Veracode Room for Improvement

UmarQureshi - PeerSpot reviewer
Security Lead at a retailer with 10,001+ employees

The language version support could be improved. For instance, I recall a situation where there was a slight delay in supporting the application for a specific job because there were concerns regarding the vulnerabilities present in the new languages.

Veracode combines container scanning and software composition analysis into a single package. This has always been an issue because people want the freedom to choose one or the other. However, we are almost compelled to purchase both components together.

I would like to request the inclusion of incremental scanning in a future release. By scanning only the portions of code where changes were made instead of the entire code, we can significantly reduce the scanning time.

I would like to see what Veracode plans to do regarding endpoint protection, PAN testing, DAST, RAST, and similar areas. I haven't seen any developments in these aspects yet. Products like Contrast are more advanced in this regard. So, as teams become more mature, what steps can we take to adopt the mindset and processes required for such advancements?

View full review »
AkashKhurana - PeerSpot reviewer
Senior Software Engineer at Publicis Sapient

The scanning process for records could be faster and there is room for improvement in Veracode's performance. Currently, it takes around 25 to 30 minutes to scan a standard repository, even for a small one. This is not ideal, especially since we are using a microservice architecture with eight repositories. If each repository takes 25 minutes to scan, it would take a significant amount of time to scan all of them. Therefore, I would like to see some performance improvements in Veracode to reduce the time it takes to scan our code and generate detailed reports.

View full review »
Reyansh Kumar - PeerSpot reviewer
Technical Specialist at Accenture

Sometimes we get a lot of false positives even after configuring our policies, so that could be improved.

There is an issue where the UI occasionally breaks in between uses of the application, which can be improved. The UI could also be more catchy for the benefit of the less technical users. 

It would be good if the configuration of dynamic scanning could be less complex.

View full review »
Buyer's Guide
Veracode
March 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
PB
ML engineer at a consultancy with 10,001+ employees

One area for improvement is the navigation in the UI. For junior developers or newcomers to the team, it can be confusing. The UI doesn't clearly bundle together certain elements associated with a scan. While running a scan, there are various aspects linked to it, but in the UI, they appear separate. It would be beneficial if they could redesign the UI to make it more intuitive for users.

In future releases, I would like to see some features. For example, there's a library we use as a third-party library. Sometimes, Veracode indicates that we can't use a particular tool because it has a lot of vulnerabilities in the code. It would be nice if Veracode's scan could show an alternative library to use instead of the one flagged as problematic

So instead of us having to go back and research, trying to figure out what other tool we can use as an alternative, if Veracode could provide those recommendations within the tool itself, it would be nice.

View full review »
Robert Hood - PeerSpot reviewer
Information Security Architect at a tech vendor with 5,001-10,000 employees

From what we have seen of Veracode's SCA offering, it is just average. The SBOM is adequate, but it's essentially the same as what everyone else is doing. In terms of SCA, they are about average compared to other systems. Therefore, I would like to see some improvements. 

SAST, DAST, and SCA in a single pane of glass would be a good upgrade to Veracode.

We are a Jira and Confluence shop and I would like to have a really good integration with those tools. 

We have a ticketing system that not too many companies have ever heard of. In fact, I had never heard of it before coming here. Instead of using a well-known industry standard like ServiceNow, we use a ticketing system called Cherwell, which also has an open API. Having an API for the ticketing system would be really beneficial.

I would prefer if Veracode offered more options for licensing, such as a pipeline or project license instead of a user license. Currently, I have around seven hundred users, but I manage fewer projects. Therefore, I believe it would be more beneficial and efficient for me if Veracode could adopt a project-based pricing model. In reality, I have multiple teams working on various projects simultaneously. Pricing based on the number of projects I have up and running would be more suitable for my needs compared to the number of developers working on a particular project.

One thing that I would like to be able to do is to receive a daily summary of the emails I currently receive. With numerous ongoing projects, constant scanning occurs, resulting in a high volume of emails about what is being processed. I believe it would be helpful if Veracode could create a daily summary of these emails. This way, I can easily track the number of actual emails I receive without having to go through each one individually. As of now, I already have 65 emails from Veracode, specifically regarding the processes that ran today.

View full review »
Alice William - PeerSpot reviewer
Senior Web Developer at a insurance company with 1,001-5,000 employees

Veracode provides us with some usage metrics. These metrics are based on the number of times we use Veracode, which is tied to our static scans. We only use static scans when we make changes to our code, and we have a part of our pipeline that runs the Veracode scan whenever we make a change or deploy the code. However, we don't deploy code very often because we have 20-30 websites in our company and we don't dedicate a lot of time to each individual website. So, when we do make changes, we will run the scan because it's part of the pipeline, but this has been affecting our usage metrics. We're not sure why Veracode's usage metrics are designed this way, but maybe they can provide some insight. We use these metrics, but we're now thinking about getting different metrics from Veracode. I started looking into setting up some dashboards myself so that we can have our own dashboard and statistics, such as how many flaws we've resolved in the past six months or how many issues we've identified when we're deploying a new website. We're more interested in these types of statistics than in how many times we're using Veracode because fixing flaws is the value that we're getting out of Veracode. Maybe setting up a new dashboard would be helpful, but that's something that Veracode can provide clarity or insight on.

View full review »
Anant Upadhyay - PeerSpot reviewer
Game Developer at Gamezlab

The scanning could be a little faster. The process is around three or four minutes, but it would help if it could be further reduced.

View full review »
SumalyaGuha - PeerSpot reviewer
Security Engineer at a comms service provider with 10,001+ employees

Veracode's false positive rate is a little toward the higher side. We understand that Veracode doesn't have the business context. I advocate that people look at their code, even though there is a vulnerability, to see exactly what it is. For example, a randomize function is being used to create an ID that is not being hashed. Veracode marks it as a false positive because it doesn't know if the ID is being used for cookie generation or some random ID in the log generator. We, as dev or sec people, have to go in there and analyze what the ID is being used for. But the false positive rate is definitely a little bit on the higher side.

The effect of the false positive rate on developers' confidence in the solution depends on the maturity level of that particular application team with respect to learning Veracode. In the initial stages, obviously, when developers see that, whenever they're writing code or pushing a build, there are a bunch of vulnerabilities, it may affect their confidence. But a couple of months or a couple of quarters down the line, when those same developers have already used Veracode and have raised their maturity level from one to at least three, it doesn't really affect them because they know that they have to go in there and check the vulnerabilities for themselves to determine if it's a false positive or a real vulnerability.

It has definitely taken a little more time to validate the false positives, but I would say there are a lot of true positives, as well, which have been remediated and which have been mitigated for the betterment of the security posture. But it has definitely taken a little more time to mark or validate those positives. Hence, I definitely advocate that people shift a little more to the left. They should do ID and pipeline scanning before they hit policy scanning because, with ID and pipeline scanning, you scan small chunks of code. You remediate that code faster, before it goes to the whole package and there's a bunch that you have to deal with.

Also, container security is slowly becoming a prevalent part of the development realm. Veracode's SAST, DAST, and SCA are pretty good with respect to industry standards, but with regard to container security, they are in either beta or alpha testing. They need to get that particular feature up and running so that they take care of the container security part.

In addition, there is a new concept out there, the IAST, which is interactive assessment security testing. It is a little more proactive than SAST. So if Veracode can combine that feature with their current technology, they would definitely be a front-runner again for the next five to six years.

View full review »
Rishabh Khanna - PeerSpot reviewer
Security Engineer at a tech services company with 5,001-10,000 employees

One of the most important areas that need improvement for Veracode is its DAST. Veracode's DAST engines are primitive. They need to work on that. It needs to be their number one priority.

The number of vulnerabilities and quality of the latest technology when compared to other scan engines such as Fortify and Checkmarx is not as good.

Veracode has multiple sides when it comes to dynamic testing. They offer software composition analysis, dynamic scans, and static scans. However, I would not recommend Veracode for dynamic testing because it wasn't able to scan many of our applications properly. Some of the other solutions were really efficient and proactively reported a lot of vulnerabilities. The Veracode scanner was not able to properly scan the applications because of authentication issues and login issues. HP Web Inspect and Microfocus Web Inspect allow us to make scripts by ourselves, which will then enable the scanner to scan the website in a more proper and systematic way. There were a lot of complications with Veracode's dynamic point of view, and a negligible amount of vulnerabilities were reported. On the other hand, when I tried Next Parker or Micro Focus Web Inspect, things were really good.

If we have to scan the latest code, for example, if we have written a piece of code in Angular or Node.js, we can't consider the solution because it is not as good as other solutions using newer code.

View full review »
KK
CEO and App Developer at DroidForge

While Veracode provides exceptional value to our development process, it needs some potential enhancements. The user interface and overall user experience could be better. They can simplify the interface by offering easier navigation and uses for our development team. 

Additionally, Veracode offers security testing, and expanding its coverage to include more diverse and emerging threats would be beneficial. It would strengthen its capabilities to encompass a broader spectrum of vendor expertise specific to newer technologies of unconventional attack. 

They could work to fortify our application against evolving cyber threats. 

I'd like to see more development tools and platforms integrated together with Veracode to amplify the solution's effectiveness. This improvement would facilitate a smoother collaboration and seamless integration across various tool sets and optimize development workflows. 

Also, the scanning should be a little faster. The process takes around three to four minutes. 

The pricing structure also needs to be reduced to accommodate smaller organizations.

View full review »
Ashish Upadhyay - PeerSpot reviewer
Founder at BlockMosiac

There are various areas that could be improved, including better integration. 

The false positives can be lowered. 

The interface is too complex. The UI needs to be improved. They need to make the learning curve lower. They should include more guidance in terms of usage.

The cost is high for smaller organizations. 

View full review »
Boyapati Sivannarayana - PeerSpot reviewer
Devops Engineer at Accenture

The reporting can be difficult. It's not very easy.

It's taking too much time to do a quality scan. It hasn't saved us much time. Deployment was three or four months ago. We did a policy scan using a greenlight deployment. When we do the deployment in Jenkins, we can do it faster. In Veracode, it can take four hours or even eight hours.

We don't like how long it takes to do a deployment. It should deploy more quickly.

View full review »
Shashank Niranjan - PeerSpot reviewer
Senior Software Engineer at Capgemini

Scanning large amounts of code can be a time-consuming process and there is scope for improvement.

View full review »
Devid William - PeerSpot reviewer
Application Security Architect at Banco Votorantim

They could improve how they fix vulnerabilities. They could have more support in place to help the developers. That would help a lot of users.

The pricing can be improved. It is really, really expensive. 

View full review »
OK
Sr. Development Manager at RWS Holdings PLC

Sometimes Veracode gives us results about small glitches in the necessary packages. For example, we recently found issues with Veracode's native libraries for .NET 6 that were fixed in the next versions of those libraries. But sometimes you do not know which version of the library particular components are using. 

The downside of that is that one day, the solution found some issues in that library for the necessary package we spent. Another day, it found the same issues with another library. It will clearly state that this is the same stuff you've already analyzed. This creates some additional work, but it isn't significant. However, sometimes you see the same issue for two or three days in a row.

