Veracode Review

Reporting for compliance with industry regulations is excellent, identifying most issues our penetration testers look for


What is our primary use case?

We're required to make sure we have no high or very high security issues in our code. Veracode is a code reviewer to prevent hacking and other bad things from happening.

How has it helped my organization?

The way it helps our company is that the code is secure. It also helps with our customers because I believe they can request a copy of the report. It lets them know that we're doing the best we can to provide secure software.

The solution has helped build my security skills as a developer. Now, as I proceed forward, I know what to look for when coding items. I'll be coding a little bit more defensively from what I've learned, from all the errors that it has found. Some of the stuff I wasn't even aware of. I also became aware of things that Veracode verified, but I really couldn't fix.

The policy reporting for ensuring compliance with industry standards and regulations is excellent. It identified most of the issues that our penetration testers look for and gave me a way to look at the line numbers of the code that needed fixing, and that was a huge help. It also gave me samples of code for what was going wrong and it enabled my supervisors and me to go through the whole project and fix 99 percent of the issues we had.

It provides visibility into application status across all testing types in a centralized view. The report is very good at showing that. We are not allowed to install anything until it passes the Veracode test. We have to fix all errors before we can install our software. It absolutely helps reduce risk exposure for our software.

I haven't come across any false positives.

What is most valuable?

The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up. We've had very few issues that we have actually had to contact Veracode about.

It does give some guidance, up to a point, for fixing vulnerabilities. It does a pretty good job of that. We went from a bunch of errors to a handful that I needed help with, and that was mostly because they provided some good information for us to look at. If I had been using this product a long time ago, I would have been able to anticipate a lot of things that Veracode discovered. The product I'm working on is about 12 years old and this was the first time we ran scans on it using Veracode. It identified quite a few issues. If you're starting a new project, it would be a good place to start. Once you get used to what people like penetration testers are looking for, this is a good tool to prevent having a pen test come back bad.

The Static Analysis Pipeline Scan is very good. It found everything that we needed to fix.

What needs improvement?

The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there.

For how long have I used the solution?

We have been using Veracode for about three months.

What do I think about the stability of the solution?

The stability seems pretty good. There was only one instance where the site was down.

What do I think about the scalability of the solution?

I don't think Veracode has any problems with scalability. My company is very big. There are about 1,000 of us, all developers, using the solution. It's being used throughout the company for all our products.

How are customer service and technical support?

I would give their technical support five stars out of five. They were on point and they helped us identify resolutions for some of our issues that we couldn't figure out.

Which solution did I use previously and why did I switch?

We used Fortify. I was not involved in the decision to switch.

What's my experience with pricing, setup cost, and licensing?

I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good. It's just a good product, overall.

What other advice do I have?

The biggest lesson I have learned from using Veracode is that there isn't an answer for everything. But when an area needs to be mitigated the mitigation process is fairly easy.

It's pretty efficient, but in my case it took a long time to upload my information. It was a very big project, so I was not surprised that it took a long time, but it was mostly because of the internet around here. It would take a long time to upload the DLL and run the static analysis. It would take about two hours, but again, it's a large project.

Overall, it does a very good job of preventing vulnerable code from going into production. It identified issues that were not detected in penetration tests and allowed us to lock them down.

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
More Veracode reviews from users
...who work at a Financial Services Firm
...who compared it with WhiteSource
Add a Comment
Guest