Software Engineer at a tech services company with 1,001-5,000 employees
Real User
Verification that an app is secure gives us higher credibility with clients and better performance
Pros and Cons
  • "It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail."
  • "I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help."

What is our primary use case?

We use the Static Analysis, Dynamic Analysis, and SCA, the software composition analysis.

How has it helped my organization?

The Static Analysis has identified flaws.

From a developer point of view, it has really helped me to know about many security best practices that I need to follow.

There are also security specialists, although it's not my area, who work on strategy to mitigate flaws. It classifies things into three levels: high, medium, and low, the latter being the ones that you can live with. It tells you which are very critical and you need to fix. That helps management to determine the strategy of what to fix next.

When you reach a level of security in your application and you get verification from Veracode that your app is secure, that helps in selling products. Mitigating flaws and being sure that your product is secure is going to give you higher credibility with clients and better performance.

In our use case, some of our products have dependencies in separate apps. Before going into production, each dependency has its own sandbox to help us identify the vulnerabilities in that certain dependency. Then there is the software composition analysis, the SCA, that helps us scan all the vulnerabilities when those modules are integrated with each other. Before deploying the whole app into production, we fix the flaws and increase the score. We have a whole company policy that some high-level security experts put in place. Before we move on to the next level of scanning we need to get to a certain score. That has really helped us. Each time, they make the analysis a little harder, to dive deeper into the code and go through different scenarios to find more flaws. That has really helped us have the minimum required number of issues and security flaws, when we go into production.

What is most valuable?

The most valuable features are the application analyses: 

  • Static Analysis
  • Dynamic Analysis
  • SCA, the software composition analysis, to scan all the modules together.

These are the three features we've mostly been using.

It is easy to use for us developers. It supports so many languages: C#, .NET Core, .NET Framework, and it even scans some of our JavaScript. You just need the extension to upload the files and the reports are generated with so much detail. 

You can detect which line is causing the issue and it gives you some insights about, for example, if you have a dependency problem in your inputs or some known vulnerabilities. It even gives you an article so that you can read about it and know how to mitigate it in some cases. Sometimes there are well-known flaws in third parties and you should upgrade to another version to resolve your issues. Veracode guides you.

I haven't tried any other platforms, but from what I have seen, it is really fast. You just upload the files, which is easy to do, and you can follow the scanning progress on the platform. Once it's done you get an email and you just access the platform. I don't know what other tools are like, but for me, Veracode is user-friendly.

What needs improvement?

I would like to see them provide more content in the developer training section. This field is really changing each day and there are flaws that are detected each day. Some sort of regular updates to the learning would help. 

I would also like to see more integration with other frameworks. There were some .NET Core versions that weren't supported back when we started, but now they're providing more support for it.

Buyer's Guide
Veracode
April 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
771,170 professionals have used our research since 2012.

For how long have I used the solution?

I've used Veracode since October 2018.

What do I think about the stability of the solution?

The solution we are using is stable. So far, it seems to be really practical.

What do I think about the scalability of the solution?

In our company, other products are using it, not just our product. So it's surely being used by other developers. There is also management between the applications. Each team has its own hierarchy in the company and the organizational levels are handled well in the solution. We have an upper manager and the administrator of the app. And each product has its own dashboards and its own access rights, so I cannot see the results of other people.

How are customer service and support?

There was a time when we needed support from them. We organized a call because the license the company had included the possibility to have a support call with one of the Veracode guys, when we first started using it. They were very helpful, showing us how to use it. They provided support on how to integrate the extension. We had a one-hour call with them and they were really helpful.

They also asked for some feedback. It feels really good to have that community working together. We feel engaged with the whole Veracode community.

What other advice do I have?

I've participated in some of the online courses, which helped. There are some levels that the team should have. You follow some courses, you get to level one, and then you move on to the next level. Each level of certification was really useful to learn about some of the flaws and some of the vulnerabilities that we could face. They give you some great use cases and how to remedy things in C# and many different languages. The online course also shows you how a developer can make some mistakes in his code, and how those mistakes can be used to bypass app security. By knowing that, you can avoid doing it in the future.