In our project, we use a lot of limited packages that link to another library, and there may be issues in those reference libraries. For example, one library might be referenced by several Google packages. When it shows you a vulnerability in one library, you will not see the issues in all libraries. We've discussed the issue with the Veracode team, and they investigate a way to fix this. Hopefully, it will not be an issue. 

View full review »
PavanKumar18 - PeerSpot reviewer
Senior Testing Engineer at TollPlus LLC.

Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code.

View full review »
Zach Handzlik - PeerSpot reviewer
Release Manager/Scrum Master at Amtech Software

I do expect large applications with millions of lines of code to take a while, but it would be nice if there was a possibility to be able to have a baseline initial scan. I know that Veracode touts that there are Pipeline Scans that are supposed to take 90 seconds or less, and we've tried to do that ourselves with our ERP application. However, it actually times out after two hours of scanning.

If the static scan itself or another option to run a lower tier scan can be integrated earlier on into our SDLC, it would be great. Right now, it takes so long that we usually leave it till a bit later in the cycle, whereas if it ran faster, we could push it to the time when a developer will be checking in code. That would make us feel a lot more confident that we'd be able to catch things almost instantaneously.

View full review »
JS
Manager of Application Development and Integrations at a university with 1,001-5,000 employees

Their platform is not consistent. It needs a lot of user experience updates. It's slow performing, and they log you out of the system every 15 minutes, so using the platform is challenging from a developer's perspective because you always have to log in.

I've been harping on it for the last two years. They try to compensate for that by building a relationship with staff. We keep asking questions we wouldn't have to ask if they had a better user interface. They would save their staff time and save us a lot of hassle. 

They claim to have the best false positive rate. It's hard to judge, but we've had several false positives, and the solution's inability to resolve them has been incredibly frustrating. The ability to schedule a consultation to talk through what's going on has been helpful. Still, I'd like to see the capability to act on false positives and resolve them in the application instead of us marking things as false positives. That's where they need to improve.

It has occupied my team's time because they're escalating the issue from support to engineering. They've been consulting my developers. They raise issues but don't spend time duplicating the issue. They close tickets saying it's not a problem or misunderstand what's being requested. They need to mature in that area a lot.

View full review »
Alex Fuglaar - PeerSpot reviewer
Manager at a financial services firm with 1,001-5,000 employees

It would be ideal if it was able to demonstrate higher levels of cybersecurity certifications like becoming FedRAMP compliant or working in those areas. That way we could use it on higher level contracts. That would be a good business opportunity for the solution.

View full review »
Saket Pandey - PeerSpot reviewer
Product Manager at a hospitality company with 51-200 employees

The false positive rates were quite high in our case. Prior to seeking a solution, we had already engaged in discussions with their support team, who also confirmed this issue. We had read a few reviews, which indicated the presence of false positives. However, in our specific situation, the number of false positives was substantial. There were instances when we logged in during the morning and encountered 30 or 40 raised flags. Resolving them sometimes occupied a significant portion of our day, often extending into the first half. Thus, in certain projects we undertook, the occurrence of false positives was considerably elevated. Despite being aware of this, we acknowledged that a majority of these flags were likely false. Nonetheless, due to the matter of security, we had to address them, resulting in a significant allocation of our time.

The false positive rate of the static analysis has impacted the time we spend on fine-tuning policies. We have had to allocate a considerable portion of the software team's time to address the significant number of false positives, resulting in substantial time investment. Additionally, some of our projects with clients have been delayed due to this issue. One particular project experienced a delay of approximately 25 days, with false positive cases accounting for an estimated 60 to 75 percent of the delay. The cost of the false positive rate is causing a slight disruption in the development process. Therefore, I believe this is the major area that needs improvement.

We initially deployed on the AWS cloud because AWS also offers us additional security benefits and most of our other solutions were already on AWS. However, I think Veracode could develop a self-contained cloud system, allowing them to deploy the solution on their own system. This would be beneficial for us as they could provide the data privacy we require. It would be great because each new update on the security process necessitates a slight change in the program.

The reporting features could be subcategorized if the bugs are categorized and subcategorized according to our requirements rather than the understanding of the security system. This would be beneficial because whenever we need to integrate or resolve a bug, it is crucial for us to identify the vulnerable parts of our code. This process requires additional time and effort. Moreover, it is often challenging for us to comprehend the specific changes the system expects from us.

View full review »
Freddy Bang. - PeerSpot reviewer
Chief Technology Officer at ELEARNINGFORCE International ApS

There might be room for improvement in the in-app guidance and the tips and tricks for the developer about how to progress. We would like more insight into the development environment, where they would get guidance on how to avoid flaws.

View full review »
Arnab Paul - PeerSpot reviewer
Cyber Security Consultant at a consultancy with 10,001+ employees

I've found that Veracode is not particularly suitable for Dynamic Application Security Testing. Unlike other tools equipped with their own crawlers, Veracode necessitates the use of a Selenium script for crawling. However, the tool's compatibility with all functions is limited, which can be frustrating. For instance, functions like upload, download, or those triggering new tabs are challenging to handle within the DAST section due to Selenium's inadequacies when used with Veracode.

In contrast to other tools where we can monitor requests and responses during a scan, Veracode lacks this capability. The scan initiates, and we must wait until completion to see the results. There's no opportunity to check if the right requests are being sent or if certain components are being excessively targeted. Once the scan starts, we're essentially locked in until it concludes, and only then can we access the results. Furthermore, even after the scan, we're only provided with a summary of scanned URLs and the number of requests made, without the specifics of the request or response contents.

View full review »
DB
Security Engineer at a tech vendor with 10,001+ employees

The sandbox could use some improvement; when creating a sandbox, it requires us to put the application name in twice, which seems unnecessary.

View full review »
Prateek Agarwal - PeerSpot reviewer
Manager at Indian Institute of Management Visakhapatnam

The UI could be better. Also, there are some scenarios where there is no security flaw, but the report indicates that there is a security flaw. The report is not perfectly accurate. So, the accuracy of the scanning reports needs improvement.

It currently takes too much time to scan all the vulnerabilities in the applications and code. The time should be reduced. The scanning engine in Veracode needs some improvement in terms of performance and efficiency.

View full review »
Jan Pašek - PeerSpot reviewer
Tech Lead at a financial services firm with 10,001+ employees

There are many false positives, especially one particular type: reported hard-coded passwords in the code. We do not have hard-coded passwords in our code, but we are using third-party libraries that have variables with passwords in their names. For example, a variable might be named "passwordForCommonFixFile" or "passwordForSecurityStore." Veracode's keyword analysis probably assesses these variables as hard-coded passwords. This is problematic because the false positives are coming from third-party libraries, and we cannot easily check the flaws to see if they are false positives. To fix the problem, we have to compile the code, which we should not have to do. We are forced to accept the false positives because we know from the software and system design that there cannot be hard-coded passwords in the third-party libraries we are using. If the libraries were generic, then there would be no chance that they would have hard-coded passwords for the specific services that we are connecting to. To reschedule the scan, we have to go through some bureaucracy. 

Despite the presence of many false positives, we remain confident in Veracode. However, the impact on developer confidence is negative, as it leads to resistance to enforcing certain development processes, including the use of Veracode in the development pipeline. This is understandable, given the complexity of the process required to reschedule the flaw for a single false positive. This process requires approval from the system owner, a senior manager, and the cybersecurity team.

Veracode has increased the work time of our developers because of the false positives.

The area with the most room for improvement is the speed and responsiveness of the query, as it is usually very slow. I am not sure if there is a specific space allocated for us that can cause this, but when I open an application and want to click through multiple scans to see the differences, or if I want to do anything else, everything loads very slowly. This makes it much less user-friendly to play around with the GUI and explore the features.

View full review »
RB
Security Analyst at a insurance company with 10,001+ employees

There can be a lot of improvement. It does not have a reporting structure for an OS-based vulnerability report, whereas its peers such as Fortify and Checkmarx have this ability. Checkmarx also provides a better visibility of the code flow.

Veracode is 75% or 80% accurate. At times, we do come across a lot of false-positive cases, but this is an issue with all security tools. Unfortunately, we do not see an option to set the policies because policies are predefined. Overall, when comparing it with its competitors, Checkmarx is better than Veracode in false-positive rate. Veracode's false-positive rate is decent. It is not too good and not too bad, but there is a lot of room for improvement. I personally found Checkmarx to be more accurate than Veracode. This false-positive rate has an effect on the security team because, for a false positive, a developer raises a ticket for us, and our job gets a little bit more hectic because we have more vulnerabilities to create rather than focusing on the positive ones. It is daunting when too many false positives are being reported by the development team for triaging purposes. However, in one of the calls related to their roadmap, I saw a feature where you can go through the code, and it provides you with some mitigation. 

View full review »
Nantabo Jackie - PeerSpot reviewer
Sales Manager at Soft Hostings Limited

It can be a bit complex because it takes a lot of time to have it complete the task.

Also, the interface is disjointed. 

And the documentation is kind of confusing. It may not be updated in the same way that the software is.

There is also a little bit of a learning curve before you can do security scanning of any application.

View full review »
Shobana Raghu - PeerSpot reviewer
Application Development Analyst at a consultancy with 10,001+ employees

The reporting was detailed, but there were some things that were missing. It showed us on which line an error was found, but it could have been more detailed.

Also, with upgrades, we had quite a difficult time tracking the reports, so there was some maintenance around that.

View full review »
Avinash Mukesh - PeerSpot reviewer
IT Specialists at Soft Hostings

Scanning progress is highly dependent on the speed of the Internet. This can create confusion about the completion of scanning tasks. For example, a static scan may detect all vulnerabilities during a single scan, but when static scanning is disabled, some vulnerabilities may be detected during one scan, but not during the next scan or a subsequent scan. This inconsistency can make it difficult to track vulnerabilities. Additionally, The solution does not make it easy to mitigate vulnerabilities that are not detected by static scanning.

The price of the solution has room for improvement.

View full review »
Hassan Saleh - PeerSpot reviewer
Managing Director at Century Bottling Company

Static scanning takes a long time, so you need to patiently wait for the scan to achieve. I also think the software could be more accurate. It isn't 100 percent, so you shouldn't completely rely on Veracode. You need to manually verify its findings. 

View full review »
Oscar Narvaez - PeerSpot reviewer
COE Head at a tech services company with 1,001-5,000 employees

Veracode can improve the price model and how they bill the final offer to customers. It's based on the amount of traffic. For example, you can buy 1 gigabyte distributed across various applications, and each one can consume part of the whole allotment of traffic data. 

You pay for all of the time that the tool is running, not for the number of scans. There are specific rules governing the amount of traffic applications can consume from the allotment you have. I would like the pricing to be more personalized. For example, some companies don't have a large budget for this kind of tool, whereas a large enterprise can acquire this kind of solution and pay for it. However, I'm an IT consultant working with various types of customers in different industries, including finance, insurance, and telecommunications.

