Veracode Reviews

My use case for Veracode is for a front-end application, specifically an agent compensation calculation engine. That application is deployed through an EAR file, and then Veracode scans the EAR file and gives me the scan report to help me change and improve the file for future deployments.

What I found most valuable in Veracode is that it gives me a part-by-part report of the entire EAR file and lets me set up the application for a limited time. For example, I'm running an application via the dev ops pipeline. Hence, I need to create a pipeline application and a sandbox to connect with Veracode and then add my application. When you create a sandbox, you can create it full-time or for a limited time, so I created it for a limited time. Once that expires, Veracode allows you to automatically renew it, which is one of the features I find remarkable in Veracode.

I also like that for each integration in Veracode, there's documentation.

I also find the Veracode support team extraordinary because the team goes above and beyond to ensure you get the best experience.

I find Veracode essential in preventing vulnerable code from going into production because if there's a vulnerability, the solution finds it. For example, my code has many JavaScript front-end and EAR files with some vulnerabilities. Right now, I'm deploying my code, but in the future, I may have to improve it and change it to ensure the servers are secure, so in that way, Veracode becomes more important for the industry today.

Policy reporting in Veracode is good in terms of ensuring compliance with industry standards and regulations. I like that the solution is more flexible when working with applications, mainly because my organization has a good firewall. Veracode is flexible and allows the organization to connect to the firewall in various ways. The Veracode policy is flexible and has an entire page and record that connects with my application, industry, company, and server in different ways. It does not disturb my policies so that I can get my application to work.

The false positive rate for Veracode is about seventy-thirty because it gives the most accurate report. For example, my organization depends on the Veracode analysis to ensure the code is on point, so the organization is building the next BI based on the Veracode analysis.

Veracode has also helped my organization save time because, without the report, the development team would spend a lot of time figuring out what is wrong and why the application is vulnerable. Veracode points out what is happening and why the file size must be reduced, so it helps reduce mistakes in terms of time.

An area for improvement I found in Veracode is the connectivity because currently, my company uses a plugin for the dev-ops cloud-based connectivity. A pretty helpful feature would be if Veracode gives a direct code for connecting to the Oracle server directly and authenticating it via a unique server. Currently, my organization has to find a roundabout for that and then needs to build a separate pipeline and then connect that pipeline for Veracode to start.

I've been using Veracode for the past two months.

Veracode has always been stable. It has good stability.

I found Veracode scalable because it supports a variety of platforms. Though the support for other platforms is less, Veracode has been incorporating more support over time and offering other solutions as well.

If you're unable to set up the solution, the Veracode team has a consultation call to help you set up the solution. The team would even raise set-up-related issues with the Veracode engineering team, which was how I reached Veracode Technical Support, which was a good experience.

I found Veracode Support extraordinary. I've been having an issue for the past month, and the team reached out to me and has been working with me for the past month, giving me various solutions to figure out how to solve the issue. It turns out it was a firewall issue, and I just had to go to the back-end and allow the back-end application, and now it is working fine.

The Veracode Support team was helpful and escalated my situation from level one to level two to level three, and finally, had the appropriate team reach out to me based on my issue. Then, within the span of two weeks, the team finally figured out the issue I was facing and gave me the final results and how I could fix it, so I found support good, fast, and responsive.

Overall, I had a pleasant experience with Veracode Support, so I rate support as eight out of ten.

Positive

I didn't use a previous solution before Veracode.

I wasn't involved in the initial deployment of Veracode.

I have no information on the pricing or licensing cost for Veracode.

I've not used the Software Bill of Materials in Veracode.

I'm unsure how the false positive rate affects developer confidence in Veracode on fixing vulnerabilities because I'm more of a DevOps user and don't work on development but automation.

I'm also unsure of the effect of Veracode on my organization's ability to fix flaws because I've not used it directly to fix any flaws. I report to the dev team, who then takes the report and fixes the flaws accordingly.

I'm unsure of the impact Veracode had on the overall security posture of my organization, as I didn't use it for that.

In my organization, Veracode has a hybrid cloud deployment.

The solution doesn't require any maintenance.

My rating for Veracode, overall, is eight out of ten.

