Veracode Other Advice

Kyle Engibous
Systems Architect at a tech vendor with 201-500 employees
I would advise that you figure out a way to integrate it into your software development lifecycle in a way that is not intrusive to your developers. That was really something that I set out to do. I didn't want my developers to have to go into their code, kick off scans, and upload their code. So, I would really suggest looking at your integrations, your JIRA, your Jenkins, all of your add-ons, and hopefully that fits into the SDLC process, and then automating via their API. Essentially, what we were able to achieve is that my developers still live within JIRA, the issues get opened from Veracode into JIRA, and they work on things that way. They can remediate it, kick it that way, and if they need to they can log into Veracode. But I'd suggest making the SDLC process as integrated as you can, so that it is something developers aren't having to spend a lot of time on every day. Overall, I would give Veracode a nine out of 10, just because nothing is perfect. But it does everything for us and it was so painless. I speak very highly of it for those reasons. I would highly recommend CA Veracode. Every engineer that I've dealt with has been really sharp. The review process they have is really good and the knowledge they have has been tremendous. I really recommend working with them.
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
We recommend Veracode to colleagues all the time. I'd give the advice of not getting hung up on trying to compare the static scanning to the dynamic scanning; that's number one. Don't even compare them. If you're doing neither, do static first. It'll get the majority of your exposures addressed. Then you come in, in a second round, and do dynamic. Dynamic really becomes more of a confirmation of security. The other piece of advice I'd give is to "follow the directions." Make sure they understand how they're supposed to compile code. Take the advice of the program management team with their code, follow their lead, and you'll come out in a very good position very quickly. I'd give Veracode a 10 out of 10 because the rate at which we gained control of our security posture, from a development perspective, was fast. There is a lack of wasted time in our developer organization in chasing down erroneously reported vulnerabilities. The number of erroneously reported vulnerabilities is very low, and that means that our developer time is very effective as we investigate a reported issue. As I said, there's a 96 to 98 percent probability that it is real. So our developers gain confidence and don't second-guess the results. The level of detail that we are provided for a given vulnerability - the data path that it follows, the precision with which the justification is provided - is very high. Again, you're highly confident in the result. You are provided a tremendous amount of detail about the vulnerability it found. And the rate at which you can ramp up and be productive is very fast.
Sebastian Toma
Engineering Security Manager at Nextiva
If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode is pretty straightforward to use and the support is really good. We don't have a lot of complaints about that. I don't know how the pricing model is going to change the actual price of the application. On a per-license basis, Veracode has a very lucrative way of doing business. I don't think a big company that has a lot of services and applications would enjoy paying upwards of $200,000 per year to scan all their code. Prospective customers should look at how the pricing model affects them, especially if they are in a microservice type of architecture or if they are moving towards something like that. I would rate Veracode an eight out of ten just based on the experience that we had over the past two years. The reason it's not ten is because of the ways these tools integrate. That rating is at risk of becoming a seven now with the pricing model changing. Veracode is probably not going to be that attractive anymore compared to other competitors. We knew other competitors were more expensive. The reason that we didn't go with them was that Veracode was very straightforward.
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
My advice is what I mentioned in the pricing/licensing section above: you really need to understand what it is you are looking to do. Also, take into account data sensitivity for the applications. It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications. Understand which are your critical apps that deal with critical, very sensitive data, and then apply a more rigorous scan model to them, versus internal applications that perhaps don't deal with as much PII, with as much sensitive information, and aren't available to the outside world. Those might have a lower risk footprint. Understand that, so when your developers go in there you are not treating every single thing like it is a public-facing, client-data-gathering, credit-card-processing web app. That way your developers can prioritize what they need to work on, so that you are delivering the right metrics to your leadership. You really need to understand that strategy going in, because the tool is not going to help you determine that. The tool is only going to help you scan. The only reason I don't rate it a nine or a 10 out of 10 is because we haven't hit those scalability roadblocks yet. I know we might have some challenges in the future, but I would say eight out of 10 is an incredibly good score for a product like this. If you were just asking me about the support and the people behind it, I would rate that a nine or a 10. If you bundle it all together it's an eight. I recommend CA Veracode to colleagues all the time.
Chief Information Security Officer with 501-1,000 employees
I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool. I really like Veracode. That is one of the reasons that we brought them onboard ten years ago. Of course, they were new back then. The different aspects of the offerings that Veracode provides to their customers are somewhat unique and, right now, I couldn't ask another thing from them. We have approximately 30 Java developers and four or five testers. There are also project managers using it. We have one person who manages running of the scans and that person might have one or two other people to help. We haven't really been utilizing it to its full potential. We probably utilize it once or twice per quarter. We are planning to increase the capacity that we've purchased. However, we're getting ready to elect a new governor in Ohio. With that election, things will change, according to his or her desires. Right now, we're in a holding pattern waiting for November to come and go. In terms of integrating the solution into our existing software development lifecycle, because we started so long ago - before the software development lifecycle was fully implemented - we were doing Veracode testing just because it was a good idea. Then we actually developed a lifecycle. We got into scrums and it just naturally worked its way in, so when we actually hired a testing group, Veracode was already a part of the process.
