Veracode Benefits

Kyle Engibous
Systems Architect at a tech vendor with 201-500 employees
We have a large developer base at our company ranging across a variety of skill sets. Some are very security aware, others really don't have the knowledge. What Veracode provides is really good feedback on what vulnerabilities were found in their code: examples, definitions, ways to mitigate. One of the huge benefits we've seen is just a bigger security awareness within our development staff. Further, with the tools that Veracode provides, they're actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers. Veracode provides application security best practices and guides our security and development teams because most of the time, in the issues that it opens, it has lots of links and details in there. There are also regular emails and newsletters that they send out about trends. So, there's a fair amount of communication and there are also a lot of details within the issues that they find. There's always plenty of material that they link to in issues. They do a really good job of providing a lot of communication and detailed documentation around our application security tools. Our customers have benefited in the fact that they know that we put security right in front, as a priority. It's not an afterthought. They're a lot more aware that we're security conscientious, instead of just, "The software works, here you go." We also have reports. Some of our customers have asked for various types of reporting and security related stuff. Now, we're also able to give them these reports, essentially from Veracode's scans of our software. So, we have a lot more documentation about it. Instead of answering one-off questionnaires from our clients, we actually have a canned report we can provide. Again, all this material, we didn't have a year ago. We were just ad hoc answering things and hoping that they didn't question it anymore, and we really didn't have any good evidence. They were just taking us at our word.
Directord98b
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
We do automated scanning, so we use it as part of our development cycle. We do both automated security scanning as well as our own automated testing. We run the two in parallel and treat both outputs of, let's say, a sales functionality test. A security vulnerability is just a defect that needs to be resolved before we release the product. We do an automated upload to the Veracode platform for all of our applications - we have about 35 applications. For all of them, it's automatically done, pre-configured, pre-compiled, based on scripts that we worked out with Veracode. And then on a scheduled basis, the upload and scanning is done, in some cases, twice a month. In some of our applications, two to three times a week, we just constantly scan and look for exposures, and continue to feed that back to the development team and make sure that they don't release product that's not ready for market. We have found that our developers have become a lot more knowledgeable about how to develop secure code, and that was very important to us. We also became more knowledgeable about vulnerabilities in the market, which are the most critical to address. You could say it helped us to apply the right investment in the right place. In terms of best practices and guidance, we do quarterly reviews with Veracode, where they're analyzing our information alongside of us and providing feedback to our executive team to suggest strategic changes in certain approaches. We've also done benchmarks with them, where we've compared our maturity model to the industry's model, as far as security practices go and best practices for security and such. In some cases, we've made adjustments to improve, and in some cases we are confident we're ahead. Regarding our customers, for one, they can move to market faster, we can move to production faster. Also, we discuss our security program and the software development life cycle with them in pre-sales discussions, post-sales discussions, implementation approaches. What it does is, it gives them the confidence to move ahead in a more direct fashion, with one less headache for them to worry about.
Sebastian Toma
Engineering Security Manager at Nextiva
We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle. We rely on this set of tools to automatically scan our artifacts when they are moving to different environments. We got it to the point that when we were promoting the artifacts from desktop to the server environment, we already had the scans completed. We knew the vulnerabilities that we were introducing with the new features ahead of time, i.e. before the QA department was finding them. That was the main reason we decided to use Veracode or to use tools for static analysis and dynamic analysis.