What I'd tell others looking into buying the solution is that as far as DevOps is concerned, Veracode is a must-have. It's been helpful for my organization DevOps-wise, though I have no information on other Veracode offerings. I recommend that others buy Veracode.

My organization has a business relationship with Veracode. It's a Veracode partner.

My company uses Veracode Static Analysis for scanning purposes and static analysis. I am a DevOps engineer configuring automation for multiple teams in our company using Veracode Static Analysis. Our company uses the product to identify vulnerabilities in third-party libraries that our teams use internally to secure our products before moving the product outside of our company. The aforementioned features of the solution are used mostly in our company. Most of the teams within my organization use Veracode's static analysis part. My company did not procure the license for Veracode Dynamic Analysis.

From the market, my company could identify some of the libraries that were outdated and had severe vulnerabilities. Our company wishes to secure its products before moving out for production, for which we find Veracode helpful. Our company sees value in Veracode Static Analysis.

The most valuable feature of the solution is Veracode's library, which supports the automation of Veracode's scanning process.

The major benefit of Veracode Static Analysis is that you can schedule a scan on demand. We found the delta approach in scanning to be super quick in terms of returning results in our company, even though we had to make uploads of certain things, but it would be longer if the size of the scanning part were huge, making it one of the drawbacks.

If Veracode develops a plugin for multiple orchestration tools, it will be easy for us to use the product in our company.

If you schedule two parallel scans under the same project, one of them will be a failure. It would be good if Veracode could provide two different site codes since if another code scan gets triggered while the scanning for one code is going on, the newly triggered code scan fails, stating that there is already a scanning process in progress. If Veracode can handle a newly triggered second code scan in their sequence instead of making it fail and take it up later or on a wait so that they can trigger it after the first code scan gets completed, then it would be a nice improvement. There is no queuing mechanism for scanning right now.

Module selection is manual. If somebody adds a new module, it is not detected automatically, and moreover, it ignores that module and moves forward. You have to go and include that module manually, so if it is made dynamic in the future, it will be nice.

I have been using Veracode Static Analysis for two years. Almost six years ago, I used Veracode Static Analysis for a year. In total, I have three years of experience with Veracode Static Analysis. My company procured the solution, so I am an end user.

It is a stable solution. The speed of the solution was good in the past, and they have worked constantly to improve the speed.

It is a scalable solution.

Though Veracode Static Analysis is primarily available in the USA, we scan our company from multiple locations. The solution may have a huge number of users, but our company supports 30 projects with the help of the solution, which includes scanning for 30 microservices. I am unsure of the actual numbers regarding the solution's use since it is handled by someone else in my company.

I contacted the solution's technical support during the automation part, and it went well, after which I never faced any issues.

My company used Code Insight, a very similar solution to Veracode Static Analysis, but not the same.

Code Insight scanned even first-party libraries, which includes what we used to develop in our company.

Code Insight's vulnerabilities in the database completely differed from Veracode Static Analysis, but I can't recollect where it differs. If both Veracode Static Analysis and Code Insight were the same, we would not have used both in our company, so there is a difference between them. Veracode wasn't of any support when it came to dynamic scans in the past, though Veracode has recently started to support it, which I haven't used yet. I don't see any drawbacks with Veracode, so I am satisfied with whatever Veracode offers.

The solution is deployed on the cloud.

Depending on the number of users, my company makes payments toward the solution's licensing costs.

Veracode handles the maintenance part of the solution. Veracode's side may be down at times for maintenance.

I recommend Veracode Static Analysis to those planning to use it, but the scans should not be carried out daily since it can get too costly. I recommend not doing the frequent scans to save on the costs.

I rate the overall solution an eight out of ten.

We use Veracode to ensure our solutions meet the security standards in the financial industry in Nigeria.

Veracode does an excellent job to prevent vulnerable code from entering production.

Veracode ensures that the products we create for our clients are free of any code-related issues. This keeps them satisfied with our service and encourages them to continue doing business with us.

Veracode provides peace of mind and increases confidence in our code within the market. We realized the benefits within a few months.

At first, we experienced a high number of false positives, but the Veracode team provided guidance that enabled us to significantly reduce the count.