There were also some events organized recently—security labs—and they were also useful. There were tasks and I even had to work on them outside of work, but they were really helpful and a challenge.

The training also helped us to identify the existing vulnerabilities in our code and some of the third parties that we are using that have vulnerabilities in them. We know we need to upgrade them.

My advice is that you should follow the training, initially. It was really helpful, even at the first level. Then, go on and read all the detailed documentation online. There are even some video tutorials which are really helpful. These are the steps that I followed.

There is a section on the supported frameworks. Veracode supports a wide variety of languages, but it would be good to check that before diving into the analysis and why it's not detecting your code.

I have been really satisfied with the areas of Veracode that I have had a chance to work with.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user873345 - PeerSpot reviewer
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
Video Review
Real User
Provides an all-in-one metrics location, I can see where everything is across my full portfolio
Pros and Cons
  • "What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire portfolio of applications I have in this program, and I can report out on it."
  • "When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code; it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code."

How has it helped my organization?

It has given us visibility into the applications we have that are participating in the application security program.

What is most valuable?

For me, at the program manager level, I'm not a developer. What I do is run applications through a security program. What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire portfolio of applications I have in this program, and I can report out on it. That is one of the more important pieces for me, at the compliance level.

What needs improvement?

Speed. When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code; it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code. In our case, we have quite a bit of older code. It takes some time to get through.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

As a SaaS product, you have certain expectations for it to be stable. It is a very mature platform so we haven't had any issues with its performance.

What do I think about the scalability of the solution?

It absolutely scales out. Our program is pretty small, but the eventual goal is complete application portfolio coverage. I have no expectation that we are going to have any issues with scaling.

How are customer service and technical support?

Technical support is great. The folks that I have interacted with, from services all the way through to the pen-testers have been great. They are on par with anybody else out there. In some cases, specifically for applications, they are probably a lot better than most.

Which solution did I use previously and why did I switch?

I have done a lot of product comparisons in my time, in information security. A lot of them are modules of a product; there is no single pane of glass. When I talk about metrics, I want to see everything in a single pane of glass; I want to see all of my results in one location. A lot of the other application security products out there can't do that yet. They are getting there, but Veracode has already been able to do that for years. Veracode can run multiple types of tests and you can see all the results in one area.

When selecting a vendor, the most important criteria are:

  • scalability
  • reliability of results - we want to see results-oriented success.

How was the initial setup?

Setup is very straightforward. Since everything is SaaS, everything is uploaded to the cloud. It's very simple to do. There is no setup on the back-end, initially. Once we start getting a little more sophisticated with integrations we are going to be just fine. Currently, we are early in the program so everything is done manually. So there is no setup. Everything is just done in the cloud.

What other advice do I have?

I give Veracode a solid nine out of 10 because it is a full-featured product. It is not just something that they are selling to you and then leaving you to figure out how to use it. They actually help you every single step of the way and they want to show you how to do it. 

Their testers, their application security consultants, really help you and help educate the developers. They walk you through every step of the way.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user846645 - PeerSpot reviewer
VP Development
Real User
The scans have helped us make our code more secure, but mitigation can take a long time
Pros and Cons
  • "The coding standards in our development group have improved. From scanning our code we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications."

    What is our primary use case?

    To certify that we have valid code, and that the developers are working with valid structures and writing good code.

    How has it helped my organization?

    The coding standards in our development group have improved. When we scan our code - at the end of a build cycle we'll go through and scan our code - from those scans we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications.

    That is now part of our software development life cycle, to do a static scan before we release to our client base. We mitigate what we have to.

    I'm not aware of any cost savings relating to code fixes since implementing Veracode in our development process.

    In terms of Veracode providing application security best practices and guidance to our development teams, once we scan the software and we have to go through a mitigation process, we make sure we implement that in the base standards. Once we mitigate a problem, we implement it back into the base to make sure the developers who are still developing code are not going to have the same issues that we just mitigated.