View full review »
Daniel Krivda - PeerSpot reviewer
DevOps Engineer at a insurance company with 10,001+ employees

Third-party library scanning would be very useful to have. When I was researching this a year ago, there was not a third-party library scan available. This would be a nice feature to have because we are now running through some assessments and finding out which tool can do it since this information needs to be captured. Since Veracode is a security solution, this should be related.

I would recommend that they keep working on the integrations. For Azure DevOps, the integration is great. I am not sure what the integration possibilities are for the Google platform or AWS, but I would suggest every other platform should have this easy and great integration. It takes a lot of time for companies, so this feature is a big plus.

View full review »
Muhammed Shabreen - PeerSpot reviewer
CTO at RIZEK

From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front.

From the pricing perspective, it is not very convenient for startup organizations. They should have options to onboard it for the startup ecosystem quickly and affordably.

There should also be strengthening of the developer community.

View full review »
KN
Junior Developer Intern at a insurance company with 10,001+ employees

An area for improvement I found in Veracode is the connectivity because currently, my company uses a plugin for the dev-ops cloud-based connectivity. A pretty helpful feature would be if Veracode gives a direct code for connecting to the Oracle server directly and authenticating it via a unique server. Currently, my organization has to find a roundabout for that and then needs to build a separate pipeline and then connect that pipeline for Veracode to start.

View full review »
Satheesh Bojedla - PeerSpot reviewer
Senior engineer at a financial services firm with 5,001-10,000 employees

If Veracode develops a plugin for multiple orchestration tools, it will be easy for us to use the product in our company.

If you schedule two parallel scans under the same project, one of them will be a failure. It would be good if Veracode could provide two different site codes since if another code scan gets triggered while the scanning for one code is going on, the newly triggered code scan fails, stating that there is already a scanning process in progress. If Veracode can handle a newly triggered second code scan in their sequence instead of making it fail and take it up later or on a wait so that they can trigger it after the first code scan gets completed, then it would be a nice improvement. There is no queuing mechanism for scanning right now.

Module selection is manual. If somebody adds a new module, it is not detected automatically, and moreover, it ignores that module and moves forward. You have to go and include that module manually, so if it is made dynamic in the future, it will be nice.

View full review »
Oluseyi Osifalujo - PeerSpot reviewer
Executive Director at Precise Financial Systems Limited

Veracode is costly, and there is potential for improvement in its pricing. In our region of the world, it is challenging to attract a significant number of sign-ups due to its unaffordability.

View full review »
Ivo Dias - PeerSpot reviewer
Sales Engineer at M3Corp

In the last month or so, I had a problem with the APIs when doing some implementations. The Veracode support team could be more specific and give me more examples. They shouldn't just copy the URL for a doc and send it to me. I am a distributor and a Veracode solutions expert, so if I create a ticket that means I have read the documentation. It would be better if they sent me more examples instead.

View full review »
MC
Vice President of Engineering at Avant Assessment

I do have two pet peeves with the platform.

  1. The user interface is slow as a dog; really slow. You go to any modern interface and it's a lot more snappy. Even though I understand a lot of what they're doing and why it might be slow, it is really slow. You click on something and it takes two to three seconds. That doesn't sound long, but it just feels super clunky.
  2. There are many times when their product goes to check my code and it dies, and I don't know why. I've contacted support and they're not really helpful with this particular problem. I go to the logs and I look at what I can but I can't tell why the check process has essentially just died in the middle of checking.

Other than those two complaints, I still find it very strong and powerful.

In terms of additional features, the big one I would like to see is that, right now, I have to click through too many things to get to the triage report, which is the main thing I want to see for anything. I have to click through this one screen that doesn't give me any information and I really just want to get to the mitigation review screen quickly. Anything that would save me going through clicks and four or five different screens, because the interface is slow, would be fantastic. I want to get to that mitigation screen because the summary screens are not all that interesting to me. I need to know, "Is this mitigated? Is it not?" and get it checked off and reviewed.

View full review »
Jagusztin Laszlo - PeerSpot reviewer
Lead Architect, Presales lead at Alerant Zrt.

There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow. Also, because we are located in Europe, it would be a big help if they had a European or national service, because of the regulations, not only because of the speed.

Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it.

View full review »
JW
Lead Product Security Engineer at a computer software company with 1,001-5,000 employees

Veracode's long scan time for vulnerable code can hinder productivity. There is room for improvement in this area.

Veracode produced a lot of false positives.

Veracode's ability to fix flaws is less sophisticated than that of its competitors. For example, Veracode's static analysis scanning workflow for flaws is not as highly developed as Checkmarx's or Snyk's. Veracode would often provide incorrect sources and fail to identify the source of malicious user input coming to the team.

The process of bundling binaries or code for scanning could be improved.

View full review »
MH
Chief Software Architect at a tech services company with 51-200 employees

An area for improvement in Veracode is the time that it takes to scan large projects, as that makes it difficult to fit into our CI/CD pipelines.

One of our app scans times out after two hours, which requires uploading and scanning that particular application manually. Still, there's no visibility into the CI system with the vulnerabilities found. My company cannot incorporate that into the automatic cycle and has to scan manually, so Veracode could improve on that.

View full review »
AK
LSA at a consultancy with 10,001+ employees

The analytics dashboard is not user-friendly and can be improved to assist us with the application size and enable modifications, whether for static or dynamic scans. This is currently missing in Veracode.

Veracode needs to improve its integration with other tools.

We have requested an enhancement for Veracode because it does not support scanning the static and dynamic elements of code created by MuleSoft. Furthermore, it does not support these aspects for the new generation of applications and we have to use other tools.

View full review »
BF
Application Security Engineer at Advantasure

I have a few pet peeves and minor areas of irritation. Their customer success team does an excellent job, but getting their internal engineering team to do things isn't easy. They seem to lack a focus on maintaining the solution and improving it in the next generation. 

It's a common problem in the industry. Software developers are always thinking about the next big thing but lose sight of what's happening right now. If you have an idea for a feature request, you must submit it to be voted on by the Veracode community. I don't like this. No one will look at it unless enough people vote for it. 

Another issue we have concerns entry points. You must select the entry points for a static scan of your stuff. However, you can fix this by having templates in  Jenkins. Things can sometimes change, confusing Veracode. I want to lock those entry points in. Eventually, our DevOps team will create templates for everything. If I want a new template, I need to submit it to the community and get my peers to vote on it. It's a waste of time. 

View full review »
Geofrey Mutabazi - PeerSpot reviewer
Founder at a manufacturing company with 1-10 employees

Veracode can be slow at times and has room for improvement, which may cause delays in our products and prolonged static scans. However, we can run these scans in the background to minimize disruptions. Static scanning can be a slow process that requires some time.

The cost and scalability also have room for improvement.

View full review »
Michea Mbaziira - PeerSpot reviewer
Insurance Agent at ICEA

The backend support team of Veracode requires improvement as they are difficult to reach when we encounter issues.

The UI is not user-friendly and can be improved.

The speed of our internet connection affects the scanning process, which may take a considerable amount of time to finish. As a result, this can lead to challenges in planning and reporting, causing confusion.

View full review »
Prakash Pillay - PeerSpot reviewer
Director - Product Solution/Architecture at a tech vendor with 10,001+ employees

I would like to see improvement on the analytics side, and in integrations with different tools.

Also, the dynamic scanning takes time.

View full review »
Evan Gertis - PeerSpot reviewer
Penetration Tester at a tech vendor with 51-200 employees

The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way. And we have a process in place where there's a set of tickets and people can work on them. It just seems that people are more focused. They tend to pay attention to what they're doing and there's accountability. So having a more rigorous JIRA integration would be very helpful.

View full review »
CM
CyberSec professional at a manufacturing company with 5,001-10,000 employees

Veracode's support could be better. It is limited and slow.

The security labs integration has room for improvement. Currently, it is not possible to see the security labs training reports on the dashboard. These reports are only available separately in the security labs platform. I think that adding the dashboards for integration would be a good area of improvement.

View full review »
Calinescu Tudor - PeerSpot reviewer
Security Project Leader at ATOSS AG

False positives are a problem. Sometimes the flow paths are not accurate and don't represent real attack vectors, but this happens with every application that performs static analysis of the code. But it's under control. The number of false positives is not so high that it is unmanageable on our side. Once they are identified, you can mark them as false positives, and they can be accepted by the security project lead. After that, life goes on, and those will no longer be reported.

The problem is the time that you spend analyzing a flow to be sure that it is a false positive. Every problem that is reported as a security vulnerability has to be treated with maximum care by the developers. It is good, in the end, when it's a false positive instead of having a real vulnerability.

Because we are working on a huge application with lots of dependent sub-projects, there are 9 to 20 data paths. We have to check all of the vectors from all of these paths. If we decide that an attack vector might be susceptible to that attack, we start fixing it. But for the others, the attack vector is not relevant.

There is always room for improvement in any product; it's not something related specifically to Veracode. But in the case of Veracode, maybe they could improve the scanner to reduce the number of false positive events so that they remain only with the valid data paths that represent real attack vectors. We understand that this is quite hard to determine by just scanning the code.

Also, the UI of Veracode could be improved to permit better visualization of the issues and the grouping of the issues, with better filtering.

View full review »
Dipjyoti Roy - PeerSpot reviewer
Senior Devops Engineer at Thosmon Reuters

There are times when certain modules cannot be scanned automatically, requiring us to manually select these modules and initiate the scanning process on our side.

The vulnerability report has potential for improvement and should encompass more detailed information about the vulnerability, rather than solely identifying it.

View full review »
Vladimir Shilov - PeerSpot reviewer
DevSecOps at Ciklum ApS

There are certain shortcomings in Veracode's static analysis engine. I would improve Veracode's static analysis engine to make it capable of identifying vulnerabilities with low false positives.

The product is good, and if improvements are required, then such improvements should not be significant enough. There may be a slight scope to improve the product's integration capabilities. The product can also consider improving its support of different .NET versions and other programming languages, like Java.

View full review »
Mahammad Azeem - PeerSpot reviewer
Application Architect at a tech services company with 10,001+ employees

Veracode's false positives have room for improvement. For example, if there is an applicant named ABC in Veracode. I have uploaded my Java file, which contains a hundred lines of code. I suspect that the ninetieth line includes a hard-coded password. Thus, during the scan, it will identify the presence of a hard-coded password on the ninetieth line and suggest how to mitigate and resolve this issue. In the next scan, I added fifty more lines of support and fixed the password-related problem. However, the line containing the password is no longer at the ninetieth position; it has moved to the hundredth line. Despite these changes, the next scan still detects the password flaw. Even though I encrypted the password and added the required string, the issue continues to be flagged. This constant flagging of the issue, even after resolving it, is one of the major drawbacks. To overcome this problem, we decided to create another application. This action was taken to prevent the recurrence of such issues. In the future, when I have a release in the coming months, I cannot keep encountering this problem repeatedly, as it still flags the issue as long as the code is in a different line. We have spoken to the vendor several times about this issue and scheduled a work order consultation call, but we did not receive a response.