Initially, our developers were frustrated due to the high false positive rate. However, as we managed to reduce the number of false positives and the developers recognized that these were not actual issues, their morale improved, and their acceptance of the use of Veracode increased.

The false positive rate of the static analysis reduced the time that we spend on different operations.

Veracode has had a significant impact on our organization's ability to address flaws. The solution is capable of detecting issues and providing suggestions that assist us in rectifying problems within the code.

Veracode helps our developers save time. We review the recommendations provided by the solution, adhere to our best practices, and then proceed to implement these suggestions. In cases where we might have had three lines of code, the solution is capable of reducing that to one or two lines. I would estimate that Veracode has decreased our developer time by 40 percent.

Veracode enables us to enhance our security posture by applying the knowledge we acquire through Veracode to all our new projects. Additionally, we can revisit previous projects to implement upgrades and add features, thereby enhancing their security.

Veracode helps to decrease our DevSecOps costs by saving our developers' time and aiding in the production of error-free code.

The static scan is the most valuable feature. We are also currently evaluating the Dynamic scan.

Veracode is costly, and there is potential for improvement in its pricing. In our region of the world, it is challenging to attract a significant number of sign-ups due to its unaffordability.

I have been using Veracode for one year.

Veracode is stable.

Based on the limited interaction we've had with technical support, I am satisfied with their service.

Positive

We used a tool in the past that was free, but we couldn't depend on the quality of the scans it provided in the free version.

The cost of Veracode is high.

There comes a point when we must make a decision between cost and quality, and we chose to prioritize quality by selecting Veracode. The confidence that Veracode instills in both our developers and clients justifies the associated cost.

We have four solution licenses for the static analysis scans.

We also evaluated one of Veracode's competitors. After conversing with the sales and technical teams of both solutions, we concluded that Veracode was the best choice for us.

I rate Veracode an eight out of ten.

We are currently in the process of investigating Veracode's capability to offer insight into the status of applications at each stage of development.

I currently work for a Veracode distributor here in Brazil. I work in both presales and post-sales, and I do implementations as well.

We talk a lot about shift-left and this is very important because, when you find problems near the beginning of the process, it costs less to resolve them. In addition, Veracode provides information on how to handle issues and that saves time for the developers. It's also good for a company's image because the problems are found before deployment to production. 

When it comes to developer confidence, the low false-positive rate is very important. If they use a tool with a lot of false positives, they won't believe the reports they get. And that's important because if the teams don't like a tool, they won't use it. Also, we don't have a tool in Veracode for tuning policies because it is an automated process. In most cases, we don't have many problems that require tuning. We just review the model and usually find it's fine.

To me, the principal feature is the CLI (command-line interface) because I put together a lot of implementations using it. Another important aspect is the low false-positive rate because the solution is very configurable. It is as low as 1 percent and that is a huge difference compared to competitors.

And Veracode's ability to prevent vulnerable code from going into production is the main selling point that we talk about with our customers. It is one of the most important features. 

I have also used the Software Bill of Materials (SBOM) feature in some implementations. It's important because in modern software development, people always use third-party components but they don't necessarily see the problems that they may contain. If you don't use the SBOM tool, you won't know the status of all these third-party pieces. And it's very easy to create a report using this feature because it is made in the Veracode portal with a graphical interface or, in the CLI, it's just one line of code.

Another important factor is the policy reporting for ensuring compliance with industry standards. We generally work with big companies in Brazil and, for them, maintaining the required standards is imperative. The policies can help achieve those standards.

We can also involve Veracode at every stage of the development process. It has a lot of tools to help with security.

Veracode has a new tool to automate the fixing of flaws, but we don't use it. Generally, the orientation that Veracode provides for resolving problems is good and developers can use it to handle the problems and make things work.

In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me. I am a distributor and a Veracode solutions expert, so if I create a ticket that means I have read the documentation. It would be better if they sent me more examples instead.

I have been using Veracode for two and a half years.

It has great stability. It uses AWS and I don't recall any downtime.

The license provides for scalability, so it's just a matter of connecting more users. We don't need to think about it, which is good.

Veracode is a SaaS solution. We just connect it to the customer's environment. It's very simple. We have plugins for the most popular CI/CD tools and, for other tools, it's one or two lines of code to implement. Generally, we just need one person who has edit access to the pipeline. So one or two people are sufficient to implement it.

