Mar 26 2018
Enables us to automatically submit each new build for scanning and get results directly into our JIRA
What is most valuable? The most important one is the static scanning analysis, and the reason is that it can tell us vulnerability in that code, right before we go ahead and push something to…
How has it helped my organization? We have a large developer base at our company ranging in a variety of skills sets. Some are very security aware, others really don't have the knowledge. What Veracode…
What needs improvement? From a technical standpoint, I'm pretty happy with everything. The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually…
What's my experience with pricing, setup cost, and licensing? If you're licensing, and you're looking at licensing models, you might want to ask Veracode about their microservice, depending on the company. If you are a microservice…
Which solution did I use previously and why did I switch? We had never done anything like this in the past. This was the solution that we chose. We didn't really evaluate anything else. I know that my boss has been a fan of some…
What other advice do I have? I would advise that you figure out a way to integrate it into your software development lifecycle in a way that it's not intrusive to your developers. That was really…
Which other solutions did I evaluate? There were some, but we didn't get serious about them because they didn't have everything that we wanted.
Apr 12 2018
What is most valuable? * The static scanning of the software is very important to us. * The ability to set policy profiles that are specific to us. * The software composition analysis, to give…
How has it helped my organization? We do automated scanning, so we use it as part of our development cycle. We do both automated security scanning as well as our own automated testing. We run the two in…
What needs improvement? It's really hard to criticize something that has become somewhat seamless for us. If they wanted to expand their capabilities into other areas of security, that would be…
What's my experience with pricing, setup cost, and licensing? We're very comfortable with their model. We think they're a good value. We worked very closely with Veracode on understanding their license model, understanding what…
Which solution did I use previously and why did I switch? Prior to working with Veracode, we used a self-applied application. That is, we had the solution on-premise, but just could never quite get the routine approach that we've…
What other advice do I have? We recommend Veracode to colleagues all the time. I'd give the advice of not getting hung up on trying to compare the static scanning to the dynamic scanning, that's…
Which other solutions did I evaluate? I'd rather not give out competitor names. But the method we were using in the past was what is called dynamic scanning, or DAST. That required we have an environment that…
May 26 2019
What is most valuable? With Veracode, it's not about features for us. It is about the pricing model that they offer. To be honest, with their vulnerability database, the total amount of false…
How has it helped my organization? We are using the Veracode tools to expose the engineers to the security vulnerabilities that were introduced with the new features, i.e. a lot faster or sooner in the…
What needs improvement? Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two…
What's my experience with pricing, setup cost, and licensing? They just changed their pricing model two weeks ago. They went from a per-app license to a per-megabyte license. I know that the dynamic scan was $500 per app. Static…
Which solution did I use previously and why did I switch? We never did use other products. The reason we started looking into IBM and WhiteSource was because of the hiccups or the speed bumps we were encountering with our…
What other advice do I have? If the springboard issue doesn't hold them back and the pricing model stays the same as the one that we have right now for this year with them, it's a good deal. Veracode…
Which other solutions did I evaluate? We looked at IBM before we decided to go with Veracode. I've seen the documentation that our director of information security put together. We looked at six different…
May 02 2018
What is most valuable? The reporting and mitigation features which allow our people to work on their own.
