Veracode Review

Allows us to integrate with it through automated processes, but needs better APIs


What is our primary use case?

Static analysis.

How has it helped my organization?

It has allowed us to integrate with it through automated processes, which saves us a lot of time and effort.

Also, our customers benefited from the added application security assurance of our software, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester.

What is most valuable?

Static analysis scanning engine, because we need to do static analysis; that’s why we bought the product.

What needs improvement?

  • Better APIs
  • Reporting that I can easily query through the APIs
  • Preferably, a license model that I can predict

It would save us time when integrating with the APIs. Difficult APIs are annoying to work with, and we have to trial-and-error our way through the integrations. The more straightforward and friendly they are, the less trial and error we have to do.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues with stability.

What do I think about the scalability of the solution?

Aside from the licensing, no issues with scalability.

How is customer service and technical support?

Good.

Which solutions did we use previously?

IBM Security App Scan. In looking at Veracode vs IBM Security App Scan, I switched because of the CI/CD offerings of Veracode.

How was the initial setup?

The APIs are a bit nonsensical, but otherwise straightforward.

What was our ROI?

It has not really resulted in any cost savings related to code fixes.

What's my experience with pricing, setup cost, and licensing?

The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune.

Which other solutions did I evaluate?

IBM, Coverity.

What other advice do I have?

Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that.

The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides.

In terms of advice to others looking into implementing this project, I would say don’t use the UI, and do what you can to have license conversations up front.

It depends on the use case and budget, but I would recommend CA Veracode to colleagues.

Disclosure: I am a real user, and this review is based on my own experience and opinions.