There is no maintenance of the solution because it's SaaS.

The commercial guys take care of the pricing, it's not something I'm involved in. But the licensing is simple. The SAST product has some rules that some customers have found a little confusing, but overall, the licensing is simple. 

The impact that Veracode has on security posture depends on the size of the company. Usually, large companies have standards in place, and that makes code development more secure than it is in small companies. For small companies, Veracode can really make a huge improvement to the SDLC.

We use it for security validation. As a company, we need to make sure that our code is secure. Not only do we need and want to do this for ourselves, but we also need to do it because of our security obligations to our clients.

It has been helping us capture security vulnerabilities that we would not catch otherwise.

When it comes to our ability to fix flaws, Veracode has given us more visibility into certain flaws that could show up, flaws that can be subtle and not seen in the code. For example, though it was not obvious, there was a case where a developer naively added the authentication into the code, which we're not supposed to do, obviously. It was not seen by our review process, and Veracode caught it and we were able to eliminate it.

It has also helped us to save time. The example, and where I see the most benefits of that, is in the Security Labs, where I have the developers training and constantly improving their security, and remembering their security techniques. That way, they are more proactive and make sure things are correct. They're faster because they're doing it in the first place.

Overall, in terms of our security posture, Veracode has made us more reliable. We're finding those flaws and our clients trust us more because of it.

And when considering whether it has reduced the cost of development, security, and operations for us, the short answer is no. But the long answer is yes. It clearly has added more procedures in place, which we needed to have, and that has definitely increased the cost of development. But in the long-term, how much have we saved from the intangible of a flaw not being exposed?

The Security Labs feature, in particular, is valuable, and I have been using the static code analysis as well.

I do have two pet peeves with the platform.

1. The user interface is slow as a dog; really slow. You go to any modern interface and it's a lot more snappy. Even though I understand a lot of what they're doing and why it might be slow, it is really slow. You click on something and it takes two to three seconds. That doesn't sound long, but it just feels super clunky.
2. There are many times when their product goes to check my code and it dies, and I don't know why. I've contacted support and they're not really helpful with this particular problem. I go to the logs and I look at what I can but I can't tell why the check process has essentially just died in the middle of checking.

Other than those two complaints, I still find it very strong and powerful.

In terms of additional features, the big one I would like to see is that, right now, I have to click through too many things to get to the triage report, which is the main thing I want to see for anything. I have to click through this one screen that doesn't give me any information and I really just want to get to the mitigation review screen quickly. Anything that would save me going through clicks and four or five different screens, because the interface is slow, would be fantastic. I want to get to that mitigation screen because the summary screens are not all that interesting to me. I need to know, "Is this mitigated? Is it not?" and get it checked off and reviewed.

I've been using Veracode for two years.

It has been a very stable product. I don't think the issues that we're having are related to its stability.

The scalability is "medium" because one of the things I've been having to do now is scale out more of the microservices by tier so that I can verify that the code is correct per tier. For me to scale up like that seems to be taking a lot of effort. I might be doing something wrong. Maybe it could be solved in a different way. But the scalability is average. On a scale of one to 10, I would put it at about five.

We do have plans to use more of Veracode. We are expanding into the SCA, where it is scanning the containers, and we've also just contracted with Veracode to do penetration testing.

The one time I had to use their technical support for the bug where a code check dies, I found them a little off-putting. They have never really fully answered the question. I got tired of asking because they didn't understand what I was saying.

During installation, their support was fantastic, a 10 out of 10. But in dealing with this one issue, I would give them a two.

Neutral

We haven't used another solution. Veracode is the first solution of this kind that we have worked with.

The initial deployment was pretty straightforward. We ran into some issues, but honestly, nothing out of the ordinary. I would definitely put it toward the easy side. I found the documentation to be appropriate.

The deployment time was days.

We are using Jenkins as our CI/CD. We're using Amazon Cloud K8 deployments.

