."
          • "The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred megabyte size."

          What is our primary use case?

          Security scanning.

          How has it helped my organization?

          It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security.

          In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better.

          As for our customers, it lowers the risk for people visiting our site.

          What is most valuable?

          Catching coding flaws before they go live.

          Regarding integrating Veracode into our software development lifecycle, we started out with it being used only as a web interface, and now developers are starting to use it right in their IDE on the desktop.

          What needs improvement?

          It's a pretty dynamic product. It's changing all the time and improving.

          For how long have I used the solution?

          Three to five years.

          What do I think about the stability of the solution?

          The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred-megabyte size.

          What do I think about the scalability of the solution?

          We haven't encountered any scalability issues with Veracode so far.

          How are customer service and technical support?

          They're awesome. Their timeliness is acceptable, but their expertise is phenomenal.

          Which solution did I use previously and why did I switch?

          Veracode is the first professional solution I've used. It was in place when I got to the company.

          How was the initial setup?

          We just use it as a cloud service for third-party developers.

          What was our ROI?

          In terms of cost savings relating to code fixes since implementing Veracode in our development process, I can't really give hard numbers.

          What's my experience with pricing, setup cost, and licensing?

          I'm not the pricing guy.

          Licensing is pretty flexible. It's a little bit weird, it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about it.

          What other advice do I have?

          I recommend it all the time.

          It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection.

          I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourage its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.

          Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
          it_user842937 - PeerSpot reviewer
          Systems Architect at a tech vendor with 201-500 employees
          Real User
          Enables us to automatically submit each new build for scanning and get results directly into our JIRA
          Pros and Cons
          • "With the tools that Veracode provides, our developers are actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers."
          • "The most important feature is the static scanning analysis, and the reason is that it can tell us the vulnerabilities in that code, right before we go ahead and push something to production or provide something to a client... Dynamic scanning actually hits our Web applications, to try to detect any well-known Web application vulnerabilities as well."
          • "Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of a software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion."
          • "When those scans kick off, Veracode integrates back into our JIRA and actually opens tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products."
          • "The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something they have on their roadmap."

          What is our primary use case?

          Security scanning of the applications, of software that my company built.

          How has it helped my organization?

          We have a large developer base at our company ranging across a variety of skill sets. Some are very security aware, others really don't have the knowledge. What Veracode provides is really good feedback on what vulnerabilities were found in their code: examples, definitions, ways to mitigate. One of the huge benefits we've seen is just a bigger security awareness within our development staff.

          Further, with the tools that Veracode provides, they're actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers.

          Veracode provides application security best practices and guides our security and development teams because most of the time, in the issues that it opens, it has lots of links and details in there. There are also regular emails and newsletters that they send out about trends. So, there's a fair amount of communication and there are also a lot of details within the issues that they find. There's always plenty of material that they link to in issues. They do a really good job of providing a lot of communication and detailed documentation around our application security tools.

          Our customers have benefited in that they know that we put security right in front, as a priority. It's not an afterthought. They're a lot more aware that we're security conscientious, instead of just, "The software works, here you go."

          We also have reports. Some of our customers have asked for various types of reporting and security related stuff. Now, we're also able to give them these reports, essentially from Veracode's scans of our software. So, we have a lot more documentation about it. Instead of answering one-off questionnaires from our clients, we actually have a canned report we can provide. Again, all this material, we didn't have a year ago. We were just ad hoc answering things and hoping that they didn't question it anymore, and we really didn't have any good evidence. They were just taking us at our word.

          What is most valuable?

          The most important one is the static scanning analysis, and the reason is that it can tell us the vulnerabilities in that code, right before we go ahead and push something to production or provide something to a client.

          We pair that with dynamic scanning, which actually hits our Web applications, to try to detect any well-known Web application vulnerabilities as well. It's really just a way for us to stay ahead of it and provide some assurances and security with the software that we deliver.

          Also, Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of a software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion. So the API is a huge thing that we use from Veracode, in addition to those two types of scans.

          In terms of integrating Veracode into our existing software development life cycle, we heavily use JIRA today for bug tracking issues, time management, and the like, for our development team. When those scans kick off, Veracode integrates back into our JIRA and actually opens tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products. That's really what we use in measuring there, the integration back to JIRA in issues found.

          What needs improvement?

          From a technical standpoint, I'm pretty happy with everything. The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something they have on their roadmap.

          Other than that, I don't really get too involved in the cost sides of things that's in my job, I'm more of a technical focus, but I have heard from my manager and a couple other people that the solution is quite expensive. So that is possibly one factor that could turn somebody away from Veracode. But, like I said, I really don't know much more about that. Technically, I'm very impressed and happy with what they've had to offer.

          For how long have I used the solution?

          One to three years.

          What do I think about the stability of the solution?

          I have not run into one issue with stability with it. I'm throwing stuff at it all day and I can't think of one time where I've had an issue with submitting a scan or getting a scan to complete. It's been pretty flawless.

          What do I think about the scalability of the solution?

          The one thing we hit was some licensing limitation. Again, it went back to cost, I believe. We had to go back and change our licensing model with Veracode to be able to scan all the things that we wanted to. I think there was some confusion up front with their licensing or cost. 

          Like I said, that's really the only area that I've heard some gripes about, but I'm far removed. I'm not sure if it was scalability or a licensing mishap, but we did have some issues early on, with the amount of things that we wanted to scan and what their limits were for us. But ever since whatever was straightened out there, I have not had an issue of scalability.

          How are customer service and technical support?

          Initially, I had some questions back and forth and I was able to get everything resolved, mostly via email. Overall, I thought the response time was good, the answers were concise and accurate. Within 24 hours I was getting a response via email from their support. For what I needed to set up, I really thought their support was great and really sharp.

          I don't work with the support that often, now that things are established. But to get off the ground running, they were extremely helpful.

          Which solution did I use previously and why did I switch?

          We had never done anything like this in the past. This was the solution that we chose. We didn't really evaluate anything else. I know that my boss has been a fan of some CA products in the past and really recommended this one. I did some digging on it, from a technical standpoint, and I said I believed it would be able to scan all our stuff, support our platforms, the languages that we write our applications in, so that's how we landed on Veracode.

          How was the initial setup?

          Without the API, it would have been extremely complex. It would have been very painful because it would have been a very manual process of submitting applications. 

          I am fortunate enough that I have a pretty strong development background, so I do a lot of coding myself. For the person without development experience, using the API would have been very difficult. Where I work, we're a little unique in that sense.

          But the rest of it, it's a cloud-based solution. I'm kicking off all my stuff over to Veracode and it's running in their environments and producing results. There's not a whole lot of setup besides that. It's not a big cost on an any infrastructure that we have to run or support. So, pretty painless really.

          What was our ROI?

          I wish I had some numbers - this is really not my area. I would assume that it's got to be a fair amount of cost savings, only because we're touching things earlier. We didn't have anything before. I don't have good stats to provide except for the fact that now we have something in our process, where before we didn't. Before, security things were only being addressed if somebody actually found something or, even worse, if a customer found something. We don't have a lot of historical data but it's got to be substantial.

          I believe, from a technical standpoint, it's paying off for the rest of the organization. I think ethically it's the right thing to do. Educating our staff - I don't really know how you measure that in a dollar amount - but our developers are getting education and are becoming more aware of security in their software. Me being a technical guy, those two things are huge, and the dollars don't add up enough. I'm not sure how you would measure it.

          It probably pays off more over time as well. We're still only a year into it. So we're still learning a lot ourselves.

          What's my experience with pricing, setup cost, and licensing?

          If you're licensing, and you're looking at licensing models, you might want to ask Veracode about their microservice, depending on the company. If you are a microservice architecture, I would suggest asking them about their microservice pricing. I would suggest that you evaluate that with your code and their other licensing model, which is like a lump sum in size of artifacts, and just make sure that you price that out with them, because there might be some tradeoffs that can be made in price.

          Which other solutions did I evaluate?

          There were some, but we didn't get serious about them because they didn't have everything that we wanted.

          What other advice do I have?

          I would advise that you figure out a way to integrate it into your software development lifecycle in a way that it's not intrusive to your developers. That was really something that I set out to do. I didn't want my developers to have to go into their code, and kick off scans, and upload their code. So, I would really suggest looking at your integrations, your JIRA, your Jenkins, all of your add-ons, and hopefully that fits into the SDLC process, and then automating via their API.

          Essentially, what we were able to achieve is, my developers still live within JIRA and the issues get opened from Veracode into JIRA and they work on things that way. They can remediate it, kick it that way, and if they need to they can log into Veracode. But I'd suggest making the SDLC process integrated as much as you can to make it something that developers aren't having to spend a lot of time doing every day.

          Overall, I would give Veracode a nine out of 10, just because nothing is perfect. But it does everything for us and it was so painless. I speak very highly of it for those reasons.

          I would highly recommend CA Veracode. Every engineer that I've dealt with has been really sharp. The review process they have is really good and the knowledge they have has been tremendous. I really recommend working with them.

          Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
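The review above describes submitting each build for scanning through the vendor's API, having the results open JIRA tickets, and counting vulnerabilities opened and closed per release. The part of that integration that is the same regardless of scanner or tracker is the bookkeeping between two consecutive scans: which findings are new, which have gone away, which ticket each maps to, and whether the build should pass a policy gate. The following is an added example of that bookkeeping; it is not the reviewer's code and does not call the Veracode or JIRA APIs. The finding records, ticket ids and the 1 to 5 severity scale are constructed assumptions; a real pipeline would fill `PREVIOUS_BUILD` and `CURRENT_BUILD` from the scanner's results and hand the returned actions to the tracker's client.

```python
"""Added example: diff two builds' scan results, derive ticket operations,
compute per-release open/closed counts and apply a severity gate.
All findings, ticket ids and the severity scale are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[int, str, int]


@dataclass(frozen=True)
class Finding:
    cwe: int
    file: str
    line: int
    severity: int  # assumed 1..5 scale, 5 most severe

    def key(self) -> Key:
        # Identity used to match a finding across builds. Line numbers move when
        # code above them changes, so prefer the scanner's own stable flaw id
        # when it provides one; (cwe, file, line) is the fallback shown here.
        return (self.cwe, self.file, self.line)


# Constructed results for two consecutive builds of one application.
PREVIOUS_BUILD = [
    Finding(89, "src/orders.py", 42, 5),     # SQL injection
    Finding(79, "src/views.py", 118, 4),     # cross-site scripting
    Finding(327, "src/crypto.py", 9, 3),     # broken crypto algorithm
]
CURRENT_BUILD = [
    Finding(79, "src/views.py", 118, 4),     # still open
    Finding(327, "src/crypto.py", 9, 3),     # still open
    Finding(22, "src/upload.py", 61, 4),     # path traversal, new this build
]
# Tickets already filed for earlier findings (key -> ticket id), constructed.
OPEN_TICKETS: Dict[Key, str] = {
    (89, "src/orders.py", 42): "SEC-101",
    (79, "src/views.py", 118): "SEC-102",
    (327, "src/crypto.py", 9): "SEC-103",
}


def diff_scans(previous: List[Finding], current: List[Finding]):
    """Return (new, fixed, persisting), each deterministically ordered."""
    prev = {f.key(): f for f in previous}
    cur = {f.key(): f for f in current}
    new = sorted((cur[k] for k in cur.keys() - prev.keys()),
                 key=lambda f: (-f.severity, f.key()))
    fixed = sorted((prev[k] for k in prev.keys() - cur.keys()), key=lambda f: f.key())
    persisting = sorted((cur[k] for k in cur.keys() & prev.keys()), key=lambda f: f.key())
    return new, fixed, persisting


def ticket_actions(previous: List[Finding], current: List[Finding],
                   open_tickets: Dict[Key, str], release: str) -> List[Tuple[str, str, str]]:
    """Translate the diff into tracker operations without filing duplicates."""
    new, fixed, _ = diff_scans(previous, current)
    actions = []
    for f in new:
        existing = open_tickets.get(f.key())
        if existing:
            # Absent last scan but already tracked (e.g. a scan that missed it):
            # annotate the open ticket instead of opening a second one.
            actions.append(("comment", existing, f"seen again in {release}"))
        else:
            actions.append(("create", f"CWE-{f.cwe} in {f.file}:{f.line}", release))
    for f in fixed:
        existing = open_tickets.get(f.key())
        if existing:
            actions.append(("close", existing, release))
    return actions


def release_metrics(previous: List[Finding], current: List[Finding]) -> Dict[str, int]:
    """The opened/closed/carried numbers a release report is built from."""
    new, fixed, persisting = diff_scans(previous, current)
    return {"opened": len(new), "closed": len(fixed),
            "carried": len(persisting), "open_total": len(current)}


def build_passes(current: List[Finding], max_allowed_severity: int = 3) -> bool:
    """Policy gate for the pipeline: any finding above the threshold fails the build."""
    return all(f.severity <= max_allowed_severity for f in current)


if __name__ == "__main__":
    for action in ticket_actions(PREVIOUS_BUILD, CURRENT_BUILD, OPEN_TICKETS, "v2.4.0"):
        print(action)
    print(release_metrics(PREVIOUS_BUILD, CURRENT_BUILD))
    print("gate:", "pass" if build_passes(CURRENT_BUILD) else "fail")
```

Keeping the diff and the gate in code the team owns, rather than in the scanner's UI, is what makes the "tie them to releases" reporting reproducible: the same two result sets always yield the same actions and numbers.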
          Dave Cheli - PeerSpot reviewer
          Chief Technology Officer
          Real User
          Integrates easily into our workflow, Jenkins submits the code and the analysis runs automatically
          Pros and Cons
          • "It eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report."
          • "When we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are."
          • "They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice."
          • "The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal."

          What is our primary use case?

          The primary use is as a static analysis tool. But we also use Greenlight and dynamic, and we're currently having a manual penetration test.

          How has it helped my organization?

          Firstly, it prevents me from putting out software that has security vulnerabilities, which is a big thing and can be one of the most important things. 

          Also, we just finished a vendor due diligence with a very large company that wants to do business with us, and one of their security questions was "Do you do static analysis?" I was able to just send a very professionally done report. They know Veracode and they said, "Okay, great. This is terrific." 

          That very reason is why, three years ago when I first got to this company, I said, "We have to get hooked up with Veracode right away, so it's not like an afterthought." Because I'd been in a situation where you do it after the fact and you end up with 3,000 errors, medium to critical errors.

          It helps us put out better software more quickly, and gives me the peace of mind that we've done everything we can to prevent any security exploits.

          It's something that our customers don't think about, and the benefit would be that as long as there are no data breaches, there's no hacking within our system, they get a non-functional benefit. We work with pharmacies and they just expect that the system is secure. I would view that as a benefit to them - maybe something that they don't think about - but nonetheless, it's there. 

          What is most valuable?

          Certainly it eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report.

          Once it's set up - and it's pretty easy to set up - it pretty much just works and I don't really have to think about it, outside of whenever I get my emails to look at the reports.

          It was a very easy integration that we did within the first week of going live with the software.

          So ease of use, ease of integration.

          What needs improvement?

          The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal. 

          With that said, I hate when companies redo their portals all the time. So it's kind of a catch-22, but that would be my only critique.

          For how long have I used the solution?

          Three to five years.

          What do I think about the stability of the solution?

          It's always been pretty rock solid. 

          What do I think about the scalability of the solution?

          No scalability issues that I'm aware of. 

          How are customer service and technical support?

          Exceptional.

          Which solution did I use previously and why did I switch?

          Veracode was really my first introduction to static code analysis. The way I came across it in my previous company was, they were going through security due diligence and we didn't have any code analysis software. The company, a very large health plan, said, "Here are three that we recommend." Veracode happened to have been one of them, along with HPE and another company, maybe it was IBM, I don't know. We took a look at all of them and we made a decision to go with Veracode.

          How was the initial setup?

          It was easy. It's very straightforward. There's nothing complicated about it.

          What was our ROI?

          I haven't really thought about cost savings related to code fixes, since we implemented Veracode, other than: It's always easier and much cheaper to catch errors and fix them before you go to production, versus catching them while in production. Just like it's much easier to fix things before production, as opposed to having somebody hack your system and to find out that you have a cross-site script error.

          But again, I've never quantified it in terms of whether it's saved me money. 

          Just off the cuff, the cost of the license is small in comparison to the value it brings. I don't have to buy the software myself, I don't have to have specially trained security professionals that monitor this stuff. But I haven't really broken it down to quantify it into dollars, as such.

          What's my experience with pricing, setup cost, and licensing?

          I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this product.

          About licensing, just go ahead and get them.

          Get a license at the beginning of a project. Don't wait until the end, because you want to use the product throughout the entire software development lifecycle, not just at the end. You could be surprised, and not in a positive way, with all the vulnerabilities there are in your code.

          Which other solutions did I evaluate?

          When I was at the last company, I looked at HPE (now Micro Focus) Fortify vs Veracode and maybe IBM had a product, but they were overly complex and overly expensive. I remember talking to our Veracode account rep, who also was my account rep originally here at Focus Script, and she did a fabulous job of explaining it, doing a demo, showing how easy it was to use, and that's what sold me. Again, it was recommended from a very large health plan as one of the more reputable systems out there.

          What other advice do I have?

CA Veracode provides application security (AppSec) best practices and guidance to our teams in a couple of ways. First of all, they have an e-learning module that has courses that we have required our developers to take. That's a best practice.

Secondly, when we do have errors, Veracode's consultants are always available to help us either mitigate the error, or provide technical assistance on pointing out exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are.

          They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice. The list goes on... And again, having received, early on, education from them on how best to integrate this in the workflow, those are areas where we've relied on best practices from Veracode.

          I'm in healthcare, and it's very important - and I'm sure in other industries just as well - but the stakes are very high. If we get hacked, if there's a data breach, it could put us out of business. It's a very good price point for a small company to have these kinds of capabilities, something we can afford for our application.

          I am very likely to recommend it to colleagues. As I mentioned, I brought it to this company, and I've already recommended and provided references to a few other companies over the last couple of years.

          Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
          it_user837504 - PeerSpot reviewer
Information Technology at an insurance company with 51-200 employees
          Real User
          Give us insight into code without having to upload it, saving a lot of NDA paperwork
          Pros and Cons
• "Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests heavy time using it."
          • "It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code."
          • "It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help."

          What is our primary use case?

          We test two mission-critical web applications (C# Web forms).

          How has it helped my organization?

We used to revise code with free tools (like VCG) but they are not even in the same universe. Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests heavy time using it.

          Also, from the very relevant results and issues that were pinpointed by Veracode, I can say that our customer security was greatly enhanced by its use.

          What is most valuable?

          It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code, but the source code never leaves your workstation, it is all client side, no NDA needed.

          What needs improvement?

          It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help (but not now, now that I've learned it).

          For how long have I used the solution?

          One to three years.

          What do I think about the stability of the solution?

          No, we did not detect a single glitch or fault in a year. We once had a periodic maintenance activity on the Veracode platform during a deadline, but it was clearly announced in advance, so we just went around it and had no issues.

          What do I think about the scalability of the solution?

          No, you don’t have such concerns on Veracode. The process is really "launch and forget" (and wait for results).

          How are customer service and technical support?

The team that assists us with it is just great, especially considering there is a language barrier for some of our employees. Veracode did its best to get those employees in the loop with the chance to attend the meeting, as well as with the aid of written English.

          Which solution did I use previously and why did I switch?

          VCG (Visual Code Grepper) but I am not even going to compare them. VCG is as good as they come, but Veracode is a different breed. An application went through VCG and we were pretty confident. Then, Veracode results just blew us out of our shoes.

          How was the initial setup?

          I manage the Veracode suite for my company, and I was personally walked through the various steps. Once I was up and running, we had another two-hour session to explain to us how a proper Veracode assessment should be planned (developers, code reviewers). As a result, I believe we have not only a pretty solid code review process up and running, but this was all provided to us at no additional cost.

          What we felt is that the Veracode guys want to enjoy and use their solution first. They are not pushing to get consultancy time if that can be avoided. If you need consultancy time you can have it and the prices are convenient. We did not. All the help came at no additional cost.

          What was our ROI?

          It is difficult to assert, but it helps a lot with maintaining compliance with our main customers, and helps us to pinpoint some specific issues. The cost of not having Veracode would be pretty high for us.

          What's my experience with pricing, setup cost, and licensing?

          The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was.

The licensing is fair, it is time-limited (e.g. one year) but there is a size cap for every app. If your applications are big (due to third-party libraries, for example) you should discuss this beforehand and explore suitable agreements.

          Which other solutions did I evaluate?

          Competitors were evaluated but seemed, at once, too bloated or not relevant to all our specific requests. We were not interested in buying a product (such as a standalone program) rather we were interested in getting a tool for creating a process, and Veracode is that.

          What other advice do I have?

In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward to doing it, starting with the next app that gets developed from scratch.

          CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a credible set of rules for Veracode policy, all this at no additional cost.

As Veracode licensing is generally time-related, I suggest you start the subscription once everything is ready for consumption, assign a specific person to it and declare it mandatory at the policy level. Losing two months of great value because the devs are too busy, or because they think they don't need it, or they fear the results, or because no one is taking charge of the Veracode process, is really a pity. Once the clock starts ticking, try to take advantage as much as you can.

          I would recommend Veracode to anyone involved in high-risk environments.

          Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
          it_user836430 - PeerSpot reviewer
          Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
          Real User
          Scanning helps ensure our code is flaw-free, and remediation tools help developers track and manage flaws
          Pros and Cons
          • "The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws."
          • "Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year."

          What is our primary use case?

          Application security management.

          How has it helped my organization?

          We've been able to provide reports to our clients that show applications are either flaw-free, or in the process of being remediated, and give them timely status updates on how those flaw remediations are going on.

          Our customers have benefited by being able to have a little bit more assurance from us, from a trusted authority, that our code is properly flaw-free and remediated.

          What is most valuable?

          The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws.

We have been able to integrate Veracode through many of the IDEs that our developers use, using the Veracode APIs, or they've actually been doing this manually as part of their SDLC.

          What needs improvement?

          Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year.

          That would probably be the biggest area, access to more granular data that we could pull and use on a regular basis. Better dashboards. That kind of information.

          For how long have I used the solution?

          One to three years.

          What do I think about the stability of the solution?

          It's stable, absolutely. They do regular maintenance schedules. Aside from that, I can't really think of a time where it has not been a stable product or unavailable. 

          What do I think about the scalability of the solution?

          No issues with scalability.

          How are customer service and technical support?

          We engage their support teams quite often actually. Part of our licensing package is a good number of hours per month for our development teams to work with their support teams at Veracode, to help solve remediation issues, troubleshoot some of the flaws that they encounter or can't understand. Their support teams have been able to work with our development teams very well.

          Which solution did I use previously and why did I switch?

          We were not using a previous vendor prior to this. We've used other vendors like Nessus for pen testing. We still use those. Veracode was just more of an addition.

          How was the initial setup?

          The setup has been more of a phase-in approach, and it's been gradual. It's been kind of a "trial-by-fire" setup with a lot of our development teams because most of our development teams aren't used to doing this. So, it's been a trial, I guess more so on our side, to get the adoption going on. It's just part of training our team to actually know there's something they need to do on a regular basis.

          What was our ROI?

          Regarding any cost savings relating to code fixes since we implemented Veracode in our development process, I can't say I have that information off the top of my head.

          What's my experience with pricing, setup cost, and licensing?

          Just do your research. Make sure you're getting the best price on this. It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in. Then just see if it can work. Try and make sure you get the best price possible.

          Which other solutions did I evaluate?

I was not part of the evaluation team on this, unfortunately. I believe other options were evaluated as well, but I don't have access to that information.

          What other advice do I have?

          In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not have really before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half.

          The advice I'd give is look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good for your company. If you aren't currently doing this kind of analysis on your code, I would take a strong look at whether this is something that you really should be doing. It's a different world out there right now.

          I would recommend Veracode very highly, especially since the program management staff that I work with from Veracode are some of the best people that I've worked with in this industry.

          Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
          it_user835104 - PeerSpot reviewer
          Project Manager at a tech vendor with 501-1,000 employees
          Real User
          We use scan results for training to increase sensitivity to security issues during development
          Pros and Cons
            • "Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines."
            • "Because our application is large, it takes a long time to upload and scan."

            What is our primary use case?

            Static code scan.

            How has it helped my organization?

            We have used the results of scans to train our people and make them more sensitive to security issues during development, although we haven't done any specific integration of Veracode into our software development cycle. Engineers are better trained, so we hope to see increased compliance with our security guidelines.

            We do incorporate the suggested course of action from the Veracode report (AppSec best practices and guidance) in our best practices.

            Also, our customers benefit from the fact that the application is more secure.

            What is most valuable?

            We use the results of the scan to identify vulnerabilities in the product.

            What needs improvement?

            Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.

            For how long have I used the solution?

            One to three years.

            What do I think about the stability of the solution?

            No issues with stability.

            What do I think about the scalability of the solution?

            Because our application is large, it takes a long time to upload and scan.

            How are customer service and technical support?

            Based on limited usage, we are satisfied.

            Which solution did I use previously and why did I switch?

            We did not have a previous solution. We picked this product because our partner (SAP) uses it.

            How was the initial setup?

            Straightforward.

            What was our ROI?

            There are no directly measurable cost savings. We see security improvement as a key part of our product development.

            What other advice do I have?

            When asked, we let our customers and partners know that we use Veracode and that we are happy with it.

            Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
            Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
            Real User
            Allows us to streamline identification of vulnerabilities and quickly address them
            Pros and Cons
            • "When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them."
• "Code analysis tool to help identify code issues before they are entered into production."
            • "Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production."
            • "Developer Sandboxes help move scanning earlier within the SDLC."
            • "The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes."
            • "The Greenlight product that integrates into the IDE is not available for PHP, which is our primary language."

            What is our primary use case?

            Static code analysis for internally developed critical systems.

            How has it helped my organization?

When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them. This has also led to better overall code quality for the team, by pointing out some dated practices that needed updating.

            We have required that our critical systems pass a Veracode scan prior to code being deployed into production. We also have included a step in the development stage to run specific code through a Veracode Sandbox to encourage better code quality, early on in the development lifecycle.

Veracode has helped us meet the requirements of our yearly external audits and has improved code quality, leading to less downtime and less buggy code that users will encounter.

            What is most valuable?

• Code analysis tool to help identify code issues before they are entered into production.
            • Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production.
            • Developer Sandboxes help move scanning earlier within the SDLC.
            • The platform itself has a lot of AppSec best practices information, especially in the mitigation recommendation process. They have also offered cybersecurity e-learning for our team. 

            What needs improvement?

            The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes.

            Also the Greenlight product that integrates into the IDE is not available for PHP, which is our primary language.

            For how long have I used the solution?

            More than five years.

            What do I think about the stability of the solution?

            No issues with stability.

            What do I think about the scalability of the solution?

            No issues with scalability.

How are customer service and technical support?

            We have rarely needed to use tech support, and when we have it has performed as expected.

            How was the initial setup?

            Straightforward. Just add the applications in the portal and start scanning.

            What was our ROI?

            We don’t have the metrics to track specific dollars, but Veracode has saved us the cost of hundreds of employee hours by streamlining our vulnerability discovery process in legacy code, and by improving the quality of code released into production. 

            As we support our organization's customer-facing digital channels by writing higher quality code, we have reduced the amount of bugs or downtime a user experiences using our systems. This saves in employee time and also increases engagement with our digital channels.

            What's my experience with pricing, setup cost, and licensing?

            Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need.

            Which other solutions did I evaluate?

            Yes, but too long ago to remember which ones.

            What other advice do I have?

            I would definitely recommend CA Veracode.

            Just make sure you define a process for your developers prior to implementing the technology.

            Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
            it_user694200 - PeerSpot reviewer
Manager at a tech services company with 10,001+ employees
            Consultant

How good is adding agents working in the banking, financial, and healthcare industries?

            it_user833553 - PeerSpot reviewer
            CISSP, CISM at a tech services company with 1,001-5,000 employees
            Real User
            SAST, DAST, and Greenlight point out potentially insecure coding and how to fix it
            Pros and Cons
• "For our rapid, secure DevOps cycle, we have integration of the Veracode API into our build tool, and Greenlight into our IDE."
            • "It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo."
            • "It would help to have more training for developers to help them set it up."

            What is our primary use case?

            We use it for a lot of things and they're all primary: SAST, DAST, and Greenlight.

            How has it helped my organization?

            By using this product, we can point out not only any potentially insecure coding, but how to fix it. It's a requirement, a legal requirement. So we benefit by not breaking regulatory law.

            What is most valuable?

            SAST, DAST, and Greenlight are the most important features because today it's important for our regulatory compliance law to keep our product coding relatively secure.

For our rapid, secure DevOps cycle, we have integration of the Veracode API into our build tool, and Greenlight into our IDE.

            What needs improvement?

            I think they are doing pretty well. It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo. I think that's a real good idea.

            For how long have I used the solution?

            More than five years.

            What do I think about the stability of the solution?

            No issues with stability.

            What do I think about the scalability of the solution?

            No issues with scalability, other than making sure that our people know how to use it.

            How are customer service and technical support?

            Excellent.

            Which solution did I use previously and why did I switch?

            Never. I've been using it for 20 years. I tried others, like HPE's and IBM's, when I was with Visa, but this is the best.

            How was the initial setup?

            I think it's simple, but sometimes it would help to have more training for developers to help them set it up.

            What was our ROI?

            I can't give you exact numbers, but it's a lot cheaper to do it sooner rather than later.

            What's my experience with pricing, setup cost, and licensing?

            Pricing is worth the value. 

            Which other solutions did I evaluate?

            They didn't have products before this one. This one pre-dated them.

            What other advice do I have?

            I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion.

We are a good customer and we have been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.

            Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
            it_user833550 - PeerSpot reviewer
            VP of Services at a tech vendor with 51-200 employees
            Real User
            We're much more security conscious when writing code, to meet the benchmarks it gives us
            Pros and Cons
            • "We use it to get our scan results and see where our software is vulnerable or not vulnerable."
            • "The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."

            What is our primary use case?

            Dynamic and static scanning.

            How has it helped my organization?

            We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle.

            In terms of AppSec best practices, it has made everybody more conscious about what they're trying to accomplish, because they know at the end of the release cycle we're going to be running scans. They basically need to make sure they adhere to all the rules.

            Our customers have benefited from the added application security we offer because they're more confident that our software isn't going to expose their organizations to any risk.

            What is most valuable?

            The ability to run scans. It's a critical piece of why we use the platform. We use it to get our scan results and see where our software is vulnerable or not vulnerable.

            It's part of our SDLC now.

            What needs improvement?

            The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.

            For how long have I used the solution?

            One to three years.

            What do I think about the stability of the solution?

            No issues with stability.

            What do I think about the scalability of the solution?

            Not that I know of.

How are customer service and technical support?

            I have not contacted tech support.

            How was the initial setup?

            It seemed straightforward. I didn't actually do the work, but from what I was told, it seemed like it was fairly easy to get going.

            What was our ROI?

            I cannot give numbers on any cost savings related to code fixes since implementing CA Veracode in our development process.

            What's my experience with pricing, setup cost, and licensing?

            It's worth the value.

            Which other solutions did I evaluate?

            We did evaluate other options, but I can't remember who we looked at.

            What other advice do I have?

            I would be highly likely to recommend working with CA Veracode to colleagues. 

            I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do.

            Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.

            Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
            Director Software Engineering at a tech services company with 51-200 employees
            Real User
We only release after both static and dynamic scans, and after mitigating the flaws identified
            Pros and Cons
            • "All the features provided by Veracode are valuable, including static scan, dynamic scan, and MPT (Manual Penetration Testing)."
            • "We use Ruby on Rails and we still don't have any support for that from Veracode."
            • "The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity."

            What is our primary use case?

            To have a third-party analyze our code and make recommendations from a security perspective.

            How has it helped my organization?

            We do not pass our release without performing a static and a dynamic scan, and mitigating the flaws identified.

            In terms of how our customers have benefited from the added application security of our applications, they are aware of our development process and it makes them comfortable that we have implemented industry best practices.

            What is most valuable?

            All the features provided by Veracode are valuable.

            What needs improvement?

            We use Ruby on Rails and we still don't have any support for that from Veracode.

            The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity.

            For how long have I used the solution?

            More than five years.

            What do I think about the stability of the solution?

            No issues with stability.

            What do I think about the scalability of the solution?

            No issues with scalability.

            How are customer service and technical support?

            The support is good but has room for improvement. Issues don't get acknowledged quickly; repeated updating is required.

            What was our ROI?

            The cost savings are the efforts that it would take to do this at a stretch if this was not implemented early on in our development cycle.

            What's my experience with pricing, setup cost, and licensing?

            I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform.

            Which other solutions did I evaluate?

            WhiteHat.

            What other advice do I have?

            We have made process changes and improvements, although Veracode is not tightly integrated into our CI/CD platform yet.

            I am very likely to recommend to colleagues that they work with CA Veracode.

            Disclosure: I am a real user, and this review is based on my own experience and opinions.
            it_user831864 - PeerSpot reviewer
            Application & Product Security Manager at an insurance company with 1,001-5,000 employees
            Real User
            Allows us to integrate with it through automated processes, but needs better APIs
            Pros and Cons
            • "Also, our customers benefited from the added security assurance of our applications, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester."
            • "Static analysis scanning engine is a key feature."
            • "It needs better APIs, reporting that I can easily query through the APIs and, preferably, a license model that I can predict."

            What is our primary use case?

            Static analysis.

            How has it helped my organization?

            It has allowed us to integrate with it through automated processes, which saves us a lot of time and effort.

            Also, our customers benefited from the added application security assurance of our software, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester.

            What is most valuable?

            Static analysis scanning engine, because we need to do static analysis; that’s why we bought the product.

            What needs improvement?

            • Better APIs
            • Reporting that I can easily query through the APIs
            • Preferably, a license model that I can predict

            It would save us time when integrating with the APIs. Difficult APIs are annoying to work with and we have to trial/error our way through the integrations. The more straightforward and friendly they are, the less we have to trial/error.

            For how long have I used the solution?

            One to three years.

            What do I think about the stability of the solution?

            No issues with stability.

            What do I think about the scalability of the solution?

            Aside from the licensing, no issues with scalability.

            How are customer service and technical support?

            Good.

            Which solution did I use previously and why did I switch?

            IBM Security AppScan. In looking at Veracode vs IBM Security AppScan, I switched because of the CI/CD offerings of Veracode.

            How was the initial setup?

            The APIs are a bit nonsensical, but otherwise straightforward.

            What was our ROI?

            It has not really resulted in any cost savings related to code fixes.

            What's my experience with pricing, setup cost, and licensing?

            The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune.

            Which other solutions did I evaluate?

            IBM, Coverity.

            What other advice do I have?

            Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that.

            The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides.

            In terms of advice to others looking into implementing this project, I would say don’t use the UI, and do what you can to have license conversations up front.

            It depends on the use case and budget, but I would recommend CA Veracode to colleagues.

            Disclosure: I am a real user, and this review is based on my own experience and opinions.
            it_user797976 - PeerSpot reviewer
            Global Application Security at a pharma/biotech company with 10,001+ employees
            Video Review
            Real User
            It has the ability to scale and not produce a lot of false positives
            Pros and Cons
            • "It has the ability to scale, and the fact that it doesn't produce a lot of false positives."
            • "It does nearly everything, but penetration testing."

            How has it helped my organization?

            Scalability and its optimization of security inspections. At the end of the day, I like the fact that it is all prim. It does not require a lot of support on our side. We get the benefit of security inspections and it scales with our community, which is global. 

            What is most valuable?

            It has the ability to scale, and the fact that it doesn't produce a lot of false positives.

            What needs improvement?

            Number one, I need analytics, analytics, and more analytics. It is all about risk-based management and better decision support; that is why.

            What do I think about the stability of the solution?

            It is rock solid, we have used it now for seven years.

            How are customer service and technical support?

            On a scale of one to 10, I would give it an eight. 

            Which solution did I use previously and why did I switch?

            We had no previous solution. We didn't know we needed to invest in Veracode. It worked out that way through our evaluation process that it was the right solution for us.

            What other advice do I have?

            I never give 10s. I would give it a nine. It does nearly everything, but penetration testing. It covers such a broad breadth of our portfolio. In our business, we have applications written in so many different languages. Finding something that can consistently scan and not generate false positives across the paradigm or the whole ecosystem of languages, that is impressive. It is speed of inspection, the accurateness of the inspection outcomes, and frankly, it has fairly good business analytics embedded on the platforms. So, it does a lot more for us than not.

            Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
            reviewer1384917 - PeerSpot reviewer
            Principal, Customer Advocacy at Veracode
            Vendor

            Thank you for taking the time to share your experience with Veracode. We appreciate your time and hope all is still going well. Please let me know if there's anything I can do to help.

            it_user778905 - PeerSpot reviewer
            Technical Director at a financial services firm with 1,001-5,000 employees
            Real User
            Enables us to quickly discover, understand, triage, and remediate our software's vulnerabilities
            Pros and Cons
            • "The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future."
            • "We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we don't assume anything about what those people might already know, or need to know. It just makes it very useful for anyone who has to engage with it."
            • "Tech support is outstanding. Best in class. Absolutely. They bend over backwards to help us. We'll come up with questions and within minutes, we'll get answers. It's amazing. It's truly amazing."
            • "I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline."

            What is our primary use case?

            Software security, static code scanning.

            It has performed very well.

            How has it helped my organization?

            The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future.

            It helps us gain confidence that the applications we're putting out in the hands of millions and millions of people have that industrial-strength quality to them; that we don't need to worry about as much as we used to. 

            What is most valuable?

            • Completeness, comprehensiveness
            • speed
            • ease of use

            We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we don't assume anything about what those people might already know, or need to know. It just makes it very useful for anyone who has to engage with it.

            What needs improvement?

            I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline.

            For how long have I used the solution?

            Three to five years.

            What do I think about the stability of the solution?

            Stability has been great. I've never seen any downtime, in four years.

            What do I think about the scalability of the solution?

            We went from 50 applications in 2015; we're now up to over 400. There seems to be no limit on how quickly it can scale and operate.

            How are customer service and technical support?

            They're outstanding. Best in class. Absolutely. They bend over backwards to help us. We'll come up with questions and within minutes, we'll get answers. It's amazing. It's truly amazing.

            How was the initial setup?

            It was very straightforward. Veracode was very helpful, hand-holding - anything that we needed - they were right there and made it very simple.

            Which other solutions did I evaluate?

            We had been evaluating various different types of source-code scanners. It was a fundamental element of the program and we knew we had to have the best one that would meet a wide variety of applications: development, apps, as well as a wide variety of geographic dispersion of the people writing these apps. 

            We had IBM, we had Fortify, we had PMD, and there was one other scanner at the time that we were evaluating. Veracode came out on top, in almost every category.

            By using a cloud-based scanner, we really had no issues with where the developers are geographically located. So we didn't really have setup problems at all. It just kind of happened, and scales fairly naturally, organically.

            What other advice do I have?

            The most important criteria when selecting a vendor are

            • reliability
            • customer service.

            Take advantage of all of the help that Veracode provides, for implementation, operations, and maintenance, because they absolutely know what they're doing.

            Disclosure: I am a real user, and this review is based on my own experience and opinions.
            reviewer1384917 - PeerSpot reviewer
            Principal, Customer Advocacy at Veracode
            Vendor

            Thank you for taking the time to share your experience with Veracode.  We appreciate your time and hope all is still going well.  Please let me know if there's anything I can do to help.

            it_user779082 - PeerSpot reviewer
            Senior Information Security Program Manager at a financial services firm with 10,001+ employees
            Real User
            Gives us every vulnerability that has been identified, so there is no human intervention
            Pros and Cons
            • "The ability on static scans to be able to do sandbox scans which do not generate metrics."
            • "I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams."

            What is our primary use case?

            The primary use case is application security and application security testing, specifically static and dynamic analysis, and software composition analysis. It has performed excellently.

            How has it helped my organization?

            The benefits are the fact that it identifies our vulnerabilities, and it has improved us by allowing us to pull everything to the left in agreement with our SDLC and with our developers, and have them not only get buy-in because they can run sandbox scans that allow them not to generate metrics, but also run policy scans where we identify what the policy is and what is acceptable. So, it has helped us secure our company and our applications.

            What is most valuable?

            1. The ability on static scans to be able to do sandbox scans which do not generate metrics.
            2. Gives us every vulnerability that has been identified, so there is no human intervention. Therefore, we can actually look and prioritize our own vulnerabilities as opposed to having someone else try to get in between.

            What needs improvement?

            I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams. We would be able to scan our applications, identify the vulnerabilities, not generate metrics, which would allow the teams to address the vulnerabilities earlier in the cycle, and then have cleaner scans later on.

            Also, I would maybe like to see a better report engine.

            What do I think about the stability of the solution?

            It is extremely stable.

            What do I think about the scalability of the solution?

            So far, extremely scalable.

            How are customer service and technical support?

            We do have ongoing technical support. We use them more as a backstop. My team handles most of the calls and issues that any of the developers might have. 

            CA support has excellent time frames. They are knowledgeable and get back to you with an actual solution, which is always a plus.

            How was the initial setup?

            The initial setup was very straightforward.

            1. It is SaaS, so we did not have to install anything locally.
            2. We were able to give our privileged users better roles because it is role-based, and to do multi-factor authentication. Once we set up our trust relationship, we have single sign-on and we white-listed everything. So, it is everything that we wanted from a security point of view, and it is easy to roll out.
            Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
            reviewer1384917 - PeerSpot reviewer
            Principal, Customer Advocacy at Veracode
            Vendor

            Thank you for taking the time to share your experience with Veracode. We appreciate your time and hope all is still going well. Please let me know if there's anything I can do to help, my role is new here and I'm fascinated with the customer feedback.

            it_user712167 - PeerSpot reviewer
            General Manager - Application Security at a tech consulting company with 51-200 employees
            Consultant
            Needs to improve service levels and capabilities versus competitors. Provides a wide range of platforms and technology assessments.

            How has it helped my organization?

            PoC is in progress.

            What is most valuable?

            • Application testing
            • False positives challenges
            • Wide range of platforms and technology assessments

            What needs improvement?

            It needs to reach the level of Checkmarx's and Fortify Software's capabilities and service levels, or it may further lose market share.

            What do I think about the stability of the solution?

            No.

            What do I think about the scalability of the solution?

            No.

            How are customer service and technical support?

            Customer Service:

            A three out of 10.

            Technical Support:

            A two out of 10.

            Which solution did I use previously and why did I switch?

            Quality levels, service offerings, pricing, and mainly the features and abundance of technologies provided by others made us switch to a different solution.

            What about the implementation team?

            In-house.

            What's my experience with pricing, setup cost, and licensing?

            The pricing is pretty high.

            Which other solutions did I evaluate?

            Yes. Checkmarx, SonarQube and Fortify Software.

            Disclosure: I am a real user, and this review is based on my own experience and opinions.
            it_user697020 - PeerSpot reviewer
            Software Developer/Architect at an insurance company with 201-500 employees
            Vendor
            Static, dynamic, and manual scan features were useful for us.

            What is most valuable?

            We used the application for the web. Static, dynamic, and manual scan features were all very useful for us. All of them helped us fix many security flaws.

            How has it helped my organization?

            It made us change our approach to coding. We tried to make sure our application stayed secure and safe.

            What needs improvement?

            The current features were enough for us. Although reports are well documented, it was difficult for us to understand them at first.

            For how long have I used the solution?

            We have been using the solution for about a year.

            What do I think about the stability of the solution?

            We did not encounter any issues with stability.

            What do I think about the scalability of the solution?

            We did not encounter any issues with scalability.

            How are customer service and technical support?

            We didn't use the technical support, so I can't comment on this question.

            Which solution did I use previously and why did I switch?

            We did not use a previous solution. This was the first security application we used.

            How was the initial setup?

            It was very easy to set up. Everything on the website was clearly explained.

            What's my experience with pricing, setup cost, and licensing?

            I don't know about the prices.

            Which other solutions did I evaluate?

            We did not evaluate any alternative solutions.

            What other advice do I have?

            If it's the first time you are using a security application, be ready for some new tools which will require you to revitalize the flaws reported.

            Reports are very well documented. Once you understand what it means and you get used to it, you will see that it is detailed and clearly explained.

            Disclosure: I am a real user, and this review is based on my own experience and opinions.
            it_user542859 - PeerSpot reviewer
            Security Consultant at a tech company with 501-1,000 employees
            Vendor
            Allows developers to run their own scans. I would like to see the false positives corrected.

            What is most valuable?

            Allows developers to run their own scans.

            How has it helped my organization?

            Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.

            What needs improvement?

            I would like to see the following:

            • Correction of the regularly received false positives
            • Options to manage comments and mitigations
            • Better UI functionality

            For how long have I used the solution?

            We have used this solution for a year.

            What do I think about the stability of the solution?

            A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.

            What do I think about the scalability of the solution?

            There have not been any scalability issues yet.

            How are customer service and technical support?

            I would give technical support a rating of 8/10. At times, we have not seen the best support in terms of issues faced during a scan.

            Disclosure: I am a real user, and this review is based on my own experience and opinions.
            Gustavo_Gonzalez - PeerSpot reviewer
            Technical Program Manager at an engineering company with 10,001+ employees
            Real User
            The coverage it provides of the last vulnerabilities reported and of the programming languages is valuable.
            Pros and Cons
            • "The coverage of the last vulnerabilities reported."
            • "To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources."

            How has it helped my organization?

            We decided to begin a partnership with Veracode, so we can improve our services and provide the customers that trust us with a platform capable of reporting vulnerabilities and also delegating and keeping track of the remediation until the applications score 100% on stability before they go to production.

            What is most valuable?

            • Customer and professional support
            • Live sessions and training
            • The coverage of the last vulnerabilities reported
            • The coverage of the programming languages

            What needs improvement?

            • To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources.

            Compiled code means that the code written is stored in binaries for machine reading only. Veracode reads only those binaries (compiled code). The other way to have the code is “Source Code written only”, a process where you don’t compile and anyone is able to read the code line by line.

            This example might seem weird, but maybe it will clear things up:

            Binary Code (Supported by Veracode):

            11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010
            11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 11110 010
            1111000101000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 0101

            Source Code:

            public class HelloWorld {
                public static void main(String[] args) {
                    // Prints "Hello, World" to the terminal window.
                    System.out.println("Hello, World");
                }
            }

            What do I think about the stability of the solution?

            When tracking source code vulnerabilities, sometimes it’s possible that the tool loses the path of the issues when the source code has been modified significantly.

            How are customer service and technical support?

            Customer Service:

            Customer and platform support is one of the best in the field. The experts are skilled and can have as many meetings and as much research as needed.

            Technical Support:

            The Veracode support team excels with the help of its experts, who are capable of solving most situations, and takes advantage of the variety of its members to delegate issues and problems to solve.

            Which solution did I use previously and why did I switch?

            I use a portfolio of tools for security consulting, but Veracode is the main app I rely on because customers are happy to be able to track the status of each individual issue or vulnerability.

            How was the initial setup?

            Initial setup is very complex, requiring security knowledge, but it’s easy when experts guide you through the whole process. Even after months of use, the Veracode experts are always there to help you on both the workflow and the dashboard tool.

            What's my experience with pricing, setup cost, and licensing?

            Veracode is a very complete tool; that drives you to invite customers, the apps team, developers and even the product and marketing team to navigate through the whole application. Its complexity makes it quite expensive, but it’s all worth it, with all the engineering in the background.

            Which other solutions did I evaluate?

            Before choosing this product, many tools were tested, such as HPE WebInspect, AppScan, Checkmarx, etc. Those tools are good, and do their jobs really well. Veracode has many pros that involve a human touch, which is something a consulting firm, customers and big companies want from the information technology field.

            What other advice do I have?

            I recommend exhausting all resources and gaining knowledge from different security tools, before making a decision. Veracode is not cheap, but it is a tool capable of giving dynamic, static and even manual scan results in one platform. Veracode is one of very few options out there, and the very best.

            Disclosure: I am a real user, and this review is based on my own experience and opinions.
            it_user335091 - PeerSpot reviewer
            Senior Security Consultant at a retailer with 1,001-5,000 employees
            Vendor
            We were able to easily integrate static code testing into the SDLC process, moving from the waterfall to the agile methodology while still able to integrate Veracode testing within both.

            Valuable Features

            Static code analysis is a valuable feature.

            Improvements to My Organization

            We were able to easily integrate static code testing into the SDLC process. We moved from the waterfall to the agile methodology, and were still able to integrate Veracode testing within both methodologies.

            Room for Improvement

            It's been over a year since I used the product. But when I did, I found there were too many false positives.

            Use of Solution

            I used it for one year.

            Deployment Issues

            No issues encountered.

            Stability Issues

            No issues encountered.

            Scalability Issues

            No issues encountered.

            Customer Service and Technical Support

            Customer Service:

            8/10

            Technical Support:

            8/10

            Disclosure: I am a real user, and this review is based on my own experience and opinions.
            Buyer's Guide
            Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
            Updated: July 2022