Veracode Pros and Cons

Veracode Pros

Kyle Engibous
Systems Architect at a tech vendor with 201-500 employees
With the tools that Veracode provides, our developers are actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers.
The most important feature is the static scanning analysis, and the reason is that it can tell us the vulnerabilities in that code, right before we go ahead and push something to production or provide something to a client... Dynamic scanning actually hits our Web applications, to try to detect any well-known Web application vulnerabilities as well.
Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of the software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion.
When those scans kick off, Veracode integrates back into our JIRA and actually opens tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products.
Directord98b
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
Valuable features for us are the static scanning of the software, which is very important to us; the ability to set policy profiles that are specific to us; the software composition analysis, to give us reports on known vulnerabilities from our third-party components.
Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation.
That it is a cloud-based solution is very valuable to us. We don't need that hardware running our scans and hosting the environment to be scanned. Also, the technology, the static scanning versus dynamic scanning produces a much better result, a more accurate result.
Sebastian Toma
Engineering Security Manager at Nextiva
We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the development life cycle.
Informat5dbf
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
The developers' awareness of the security weaknesses within their code has improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with.
The one thing we really liked about Veracode when we got it was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developers.
It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications.
ChiefInfaf47
Chief Information Security Officer with 501-1,000 employees
One of the valuable features is that it gives us the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important.
GL32aS
Global Application Security at a pharma/biotech company with 10,001+ employees
The Static and Dynamic Analysis capabilities are very valuable to us. They've improved the speed of the inspection process.
Dave Cheli
Chief Technology Officer
It eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report.
When we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are.
They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice.
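Two of the reviews above describe the same pipeline: a build finishes, the artifact is submitted for a static scan, and the results come back as a policy decision plus tickets for the development team (Kyle Engibous's API-driven JIRA integration and Dave Cheli's Jenkins job). The script below is an added illustration of the consuming side of that workflow; it is not Veracode's code, API or report format, and the report shape, the `Policy` class, the severity scale and the ticket payload layout are all constructed for the example. It shows the two parts a practitioner usually has to get right: failing the gate closed on a malformed report, and fingerprinting findings so a re-scan of the next build does not open duplicate tickets.

```python
"""Added illustration: gating a CI build on static-analysis findings.

The report shape, the policy, and the ticket payloads below are constructed
for this example; they are not Veracode's real API, report schema, or JIRA
connector.  The flow mirrors what the reviews describe: the build submits an
artifact, results come back, findings above a policy threshold block the
build and are turned into tracker tickets.
"""
import hashlib
import json
from dataclasses import dataclass

# Severity order used by the policy thresholds (constructed scale).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample scan result, the kind of document a CI job might fetch
# once a scan finishes.  Not a real Veracode report.
SAMPLE_REPORT = json.dumps({
    "app": "billing-service",
    "build": "1.42.0+317",
    "findings": [
        {"id": "F-1", "severity": "High", "cwe": "CWE-798", "title": "Hard-coded credential",
         "file": "src/db.py", "line": 12, "status": "open"},
        {"id": "F-2", "severity": "Medium", "cwe": "CWE-79", "title": "Reflected XSS",
         "file": "src/views.py", "line": 88, "status": "open"},
        {"id": "F-3", "severity": "High", "cwe": "CWE-89", "title": "SQL injection",
         "file": "src/report.py", "line": 40, "status": "mitigated"},
        {"id": "F-4", "severity": "Low", "cwe": "CWE-20", "title": "Improper input validation",
         "file": "src/util.py", "line": 5, "status": "open"},
    ],
})


@dataclass(frozen=True)
class Policy:
    """Per-application policy, in the spirit of the per-app profiles the
    reviewers mention.  Thresholds are the lowest severity that triggers."""
    name: str
    fail_at: str        # block the build at this severity or above
    ticket_at: str      # open a tracker ticket at this severity or above
    ignore_mitigated: bool = True


def parse_report(raw):
    """Validate the report before trusting it: a malformed or truncated
    result must fail the gate closed rather than silently pass it."""
    data = json.loads(raw)
    findings = data.get("findings")
    if not isinstance(findings, list):
        raise ValueError("report has no findings list")
    for f in findings:
        if f.get("severity") not in SEVERITY_RANK:
            raise ValueError(f"finding {f.get('id')!r} has unknown severity")
    return data


def _actionable(findings, policy):
    """Yield findings the policy still cares about (drops mitigated ones)."""
    for f in findings:
        if policy.ignore_mitigated and f.get("status") == "mitigated":
            continue
        yield f


def evaluate(raw, policy):
    """Return the gate decision plus the finding ids that drove it."""
    report = parse_report(raw)
    fail_rank = SEVERITY_RANK[policy.fail_at]
    blocking = [f["id"] for f in _actionable(report["findings"], policy)
                if SEVERITY_RANK[f["severity"]] >= fail_rank]
    return {"app": report["app"], "build": report["build"], "policy": policy.name,
            "passed": not blocking, "blocking": blocking}


def finding_key(app, finding):
    """Stable fingerprint so a re-scan of the next build updates the same
    ticket instead of opening a duplicate.  Line numbers are left out on
    purpose: they shift with unrelated edits."""
    material = "|".join([app, finding["cwe"], finding["file"], finding["title"]])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def ticket_payloads(raw, policy, project_key):
    """Generic tracker payloads (constructed shape, not JIRA's API) for every
    actionable finding at or above the policy's ticket threshold."""
    report = parse_report(raw)
    ticket_rank = SEVERITY_RANK[policy.ticket_at]
    payloads = []
    for f in _actionable(report["findings"], policy):
        if SEVERITY_RANK[f["severity"]] < ticket_rank:
            continue
        payloads.append({
            "project": project_key,
            "key": finding_key(report["app"], f),
            "summary": f"[{report['app']}] {f['severity']}: {f['title']} ({f['cwe']})",
            "description": f"{f['file']}:{f['line']} in build {report['build']}",
            "labels": ["sast", f["cwe"].lower()],
        })
    return payloads


if __name__ == "__main__":
    policy = Policy("default-web", fail_at="High", ticket_at="Medium")
    print(json.dumps(evaluate(SAMPLE_REPORT, policy), indent=2))
    for t in ticket_payloads(SAMPLE_REPORT, policy, "SEC"):
        print(t["key"], t["summary"])
```

In a real pipeline the `SAMPLE_REPORT` constant is replaced by whatever the scanner returns for the build, `evaluate()` decides the job's exit status, and `ticket_payloads()` feeds whatever tracker client the team already uses; keeping the fingerprint independent of line numbers is what lets the same ticket be closed automatically when a later scan no longer reports the finding.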
Associat7de6
Associate Director
The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process.
It provides security of different Shadow IT activities in our environment, especially around application development and website hosting.
Informatab29
Information Technology at an insurance company with 51-200 employees
Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavily using it.
It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code.
Steve-Wilson
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws.

Veracode Cons

Kyle Engibous
Systems Architect at a tech vendor with 201-500 employees
The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something they have on their roadmap.
Sebastian Toma
Engineering Security Manager at Nextiva
Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis.
Informat5dbf
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well.
I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that time frame, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better.
GL32aS
Global Application Security at a pharma/biotech company with 10,001+ employees
In some cases we use their APIs; they're not as rich as I would like.
The on-platform reporting needs to be opened up much more. We'd like to be able to look at the inspection data from a trending perspective in a much more open manner. I need to be able to sort and filter much more flexibly than I can today.
Another thing I need is continued support for the new languages today that are popular. Most of them are scripting languages more so than real, fourth-generation, commercial grade stuff; we're evolving. Most applications are using so much open-source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories.
Dave Cheli
Chief Technology Officer
The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal.
Associat7de6
Associate Director
We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass.
Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight.
Informatab29
Information Technology at an insurance company with 51-200 employees
It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help.
Steve-Wilson
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year.
Suzan Nascimento
SVP Application Security at a financial services firm with 10,001+ employees
I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment.
They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages.
Tim Jee
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code.