In order to achieve software consolidation and analysis reports for Android applications, we need to utilize a third-party utility called SourceClear along with Veracode scanning. This complicates the market and has room for improvement. 

When scanning a file that is over one gigabyte in size, there is a high chance that Veracode will continue scanning. When we initially encountered this issue and investigated it, we raised a ticket. As a result, a Database Lock occurred, causing Veracode to become stuck.

View full review »
VS
Sr. Web Application Security at a tech vendor with 10,001+ employees

The dynamic scanning feature appears to be working, however, 90%-95% of all vulnerabilities could be easily detected by any web browser.

When it comes to dynamic scanning Veracode needs to improve its functionality.

They claim that we can do this, but it doesn't work when we're scanning the applications in real time.  

Static code analysis generates too many false positives, so it takes a lot of time to review them all. The security and development teams need to work together to mitigate the false positives. It doesn't affect the developers' confidence in the solution. It still works, but it takes time. It has a significant impact on the process. 

View full review »
SR
IT Manager at a financial services firm with 5,001-10,000 employees

The scanning on the UI portion of our applications is straightforward, but folks were having challenges with scans that involved microservices. They had to rope in an expert to have it sorted. In addition, one of my developers told me that they looked at the documentation that was given but still required the involvement of an expert to get the issue fixed. I would like the documentation to be a little more user-friendly.

Also, the turnaround times could be improved. From what I've heard, the scanning takes a bit of time to complete. If it could be completed a little more quickly, that would help.

View full review »
Walwasa Mulutazah Yahaya - PeerSpot reviewer
Project officer at BRAC Uganda

Its price is too high for a startup. If you want to run the analysis, it'll cost a lot. They need to fix its pricing. 

It takes a lot of time to scan the applications. They can make them faster and provide an option to scan a specific portion of the app. Such a feature would be very helpful.

It lacks regular updates. It isn't frequently updated.

View full review »
Peter Westin - PeerSpot reviewer
Backend Engineer at a tech company with 1,001-5,000 employees

I would like to see more AI features. It's a current subject because with ChatGPT and other solutions being developed all the time, IT attacks will increase. I actually talked to the CEO of an IT security company in the United States because he ranked the top-10 IT security risks this year, and one of the biggest risks was new vulnerabilities or attacks would occur because of ChatGPT and similar services. To defend against those it's very important that the good guys use AI in ways that are good instead of bad.

View full review »
Naushath Raja - PeerSpot reviewer
Senior Director at a tech vendor with 10,001+ employees

Veracode's ease of use could be improved. I would also like to see more online videos and tutorials that could help us understand the product better. It would also be helpful if Veracode created a certification program for DevSecOps staff to learn about their product and get certified. This kind of training would raise the company's profile within the industry. 

View full review »
JA
IT Project Manager at Orange España

There should be more control for administrative users so that we can add and delete any functionality or module within the platform. We should not have to reach out to Veracode's customer support every time. We should be able to customize our modules. 

Also, the analytics reporting should be improved. It should provide bar graphs and full visualizations so that people who are not as technical can understand things.

View full review »
Sairam Bathini - PeerSpot reviewer
DevSecOps Engineer at Tata Consultancy

Veracode should include the feature to run multiple scales at a time.

View full review »
SA
Manager IT at a tech company with 201-500 employees

We have some constraints interacting with Veracode self-support. I'm not talking about their technical support. I'm talking about self-support. We sometimes have a hard time communicating with them.

View full review »
JV
Manager Consultant at a tech services company with 1-10 employees

Veracode has the capability to identify flaws in the code. I would like Veracode to also have the ability to fix these flaws in a future release.

View full review »
Shiva Prasad Reddy - PeerSpot reviewer
Program Analyst at a tech services company with 10,001+ employees

There is a sandbox limit of 10 so any company using Veracode needs to plan for only having those 10 sandboxes. If they increased that to 25 or 30, the scan time would decrease and the results should be more effective.

There is also a size limit of 100 MB so we cannot upload files that are larger than that. That could be improved. 

Also, the duration of the scan is a bit too long.

View full review »
Fiorina Liberta - PeerSpot reviewer
Principal SRE Engineer at AIA Singapore

The mitigation recommendations are sometimes helpful. Sometimes, they are outdated. Sometimes, there are a lot of false positives inside Veracode. That is something that I already suggested to the Veracode team.

It could have better integration with our pipeline. If we could have better integration with our application pipeline, e.g., Jira, Bamboo, or Azure DevOps, then that will be very helpful. Right now, it is quite hard to integrate the solution into our existing pipeline.

If it has better integration with our DevOps pipeline, then we would use it more. However, at the moment, if the solution can be used for a new project, then we can integrate it. However, if that takes too long, we will integrate other things that are faster.

View full review »
GG
Technical Program Manager at a engineering company with 10,001+ employees
  • To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources.

Compiled code means that the code written is stored in binaries for machine reading only. Veracode reads only those binaries (compiled code). The other way to have the code is “Source Code written only”, a process where you don’t compile and anyone is able to read line by line the code.

This example might seem weird, but maybe will clear things out:

Binary Code (Supported by Veracode):

11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010

11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 11110 010

1111000101000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 010 11110001011000 0111 0001 01 110 00010 0101

Source Code:

public class HelloWorld {

public static void main(String[] args) {

// Prints "Hello, World" to the terminal window.

System.out.println("Hello, World");

}

}

View full review »
AR
DevOps Engineer at a consultancy with 10,001+ employees

One concern is that scans take a long time to run. We scan at the end of the day because we know it will take a lot of time. We leave it to run and the report will be generated by the next day when we arrive. The scanning time could be reduced.

View full review »
AjitMatthew - PeerSpot reviewer
Principal. - Head - IT, Information Security and Admin at a consultancy with 201-500 employees

When we engaged Veracode to conduct the manual penetration testing, they were extremely slow in completing the task and delivering the report, causing a delay of two to three weeks for us. The duration of the manual penetration testing process needs to be improved.

The cost of the solution can be reduced.

View full review »
Miodrag Zarev - PeerSpot reviewer
Senior Software Engineer at a tech vendor with 11-50 employees

We are testing Veracode's software composition analysis, but we're having trouble integrating it with SVN. It works out of the box when you use Git but doesn't work as well with other tools like SVN. It's more geared toward Git.

View full review »
CD
Vice President QE Practice at a computer software company with 1,001-5,000 employees

The mitigation recommendations are the standard ones, but if there are specific activities that come into the picture, Veracode should provide more remediation solutions. Since all of our team members are pretty good at what they do, they're able to do a good job with the information they get. But if somebody had to start off from the ground floor, they might need some help to understand things.

Veracode doesn't really help you so much when it comes to fixing things. It is able to find our vulnerabilities but the remediation activities it does provide are not a straight out-of-the-box kind of model. We need to work on remediation and not completely rely on Veracode.

Also, there are certain third-party libraries that might be called up by the code and that might have vulnerabilities. I haven't seen that Veracode is able to deal with that aspect. 

Another area for improvement is when the code's logic might have certain flaws that can result in a security vulnerability. Veracode doesn't handle that as well. Improvement in those areas would help us determine things much faster.

View full review »
Chris Sawyer - PeerSpot reviewer
Full Stack Engineer at TCDRS

I've seen slightly better static analysis tools from other companies when it comes to speed and ease of use.

Also, with the dynamic tool, sometimes a scan gets stuck and it can be hard to get a hold of the right person in a timely manner to find out why it got stuck and to get it unstuck, or to create a new one.

Overall, speed and customer support could be improved.

View full review »
KA
Cyber Security Consultant at a computer software company with 51-200 employees

The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives.

View full review »
TR
Associate Software Engineer at a healthcare company with 201-500 employees

I would like Veracode to add more language support.

To use the Veracode extensions, we need to create a file in a folder and name it "prevention and filters." It would be more user-friendly if Veracode could automate this process by creating the file automatically when the Greenlight extension is installed. Additionally, a pop-up tool for security could be shown to guide users through the process making it more user-friendly.

View full review »
GR
System Engineer at a tech vendor with 10,001+ employees

The interface is basic and has room for improvement.

The main problem I have faced with Veracode is that it does not integrate well with JFrog Artifactory, the repository where all our jobs are stored. This means that sometimes jobs are not reflected in the Veracode report, which is a major drawback.

We have a Maven repository provided by Maven itself, which is widely used by all developers. It is the heart of these jobs, and every detail is available in the jobs. So when Veracode says that a specific job is not vulnerable, but the Maven repository says that it is, I don't think Veracode is updated daily. This is a problem because if I fix the job, taking two to three hours to do so, and then Veracode is updated two weeks later and linked to the Maven repository again, Veracode may show that the job is no longer vulnerable. This is a threat, as it wastes a lot of time for developers. As developers, we usually have deadlines to meet for moving to particular environments, such as UAT or production. Veracode is wasting our efforts by not being updated daily.

View full review »
KW
Founder/Developer at Sarkonah

They need to have a plug-in, a better integration with the development environment. 

View full review »
David Jellison - PeerSpot reviewer
Senior Director, Quality Engineering at Everbridge

I think the biggest room for improvement is around known or accepted vulnerabilities that, when we re-scan, we want those things to be recognized as already accepted, as an exception. Sometimes they show up as something new and we have to go back and re-accept that as an accepted exception in order to bring our numbers back into compliance. I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity.

I would also like to see more executive reporting. Having a good snapshot of how well we're tracking, where each of the teams that own the applications, how they're doing, and where their gaps are would be good. Currently, the reporting is geared towards tracking current vulnerabilities. Even though they have trending, the trending doesn't necessarily evaluate the teams and how well they're doing. I would also like to be more oriented towards teams.

Overall, I would give Veracode a nine out of 10.

View full review »
EricOlson1 - PeerSpot reviewer
Application Security Program Manager at a tech services company with 5,001-10,000 employees

We're still trying to get things operationalized, piloted, and tested. I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you. 

For example, it would be nice if the solution used AI or machine learning to detect what your code was by doing. It could perform the review and decide how to package up the software. You could run it and wouldn't need as much developer involvement.

View full review »
FranckGafsou - PeerSpot reviewer
Security Architect Lead at a comms service provider with 10,001+ employees

This solution has a clear interface, but there are times when you go to the menu of a scan, you have to open another page for the project, or if you need to link, you also have to link your scan to a specific project. Some people find it difficult to understand those different screens and menus.

When you want to retrieve specific information about the projects that are linked to your scan, it's not easy. Those pages need to be redesigned.

I also don't understand Veracode workspaces. Other people also find that feature difficult to understand.

Those are the features that Veracode needs to redesign.

View full review »
KB
Sr. VP Engineering at a computer software company with 51-200 employees

One thing I would strongly encourage Veracode to do, early on in the process—in the first 30 days—is to provide a strong professional services-type of engagement where they come to the table with the front solution engineers, and work with their customer's team and their codebase to show how the product can be integrated into GitHub or their own repository. They should guide them on best practices for getting the most out of Veracode, and demonstrate it with live scanning on the customer's code. It should be done in a regimented way with, say, a 30-minute call on a Tuesday, and a 30-minute call on a Friday.