    For our customers, they know that we go through another level of application security with our application, one our competitors don't use. They know our code meets a standard and that we implement the standard and the structures. That we have mitigated gives them a little bit of peace of mind that our code is valid, and that it's not going to hurt their infrastructure. 

    What is most valuable?

    We just use the static scan, it's all we got into as of now. We're happy with that, it seems to work very well for us.

    What needs improvement?

    Going through the mitigation is probably the hardest thing to do and that's still an ongoing process. If there is a code issue to mitigate, it sometimes takes a little bit longer than what you would think. It might not be anything that they're doing. It's just their engine is changing and our code is changing so we have two things moving. We get a good score one time, scan it again on a new release and the score drops because the engine is picking up more things. I don't know if they could do anything about that. It's just one of those things you might just have to live with.

    For how long have I used the solution?

    Three to five years.

    What do I think about the stability of the solution?

    No issues with stability.

    What do I think about the scalability of the solution?

    No issues with scalability, we're good there.

    How are customer service and technical support?

    They're very good. Anything that we've brought up to them, they've responded to us very quickly.

    Which solution did I use previously and why did I switch?

    We used the built-in solution inside of Microsoft Visual Studio, and we switched because Veracode had more cohesive scanning abilities and found a lot more issues with our code, when we first scanned it.

    How was the initial setup?

    It was pretty straightforward.

    What's my experience with pricing, setup cost, and licensing?

    We get good value out of what we have right now.

    Which other solutions did I evaluate?

    We had a couple of products that we looked at, but went with Veracode.

    What other advice do I have?

    I am highly likely to recommend Veracode to colleagues.

    Make sure, once you scan and find issues with your code, that the developers know how to remediate those issues so they don't go through them again.

    It's going to take some time to get through your first set of scans and mitigations. To fix your code is not straightforward. But once you do that and implement it back through your whole development cycle, they identify the issues and it's very easy to fix them, once you know and have gone through it once.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    it_user837504 - PeerSpot reviewer
    Information Technology at an insurance company with 51-200 employees
    Real User
    Gives us insight into code without having to upload it, saving a lot of NDA paperwork
    Pros and Cons
    • "Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests heavy time using it."
    • "It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code."
    • "It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help."

    What is our primary use case?

    We test two mission-critical web applications (C# Web forms).

    How has it helped my organization?

    We used to revise code with free tools (like VCG) but they are not even in the same universe. Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests heavy time using it.

    Also, from the very relevant results and issues that were pinpointed by Veracode, I can say that our customer security was greatly enhanced by its use.

    What is most valuable?

    It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code, but the source code never leaves your workstation, it is all client side, no NDA needed.

    What needs improvement?

    It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help (but not now, now that I've learned it).

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    No, we did not detect a single glitch or fault in a year. We once had a periodic maintenance activity on the Veracode platform during a deadline, but it was clearly announced in advance, so we just went around it and had no issues.

    What do I think about the scalability of the solution?

    No, you don’t have such concerns on Veracode. The process is really "launch and forget" (and wait for results).

    How are customer service and technical support?

    The team that assists us with it is just great, especially considering there is a language barrier for some of our employees. Veracode did its best to get those employees in the loop with the chance to attend the meeting, as well as with the aid of written English.

    Which solution did I use previously and why did I switch?

    VCG (Visual Code Grepper) but I am not even going to compare them. VCG is as good as they come, but Veracode is a different breed. An application went through VCG and we were pretty confident. Then, Veracode results just blew us out of our shoes.

    How was the initial setup?

    I manage the Veracode suite for my company, and I was personally walked through the various steps. Once I was up and running, we had another two-hour session to explain to us how a proper Veracode assessment should be planned (developers, code reviewers). As a result, I believe we have not only a pretty solid code review process up and running, but this was all provided to us at no additional cost.