Informat5dbf
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
It has given us insight into the actual flaws that are out there, and the speed at which they're getting mitigated. Now, we're starting to see quantitative metrics to show the overall risk with code vulnerabilities. It has been very helpful in that it has exposed an area that we weren't digging into as much as we should have, before. The developers' awareness of the security weaknesses within their code has also improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with. We are just starting to integrate Veracode into our software development lifecycle. We are reaching out to a few of our developers to begin project Greenlight. Specifically, right now what we're doing is integrating the static code analysis scans into our change approval. If you want to put a new piece of code live, you have to have a clean Veracode scan, whether it be through mitigation approval or through actually resolving issues. We've integrated it as part of our CAB process, and we're going to take that a step further and integrate it into the actual IDE for the developers. In terms of security best practices and guidance to our dev teams, Veracode has been fantastic. The one thing we really liked about Veracode when we got it - and I think some other providers are doing it now - was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developer. That is really good stuff. Regarding our customers, I don't know if they have benefited per se, other than getting better, more secure applications. I don't know that our customers are necessarily looking for the most secure application, but it is something that I'm sure is on their mind, and they want to know that we're doing it. I would call it a tangential or unseen benefit. It is probably not in the top-10 things that they're looking for when they use one of our apps or our website. They are just assuming that a company such as ours is going to make sure that we have the appropriate security controls in place. So the way they benefit is that, hopefully, we're meeting that expectation, but I don't know that our customers are specifically looking for that as a decisive factor for using our websites or apps.
ChiefInfaf47
Chief Information Security Officer with 501-1,000 employees
We are a state agency; we're not a private-sector company. What we're able to do is take our main web-based application, which is not only for internal use but which the citizens of Ohio also use, and we can run this application, and others as well, through Veracode to ensure that we've done our job, our due diligence. We print out a report, we see the rating of the vulnerabilities that have been found: "critical" and "high", "moderate" and "low." We've been able to go from having critical vulnerabilities to where we're now into the more moderate range. We've shown improvement through the years. We can provide that information to our superiors, and to people who come in and audit us, to show that we've made progress on scanning. When we find a vulnerability, we do pass it on to our developers and they've been able to go in and adjust the code so that the vulnerability is no longer there. The goal, of course, is that these findings will help them as they develop new code so that these vulnerabilities are not a part of the next application. We run a follow-up scan to make sure the vulnerability has been cleared. The benefit, at this point, has been more internal than for our customers. Obviously we don't want them to have a problem so that they could then, theoretically, actually see the benefit. We try to be proactive.
GL32aS
Global Application Security at a pharma/biotech company with 10,001+ employees
We are able to create business policies, and the Veracode system allows us to enforce those policies. That's at the very high level. We're looking at improving the overall security quality of our software. We use it as a platform to help enable that process. Veracode, in and of itself, is doing nothing but inspecting software. But, there are many other practices that are essential to onboard and embed into our development lifecycle. Veracode is simply the platform that lets us see how well the software is being engineered. Based on some of the findings, we make improvements in areas that need education. It can't be boiled down to the one or two most important things. It's not Veracode by itself that's doing all of the stuff, there are a lot of tertiary activities that go into building better software. The Veracode system is used to help us validate the security quality of what we're producing. It helps us zero in on some of the things that we can do better. But that means we have to provide education to our developers and architects. In some cases we use their APIs; they're not as rich as I would like. We have added Greenlight to the IDEs, where the Greenlight tool is compatible. In terms of cost savings relating to code fixes since implementing Veracode, it would be difficult for me to give you some specifics. I'm not exposed to the cost of the iterations. Development teams have a budget for the year. There are features planned, there are releases planned. There are many other functions responsible for planning the releases. My job is to provide application security tools, so that they can incorporate the security practices that our company expects us all to adhere to. We know, anecdotally, that the time to write software, or scripts... You should write them securely, as opposed to having some additional testing development activities, and several other iterations downstream, because that would mean we're paying three, four, or five times for our resources to accomplish what they could perform correctly the first time, out of the gate. In that sense, the Veracode system, since we've been using it, has helped us identify and code correct over 34,000 security weaknesses. That means there are 34,000 weaknesses and vulnerabilities that