Veracode Reviews

Interestingly enough, Veracode has evolved over time. Their chief designer has been a leader in security for many years and his insights into applications, and what we now consider DevOps, has been very helpful for the industry. The insights into how we now have a mobile workforce, and that the end-point is what you carry in your hand - and the protection of those apps and web pages - are imperative because the coding in our information has moved out. Quite honestly, the people have become the firewall. 

The products that Veracode has developed help me to manage that, scan that, know when something is going wrong, and I don't have to have a team of developers behind me that keep up with all the latest threats because the subscription service they provide for me does that.

Veracode helps me in several implementations over a couple of industry sectors in a number of ways.

My coding, especially the code we develop, has a number of faults per line and that costs me money and time to fix those, into the lifecycle. Veracode enables me to provide better code, faster, so my time to market is less.

The security means my total cost of ownership goes down significantly over a period of time. The more code I write, the better I organize that, the less my expense is in maintaining that code.

As we move to more of a mobile space, much of the code was developed on desktops, mobile laptops, and things. Mobile apps run differently and they have a different runtime. Chris Wysopal and I have talked several times over the past few years about how to address that. I'm not sure that there is a good answer yet, because it is so complex. But I'm pretty sure with Chris' track record that they are going to come up with a very good way to do that in the near future.

There are always a few bumps going into any new implementation because nobody has the same environment. We are in heterogeneous environments.

But I couldn't point out any one significant problem that comes to mind, because the bumps that we have found have been addressed and corrected pretty quickly.

Scalability is almost infinite in this because the cloud-based solution allows me to expand. The companies I work for are generally in the 10 billion-plus range, but with thousands of developers we have never really had anything on the capacity planning or the performance of the products.

Their technical support is the best in the business. These folks have been around, like I have, for many, many years so they have grown up with the industry. Not only are they developers, they have been practitioners before. Their chief designers, their coders - although many of them change - the key people who started this are still there, and you'll know them by first name; pick up the phone and they can help you with what you need.

Any previous solutions would have been more than 10 years ago, and I don't remember why we switched. It's like the car you drive or the shoes you like to wear: Once they work - and it has worked in multiple sectors - there is no reason to change.

When selecting a vendor, the important criteria are relationships and support. When I pick up the phone and I get a Sam King or a Bob Brennan on the line, things happen.

It is a pretty easy implementation. As you know, with anything like this, which is very human-oriented, change is people, not necessarily the products themselves. The services they provide and the training and some of the "hand-holding", if you will, have always helped make this the bright, shiny object for the coders, so its implementation has always been pretty smooth for me.

On the rating scale is there anything above 10? If there are no ones and tens, it would be the closest to 10. They have always been supportive. We have had to change, do course corrections during implementations, or particular types of coding. I have just never had a problem. My loyalty to the product has been primarily due to the service and the expedience in which they solve any problems we have.

Application security management.

We've been able to provide reports to our clients that show applications are either flaw-free, or in the process of being remediated, and give them timely status updates on how those flaw remediations are going on.

Our customers have benefited by being able to have a little bit more assurance from us, from a trusted authority, that our code is properly flaw-free and remediated.

The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws.

We have been able to integrate Veracode through many of the IDEs that our developers use, using the Veracode APIs, or they've been actually been doing this manually as part of their SDLC.

Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year.

That would probably be the biggest area, access to more granular data that we could pull and use on a regular basis. Better dashboards. That kind of information.

It's stable, absolutely. They do regular maintenance schedules. Aside from that, I can't really think of a time where it has not been a stable product or unavailable. 

No issues with scalability.

We engage their support teams quite often actually. Part of our licensing package is a good number of hours per month for our development teams to work with their support teams at Veracode, to help solve remediation issues, troubleshoot some of the flaws that they encounter or can't understand. Their support teams have been able to work with our development teams very well.

We were not using a previous vendor prior to this. We've used other vendors like Nessus for pen testing. We still use those. Veracode was just more of an addition.

The setup has been more of a phase-in approach, and it's been gradual. It's been kind of a "trial-by-fire" setup with a lot of our development teams because most of our development teams aren't used to doing this. So, it's been a trial, I guess more so on our side, to get the adoption going on. It's just part of training our team to actually know there's something they need to do on a regular basis.

Regarding any cost savings relating to code fixes since we implemented Veracode in our development process, I can't say I have that information off the top of my head.

Just do your research. Make sure you're getting the best price on this. It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in. Then just see if it can work. Try and make sure you get the best price possible.