    What we felt is that the Veracode guys want to enjoy and use their solution first. They are not pushing to get consultancy time if that can be avoided. If you need consultancy time you can have it and the prices are convenient. We did not. All the help came at no additional cost.

    What was our ROI?

    It is difficult to assert, but it helps a lot with maintaining compliance with our main customers, and helps us to pinpoint some specific issues. The cost of not having Veracode would be pretty high for us.

    What's my experience with pricing, setup cost, and licensing?

    The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most irrelevant "that can be done" was delivered, no matter how important the request was.

    The licensing is fair; it is time-limited (e.g. one year) but there is a size cap for every app. If your applications are big (due to third-party libraries, for example) you should discuss this beforehand and explore suitable agreements.

    Which other solutions did I evaluate?

    Competitors were evaluated but seemed, at once, too bloated or not relevant to all our specific requests. We were not interested in buying a product (such as a standalone program) rather we were interested in getting a tool for creating a process, and Veracode is that.

    What other advice do I have?

    In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward to doing it, starting with the next app that gets developed from scratch.

    CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a credible set of rules for Veracode policy, all this at no additional cost.

    As Veracode licensing is generally time-related, I suggest you start the subscription once everything is ready for consumption, assign a specific person to it, and declare it mandatory at the policy level. Losing two months of great value because the devs are too busy, or because they think they don't need it, or they fear the results, or because no one is taking charge of the Veracode process, is really a pity. Once the clock starts ticking, try to take advantage as much as you can.

    I would recommend Veracode to anyone involved in high-risk environments.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Enterprise Architect at a computer software company with 1-10 employees
    Real User
    Excellent article scanning, good data support and great analysis
    Pros and Cons
    • "The article scanning is excellent."
    • "The documentation is poor and the technical support isn't helpful."

    What is our primary use case?

    We primarily use the solution for article scanning.

    What is most valuable?

    The article scanning is excellent. 

    The composition analysis and common CVEs attached to it are quite good.

    The solution offers a lot of really great analysis. There's lots of good data support.

    What needs improvement?

    The licensing model could be improved. 

    If they can provide an automatic upload model, that would be really good. Right now we have to upload the NK bucket hosting to get through the analysis. That is kind of cumbersome.

    The documentation is poor and the technical support isn't helpful.

    For how long have I used the solution?

    We've been using the solution for three or four years.

    What do I think about the scalability of the solution?

    We don't plan on increasing usage. We are a product company. We have three products that are built. All of them go through this solution. We are not a services company. 

    We have about 80 people on the solution currently. They are all developers.

    How are customer service and technical support?

    We did previously reach out to technical support. When we had to set up all of the automation, we contacted them for assistance. Their documentation is awful and their response time wasn't ideal.

    How was the initial setup?

    The initial setup was not complex. It was pretty straightforward. However, the integration and automation of the CI cloud was a nightmare. 

    Deployment varies. Sometimes it takes three months. Sometimes it only takes one hour. The average is one hour, but we have experienced much, much longer deployment times.

    What's my experience with pricing, setup cost, and licensing?

    I have no idea what the licensing costs on the solution are. Our IT team handles the details.

    What other advice do I have?

    We were part of the initiation when the company started. They introduced it and we began using the solution. We're just a customer.

    For those companies hoping to automate the solution, I would not recommend it. It's too difficult for those heavily dependent on automation. However, for those companies who want to manually use it, I can recommend the solution. In those cases, it's easy to use even if you won't build it as a part of your automation test tools or on any internet server.

    I'd rate them eight out of ten. I'd rate them higher, but they have bad automation and terrible documentation. Other than that, they are very good.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Software Security Consultant at DXC Technology
    Real User
    Code scanning is fast with current, updated algorithms
    Pros and Cons
    • "Provides consistent evaluation and results without huge fluctuations in false positives or negatives."
    • "The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms."
    • "It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack."

    What is our primary use case?

    Provides static code analysis of the customers' applications from all industries. It includes any type of code and scripts, but mostly Java, .Net, C++, and C# environments.

    How has it helped my organization?

    The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms.