never made it into production. It's hard to quantify, if any of those had been exploited, what would have been the real cost to catch them. The only thing I could do is speculate on cost right now. But we do know that it's far better to embed security upstream in the development lifecycle, and produce software correctly the first time, rather than retroactively adding security remediations to the iterations that produce software for service packs and patch releases. Those are unplanned events and there are certainly costs associated with those unplanned events. But I don't have a number I could throw out there and tell you what it is. I don't really look at Veracode as providing any best practices. It may have some educational aid embedded in the platform. I think the Veracode database of remediation guidance is somewhat vanilla. It's not contextual. I frankly don't rely on it to provide the kind of guidance developers need contextually. So, we augment education aids and remediation guidance with humans, security analysts. We also have other third-party solutions that really provide more contextual remediation guidance unique to the situations, as developers are trying to address them. We don't anticipate what their system is going to identify. But, based on what the system identifies, I would say it's 50/50, whether or not the scripted, plain vanilla, embedded guidance is really the right approach. It may or may not be, and I would say it's probably 50% accurate, but it's very vanilla. In terms of benefits to our clients from using Veracode, that's like asking me: Am I really happy that my car stops when I press the brakes? I think most people would expect cars to have brakes, and the brakes to work. No more, no less. Software, to me, it's probably in the same wheelhouse, that people use software without thinking, "Is it really secure?" It's assumed, frankly. So I'm not so sure our customers consciously think about security as a benefit, unless they are breached or compromised. It's one of those things that's difficult to track, in terms of how customers are benefiting. We just know that through our efforts we're delivering high-quality software. Maybe customers that are being independently assessed by third-party assessors - when those assessors have to do security inspections of the technologies that may be consumed by those institutions - if our software is deployed on-prem, we tend to believe that our software will have fewer weaknesses and vulnerabilities identified than, say, other technologies that are consumed on-prem. Only then might it become apparent to the customer that they're working with a supplier of software that provides higher quality, relative to other suppliers.
Dave Cheli
Chief Technology Officer
Firstly, it prevents me from putting out software that has security vulnerabilities, which is a big thing and can be one of the most important things. Also, we just finished a vendor due diligence with a very large company that wants to do business with us, and one of their security questions was "Do you do static analysis?" I was able to just send a very professionally done report. They know Veracode and they said, "Okay, great. This is terrific." That very reason is why, three years ago when I first got to this company, I said, "We have to get hooked up with Veracode right away, so it's not like an afterthought." Because I'd been in a situation where you do it after the fact and you end up with 3,000 errors, medium to critical errors. It helps us put out better software more quickly, and gives me the peace of mind that we've done everything we can to prevent any security exploits. It's something that our customers don't think about, and the benefit would be that as long as there are no data breaches, there's no hacking within our system, they get a non-functional benefit. We work with pharmacies and they just expect that the system is secure. I would view that as a benefit to them - maybe something that they don't think about - but nonetheless, it's there.
Associat7de6
Associate Director
It has helped us identify all the application flaws, especially with so many open source licenses available to the developers. With this product, it allows you to plug in all those gaps where you may open up the backdoors. This tool has helped us every day with our goal to plug in all those gaps. We help make changes from the initial NAS that we sign up with the vendors and any third party who might be involved in our telephone activities. They have to ensure that phone is a standby application and security tool, plus we also make the changes in the workflow for any application. Before it is deployed into operations, it has to have a security certificate which proves that it has a Veracode application security certification on it and all the flaws that have been identified have been removed.
Informatab29
Information Technology at an insurance company with 51-200 employees
We used to revise code with free tools (like VCG) but they are not even in the same universe. Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests heavy time using it. Also, from the very relevant results and issues that were pinpointed by Veracode, I can say that our customer security was greatly enhanced by its use.
Steve-Wilson
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
We've been able to provide reports to our clients that show applications are either flaw-free, or in the process of being remediated, and give them timely status updates on how those flaw remediations are going on. Our customers have benefited by being able to have a little bit more assurance from us, from a trusted authority, that our code is properly flaw-free and remediated.
Suzan Nascimento
SVP Application Security at a financial services firm with 10,001+ employees
It has allowed us to scale and find vulnerabilities much faster than previous manual tools. It has allowed us to educate developers on it to use the consultation calls.