I was not part of the evaluation team on this, unfortunately. But I believe the other options were evaluated as well, but I don't have access to that information.

In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not have really before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half.

The advice I'd give is look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good for your company. If you aren't currently doing this kind of analysis on your code, I would take a strong look at whether this is something that you really should be doing. It's a different world out there right now.

I would recommend Veracode very highly, especially since the program management staff that I work with from Veracode are some of the best people that I've worked with in this industry.

Software security, static code scanning.

It has performed very well.

The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future.

It helps us gain confidence that the applications we're putting out in the hands of millions and millions of people have that industrial-strength quality to them; that we don't need to worry about as much as we used to. 

• Completeness, comprehensiveness
• speed
• ease of use

We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we don't assume anything about what those people might already know, or need to know. It just makes it very useful for anyone who has to engage with it.

I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline.

Three to five years.

Stability has been great. I've never seen any downtime, in four years.

We went from 50 applications in 2015, we're now up to over 400. There seems to be no limit on how quickly it can scale and operate.

They're outstanding. Best in class. Absolutely. They bend over backwards to help us. We'll come up with questions and within minutes, we'll get answers. It's amazing. It's truly amazing.

It was very straightforward. Veracode was very helpful, hand-holding - anything that we needed - they were right there and made it very simple.

We had been evaluating various different types of source-code scanners. It was a fundamental element of the program and we knew we had to have the best one that would meet a wide variety of applications: development, apps, as well as a wide variety of geographic dispersion of the people writing these apps. 

We had IBM, we had Fortify, we had PMD, and there was one other scanner at the time that we were evaluating. Veracode came out on top, in almost every category.

By using a cloud-based scanner, we really had no issues with where the developers are geographically located. So we didn't really have setup problems at all. It just kind of happened, and scales fairly naturally, organically.

The most important criteria when selecting a vendor are

• reliability
• customer service.

Take advantage of all of the help that Veracode provides, for implementation, operations, and maintenance, because they absolutely know what they're doing.

We use this solution for Digital Health.

This solution has helped us in developing a secured product.

Veracode is fantastic! All of the features are valuable.

My experience with Veracode across the board every time, in all products, the technology, the product, the service, and the salespeople are fabulous. They are engaging.

I would suggest charging the developer for training, as it's not very expensive.

Only charge for developer training because it's a service you give now and they may need to be technical support. 

It costs them money to do that, but with the technology, an incremental user is negligible incremental costs, which doesn't really cost them. That's software economics.

I would like to see them only charge for developer training for the qualified startups and start charging for the licensing once the product goes into production, and available.

I have several years of experience working with Veracode.

When we used this solution a year ago, we used the most current version.

It's a stable solution. I would rate stability a ten out of ten.

It's a scalable product. My rating out of ten would be a ten, scalability-wise.

We have a software development manager and three other people who are using it.

Technical support is phenomenal. They are fabulous and very responsive, it's amazing.

Previously, I did not use another solution. Because I knew Veracode for many years, my approach with the company was that it was a startup and we need to do it securely. This is s why we went with Veracode.

The initial setup was straightforward. It was extremely easy and took only a few hours to deploy.

We have a team in-house to implement this solution.

The pricing for qualified startups such as Neo4j could be improved.

It allows startups to develop a secure product, but it takes time for startups to get money for the products. 

Veracode could provide the services, at a significantly lower price during that period with a condition that the moment that it becomes production, Veracode has to be paid.

If they would change that, it would be phenomenal for the entire industry and for them.

Licensing cost is on a yearly basis and there are no additional costs, the pricing is straightforward.

At the time that we used this solution, we were a startup, the software may not have been that complex. It's not like Oracle.

My advice to others who are interested in using this solution is to pay attention to the full instructions.

I would rate Veracode Developer Training a ten out of ten.

We focus on these two use cases: 

1. Our first use case is for Static Analysis (SAST). The purpose of it is to scan our code for any vulnerabilities and security breaches. Then, we get some other reports from the tool, pointing us to the problematic line of code, showing us what is the vulnerability, and giving us suggestions on how to fix or mitigate them.
2. The second use case is for the Software Composition Analysis (SCA) tool, which is scanning our open sources and third-party libraries that we consumed. They scan and check on the internal database (or whatever depository tool it is using), then they return back a report saying our open sources, the versions, and what are the exposures of using those versions. For any vulnerability, it suggests the minimum upgrades to do in order to move to another more secure version.

Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely.  By adopting their suggestions, we are fixing this vulnerability.

Once you run the tool and realize that it is not secure to use a certain method or function, then you fix it. Next time that you want to add new code, you don't want to repeat that mistake. So, you're already adopting the original suggestion, then writing more security code.

If we continued to scan and fix issues, which is an ongoing battle because every day as there are new vulnerabilities, we are on the safe side.

It is faster to adopt and use because it's a SaaS software. As a service tool, we didn't have to deal with any installation emails. We also didn't have to download packages, upgrade, or maintain their on-prem machine, which is usually the case for on-prem solutions. This is a critical point that we needed to consider when adopting the right tool. So, SaaS was a deal breaker for us. 

I don't have any complaints about the policy reporting for ensuring compliance with industry standards and regulations. It is good and a mandatory part of our process.

We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it.

About six months.

The technical support was good. Even with the time zones changes, they took the examples that we provided about how our call works and investigated them. When they didn't get an answer initially, they contacted someone else to assist. Overall, our experience was good.

The turnaround time and response times are good. We always got a response, even if they said, "It will take a while, as we are still investigating." One day after always, we always got a response, even if it was, "We need time to investigate." 

I would differentiate between the initial response time for our needs and the resolution time for the issue. The representative themselves respond pretty quickly to our needs. We exchange phone calls with them or email, and they responded quickly. Some of the issues that we experienced were due to our specific code languages and packages that didn't work smoothly with the tool. For those, the representative had to approach the Veracode R&D team. It took more time to involve R&D, but we eventually got a resolution from them after a few days.

To get into the solution, it took some tries to understand the structure of our repository and the code that we were using to write dependencies, etc. So, it took a bit of time, but then in the end, the solution was easy to connect.

It took about a month until we completed integration of Veracode tools into our own systems. Eventually, the tools needs to scan our code that resides on our machines in our on-prem environment. The integration of Veracode on the cloud with the on-prem repository and our processes took time. We worked with the Israeli representative of Veracode to help us. However, it was about a month overall until we stabilize it.

An Israeli sales representative for Veracode came to our office and worked very closely with us. They escorted us through the process of doing the PoC, examining the results and tools, and how to use them. We found it straightforward. There were some hiccups and some problems in the beginning, but not something significant in the general overview. It was easy and fast to adopt.

Our customers demand that we provide secure software. Veracode is giving us the mandate of claiming that our code is more secure because we are using an external third-party, neutral tool to examine our code and expose vulnerabilities. By fixing them, Veracode takes some of the responsibility, which is kind of a diploma that we can wave when we are negotiating with our customers.

We compared it with other tools as part of our proof of concept to adopt the right tool. Eventually, we selected Veracode because the tool provided us the easiest, fastest solution for our two use cases.

When we did the PoC to compare it with other tools, before we decided to adopt Veracode, one of the benefits that we saw is its reports are more focused on real issues. Other scanning tools that we tried, they produced much bigger reports with hundreds of vulnerabilities. That is too many vulnerabilities, so you cannot manage them nor decide where to focus. Using Veracode helps us focus where we need to.

We have used a Checkmarx tool, which is a competitor of Veracode. We have also examined Micro Focus Fortify and some other monitoring tools, which gave us a partial solution, had only static code analysis, or had only the open sources for composition part. We wanted one tool which does everything; we found Veracode all-encompassing.

The solution is efficient when creating secure software. Though, it depends on how you adopt the tool and how frequently you're running it. As long as you keep it as part of your routine and frequently run the tool, you will catch vulnerabilities closer to real-time. Eventually, you will improve the security of your software.

We haven't seen a lot of false positives. However, the tool points us to vulnerabilities to fix, which because of our behavior or software, we don't necessarily need to fix because we have other protections.

We are not using it for cloud software. Our solution is only on-prem.

I would rate this solution as an eight out of 10.

We're required to make sure we have no high or very high security issues in our code. Veracode is a code reviewer to prevent hacking and other bad things from happening.

The way it helps our company is that the code is secure. It also helps with our customers because I believe they can request a copy of the report. It lets them know that we're doing the best we can to provide secure software.

The solution has helped build my security skills as a developer. Now, as I proceed forward, I know what to look for when coding items. I'll be coding a little bit more defensively from what I've learned, from all the errors that it has found. Some of the stuff I wasn't even aware of. I also became aware of things that Veracode verified, but I really couldn't fix.