I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results. And they should say, "If you don't understand something, here's how you contact customer support." A little bit more hand-holding would go a long way toward the adoption of Veracode's technology.

View full review »
SC
Systems Engineer at Shift movers

I think Veracode could integrate some advanced technologies to better address new threats as they arise. 

View full review »
SR
Product Marketer at a media company with 1,001-5,000 employees

The false positive rate is a gray area. The number of false positives could be reduced a lot. For each good result, we are getting somewhere around 15 to 20 false positives. We expect false positives, but if that ratio could be reduced to a single-digit number for the false positives, that would be much more helpful.

We are spending some manual effort and time on this because it happens sometimes, when we first scan code, that it says there is no threat. And the second time we scan it, it says there is a threat. Those kinds of positive responses make us do double work. If that was better, it would greatly improve our overall efficiency.

Apart from the false positives, I would like to see more plugins and integrations to make Veracode much more user-friendly for developers and users. Any IDE plugins would make our work faster.

View full review »
NS
Delivery Manager at a tech vendor with 10,001+ employees

I'm also a cybersecurity expert. In addition to vulnerabilities, I am looking at this from a holistic cybersecurity perspective. Bringing Veracode in line with the latest vulnerabilities would add value. We see APT issues often, and some processes could be left vulnerable if our tool cannot cope with them. It would improve Veracode to bring it up to date with current threats that the cybersecurity industry highlights.

I would also like Veracode to offer training and certifications that users can do on their own time. It would encourage people to build skills that they could reuse across the board. Many other software publishers offer this. It helps build a user base and generate interest. Training is an excellent way to market your product. It would also be helpful to build a user community online to create a knowledge base of expert users who can answer questions and advise Veracode on ways to improve the product.

View full review »
Rafael Mesquita - PeerSpot reviewer
Full Stack Software Developer at DreamDev

We waste a lot of time figuring out which results are false positives, and it has affected our trust in the tool. After we've spent time training and setting up the tool correctly, we need to scan our code and remove all the false positives. Finally, it's good enough to identify our security issues.

We get some false positives with JavaScript languages like React, TypeScript, and Angular. The problem is rooted in the build process of JavaScript, not the code we are using. This is something we spend lots of time trying to resolve. When we point to a specific library and review that on the code, we can see it is a part of the build that isn't going into production. It's only a part of the build because JavaScript has a different build process. 

This hasn't happened in .NET or C# because we use can all the libraries used when coding. In JavaScript, it's tough, and we spend tons of time trying to find the issue. However, it's not a problem because it's a pre-compiled language. This isn't unique to Veracode. Black Duck does the same thing.

Maybe Veracode could automatically detect the language type first and improve the way it scans JavaScript to reduce the false positive rate for this specific language. Also, in the reporting area, it could connect to the source code Veracode uses for the third-party library.

When Veracode finds security issues, it creates a report with the number and description of the issues. Sometimes, we are not able to connect that issue with the third-party library containing the code and applications the developers are building. The relationship between the flaw in the code and the third-party library could be more apparent because developers may not realize that the root cause is the library, not the code itself. 

The compliance features are good, but it's pretty picky in terms of what it considers a security issue. I and the other developers struggle to understand what is flagged as a security vulnerability. If you can see a security issue in there, you can see all the documentation, but it's difficult to relate that to the code to determine why the issue happened. It could be clearer how to find the issue in the structure of the code. 

View full review »
Anshuman Kishore - PeerSpot reviewer
Director Product Development at Mycom Osi

Veracode Static Analysis lacks penetration testing, so that's a concern. The tool is also unable to scan when it's a C or C++ model, so that's another area for improvement.

View full review »
Nathan S - PeerSpot reviewer
VP of Product at a healthcare company with 51-200 employees

Veracode Static Analysis can improve the false positive. There are always improvements that can be done to the false positive rate. There are some things that get flagged that are not an issue. However, it is not a huge concern.

View full review »
Ajit Matthew - PeerSpot reviewer
Sr. Partner IT and Information Security at TheMathCompany

The training lab is not very user-friendly and takes a long time to set up. This is an area that should be improved because we've not used it as much as we should have.

View full review »
ST
Engineering Security Manager at Nextiva

Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two separate tools from the same company. One for the static analysis and dynamic analysis, then the second one for the third-party dependency. 

That is an area that they need to improve the service. Veracode needs to bring the second tool in already to the dashboard so that we don't have to use two separate logins. We don't want two different sets of jobs that we have to upload into two different places, etc. Veracode also needs better integration of their tools to each other.

Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis. The SCA feature is on the website. Veracode should integrate SourceClear with the company product line finally after two years. I would love to see that. 

Veracode did not previously support Python 3. They just released the support for Python 3. Keeping updates coming quicker would be the main thing that I would love to see, i.e. to have all these solutions better integrated.

View full review »
SM
Security Analyst at a tech services company with 11-50 employees

Veracode Greenlight scans the code while the developer writes it. It will be beneficial for developers if Veracode Greenlight includes Python.

View full review »
BahatiAsher Faith - PeerSpot reviewer
Software Developer at Appnomu Business Services

It's very expensive for a small organization.

View full review »
SP
Software development program leader at Vendavo

The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it. The pricing model was expensive and the results were not the same as the full solution analysis. It gives a differently scoped "just in time" analysis within the context of the IDE, so it didn't speak to the same problem space.

The best situation would be the one where the developers don't even need to log into the web portal, and the results from the scans would be delivered into their IDEs. It would be an asynchronous job, but if they could see the results right there, while they're working on the code, then they wouldn't need to go to a separate tool to look at the information to figure out what to do next.

The workflow today on the build side is optimal, so imagine that's still doing the same thing but then in the backend, whenever a developer has that project open in the browser, if they chose to, they could enable a view to see the most recent Veracode results of that module. That scan might be from last night or six hours ago or any other point, and that's fine. It would be the best possible situation to put the results and the actions right in front of the developer, in the tool that they're already using when they're touching the code.

The only other thing that we've found a reasonable workaround with is how to work with microservices in the context of Veracode. This was necessary because Veracode's licensing model and the interaction model are built around an idea of an application. When you're talking about a section of business logic that's being delivered by possibly dozens of microservices, there is some friction with Veracode in terms of how that application gets defined and how the scans occur and get reported on.

When we reached out to Veracode about this, I got a slide deck that provided us with different options of how they recommend proceeding in this context. It was helpful, and clearly a question they've considered and they had answers ready to go on. The ideas helped us and essentially reinforced what we were already thinking. It's getting the job done, but it still feels like a little bit of a square peg in a round hole and it could be a little smoother in terms of that interaction.

The problem boils down to how we fit the microservices architecture into the Veracode notion of an application. We need to be able to get a holistic view across the microservices, which is extremely challenging, especially when those microservices are owned by different teams who have different needs to see and respond to the scans. 

View full review »
SM
Principal for the Application Security Program and Access Control at a engineering company with 10,001+ employees

When we go from the dynamic scan to static scan to SCA, there is a huge change in the UI. This was not relayed to us when we were buying the product nor during the demo. They mentioned, "Yeah, this was an acquisition. The third-party library scanner was an acquisition from SourceClear."

You can see there is a huge difference in the user experience in terms of both the display as well as the usability of the product. That is one of our pet peeves: They are not normalizing the UI across the three product segments. We had numerous calls with them early on because we were new to the platform. The sales team is not aligned with the support team. The support team keeps telling us to use a different UI versus the one that the sales team showcased during the sales cycle.

There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed. It is ironic that they claim themselves as agile AppSec tool, but their UI doesn't reflect that.

We had a couple of consulting calls, and perhaps it may be the engineers that we got, they were not really up to speed with our frameworks. They were very focused on .NET and Java, which are legacy frameworks for us. We don't use these at all in our code base. We are using the newer, modern web frameworks, like Django. They have very little coverage or knowledge base on these, especially on the mobile side.

There are a lot of faults with the Static Analysis Pipeline Scan tool. Their tool seems to be very good with legacy products, which are developed in .NET and Java frameworks, but there are false positives when it comes to using modern web frameworks, like Python and Django. The C++ code doesn't even scan. We have spent at least three weeks worth of time going back and forth because it won't support the use cases that we have.

View full review »
Deepak Naik - PeerSpot reviewer
Chief Security Officer at Digite

It is pretty efficient when creating secure software. For one or two particular applications, the dynamic code analysis can take too much time. Sometimes, it takes three days or more. That is where we find speed getting dragged. Apart from that, it is pretty efficient for us to get results and make our software secure.

If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us.

They could probably provide some plugins for the Visual Studio code.

View full review »
DC
Chief Technology Officer

The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal. 

With that said, I hate when companies redo their portals all the time. So it's kind of a catch-22, but that would be my only critique.

View full review »
Pradeep Kumar. - PeerSpot reviewer
Founder and Director at Bizcarta Technologies India Pvt Ltd

On-premise implementation is not available.

View full review »
‌B
Senior software engineer at a tech services company with 1,001-5,000 employees

The false positives have room for improvement. Sometimes, we will get false positives, which we mark as mitigated. However, it can be annoying when they come up again in the next release. Every time a new person is doing the work, they may not be aware of the history of the issue. They must then check the false positive again and mark it as mitigated, and it may come up again in the future. False positives can be an irritating and time-consuming issue for developers to deal with. Investigating them can be a waste of time, as they have already been looked into. This can be frustrating for those involved. False positives waste our time and resources.

The zip file scanning has room for improvement. Sometimes when we upload the zip files for scanning, it can take a long time to get the report. This can take up to a day. Unfortunately, even after waiting a day, sometimes we find that nothing happened and we have to start the process over. This is both time-consuming and frustrating, as we feel the system has crashed.

The reports have room for improvement. I believe the reports are thorough but can become overwhelming with unnecessary information that may not be pertinent to the developer. I'd prefer to have customizable reports that allow us to select which elements we'd like to include.

I believe the usability of the UI needs to be improved. For example, when we navigate away from a page, it should remember our last location and take us back there instead of sending us to the homepage. Additionally, it should be easier to navigate between pages without having to refresh the page each time.

Veracode should provide potential customers with better training materials and resources to help them make a more informed decision before purchasing the product. This could include tutorials, demonstrations, more about how the product works, the user interface, the quality of Veracode's reports, and more. It is unclear if these resources are already available, but they should be made more visible if so.

View full review »
Anshuman Kishore - PeerSpot reviewer
Director Product Development at Mycom Osi

Veracode Static Analysis could improve the terminology. For example, I do not know what the sandbox scan does. The terminology and the way they have used it are quite confusing. They should have a process of capturing problems that users are having on their end.

Veracode Static Analysis should adapt and detect the vulnerability which is coming from customers.

View full review »
VD
Lead Security Architect at a comms service provider with 1,001-5,000 employees

There are few languages that take time for scanning. It covers the majority of languages from C to Scala, but it doesn't support certain languages and the newer versions of certain languages. For example, it doesn't support SAP and new JavaScript frameworks such as Node.js and React JS. They can include support for these. If you go to their website, you can see the list of languages that are currently supported.