JimNelms
CISO at Laboratory Corporation of America Holdings
Interestingly enough, Veracode has evolved over time. Their chief designer has been a leader in security for many years and his insights into applications, and what we now consider DevOps, have been very helpful for the industry. The insights into how we now have a mobile workforce, and that the end-point is what you carry in your hand - and the protection of those apps and web pages - are imperative because the coding in our information has moved out. Quite honestly, the people have become the firewall. The products that Veracode has developed help me to manage that, scan that, know when something is going wrong, and I don't have to have a team of developers behind me that keep up with all the latest threats because the subscription service they provide for me does that.
Dennis Miller
VP Development
The coding standards in our development group have improved. When we scan our code - at the end of a build cycle we'll go through and scan our code - from those scans we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications. That is now part of our software development life cycle, to do a static scan before we release to our client base. We mitigate what we have to. I'm not aware of any cost savings relating to code fixes since implementing Veracode in our development process. In terms of Veracode providing application security best practices and guidance to our development teams, once we scan the software and we have to go through a mitigation process, we make sure we implement that in the base standards. Once we mitigate a problem, we implement it back into the base to make sure the developers who are still developing code are not going to have the same issues that we just mitigated. For our customers, they know that we go through another level of application security with our application, one our competitors don't use. They know our code meets a standard and that we implement the standard and the structures. That we have mitigated gives them a little bit of peace of mind that our code is valid, and that it's not going to hurt their infrastructure.
Tim Jee
Cyber Security Engineer at a Consumer Goods with 1,001-5,000 employees
It has given us visibility into the applications we have that are participating in the application security program.
Divakar Rai
Senior Solutions Architect at NessPRO Italy
We were embracing Veracode as a process in our DevSecOps, although I have not personally used this solution for the past eight months.
Assistan84a9
Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them. This has also led to better overall code quality for the team, by pointing out some dated practices that needed updating. We have required that our critical systems pass a Veracode scan prior to code being deployed into production. We also have included a step in the development stage to run specific code through a Veracode Sandbox to encourage better code quality, early on in the development lifecycle. Veracode has helped us meet the requirements of our yearly external audits and has improved code quality, leading to less downtime and less buggy code that users will encounter.
Technica5eac
Technical Director at a financial services firm with 1,001-5,000 employees
The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future. It helps us gain confidence that the applications we're putting out in the hands of millions and millions of people have that industrial-strength quality to them; that we don't need to worry about as much as we used to.
Informat2327
Information Security Lead Analyst at a Consumer Goods with 10,001+ employees
It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security. In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better. As for our customers, it lowers the risk for people visiting our site.
VpOfServ3625
VP of Services at a tech vendor with 51-200 employees
We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle. In terms of AppSec best practices, it has made everybody more conscious about what they're trying to accomplish, because they know at the end of the release cycle we're going to be running scans. They basically need to make sure they adhere to all the rules. Our customers have benefited from the added application security we offer because they're more confident that our software isn't going to expose their organizations to any risk.
SeniorIneab1
Senior Information Security Program Manager at a financial services firm with 10,001+ employees
The benefits are the fact that it identifies our vulnerabilities, and it has improved us by allowing us to pull everything to the left in agreement with our SDLC and with our developers, and have them not only get buy-in because they can run sandbox scans that allow them not to generate metrics, but also run policy scans where we identify what the policy is and what is acceptable. So, it has helped us secure our company and our applications.
Mike McAlpen
CISSP, CISM at a tech services company with 1,001-5,000 employees
By using this product, we can point out not only any potentially insecure coding, but how to fix it. It's a requirement, a legal requirement. So we benefit by not breaking regulatory law.
Applicat1f76
Application & Product Security Manager at an insurance company with 1,001-5,000 employees
It has allowed us to integrate with it through automated processes, which saves us a lot of time and effort. Also, our customers benefited from the added application security assurance of our software, as they've been able to identify OWASP top-10 application vulnerabilities without a manual tester.
Rick Spickelmier
Chief Technology Officer at a tech vendor with 201-500 employees
It gives us more confidence in the application security of the products we scan. We use it as part of our AppSec best practices.
Elina Petrovna
Professor at a government with 51-200 employees
I can have quick results by just uploading compiled components. It gives me an idea about the most important vulnerabilities and fast remediation tips.