The policy reporting for ensuring compliance with industry standards and regulations is excellent. It identified most of the issues that our penetration testers look for and gave me a way to look at the line numbers of the code that needed fixing, and that was a huge help. It also gave me samples of code for what was going wrong and it enabled my supervisors and me to go through the whole project and fix 99 percent of the issues we had.

It provides visibility into application status across all testing types in a centralized view. The report is very good at showing that. We are not allowed to install anything until it passes the Veracode test. We have to fix all errors before we can install our software. It absolutely helps reduce risk exposure for our software.

I haven't come across any false positives.

The reporting being highly accurate is pretty cool. I use another product and I was always looking for answers as to what line, which part of the code, was wrong, and what to do about it. Veracode seems to have a solid database to look things up and a website to look things up. We've had very few issues that we have actually had to contact Veracode about.

It does give some guidance, up to a point, for fixing vulnerabilities. It does a pretty good job of that. We went from a bunch of errors to a handful that I needed help with, and that was mostly because they provided some good information for us to look at. If I had been using this product a long time ago, I would have been able to anticipate a lot of things that Veracode discovered. The product I'm working on is about 12 years old and this was the first time we ran scans on it using Veracode. It identified quite a few issues. If you're starting a new project, it would be a good place to start. Once you get used to what people like penetration testers are looking for, this is a good tool to prevent having a pen test come back bad.

The Static Analysis Pipeline Scan is very good. It found everything that we needed to fix.

The triage indicator was kind of hard to find. It's a very small arrow and I had no idea it was there.

We have been using Veracode for about three months.

The stability seems pretty good. There was only one instance where the site was down.

I don't think Veracode has any problems with scalability. My company is very big. There are about 1,000 of us, all developers, using the solution. It's being used throughout the company for all our products.

I would give their technical support five stars out of five. They were on point and they helped us identify resolutions for some of our issues that we couldn't figure out.

We used Fortify. I was not involved in the decision to switch.

I don't really know about the pricing, but I'd say it's worth whatever Veracode is charging, because the solution is that good. It's just a good product, overall.

The biggest lesson I have learned from using Veracode is that there isn't an answer for everything. But when an area needs to be mitigated the mitigation process is fairly easy.

It's pretty efficient, but in my case it took a long time to upload my information. It was a very big project, so I was not surprised that it took a long time, but it was mostly because of the internet around here. It would take a long time to upload the DLL and run the static analysis. It would take about two hours, but again, it's a large project.

Overall, it does a very good job of preventing vulnerable code from going into production. It identified issues that were not detected in penetration tests and allowed us to lock them down.

We use both the static and the dynamic scanning. What we do is run the code through the scanner once we make any modifications. And periodically, we also run the dynamic to connect several applications. We use Veracode to check for specific vulnerabilities such as cross-site scripting. When we are checking for those vulnerabilities, we take a portion of code that is going to be generated and we run the scanner.

We work a lot with open sources. Using the Static Analysis, the Dynamic Analysis, and the scan module, we can control everything we do via Veracode. Moreover, because all our applications are security applications, keeping a high security standard is really important.

The visibility into application status across all testing types in a single dashboard is helpful because, even if you are running different types of scans, you have everything in one place. You have a unique dashboard to control all the applications, and that is good.

Overall, we've never had any problem with vulnerable code going into production. It's quite a solid tool. We have a really good feeling with this solution.

The most valuable feature is actually the support provided by Veracode. Once you start to use the platform, you can mount the IDE plugin for your script. The advantage is that you can run the scan and check what the problem is and you can fix it yourself. Support could be used to address something that could go beyond your skills. If you use Veracode Greenlight, you have a small pop-up that you can use to interact directly with the team and you can ask a consultant to advise how an issue can be fixed. One of the good things about the Greenlight plugin is that it is very simple. There are several guides that tell you how to install it. It's a matter of one or two minutes and you are ready to go.

Once you check something, they provide links, not manually, it's all automated. When you want to check into a vulnerability you click and open the website where there is a description. If this is not enough of an answer, you can ask directly by scheduling an appointment with a Veracode guy.

Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced. They don't teach you how to develop in Java, Python, PHP or C#, but they instruct you about the best practices that should be adopted for secure code developing and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool. And as far as I know, there are no other competitors that offer it.

The best stuff is the training: this enables your team to adopt the same programming approach, although these people have a different background or joined the projects in a different phase. Doing that, they can take the training and be aligned so that they all write code in a good way.