The false-positive rates are also something they can work on.

View full review »
OK
Development Manager at a computer software company with 1,001-5,000 employees

The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it.

View full review »
reviewer1360617 - PeerSpot reviewer
Sr. Security Architect at a financial services firm with 10,001+ employees

We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen.  This ended up being relatively minor.  

One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive. 

Separately, I find the results console somewhat confusing.  When you are running multiple scan types for the same application, I've sometimes found it difficult to sort out where issues came from when I need that information.

View full review »
RB
Senior Security Analyst at a wellness & fitness company with 1,001-5,000 employees

Improve Mobile Application Dynamic Scanning DAST - .ipa and .apk. Right now I have to jailbreak an iPhone and Root an Android to intercept and fuzz requests with a Burp Suite Proxy.

That is a very time-consuming process and there are lots of dependencies. It would be very helpful if we can upload and .ipa or .apk into a Veracode simulator, provide credentials and run a Dynamic scan accordingly. Fuzzing functionality on API resources, HTTP Methods, and Parameters would also be very useful in testing our Web and API Application Firewalls, response pages, and other WAAF actions.

View full review »
AF
Cloud system engineer at a consultancy with 1-10 employees

The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users.

I would like Veracode to introduce more sophisticated AI features.  

View full review »
LF
Sales Engineer at a computer software company with 51-200 employees

There should be more APIs, especially in SCA, to get some results or automate some things.

View full review »
Calinescu Tudor - PeerSpot reviewer
Security Project Leader at ATOSS AG

The UI is messy because it freezes sometimes and some of the UI components are blocked and I do not know why that is happening. It's not happening only to me. Colleagues have reported to me that they have this issue.

View full review »
KE
Cybersecurity Executive at a computer software company with 51-200 employees

Because we're so early in our implementation, we have had minimal feedback in terms of room for improvement. We have seen some minor things within the interface itself that we would love to see some improvements on.

One of those is scheduling, which can be a little difficult. For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had. We have to change that over to a one-time scan. It would be lovely if we could run ad hoc scans without changing our recurring schedule. That can be a little painful because it happens a lot, unfortunately. I think that will change, so I don't want to knock them completely. Right now, we run a manual configuration setup, but once we integrate this via API into our CI/CD life cycle, that issue should go away.

View full review »
NS
Automation Practice Leader at a financial services firm with 10,001+ employees

The solution has issues with scanning. It tries to decode the binaries that we are trying to scan. It decodes the binaries and then scans for the code. It scans for vulnerabilities but the code doesn't. They really need two different ways of scanning; one for static analysis and one for dynamic analysis, and they shouldn't decode the binaries for doing the security scanning. It's a challenge for us and doesn't work too well. 

As an additional feature I'd like to see third party vulnerability scanning as well as any container image scanning, interactive application security testing and IAS testing. Those are some of the features that Veracode needs to improve. Aside from that, the API integration is very challenging to integrate with the different tools. I think Veracode can do better in those areas.

View full review »
NS
Lead Cyber Security engineer at a manufacturing company with 10,001+ employees

The scanning could be improved, because some scans take a bit of time. 

Many developers have commented on the packaging. It is quite different compared to other tools, so the packaging of codes could be changed. They should make it more uniform.

On the reporting, there should be an option like sending reports to groups or task ID.

View full review »
DM
IT Cybersecurity Analyst at a educational organization with 11-50 employees

If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing.

They have a pretty unique process to get guidance. It's not like you send them an email. You could do that, but if you want to set up a consultation call, you have to go to the website and give them a certain amount of detail so that they can study the problem and the detail and be ready to meet with you. It's not as simple as doing an email. You have to go to their website and you have to click on the "consultation" button and pick a time to talk with an engineer. Sometimes an engineer is not available for quite a while. You have to wait at least a couple of days before you can meet. Having to wait for two days is not that efficient. You should be able to set it up within 24 hours.

And regarding announcements from Veracode, I've tried to get them to let my developers know directly, and I'm not sure if that's happening. I want to tell Veracode to make sure that happens. I don't want them to send an announcement to me and then I have to disseminate that information to my developers. I want it to go directly to them. They've got the developers' names and emails in their database so those announcements should go directly to them.

View full review »
CG
Enterprise Architect, VP at a financial services firm with 501-1,000 employees

There is a concept called false positives where things might come up as a potential issue but they really are not. In our case specifically, we might get a false positive when a potential vulnerability is discovered through Veracode analysis, but the way that the application is built makes it so what appears to be a vulnerability is not really an issue. Stated a different way, even though there might be something that prevents that particular event from ever happening, the product does not correctly detect the safeguards or the impossibility of the issue arising.  

When a false positive gets reported by the Composition Analysis, it results in more work for you to do than you should have to. There is a lot of information to go through and so some of it is due to those false positives. You either have to do work to eliminate the false positives being identified, or you have to look at the alert and determine that it is harmless.  

As far as what might be added in future releases, more artificial intelligence capabilities would be desirable. I do not know if they have it now. Maybe one example could be to make more focused suggestions or give more information in the reports to locate the cause of the issues. It should be something that improves results over time so that people do not have to do as much work to understand the details.  

View full review »
VR
Solution Architect at a tech vendor with 10,001+ employees

Veracode does not support scans for .NET Blazor server applications. We encounter errors whenever attempting a scan. I would appreciate it if Veracode could incorporate support for these applications.

I would like Veracode to offer code support for the latest releases of .NET whenever they are released by Microsoft.

View full review »
SR
Manager, Information Technology at Broadcom Corporation

When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications.

For C++ based languages, or languages where there is a platform dependency—for example, if I write C language code it is dependent on whether I'm executing that on Windows, or on Linux, or another platform—and with some of these platforms-specific languages, Veracode makes something called debug symbols that are introduced into the code. That gets cumbersome. They could improve that or possibly automate. If Veracode could quickly analyze the code and make file-line flags, that would be great. It is easy to do for Java, Python, and Pearl, but not so easy for C++. So when it comes to the debug symbols, guidance or automation could be improved.

Also, scan completion, as well scanning progress, is not reported accurately. Sometimes the scan says it will complete in two to three hours but it will take four or five hours. That is one of the areas where they can give a more accurate estimate.

View full review »
KM
Information Assurance Manager at xMatters

Whenever there is a mitigation that is submitted through the platform, I'm the one who approves it. The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most.

View full review »
AS
DevSecOps Consultant at a comms service provider with 10,001+ employees

We would like to see fewer false positives. 

Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights.

Veracode has a little bit of noise. Sometimes you will get a lot of issues, which you just need to triage. While the solution is excellent, it does come with a little bit of noise.

View full review »
ST
Associate Director

They are already working on, but we are looking forward to seeing it. We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass. 

Once your report has been generated, you need to review the report with consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule a multiple consultation times with one of their developers. There are few developers on their end who work can work with your developers, and their schedules are very tight. Therefore, you have the report ready if you want a consultation, then it sometimes takes more than three to four days to arrange a meeting. I feel to wait four days to get a consultation and understand the report around the whatever has been identified is a bottleneck. 

View full review »
SN
SVP Application Security at a financial services firm with 10,001+ employees

I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment.

They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages.

My biggest need, the kind of feature I would want, is more on the technical support side.

View full review »
CS
Executive Assistant at a tech company with 51-200 employees

Veracode's ability to prevent vulnerable code from going into production is commendable. However, we have encountered numerous cases of false positives that need improvement.

The technical support service has room for improvement. There are times when we rely on them, but we are not receiving an adequate response.

The stability has room for improvement.

View full review »
FN
Application Security Engineer at a financial services firm with 1,001-5,000 employees

In the next release, I would like a proper way of packaging files for scanning and the packing of IOS apps and API Dynamic scan methodology. 

Also, there seem to be lots of false positives. This can be improved upon. 

View full review »
HM
DevOps Engineer at Barclays Technology

Searching for applications in Veracode is a little bit difficult. We have to minimize the length of an application's name to 47 characters. It would be good if this limit could be increased so that an application's name can be properly reflected in Veracode.

View full review »
RL
Security Architect at a financial services firm with 1,001-5,000 employees

It's pretty efficient, but sometimes the static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools. In some cases, they might have other mechanisms which would deal with a particular vulnerability, but it wouldn't be captured in the code. I would estimate the false positive rate at about 20 percent.

Upon review, the developers understand the solution. But when they get the initial list of findings, it can be a bit daunting to them if it's not managed appropriately.

Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved. There are times when we need a quick turnaround but it will take a little while. We might have something scanning and not get a result until the following day. It's not too critical, but it does increase the delay. Most of the time, when developers submit their code, because of the way that we use it, it's because in their minds they're ready to have that code deployed into production. But the security testing, especially with the feedback, introduces additional time into the project, especially if a security fix is needed.

View full review »
DR
Senior Solutions Architect at NessPRO Italy

This is not a very elaborate application. I think that the suggestions are between thirty-five and eighty percent accurate, with most cases being about seventy-five percent. Some of them are references where you have to go and determine whether they are direct threats, or not.

At the point in time when we were using this solution, we had older coders and the way Veracode tests for vulnerabilities may have been affected by the code style. I found that there were far too many warnings and some false positives. Of course, this comes with every product, and there are multiple tools that are used.

Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.

View full review »
Product Security Engineer at a tech services company with 5,001-10,000 employees

In terms of improvement, I don't have any valuable input. The application works fine and I don't have any negative feedback. Maybe pipeline scanner can be improved to support some additional language packages.

View full review »
DJ
Senior Director, Quality Engineering at a tech services company with 1,001-5,000 employees

Three areas that we continue to struggle with are

  1. Identifying and flagging false positives that reappear in other locations, where a rule that can catch other occurrences such that we don't have to repeat the override each time would help in productivity, and 
  2. Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues,
  3. Add enterprise aggregate reporting, showing teams grouped in business units with trends per team and at the group level that can be sent by email as a digest with drill-in back to the dashboard.
View full review »
HJ
Sr Director at a non-profit with 51-200 employees

The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified. 

The solution needs to be more flexible. It needs to work with clients more effectively. 

Right now, the licensing model is based on the number of applications as opposed to being flexible and based on the number of developers or based on some other parameters. This constrains our company in terms of defining what an application is and doing the scans. We have an application with multiple deposit rates, but Veracode has a hard time recognizing the different components sitting in different depositories as one application. 

The solution is pretty similar to others. There wasn't anything that was so startlingly different it would make us want to stay.

View full review »
VS
Senior Manager Cyber Security at a tech services company with 201-500 employees

Veracode's policy reporting, which ensures compliance with industry standards and regulations, is valuable. It would also be helpful to have a specific example that we can relate to in order to better understand it. Currently, the information is scattered, so precision would greatly assist us.