We integrated it in two different ways. The original way was with AWS CodePipeline. For that, we used Veracode's Docker service. Once we had it hooked up and could send the file, that was pretty easy to use. The second way is we now actually use Jenkins for our code build. We do the same thing although we're going to change to the Jenkins plugin here shortly. But it was still the same, with the ability to use Docker to send the file to Veracode. Once we wrote it, it was really easy, which is why we did it that way on Jenkins. Through both of them, the implementations worked easily.

From the time of deployment, we saw the benefits within one to two months, which was fairly immediate.

There is maintenance required because, sometimes, the pipelines for our code review essentially stop. I have to go and check that, as I mentioned earlier. The second piece of maintenance is that if there are any flaws or false positives, you have to mitigate those results. We have two people involved in the maintenance.

I did the original Amazon CodePipeline implementation by myself and got it hooked up. As we went to more complex things, with Jenkins, that was done through an integrator DevOps team. On our side, it was just me involved.

I'm sure we have seen ROI, but I do not have a direct metric on it. There are a lot of intangibles in that. For example, what would be the cost of a particular flaw that we caught with Veracode, if it had gone live?

When I looked at the pricing, it was definitely a value. In terms of the service and what it's checking, the cost was very reasonable, particularly because we could have multiple code bases as part of a project.

Make sure that you're comparing apples to apples if you're concerned about the price of Veracode versus what you're reviewing. Some of the stuff that Veracode does and applies is not the same for other services. When I really compared apples to apples, I found Veracode to be rightly priced.

There were no costs in addition to the standard licensing fees, although we just signed up for a couple of other products.

We looked at other solutions but one of the big things that made a huge difference with Veracode had to do with pricing. Because we're moving more and more toward a microservices architecture, and we have about six code bases that make up our entire product, they made it clear that as long as something was a part of our product, it was the same price. That was amazing to us because competitors charged per code base. It was definitely a more economical solution and the one that made more sense, and is more in line, with our product. That really simplified the thought process for us and was a huge competitive advantage.

Veracode is a valuable tool to have in the toolbox to prevent vulnerable code from going into production. Veracode's false positive rate has been very good. It's reasonable. False positives take more time, but I have not noticed that time to be a significant burden. Its policy reporting for ensuring compliance with industry standards and regulations is adequate. 

In terms of having visibility into application status at every phase of deployment, Veracode doesn't provide that. It doesn't control the whole deployment cycle, so there's no way it can report on all of it.

The platform's interfaces look slightly antiquated but don't let that stop you from using it, because it has been a good solution for us.

The biggest lesson I have learned using it is that it's really nice to have these security checks in a single place in your code pipeline. We have multiple security companies at this point, but having the code review and product review security in one place helps us know that that part is "containerized." Having everything dealing with code review in one place is nice.

We are using it for two purposes. The first is to analyze the final binaries in our normal development cycle and the second is for auditing old software.

It's a SaaS solution.

Veracode is able to analyze the final software products. We compile the applications and it's an advantage for us because there are a lot of areas where we don't have the source code. In some companies, only internal development is taking place and they have the source code and everything else for the software. With those companies, there are other tools that we can use. But for use cases where our company buys a product with the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool. We are working in the financial sector for big bank banks and insurance companies. A lot of times, these types of companies don't have the source code for the applications, only the final applications. This is the biggest advantage of Veracode, that it's able to analyze these types of applications.

We use the scanning process to help our security professionals and developers fix flaws in the code and that helps speed up the development cycle. It helps to "shift-left" all of the security control to the earliest phase of the development cycle. It has sped up the development cycle significantly. An unexpected vulnerability can stop the development pipeline, at least for a little while, and we are able to avoid that.

It has also helped to increase our fix rate by almost 100 percent. In the past, if it turned out that we had vulnerabilities, we had no time to correct them. We went into production with them. Now, we are able to fix everything, 100 percent, in the development cycle.

In terms of best practices, we have the results from Veracode and then we have a Knowledge Base of the types of vulnerabilities and how they should be corrected by our developers.

Another benefit is that it has helped us with certification and audits. We have a lot of automated reports based on the scans and we can show them to the auditors. That has saved us a lot of money and work.

And Veracode SCA has helped to reduce the risk of a security breach because it finds vulnerabilities as early as possible. It has increased our security and development teams’ productivity because, with the automated scanning, we are able to scan much more than previously. It saves us at least one week per development cycle, if not more.