Global Application Security at a pharma/biotech company with 10,001+ employees
I hold Veracode in high regard. It's a good organization to work with, and it's a very conscientious organization. I'm always a recommender of the solution set.
Dave Cheli
Chief Technology Officer
CA Veracode provides application security (AppSec) best practices and guidance to our teams in a couple of ways. First of all, they have an e-learning module with courses that we have required our developers to take. That's a best practice. Secondly, when we do have errors, Veracode's consultants are always available to help us either mitigate the error, or provide technical assistance on pointing out exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are. They also have what's called Software Composition Analysis, which can point out errors and fixes for third-party software frameworks, which is very nice. The list goes on... And again, having received, early on, education from them on how best to integrate this in the workflow, those are areas where we've relied on best practices from Veracode. I'm in healthcare, and it's very important - and I'm sure in other industries just as well - but the stakes are very high. If we get hacked, if there's a data breach, it could put us out of business. It's a very good price point for a small company to have these kinds of capabilities, something we can afford for our application. I am very likely to recommend it to colleagues. As I mentioned, I brought it to this company, and I've already recommended and provided references to a few other companies over the last couple of years.
Associate Director
I would rate the product as an eight out of 10 for recommending it to colleagues. I would rate the overall product as a seven out of 10.
Information Technology at an insurance company with 51-200 employees
In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward to doing it, starting with the next app that gets developed from scratch. CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a credible set of rules for Veracode policy, all this at no additional cost. As Veracode licensing is generally time-related, I suggest you start the subscription once everything is ready for consumption, assign a specific person to it, and declare it mandatory at the policy level. Losing two months of great value because the devs are too busy, or because they think they don't need it, or they fear the results, or because no one is taking charge of the Veracode process, is really a pity. Once the clock starts ticking, try to take advantage of it as much as you can. I would recommend Veracode to anyone involved in high-risk environments.
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
In terms of Veracode providing AppSec (application security) best practices and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not really have before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half. The advice I'd give is look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good for your company. If you aren't currently doing this kind of analysis on your code, I would take a strong look at whether this is something that you really should be doing. It's a different world out there right now. I would recommend Veracode very highly, especially since the program management staff that I work with from Veracode are some of the best people that I've worked with in this industry.
Suzan Nascimento
SVP Application Security at a financial services firm with 10,001+ employees
I would give Veracode a nine out of 10 because it scales incredibly well, and they have very qualified people working there who are able to clearly articulate what the problems are when they are talking in a remediation or consultation call. They are very knowledgeable, and they are not condescending when they talk to a developer. The tool is very easy to consume. It's not like looking at a 20-page menu at a restaurant; it's very simple to digest. They have a lot of API connectors, they cover a lot of languages, and it just scales. You can't beat that. Finally, the relationship with them is great.
CISO at Laboratory Corporation of America Holdings
On the rating scale, is there anything above 10? If there are no ones and tens, it would be the closest to 10. They have always been supportive. We have had to change, do course corrections during implementations, or particular types of coding. I have just never had a problem. My loyalty to the product has been primarily due to the service and the expedience with which they solve any problems we have.
Dennis Miller
VP Development
I am highly likely to recommend Veracode to colleagues. Make sure, once you scan and find issues with your code, that the developers know how to remediate those issues so they don't go through them again. It's going to take some time to get through your first set of scans and mitigations. Fixing your code is not straightforward. But once you do that and implement it back through your whole development cycle, they identify the issues and it's very easy to fix them, once you know and have gone through it once.
Tim Jee
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
I give Veracode a solid nine out of 10 because it is a full-featured product. It is not just something that they are selling to you and then leaving you to figure out how to use it. They actually help you every single step of the way and they want to show you how to do it. Their testers, their application security consultants, really help you and help educate the developers. They walk you through every step of the way.
Divakar Rai
Senior Solutions Architect at NessPRO Italy
When it comes to DevSecOps, in the industry it is still under adoption. With the advent of the cloud and code being there, or on other public platforms, many people have embraced it or are in the process of doing so. My advice for anybody interested in implementing this solution is to be really careful when choosing your tools. Be very proactive and up-front on the requirements of your systems, because no tool is perfect. You need to find the best fit for each particular use case. I would do a thorough analysis. As a solution architect, I do small POCs and run initiatives on products to find out various aspects. For example, the technical feasibility of the product is an important aspect. Other important ones are usability, testing, and implementation. Normally, I select at least three products and do a comparative analysis based on the POC. After this, I recommend a particular solution. I would recommend Veracode. There are pluses and minuses to this solution, but given the chance to use it again I would definitely do so. Every product has its own flaws, but for my use case, it did fit very well. I would rate this solution an eight and a half out of ten.
Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
I would definitely recommend CA Veracode. Just make sure you define a process for your developers prior to implementing the technology.
Technical Director at a financial services firm with 1,001-5,000 employees
The most important criteria when selecting a vendor are reliability and customer service. Take advantage of all of the help that Veracode provides, for implementation, operations, and maintenance, because they absolutely know what they're doing.
Information Security Lead Analyst at a consumer goods company with 10,001+ employees
I recommend it all the time. It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection. I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourage its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.
VP of Services at a tech vendor with 51-200 employees
I would be highly likely to recommend working with CA Veracode to colleagues. I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do. Just be prepared that it's going to take effort from all aspects of the business to be able to utilize it and achieve the goal that you're looking to achieve with the product.
Mike McAlpen
CISSP, CISM at a tech services company with 1,001-5,000 employees
I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion. We are a good customer and have been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.
Application & Product Security Manager at an insurance company with 1,001-5,000 employees
Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that. The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides. In terms of advice to others looking into implementing this project, I would say don't use the UI, and do what you can to have license conversations up front. It depends on the use case and budget, but I would recommend CA Veracode to colleagues.
Rick Spickelmier
Chief Technology Officer at a tech vendor with 201-500 employees
Be aware that the first run will find a lot of issues, many of which are not real issues; it will take time to understand that. Don't change object names as that will confuse it. Make sure you get development buy-in early. We're looking to expand its use within the development organization and are looking into another license. Currently, we have four users of the solution: myself (security) and developers. The four of us also maintain it.
Elina Petrovna
Professor at a government organization with 51-200 employees
I wish Veracode support had more SDLC integration tools.
Israel Varela
VP Sales at a non-tech company with 11-50 employees
For us, whenever we are selecting a partner, vendors to work with who are going to be working with our customers, we have to make sure that they align regarding customer support philosophy, and that is the reason we selected to work with Veracode. I would definitely rate Veracode a 10 out of 10, based on our customer feedback. Whenever we know the relationship is going well between Veracode and our customers, it reflects very well on us.
Siddharth Kundalkar
Director Software Engineering at a tech services company with 51-200 employees
We have made process changes and improvements, although Veracode is not tightly integrated into our CI/CD platform yet. I am very likely to recommend to colleagues that they work with CA Veracode.
Managing Principal Consultant at a tech vendor with 11-50 employees
My advice for anybody who is interested in implementing this solution is to ensure that your technology is actually supported, because the coverage is quite patchy. It is possible that if you use a framework or a language that Veracode does not support, then it will give quite poor results. I would rate this solution a six out of ten.
Chief Compliance Officer at a financial services firm with 51-200 employees
Have them guide you through your first scan - make sure to add hours to your initial contract for that. I am very likely to recommend Veracode to colleagues.
Project Manager at a tech vendor with 501-1,000 employees
When asked, we let our customers and partners know that we use Veracode and that we are happy with it.
Efe Oral
Software Developer/Architect at an insurance company with 201-500 employees
If it's the first time you are using a security application, be ready for some new tools, which will require you to revitalize the flaws reported. Reports are very well documented. Once you understand what it means and you get used to it, you will see that it is detailed and clearly explained.
Global Application Security at a pharma/biotech company with 10,001+ employees
I never give 10s. I would give it a nine. It does nearly everything but penetration testing. It covers such a broad breadth of our portfolio. In our business, we have applications written in so many different languages. Finding something that can consistently scan and not generate false positives across the paradigm or the whole ecosystem of languages, that is impressive. It is the speed of inspection, the accuracy of the inspection outcomes, and frankly, it has fairly good business analytics embedded on the platform. So, it does a lot more for us than not.
Evan Christoe
AVP, IS Manager with 1,001-5,000 employees
I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added. We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.
Terry Chu
DevOps Release Engineer at a tech services company with 51-200 employees
I am very likely to recommend Veracode to colleagues. Veracode is great.
Head of Technology at a tech services company with 11-50 employees
Do your research, and make sure you implement the tools you need. I am very likely to recommend Veracode to a colleague.
Lead Security Engineer at a tech vendor with 201-500 employees
Implement this solution if you see WAF and SOC in your future.
VP Worldwide Delivery Acceleration at a financial services firm
Make sure the supported languages align with your developers.