Veracode can be improved in terms of software composition analysis and related vulnerabilities. For instance, when an application team provides us with their software code, we perform code scanning. During this process, we often encounter software composition analysis vulnerabilities that require the application team to upgrade their Java file from version X to version Y. We then communicate this to the application team, and they proceed with the upgrade. Once the upgrade is complete, we conduct a rescan. However, during the rescan, Veracode may identify compatibility issues with the upgraded version Y. This situation puts the application team in a difficult position, as they may be unable to accommodate this change within their project schedule. Therefore, this is an area where I believe Veracode could make improvements.

The technical consultation can be enhanced to effectively address the communication variations among different regions.

View full review »
RR
Founder & CEO at a healthcare company with 1-10 employees

I would suggest charging the developer for training, as it's not very expensive.

Only charge for developer training because it's a service you give now and they may need to be technical support. 

It costs them money to do that, but with the technology, an incremental user is negligible incremental costs, which doesn't really cost them. That's software economics.

I would like to see them only charge for developer training for the qualified startups and start charging for the licensing once the product goes into production, and available.

View full review »
AB
Principle Consultant at a tech services company with 11-50 employees

Most of our time is spent configuring the SAST and SCA tools. I would consider that one of the weak points of the product. Otherwise, once the product is set up on the computer, it is fairly fast.

Like many tools, Veracode has a good number of false positives. However, there are no tools at this point in the market that they can understand the scope of an application. For example, if I have an application with only internal APIs and no UI, Veracode can detect that. It might detect that the HTML bodies of the requests are not sanitized, so it would then be prone to cross-site injections and SQL injections. But, in reality, that is a false positive. It will be almost impossible for a tool to understand the scope unless we start using machine learning and AI. So, it's inevitable at this point that there are false positives. Obviously, that doesn't make the developers happy, but I don't think there is another way around this, but it is not just because of Veracode. It's just the nature of the problem, which cannot be solved with current technologies. 

Once we explain to the developers why there are false positives, they understand. In Veracode, embedded features (where there are false positives) can be flagged as such. So, next time that they run the same scan, the same "vulnerability" will be still flagged as a false positive. Therefore, it's not that bad from that point of view.

Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of the false positive, it would be highly desirable if the false positive don't show up again on the UI, instead still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided. However, that is not necessarily a shortcoming of the product. I think it's more of a shortcoming of the UI. It's just the way it's visualized. However, going forward, I personally don't want to see any more vulnerabilities that I already flagged as a false positive.

It does take some time to understand the way the product works and be able to configure it properly. Veracode is aware of that. Because the SCA tools are actually a company that they acquired, SourceClear, the SCA tool and SAST tool are not completely integrated at this point. You are still dealing with two separate products, which can cause some headaches. I did have a conversation with the Veracode development team not too long ago where I voiced my concerns. They acknowledged that they're working on this and are aware of it. Developers have limited amounts of time dedicated to learning how to use a tool. So, they need quite a bit of help, especially when we're talking about this type of integration between the SAST and SCA. I would really like to see better integration between the SAST and SCA.

View full review »
it_user831864 - PeerSpot reviewer
Application & Product Security Manager at a insurance company with 1,001-5,000 employees
  • Better APIs
  • Reporting that I can easily query through the APIs
  • Preferably, a license model that I can predict

It would save us time when integrating with the APIs. Difficult APIs are annoying to work with and we have to trial/error our way through the integrations. The more straightforward and friendly they are, the less we have to trial/error.

View full review »
MT
Software Architect at Alfresco Software

What could improve a lot is the user interface because it's quite dated. And in general, as we are heavy users of GitHub, the integration with the user interface of GitHub could be improved as well. 

There is also room for improvement in the reporting in conjunction with releases. Every time we release software to the outside world, we also need to provide an inventory of the libraries that we are using, with the current state of vulnerabilities, so that it is clear. And if we can't upgrade a library, we need to document a workaround and that we are not really touched by the vulnerability. For all of this reporting, the product could offer a little bit more in that direction. Otherwise, we just use information and we drop these reports manually.

Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access.

Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA. It provides visibility into the SAST, DAST and SCA, but honestly, all the information then travels outside of the system and it goes to JIRA.

In the end, we are an enterprise software company and we have some products that are not as modern as others. So we are used to user interfaces that are not great. But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated.

Also, we're not using the pipeline scan. We upload using the Java API agent and do a standard scan. We don't use the pipeline scan because it only has output on the user interface and it gets lost. When we do it as part of our CI process, all the results are only available in the log of the CI. In our case we are using Travis, and it requires someone to go there and check things in the build logs. That's an area where the product could improve, because if this information was surfaced, say, in the checks of the code we test on GitHub—as happens with other static analysis tools that we use on our code that check for syntax errors and mapping—in that case, it would be much more usable. As it is, it is not enough.

The management of the false positives is better than in other tools, but still could improve in terms of usability, especially when working with multiple branches. Some of the issues that we had already marked as "To be ignored" because they were either false positives or just not applicable in our context come down, again, to the problem of the user interface. It should have been better thought out to make it easier for someone who is reviewing the list of the findings to mark the false positives easily. For example, there were some vulnerabilities mentioning parts of libraries that we weren't actually using, even if we were including them for different reasons, and in that case we just ignore those items.

We have reported all of these things to product management because we have direct contact with Veracode, and hopefully they are going to be fixed. Obviously, these are things that will improve the usability of the product and are really needed. I'm totally happy to help them and support them in going in the right direction, meaning the right direction from my perspective.

View full review »
MS
Executive Director at Parthenon-EY
  • More timely support for newer languages and framework versions.  
  • Integration with Slack is another request from our developers.
View full review »
it_user873351 - PeerSpot reviewer
CISO at Laboratory Corporation of America Holdings

As we move to more of a mobile space, much of the code was developed on desktops, mobile laptops, and things. Mobile apps run differently and they have a different runtime. Chris Wysopal and I have talked several times over the past few years about how to address that. I'm not sure that there is a good answer yet, because it is so complex. But I'm pretty sure with Chris' track record that they are going to come up with a very good way to do that in the near future.

View full review »
it_user836430 - PeerSpot reviewer
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees

Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year.

That would probably be the biggest area, access to more granular data that we could pull and use on a regular basis. Better dashboards. That kind of information.

View full review »
it_user778905 - PeerSpot reviewer
Technical Director at a financial services firm with 1,001-5,000 employees

I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline.

View full review »
YT
R&D Director at a computer software company with 201-500 employees

We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it.

View full review »
Christian Camerlengo - PeerSpot reviewer
Senior Programmer/Analyst at a financial services firm with 10,001+ employees

The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there.

View full review »
MV
Cybersecurity Expert at PSYND

They should invest in mobile security.

View full review »
SH
Chief Information Security Officer with 501-1,000 employees

I attended a meeting of one of the security organizations I am associated with. At the meeting were security professionals from several major retail companies. The topic of discussion happened to be application development security. When the question was asked concerning what tools are being used, many of these major retail companies said they are using Veracode. However, they were quick to comment that the product is too expensive and that there are too many false positives which take too much time to remediate.

View full review »
SK
Director Software Engineering at a tech services company with 51-200 employees

We use Ruby on Rails and we still don't have any support for that from Veracode.

The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity.

View full review »
DA
DevOps and Cloud Architect at a hospitality company with 1-10 employees

Security can always be improved. I'd like to know how we can better prevent intrusions to our systems and create risk analysis use cases and understand them. What is the level of risk for what we want to do? How can we understand the process better? I'd like to have a better overview of what's going on. 

View full review »
Raj Nachiappan - PeerSpot reviewer
Director of Solutions Architecture at VetsEZ

The runtime code analysis could be improved so that we can see every element in one place.

View full review »
BM
Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees

The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes.

Also the Greenlight product that integrates into the IDE is not available for PHP, which is our primary language.

View full review »
it_user779082 - PeerSpot reviewer
Senior Information Security Program Manager at a financial services firm with 10,001+ employees

I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams. We would be able to scan our applications, identify the vulnerabilities, not generate metrics, which would allow the teams to address the vulnerabilities earlier in the cycle, and then have cleaner scans later on.

Also, I would maybe like to see a better report engine.

View full review »
Jesus Montes Ceron - PeerSpot reviewer
Architect of solutions at IPComMx

There is room for improvement in documentation. Maybe the documentation about how to configure something. It is difficult to get the expected result. 

View full review »
JS
Senior Software Developer at a pharma/biotech company with 201-500 employees

It can have more APIs and capabilities to handle other things well. We were doing a trial for it. There were two things that I looked at: one was uploading some Java-related content and the other was uploading database SQL files and having the review done on the quarterback. 

The Java portion of it worked fine, and it was pretty seamless, but the database portion was not. We uploaded some files to use for vulnerabilities, and the tell-all portion of it was pretty easy. We uploaded a war file and Java files, and we got the reports back on these. They were pretty clear to understand. We did the same thing for the database portion for the most part. However, the content wasn't getting uploaded in a predictable fashion, and it was slow and hard to get done. We had to do it over and over. After it indicated that the content was uploaded, there were no results. There were zero search findings. It was possibly a user error, something that we didn't do correctly, but they had acknowledged that it was something they were currently enhancing. This is something that could be made easier if they haven't already done that. I don't know how many releases they've had in that timeframe. I haven't looked at it since then. It was a trial period.

View full review »
it_user673734 - PeerSpot reviewer
Chief Technology Officer at a tech vendor with 201-500 employees

We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time.

View full review »
EP
Professor at BitBrainery University
  • Management of false positives
  • Agile best practices: Violation detection.
  • Support for more programming languages, like SQL.
  • Support for more frameworks for Java: .NET, Python, PHP, C, and C++.
View full review »
it_user866175 - PeerSpot reviewer
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees

The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well.

I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that timeframe, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better.

View full review »
it_user797976 - PeerSpot reviewer
Global Application Security at a pharma/biotech company with 10,001+ employees

They've improved the speed of the inspection process.

I'd never want the inspection process to become something that's suspect. False positives would diminish confidence in the results; if we don't continue to focus on reducing false positives... that is number one.

The on-platform reporting needs to be opened up much more. We'd like to be able to look at the inspection data from a trending perspective in a much more open manner. I need to be able to sort and filter much more flexibly than I can today. I don't have the on-platform flexibility to sort and filter inspection data, and that's not good.

Another thing I need is continued support for the new languages today that are popular. Most of them are scripting languages more so than real, fourth-generation, commercial grade stuff; we're evolving. Most applications are using so much open-source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories. Currently, I have to have another supplier in my tool chain and that means I have to extract data from different tool repositories to see one holistic picture of security quality, risks, and vulnerabilities. It would be great if I could see it all in one place, but I have to harvest the information from Veracode, harvest information from Rapid7, harvest information from Sonatype, just so that I can get a good, round perspective of where my first-party and third-party code, and the components in the dependent libraries, are in terms of weaknesses, risks, and vulnerabilities. That's a burdensome activity. 

If Veracode spent more time providing more plug-ins to other competitors' environments, or provided very open APIs so we could harvest data, bring it into one lens so that we can look at the security inspection data through one set of dashboards, it would provide a lot more value from a governance perspective. 