We also use the Static Analysis Pipeline Scan and it's quite good. They provide several of the most common templates for pipelines. You see the process, while you program, right up until you package an application, and that the platform is able to detect things that are a blocking point. Before deploying to the production, you already know what is doing. And the speed of the Pipeline Scan is quite good.

Another good feature is the policy reporting for ensuring compliance with industry standards and regulations. We test compliance for medical devices, for GDPR, and for payment methods. These are all good. If you are not correctly prepared on one of these sets of regulations, you know that Veracode is going to take care of it using pre-prepared templates. But we can also customize our own policy if we are facing a unique use case. Even if it's not really common, we can take a regulation and build it the way we want it to look.

In addition, you can check everything from the dashboard. Veracode provides a web portal that is connected with your account and through that you can check the status of all the deployments that were run. And suppose you also have an application that is quite complex. You can deploy and upload it through the portal. When it is ready, you receive a notification from the portal that the job has been done and that you can check the results. When you go to the dashboard, you have the OWASP vulnerabilities. There is a really simple graphic with the colors showing how many vulnerabilities have been found and how much these vulnerabilities are repeated in your code. It also tells you the potential effect, if it is a backdoor data breach, for example, etc. It also suggests what you can do to remediate. It might suggest modifying code or changing the status of some part of the development, or updating a third-party.

And if you have people on different projects, there is also a role management feature, so you can select, for example, that people who are working on a given project can only see that project. If you are running something with different levels of classifications, for example, if you have an external consultant, it does not affect the confidentiality of the system. When people are collaborating, not all people are at the same level of an NDA. It is good that each person can see only their part implementing Need-To-Know.

It also integrates with developer tools. We use IntelliJ and Eclipse, among others.

They should invest in mobile security.

I have been using Veracode since 2017.

We have never faced a problem or any downtime.

We haven't perceived any issue when it comes to scalability. But it's true that if you have more tenants, the response of the scanners is going to get released quicker.

I would rate Veracode's technical support at nine out of 10. They would probably deserve a 10 but it is not as quick as it should be. They need to increase the support workforce. The support people are well-prepared, but it can sometimes take one or two days to get the right guy to do support.

The previous solution that we were working with was mainly focused on the quality of the coding. We are happy with Veracode because it's focused on security.

The initial setup is very simple. The Veracode guy who accompanied us made it appear really straightforward.

It's a SaaS solution so once it's prepared on the Veracode side, to deploy onsite may take up to a couple of hours to get everything prepared, mainly due to the configuration, for a simple implementation. Overall, setting up the product is quite straightforward. 

In terms of managing the code, it's quite simple for us because we are all technical guys. Once we saw it working, it was really easy to manage. We have three people who use the solution and they are all developers.

The Veracode team is replying fast and the proved a strong expertise in every challenge.

We could save some money having an on-premise solution, but the fact that this is a SaaS means we can be sure that it's updated. It's outsourced. In terms of cost, I don't see a big advantage, but in terms of operations there is because we don't have to take care of it. We know that if, somewhere else in the world, somebody detects a vulnerability, a few minutes later we will already have a patch. This is extremely important for us. Nobody in our company has to touch anything to get this.

If we had to designate one or two people to take care of maintenance of an application, at some moment one of them might not be updating things. With Veracode, we know that we don't have to worry. We just have to focus on our development. We don't consider maintenance at all because it's all managed.

The pricing is quite standard. It's not cheaper, it's not more expensive.

We looked at other vendors but we selected Veracode because it had a top rating in industry reviews. For us, that was like a warranty.

We were skeptical about running scans with a cloud-based solution, but then we saw the benefits. Everything is up to date without us having to lift a finger. We know we don't have to take care of maintenance. 

Also, if you work in the domain of medical devices, payment methods, or other things that are related to privacy, Veracode provides all these modules. This is a big advantage.

Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly.

False positives are not a main problem. The platform does try to overprotect but, of course, a system like this can only understand the syntax and not the semantics. So it's overprotective when there is a doubt. Sometimes, we ignore some of the advice received.

We use it for static checking.

We are a state agency, we're not a private-sector company. What we're able to do is take our main web-based application, which is not only for internal use but which the citizens of Ohio also use, and we can run this application, and others as well, through Veracode to ensure that we've done our job, our due diligence.

We print out a report, we see the rating of the vulnerabilities that have been found: "critical" and "high", "moderate" and "low." We've been able to go from having critical vulnerabilities to where we're now into the more moderate range. We've shown improvement through the years. We can provide that information to our superiors, and to people who come in and audit us, to show that we've made progress on scanning.