Israel Varela
VP Sales at a non-tech company with 11-50 employees
It has helped us be more secure, and it has helped us put a package together for our customers that will take into consideration training, all the way down to the coding level.
Siddharth Kundalkar
Director Software Engineering at a tech services company with 51-200 employees
We do not pass our release without performing a static and a dynamic scan, and mitigating the flaws identified. In terms of how our customers have benefited from the added application security of our applications, they are aware of our development process and it makes them comfortable that we have implemented industry best practices.
ChiefCom2e57
Chief Compliance Officer at a financial services firm with 51-200 employees
It ensures our code and system are 100% compliant. In terms of AppSec best practices and guidance to our team, the Knowledgebase available on the Veracode system is a great resource for our developers. For our customers, the added security assurance is a requirement.
ProjectMbc02
Project Manager at a tech vendor with 501-1,000 employees
We have used the results of scans to train our people and make them more sensitive to security issues during development, although we haven't done any specific integration of Veracode into our software development cycle. Engineers are better trained, so we hope to see increased compliance with our security guidelines. We do incorporate the suggested course of action from the Veracode report (AppSec best practices and guidance) in our best practices. Also, our customers benefit from the fact that the application is more secure.
Efe Oral
Software Developer/Architect at an insurance company with 201-500 employees
It made us change our approach to coding. We tried to make sure our application stayed secure and safe.
GL32aS
Global Application Security at a pharma/biotech company with 10,001+ employees
Scalability and its optimization of security inspections. At the end of the day, I like the fact that it is all prim. It does not require a lot of support on our side. We get the benefit of security inspections and it scales with our community, which is global.
Evan Christoe
AVP, IS Manager with 1,001-5,000 employees
* The volume of unmitigated flaws in our applications has been substantially reduced.
* In terms of AppSec best practices, the team at Veracode has provided industry benchmarks against which we are measuring our improvement.
* Our customers have benefited from the added security assurance of our applications, although they may not know it.
Terry Chu
DevOps Release Engineer at a tech services company with 51-200 employees
It made our company aware of any potential code security vulnerabilities. Also, customers can use our products knowing they are verified by top organizations as safe.
HeadOfTe86f0
Head of Technology at a tech services company with 11-50 employees
It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies. Also, CA Veracode has provided AppSec best practices and guidance to our teams. Finally, it makes the IT Governance process of the sales cycle easier.
MahendraAitha
Lead Security Engineer at a tech vendor with 201-500 employees
It helps in achieving secure programming. Veracode provides us with industry best practices according to OWASP, CERT, and SANS. Our customers get the security of bug-free code and assurance regarding the application.
VpWorldw093e
VP Worldwide Delivery Acceleration at a financial services firm
It improved our security posture. In terms of cost savings relating to code fixes since implementing Veracode, I'm not sure there are any. How do you quantify reputational damage from a security breach? However, they have provided AppSec best practices and guidance to our security and development teams through our support agreement, weekly meetings, and annual review.
Michael Ward
Managing Director with 1,001-5,000 employees
This is currently still under evaluation, and it is pending review and assessment against other static code analysis solutions.
Manoj Purandare
General Manager - Application Security at a tech consulting company with 51-200 employees
PoC is in progress.
Michael Stricklen
Executive Director at a consultancy with 10,001+ employees
* It gives feedback to developers on the effectiveness of their secure coding practices.
* It has almost completely eliminated the presence of SQLi vulnerabilities.
reviewer923928
Team Lead / Architect at a tech services company with 1,001-5,000 employees
* Veracode has improved our penetration testing process.
* We use Veracode static analysis during development to eliminate vulnerability issues.
RomanPotapov
Software Security Consultant at a tech services company
The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms.
Ashish Kulkarni
Manager at a tech services company with 10,001+ employees
Veracode scans provide a higher number of false positives. Also, the overall reporting structure is complicated, and it's difficult to understand the report.
JorgeIzquierdo
Product Manager with 201-500 employees
It helps me to detect vulnerabilities.