View full review »
SeshagiriSriram - PeerSpot reviewer
Head IT Architecture at a tech vendor with 11-50 employees

Technically there is nothing wrong with Veracode. The only issue that we have is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. 

One of the things that we have from a reporting point of view, is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don’t have the greatest security features but those are usually minor and we don’t want to see those types of notifications. So we would like to see a kind of a graphical representation of the problem areas. I would like to know which file is the biggest source of issues for me so that I can focus on resolving the issue, as a project manager. With how it is now, I am able to do this but I have to take out the whole PDF file and extract it. It takes up a lot of my time. I would like to see better strategic reporting. It would be great to get better graphical reporting.

View full review »
it_user797976 - PeerSpot reviewer
Global Application Security at a pharma/biotech company with 10,001+ employees

Number one, I need analytics, analytics, and more analytics. It is all about risk based management and better decision support, that is why. 

View full review »
RO
IT security architect at a consumer goods company with 10,001+ employees

The solution could improve the Dynamic Analysis Security Testing(DAST).

There could be better support for different languages. It is very difficult in some languages to prepare the solution for the static analysis and this procedure is really hard for a pipeline, such as GitHub. They should make it easy to scan projects for any language like they do in other vendors, such as Checkmarx.

We have found there are a lot of false positives and the severity rating we have been receiving has been different compared to other vendor's solutions. For example, in Veracode, we receive a rating of low but in others solutions, we receive a rating of high when doing the glitch analysis.

View full review »
SS
Head Of Information Security at a media company with 51-200 employees

The efficiency of Veracode is fine when it comes to creating secure software, but it tends to raise a lot of false positives. It will tell you about a lot of issues that might be hard for an attacker to actually manipulate. Because of that it's very difficult, sometimes, to sort through all of the findings and figure out what you actually ought to pay attention to. Maybe calling them false positives isn't entirely accurate. There were a lot of things that it would raise that were accurate, but we just didn't consider them terribly important to address because it would be very hard for an attacker to actually use them to do anything bad. I think it frustrated the engineers at times. 

Also, the policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs.

We couldn't make it stop. We tried tuning the policies. We had several meetings with the Veracode team to get their feedback on how we could tune the policies to quiet some of these things down and nothing ever resulted in that. Ultimately we couldn't stop some of these alerts from coming out.

Even stranger, for some of the issues raised, such as the ones that were in the vendor code base, we would put the status in Veracode that we communicated this to the vendor, but then, the next time the scan was run, it would find the same issue. One time it would respect that update and the next time, afterwards, it wouldn't respect it and it would generate the issue again. It was really weird. It was reopening the issues, even though they should have been in a "closed" state.

Another significant area for improvement is that their scanning had a lot of problems over this last year. One of the biggest problems was at first it wasn't able to read packaged Go. When I say packaged Go, I mean packaged the way the Go programming language says you're supposed to package Go to deploy the software, when you're using multiple build modules together to make an app. That's a totally normal thing to do, but Veracode was not able to dig into the packages and the sub-modules and scan all the code. It could only scan top-level code.

Once they fixed that problem, which took them until August, we found that it kept reporting that there were no problems at all in our Go code base. That was even scarier because it would usually give all these false positives on our other repositories. I had the application security engineer write a bunch of known defects into some Go code and push it in there and scan it, and it didn't raise anything with any of that. They're advertising that they have a Go scanner, but it doesn't actually function. If our company was going to continue in business, I would have asked them for a refund on the license for the Go scanner at our next renewal, but since we're going out of business, I'm not renewing.

I would also love to see them make it easier to debug the JIRA integration. Right now, all of the logs that are generated from the JIRA integration are only visible to the Veracode engineering team. If you need to debug this integration, you have to have a live meeting with them while they watch the debug messages. It's utterly ridiculous. Their employees are really nice, and I appreciate that they would go through this trouble with me, but I think it's terrible that we have to bother them to do that.

View full review »
EC
AVP, IS Manager at a financial services firm with 1,001-5,000 employees

We would like to see improvement in reporting, in particular, end dates on mitigations.

View full review »
it_user854784 - PeerSpot reviewer
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees

It's really hard to criticize something that has become somewhat seamless for us. If they wanted to expand their capabilities into other areas of security, that would be fine. They're a very knowledgeable group of people. We do meetings with them on a pretty regular basis. We gain insights from their perspectives.

To me, if they just broadened their footprint into the areas that their feet feel comfortable going into, we'd have no problem pursuing that.

View full review »
it_user335091 - PeerSpot reviewer
Senior Security Consultant at a retailer with 1,001-5,000 employees

It's been over a year since I used the product. But when I did, I found there were too many false positives.

View full review »
MW
Managing Director at Harrods

The solution currently does not support Dynamic Application Security Testing which is an important facet of application security testing. In addition, the current version of the application does not support testing for API.

View full review »
it_user842937 - PeerSpot reviewer
Systems Architect at a tech vendor with 201-500 employees

From a technical standpoint, I'm pretty happy with everything. The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something have on their roadmap.

Other than that, I don't really get too involved in the cost sides of things that's in my job, I'm more of a technical focus, but I have heard from my manager and a couple other people that the solution is quite expensive. So that is possibly one factor that could turn somebody away from Veracode. But, like I said, I really don't know much more about that. Technically, I'm very impressed and happy with what they've had to offer.

View full review »
it_user877104 - PeerSpot reviewer
VP Worldwide Delivery Acceleration at a financial services firm

Some important languages are not supported.

View full review »
it_user854049 - PeerSpot reviewer
Chief Compliance Officer at a financial services firm with 51-200 employees
  • Entering comments for internal tracking
  • Entering a priority
  • Reports that show the above
View full review »
it_user873348 - PeerSpot reviewer
VP at a non-tech company with 11-50 employees

More integration into the specific application; an open API would be good. Aside from that, I think they do a really good job in terms of the features they have. 

View full review »
HB
Software Engineer at a tech services company with 1,001-5,000 employees

I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help. 

I would also like to see more integration with other frameworks. There were some .NET Core versions that weren't supported back when we started, but now they're providing more support for it.

View full review »
it_user873345 - PeerSpot reviewer
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees

Speed. When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code. In our case, we have quite a bit of older code. It takes some time to get through.

View full review »
it_user846645 - PeerSpot reviewer
VP Development

Going through the mitigation is probably the hardest thing to do and that's still an ongoing process. If there is a code issue to mitigate, it sometimes takes a little bit longer than what you would think. It might not be anything that they're doing. It's just their engine is changing and our code is changing so we have two things moving. We get a good score one time, scan it again on a new release and the score drops because the engine is picking up more things. I don't know if they could do anything about that. It's just one of those things you might just have to live with.

View full review »
it_user837504 - PeerSpot reviewer
Information Technology at a insurance company with 51-200 employees

It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help (but not now, now that I've learned it).

View full review »
AE
Enterprise Architect at a computer software company with 1-10 employees

The licensing model could be improved. 

If they can provide an automatic upload model, that would be really good. Right now we have to upload the NK bucket hosting to get through the analysis. That is kind of cumbersome.

The documentation is poor and the technical support isn't helpful.

View full review »
it_user852402 - PeerSpot reviewer
Software Security Consultant at DXC Technology

It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack.

View full review »
it_user835104 - PeerSpot reviewer
Project Manager at a tech vendor with 501-1,000 employees

Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.

View full review »
VV
Senior Project Manager at a computer software company with 501-1,000 employees

The reports on offer are too verbose. They might want to consider t restructuring their reports to better give a very good summary or overview in the first five or so pages and then go ahead and drill into the details of each and every vulnerability beyond that.

The documentation could be improved. They could, for example, provide more details in terms of how to fix issues related to sign-ups. There isn't enough detailed information out there to assist users.

View full review »
Raj Nachiappan - PeerSpot reviewer
Director of Solutions Architecture at VetsEZ

It takes a while to get a response to the software composition analysis. It is within an acceptable range but it could still be improved.

In the future, I would like to see the RASP capability built-in.

View full review »
AK
Global Presales Head - Security Assurance at Wipro Technologies

Veracode should provide support to more software languages, like ABAP.

View full review »
it_user833553 - PeerSpot reviewer
CISSP, CISM at a tech services company with 1,001-5,000 employees

I think they are doing pretty well. It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo. I think that's a real good idea.

View full review »
it_user697020 - PeerSpot reviewer
Software Developer/Architect at a insurance company with 201-500 employees

The current features were enough for us. Although reports are well documented, it was difficult for us to understand them at first.

View full review »
AM
Chief Executive Officer at Cybrella

There needs to be better API integration to the development team's pipeline, which is something that is missing and needs to be improved.

View full review »
reviewer1359297 - PeerSpot reviewer
Software Engineer at a financial services firm with 501-1,000 employees

I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan. For instance, we have CI scans that run automatically, and sometimes the files don't get upload and/or processed by Veracode. Now, there's a static scan that hasn't been completed, which blocks all future scans. The only way we know this is an issue is going into the Web UI, check each application, and look for stalled scans. This is time-consuming and frustrating.

View full review »
it_user854052 - PeerSpot reviewer
Head of Technology. at a tech services company with 11-50 employees

Mitigation review isn't always super easy.

View full review »
it_user542859 - PeerSpot reviewer
Security Consultant at a tech company with 501-1,000 employees

I would like to see the following:

  • Correction of the regularly received false positives
  • Options to manage comments and mitigations
  • Better UI functionality
View full review »
it_user841116 - PeerSpot reviewer
Information Security Lead Analyst at a consumer goods company with 10,001+ employees

It's a pretty dynamic product. It's changing all the time and improving.

View full review »
JB
Team Lead / Architect at a tech services company with 1,001-5,000 employees

They should improve on the static scanning time.

View full review »
it_user873405 - PeerSpot reviewer
Lead Security Engineer at a tech vendor with 201-500 employees

Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries.

View full review »
it_user920715 - PeerSpot reviewer
Managing Principal Consultant at a tech vendor with 11-50 employees

This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages.

Specifically, I would like to see support for mobile frameworks like Xaramin and React JS, as well as extended support for iOS applications.

View full review »
AC
Associate Consultant at a comms service provider with 201-500 employees

A high number of false positives are reported and this should be reduced.

View full review »
it_user833550 - PeerSpot reviewer
VP of Services at a tech vendor with 51-200 employees

The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.

View full review »
it_user802140 - PeerSpot reviewer
Product Manager at GMS

All areas of the solution could use some improvement.

View full review »
it_user854046 - PeerSpot reviewer
DevOps Release Engineer at a tech services company with 51-200 employees
  • The user interface could be more sleek.
  • Some scanning requirements aren't flexible.
  • Some features take some time for new users to understand (like what exactly "modules" are).
View full review »
reviewer1360623 - PeerSpot reviewer
VP Engineering at a tech services company with 201-500 employees

It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.  

View full review »
it_user712167 - PeerSpot reviewer
General Manager - Application Security at a tech consulting company with 51-200 employees

It needs to reach the level of Checkmarx's and Fortify Software's capabilities and service levels, or may further loosen the market share.

View full review »
Buyer's Guide
Veracode
March 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.