Veracode Pros and Cons

Veracode Pros

Directord98b
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
Valuable features for us are the static scanning of the software, which is very important to us; the ability to set policy profiles that are specific to us; and the software composition analysis, which gives us reports on known vulnerabilities from our third-party components.
Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation.
That it is a cloud-based solution is very valuable to us. We don't need that hardware running our scans and hosting the environment to be scanned. Also, the technology, the static scanning versus dynamic scanning produces a much better result, a more accurate result.
View full review »
Sebastian Toma
Engineering Security Manager at Nextiva
We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle.
View full review »
Informat5dbf
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
The developers' awareness of the security weaknesses within their code has improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with.
The one thing we really liked about Veracode when we got it was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developer.
It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications.
View full review »
Find out what your peers are saying about Veracode, SonarQube, Micro Focus and others in Application Security. Updated: March 2020.
406,607 professionals have used our research since 2012.
ChiefInfaf47
Chief Information Security Officer with 501-1,000 employees
One of the valuable features is that it gives us the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important.
View full review »
GL32aS
Global Application Security at a pharma/biotech company with 10,001+ employees
The Static and Dynamic Analysis capabilities are very valuable to us. They've improved the speed of the inspection process.
View full review »
Associat7de6
Associate Director
The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process.
It provides security of different Shadow IT activities in our environment, especially around application development and website hosting.
View full review »
Suzan Nascimento
SVP Application Security at a financial services firm with 10,001+ employees
The most valuable feature is the remediation consulting that they give. I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen.
One of the best things they offer is the scalability. The fact that you can work with it through the cloud means that if you have unintegrated business units, you don't have to worry about having a solution on-prem and having the network connection; you don't have to worry about giving up source code, you are just sending your binary files for most of the applications. So it scales much faster.
View full review »
JimNelms
CISO at Laboratory Corporation of America Holdings
I don't have to have a team of developers behind me that keep up with all the latest threats because the subscription service they provide for me does that.
View full review »
Tim Jee
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire portfolio of applications I have in this program, and I can report out on it.
View full review »
Divakar Rai
Senior Solutions Architect at NessPRO Italy
I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.
View full review »

Veracode Cons

Sebastian Toma
Engineering Security Manager at Nextiva
Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis.
View full review »
Informat5dbf
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well.
I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that time frame, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better.
View full review »
GL32aS
Global Application Security at a pharma/biotech company with 10,001+ employees
In some cases we use their APIs; they're not as rich as I would like.
The on-platform reporting needs to be opened up much more. We'd like to be able to look at the inspection data from a trending perspective in a much more open manner. I need to be able to sort and filter much more flexibly than I can today.
Another thing I need is continued support for the new languages that are popular today. Most of them are scripting languages more so than real, fourth-generation, commercial-grade stuff; we're evolving. Most applications are using so much open source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories.
View full review »
Associat7de6
Associate Director
We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass.
Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a long time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight.
View full review »
Suzan Nascimento
SVP Application Security at a financial services firm with 10,001+ employees
I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment.
They cover a lot of languages already, and it doesn't make sense for them to cover legacy languages, but I know there is a need for covering legacy languages.
View full review »
Tim Jee
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code; it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little longer, especially legacy code.
View full review »
Divakar Rai
Senior Solutions Architect at NessPRO Italy
Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.
View full review »
SeshagiriSriram
Vice President of Technology at TKM INFOTECH
One of the things that we have from a reporting point of view is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don't have the greatest security features, but those are usually minor and we don't want to see those types of notifications.
View full review »
Rick Spickelmier
Chief Technology Officer at a tech vendor with 201-500 employees
We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time.
View full review »
Elina Petrovna
Professor at BitBrainery University
It could be improved with support for more programming languages, like SQL.
View full review »