How has it helped my organization? It has given us insight into the actual flaws that are out there, and the speed at which they're getting mitigated. Now, we're starting to see quantitative metrics to show the overall risk with code…
What needs improvement? The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I…
What's my experience with pricing, setup cost, and licensing? I think the pricing is in line with the rest of the tools. I think you get what you pay for. It is certainly not inexpensive, but the value proposition is there. There are certainly cheaper tools, but…
Which solution did I use previously and why did I switch? We used HP WebInspect, which is now under the Fortify umbrella. HP WebInspect was just terrible. Had we used the on-demand cloud piece - which is why I perhaps have to pull my comment back - maybe we…
What other advice do I have? My advice is what I mentioned in the pricing/licensing section above, you really need to understand what it is you are looking to do. Also, take into account a data sensitivity for the applications…
Nov 19 2018
What is most valuable? * Having the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important. * Utilizing the software as a service. We do the scanning…
How has it helped my organization? We are a state agency, we're not a private-sector company. What we're able to do is take our main web-based application, which is not only for internal use but which the citizens of Ohio also use, and…
What needs improvement? I attended a meeting of one of the security organizations I am associated with. At the meeting were security professionals from several major retail companies. The topic of discussion happened to be…
What's my experience with pricing, setup cost, and licensing? We're always looking to save the taxpayers' money. I used to tell my vendors, sharpen those pencils and make the tip laser-sharp. When it can be, I want it to be less expensive, but you get what you…
What other advice do I have? I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool. I really…
Which other solutions did I evaluate? The state of Ohio decided to bring AppScan in and that's an IBM tool. IBM became a major vendor in the state of Ohio. But what happened is that AppScan does not offer static code vulnerability…
Apr 09 2018
What is most valuable? The Static and Dynamic Analysis capabilities are very valuable to us.
How has it helped my organization? We are able to create business policies, and the Veracode system allows us to enforce those policies. That's at the very high level. We're looking at improving the overall security quality of our software. We use it as a platform to help enable that process. Veracode, in and of itself, is doing…
What needs improvement? They've improved the speed of the inspection process. I'd never want the inspection process to become something that's suspect. False positives would diminish confidence in the results; if we don't continue to focus on reducing false positives... that is number one. The on-platform reporting needs…
What other advice do I have? I hold Veracode in high regard. It's a good organization to work with, and it's a very conscientious organization. I'm always a recommender of the solution set.
Mar 15 2018
What is most valuable? Certainly it eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code…
How has it helped my organization? Firstly, it prevents me from putting out software that has security vulnerabilities, which is a big thing and can be one of the most important things. Also, we just…
What needs improvement? The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I…
What's my experience with pricing, setup cost, and licensing? I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this…
Which solution did I use previously and why did I switch? Veracode was really my first introduction to static code analysis. The way I came across it in my previous company was, they were going through security due diligence and…
What other advice do I have? CA Veracode provides application security (AppSec) best practices and guidance to our teams in a couple ways. First of all, they have an e-learning module that has courses…
Which other solutions did I evaluate? When I was at the last company, I looked at HPE (now Micro Focus) Fortify vs Veracode and maybe IBM had a product, but they were overly complex and overly expensive. I…
Jul 05 2018
Provides security of different Shadow IT activities in our environment, however there are limitations on reporting causing bottlenecks
What is most valuable? It has several components in that help you identify abilities in the core. It also provides security of different Shadow IT activities in our environment, especially…
How has it helped my organization? It has helped us identify all the applications flaws, especially with so many open source licenses available to the developers. With this product, it allows you to plug in…
What needs improvement? They are already working on it, but we are looking forward to seeing it. We would like the consolidation of all the different modules. This would help, so then we would be…
What's my experience with pricing, setup cost, and licensing? It is pricey. There is a lot of value in the product, but it is a costly tool. The customer should demand better turnaround times for the money that they are paying…
Which solution did I use previously and why did I switch? We did not previously use another solution.
What other advice do I have? I would rate the product as an eight out of 10 for recommending it to colleagues. I would rate the overall product as a seven out of 10.
Which other solutions did I evaluate? We did a PoC with Black Duck.
What is Veracode?
Veracode is an application security company that offers an automated cloud-based service for securing web, mobile and third-party enterprise applications. Veracode provides multiple security analysis technologies on a single platform, including static analysis, dynamic analysis, mobile application behavioral analysis and software composition analysis.
State of Missouri, Rekner
Also, our customers benefited from the added security assurance of our applications, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester.
Static analysis scanning engine is a key feature.
All the features provided by Veracode are valuable, including static scan, dynamic scan, and MPT (Manual Penetration Testing).
We use it to get our scan results and see where our software is vulnerable or not vulnerable.
For our rapid, secure DevOps cycle, we have integration of the Veracode API into our build tool, and Greenlight into our IDE.
When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them.
Code analysis tool to help identify code issues before entered into production.