The recommendations from Veracode have improved our efforts in fixing potential vulnerabilities, and not just finding them. That's important for us because fixing is a very expensive process. If you can save time on that, it is a big help. And SCA’s automated, peer, and expert advice have definitely reduced remediation times, saving us at least a week per development cycle.

Overall, SCA has significantly lowered the risk of vulnerabilities. If we didn't identify them before production, and it turned out that there were vulnerabilities, there would be a big risk. We would have to go into production with them or stop the development pipeline. So it lowers the security risk significantly by doing early scanning. It has reduced our risk by at least 60 percent. It definitely helps create secure software. That is 100 percent important because we are working for financial companies.

It's good that it's cloud-based because we don't have to operate a new IT system for security scanning.

It provides a centralized view across all testing types, including SaaS, DAST, SCA, and manual penetration testing. We now have a central place with overall visibility.

In addition, the mitigation recommendations provided by the scanning engine are good. They are not all perfect, but they are good and usable.

There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow. Also, because we are located in Europe, it would be a big help if they had a European or national service, because of the regulations, not only because of the speed.

Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it.

We have been using Veracode Software Composition Analysis for more than two years.

The stability is good. We haven't had any problems.

The scalability issue is a good question because it's not too fast, but it's scalable because it's cloud-based.

We use it for 10 critical applications.

Their technical support staff is skilled. We have been able to solve all of our problems with them. I wouldn't rate them a 10 because sometimes it's time-consuming to get the right guy to answer our questions. But we always get answers to our questions.

Positive

We used SonarQube because the developers liked it. We also used Checkmarx. We switched to Veracode SCA because of the binary scanning ability. Neither Checkmarx nor SonarQube is able to do that.

The initial setup was very easy. Because it's a cloud-based service, we were able to do it without the help of Veracode. We just read the recommendations and followed them. We had three guys involved, two developers and one security guy.

It took three months to implement. Our implementation strategy was to do a pilot and then everybody in the organization copied the reference implementation.

Our return on investment is due to saving a lot of development hours.

It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it for only 10 of them. But the other solutions are also expensive, so it wasn't a differentiator.

The static cost model is not that important. Veracode works on a subscription model, so we have to pay for it every year. 

We chose Veracode's Software Composition Analysis after we evaluated more than 10 products. Among those we evaluated were Checkmarx, Fortify, and SonarQube. The primary differentiator was the binary scanning use case.

Use Veracode for the special use case of binary scanning, because it is the best in this special use case.

Security Labs is very good as well. We are not using it day-to-day, but it's a good feature.

We use the solution for identifying bugs before deployment in the software-side cycle process.

It can be integrated with our CL and CDProp pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.

We've saved a lot of time since using Veracode. We've also been able to cut down on costs since we require a lot of penetration tests for testing our software. Veracode helps us drastically reduce these costs. We've cut our costs down by 40%.

The solution provides us with a feature that we can directly use with static and dynamic analysis. With static analysis, we can use it while the app is not running, and with dynamic analysis, we can scan our application while it is running. It provides efficiency and also saves a lot of time for penetration testing and bug testing.

The capabilities of the analysis of the code base can help us effectively detect potential vulnerabilities. This is the most valuable feature we found. It can be integrated with multiple code editors, and it can also be integrated with various CI/CD pipelines.

The dynamic analytics is efficient. It helps us identify bugs while the app is running. We find that this ability is way better than its competitor.

Our impression of the solution's ability to prevent vulnerable code from going into production is positive. Prior to Veracode, we used to deploy our apps, and it used to be an expensive process to fix the bugs and all the potential vulnerabilities after deployment. Now, we have access to AI. It has AI tools, which have been trained with a lot of data sets. It helps us to detect bugs and fix them.

We use the free access to VeriCloud's application security consulting team. The consulting team has helped us a lot, and we've had positive experiences with the vendors. It is efficient and very fast. It takes less than two or three days, and they always respond positively. They are really fast at solving our problems. It's important for us to have access to an application security consulting team at no extra cost.

We use Veracode's AI-generated fixes. They make fewer errors and are very accurate. We've had a very positive experience. They've saved approximately seven hours of debugging and error finding versus the manual penetration testing process. 