When we find a vulnerability, we do pass it on to our developers and they've been able to go in and adjust the code so that the vulnerability is no longer there. The goal, of course, is that these findings will help them as they develop new code so that these vulnerabilities are not a part of the next application. We run a follow-up scan to make sure the vulnerability has been cleared.

The benefit, at this point, has been more internal than for our customers. Obviously we don't want them to have a problem so that they could then, theoretically, actually see the benefit. We try to be proactive.

• Having the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important.
• Utilizing the software as a service. We do the scanning of the compiled code ourselves but it's on their servers, which is a plus.
• Technical support is available if needed and that is advantageous.
• Having online education and training is also advantageous. 

I attended a meeting of one of the security organizations I am associated with. At the meeting were security professionals from several major retail companies. The topic of discussion happened to be application development security. When the question was asked concerning what tools are being used, many of these major retail companies said they are using Veracode. However, they were quick to comment that the product is too expensive and that there are too many false positives which take too much time to remediate.

The stability is very good. They haven't had too many updates or upgrades. They did a major upgrade several years ago but it came out just fine. It has been a really good product.

I'd call us a "mid-range" agency, so it's not like we have a ton of applications that we're changing and updating. It's good for us, but I can't really answer how scalable it is because we're not really big.

I don't believe that the team has had any problem going on to the website, downloading the static code, or running scans. They do it quite often without any issue and are able to read the report and rectify whatever vulnerability has been discovered. There has not been a problem walking through those steps. It's been pretty straightforward. And if our team has any problems, we've got access to someone that we can schedule a call with to work out the issues.

We haven't had to call tech support too often, but when we have had to call them, support has been good in terms of resolution time.

I was involved, on a cursory level, with the setup. Our implementation strategy was to focus on our main web-based application. The way that they developed the application here was under one static set of code, so we could scan this code and, in essence, be able to check the vulnerability of most of the applications from the different business in our agency.

We did not use an integrator or a third-party. We did it with the help of Veracode.

We are a state agency, so we're not for profit. I tell everybody we don't make money, we spend money. To frame it in the context of the public sector, I think we are giving our citizens peace of mind. When they come in to write a permit, and we send them to a service that collects payment, that jumping-off point is secure and safe. It would be more in those terms, rather than the bottom line.

In the public sector, return on investment is not a term that is easily understood because we do not invest. But total cost of ownership is something that we can put our arms around. When we think about potential data breaches, Veracode has certainly helped us. When you think about the cost of the product and that I have one person, not ten people, running this tool, the total cost of ownership is low. I have no devices or servers, I didn't have to do any of that here onsite. It's all in the cloud. The total cost of ownership, given the services they provide, is very low, in my opinion.

We're always looking to save the taxpayers' money. I used to tell my vendors, sharpen those pencils and make the tip laser-sharp. When it can be, I want it to be less expensive, but you get what you pay for too. Vendors need to be fair and I think Veracode has been fair.

We use their SaaS solution and it's just an annual subscription.

The state of Ohio decided to bring AppScan in and that's an IBM tool. IBM became a major vendor in the state of Ohio. But what happened is that AppScan does not offer static code vulnerability checking; dynamic is something they do offer, but it's not as complete and comprehensive as a static scan is. Even the state has gone away from AppScan, but we were looking at it, we were starting to get set up for it. But evidently, other agencies haven't found it to be as useful. So we're not going that direction, we're staying with Veracode. 

There would have been cost savings associated with going with AppScan but we decided, because the state was not going that way, that we were not going that way either.

I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool.

I really like Veracode. That is one of the reasons that we brought them onboard ten years ago. Of course, they were new back then. The different aspects of the offerings that Veracode provides to their customers are somewhat unique and, right now, I couldn't ask another thing from them.

We have approximately 30 Java developers and four or five testers. There are also project managers using it. We have one person who manages running of the scans and that person might have one or two other people to help.

We haven't really been utilizing it to its full potential. We probably utilize it once or twice per quarter. We are planning to increase the capacity that we've purchased. However, we're getting ready to elect a new governor in Ohio. With that election, things will change, according to his or her desires. Right now, we're in a holding pattern waiting for November to come and go.

In terms of integrating the solution into our existing software development lifecycle, because we started so long ago - before the software development lifecycle was fully implemented - we were doing Veracode testing just because it was a good idea. Then we actually developed a lifecycle. We got into scrums and it just naturally worked its way in, so when we actually hired a testing group, Veracode was already a part of the process.