The solution's policy reporting for insurance compliance with industry standards and regulations is very helpful. It's fast as well. The team helps us at every step of the product life cycle. They provide us with very useful visibility into things like static analysis, composition analysis, and manual penetration. It significantly helps us to reduce the time that we have to manually fix the bugs, and it also provides us with an efficient solution for future cases via past analysis through its data algorithm. We've saved six to eight hours compared to manual fixing.

Veracode has had a positive impact on our organization's ability to fix flaws compared to the prior. It has reduced our costs and time, and it has also provided us with multiple security functions. That, and it's made our application a lot more secure. It really helps our devs free up time due to less debugging needed on their part.

The solution has helped us a lot with our overall security posture. Many security features were fixed prior to release, and we've been able to reduce manpower and employee count. We've reduced teams from six or seven people to two or three. 

The integration capabilities with our existing development tools are very good. The integration process was easy. It has stable APIs.

The solution does take a bit more time when we use it for multiple processes. When we use it for a single process, it takes up less time. The cost also goes up when we use it for multiple processes. 

I have been using the solution for six months.

The solution is very stable. We haven't come across any bugs. 

Our security team of three uses the solution. 

It's great for scaling. We can use it on multiple projects which involve multiple security flows.

Technical support has been very fast and efficient. The team helps us at every phase of the development cycle. 

Positive

We did not use a different solution. Previously, we relied on manual testing. 

We deployed the solution in about three months. We had a team of eight working on the implementation. During the process, I was in charge of, IT was in charge of security, and the AI algorithm.

We don't require any maintenance.

Even after six months, we've seen an ROI. In terms of resources, it's great for cost-cutting. It also generally cuts costs by 40%.

The pricing is moderate for particular processes. However, if we take an entire process in general, it can be costly. It's more economical to use it for single purposes instead of generalizing processes. 

Thanks to its algorithm, Veracode is an on-demand service that can be very cost-effective. With so many features, we no longer require many people to test.  

If they are worried about pricing, people should try out their demo feature, which is available online. That way, they can demo and evaluate how it would work for them. If it works for their team and product, they may find it can optimize their processes. Of course, it depends on the use case. 

I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product.

I'd rate the solution ten out of ten. 

We used Veracode for code scanning and source composition analysis.

Veracode can block vulnerable code from going into production.

The SBOM is a good option for companies that are asked about their SBOM.

The SBOM helps manage our risk.

Generating SBOM reports is not difficult, but setting up the necessary infrastructure for analysis takes time.

The policy reporting is incredibly robust.

Veracode provides visibility into application status in every phase of development.

The source composition analysis had very good reporting.

Veracode's long scan time for vulnerable code can hinder productivity. There is room for improvement in this area.

Veracode produced a lot of false positives.

Veracode's ability to fix flaws is less sophisticated than that of its competitors. For example, Veracode's static analysis scanning workflow for flaws is not as highly developed as Checkmarx's or Snyk's. Veracode would often provide incorrect sources and fail to identify the source of malicious user input coming to the team.

The process of bundling binaries or code for scanning could be improved.

I trialed Veracode for two weeks. 

In our short trial period, we did experience some stability issues.

Veracode scales sufficiently.

I worked with Veracode's technical consultation staff and found the agent to be incredibly knowledgeable and sophisticated in their use of Veracode, as well as in vulnerable load patterns.

Positive

The deployment was complex.

Ten people were involved in the deployment.

We used the experience of engineers who had used Veracode in the past, as well as feedback from Veracode's engineers.

Veracode's pricing is competitive.

I believe Veracode would be willing to negotiate decent terms for organizations that are concerned about the pricing.

We also evaluated Checkmarx and Snyk, respectively. This puts them at a slight disadvantage in terms of identifying execution paths and their ability to comprehensively show how vulnerable code is executed in our solution.

I would rate Veracode six out of ten.

Once Veracode is fully configured, the maintenance should be relatively minimal.

Veracode's best advantages are detailed reporting for industries such as government work, or other industries that may require exceptionally detailed reports or secure security verifications. However, I would suggest that people look out for the accuracy of results and the usefulness of findings on a large scale. Additionally, Veracode has a difficult-to-navigate user interface.