    What is most valuable?

    Provides consistent evaluation and results without huge fluctuations in false positives or negatives. 

    What needs improvement?

    It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack.

    For how long have I used the solution?

    More than five years.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user835104 - PeerSpot reviewer
    Project Manager at a tech vendor with 501-1,000 employees
    Real User
    We use scan results for training to increase sensitivity to security issues during development
    Pros and Cons
      • "Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines."
      • "Because our application is large, it takes a long time to upload and scan."

      What is our primary use case?

      Static code scan.

      How has it helped my organization?

      We have used the results of scans to train our people and make them more sensitive to security issues during development, although we haven't done any specific integration of Veracode into our software development cycle. Engineers are better trained, so we hope to see increased compliance with our security guidelines.

      We do incorporate the suggested course of action from the Veracode report (AppSec best practices and guidance) in our best practices.

      Also, our customers benefit from the fact that the application is more secure.

      What is most valuable?

      We use the results of the scan to identify vulnerabilities in the product.

      What needs improvement?

      Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      No issues with stability.

      What do I think about the scalability of the solution?

      Because our application is large, it takes a long time to upload and scan.

      How are customer service and technical support?

      Based on limited usage, we are satisfied.

      Which solution did I use previously and why did I switch?

      We did not have a previous solution. We picked this product because our partner (SAP) uses it.

      How was the initial setup?

      Straightforward.

      What was our ROI?

      There are no directly measurable cost savings. We see security improvement as a key part of our product development.

      What other advice do I have?

      When asked, we let our customers and partners know that we use Veracode and that we are happy with it.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      Senior Project Manager at a computer software company with 501-1,000 employees
      Vendor
      Comprehensive features and good integrations but needs better documentation
      Pros and Cons
      • "It's comprehensive from a feature standpoint."
      • "The reports on offer are too verbose."

      What is most valuable?

      The SAST feature is the most valuable aspect of the solution.

      The stability has been quite good overall. The performance is reliable. 

      The scalability on offer is good. I don't see any constraints.

      From a usability standpoint and the way it can be integrated into the pipelines, etc., it's very good.

      It's comprehensive from a feature standpoint. 

      What needs improvement?

      The reports on offer are too verbose. They might want to consider restructuring their reports to give a very good summary or overview in the first five or so pages and then go ahead and drill into the details of each and every vulnerability beyond that.

      The documentation could be improved. They could, for example, provide more details in terms of how to fix issues related to sign-ups. There isn't enough detailed information out there to assist users.

      For how long have I used the solution?

      I joined this company very recently. Therefore, I've only used the solution for a few months. However, this company has used Veracode for at least the last two to three years. They've had it for a while.

      What do I think about the stability of the solution?

      The stability overall is quite reliable. There are no bugs or glitches. It doesn't crash or freeze. Its performance is very good.

      What do I think about the scalability of the solution?

      The solution can scale well. If a company is considering expanding, it should be able to do so without issue.

      We do have a limited amount of users on the solution right now.

      How are customer service and technical support?

      I've never had a need, up to this point, to reach out to technical support. I haven't really come across any technical issues during my short tenure with the product. Therefore, I can't speak to how helpful or responsive they are. I don't have any insights I could share. 

      How was the initial setup?

      We have a few team members that specialize in the solution.

      Our team handles the maintenance of the solution.

      What's my experience with pricing, setup cost, and licensing?

      I don't have enough information to be able to comment on the cost of licensing the product. That's more of a sales question. I don't handle any aspect of that part of the solution.

      What other advice do I have?

      We are customers and end-users. We don't really have a business relationship with Veracode.

      I'm more from the performance testing side of things. I've just added the security testing to my list of responsibilities recently.

      We're using a mix of deployment models. We use both on-premises and cloud deployments. 

      It's a good tool. I've done some comparisons with both SAST and DAST. It gives us this end-to-end sort of feature that we appreciate. Therefore, rather than you doing SAST with one tool and DAST with another tool, I prefer going with Veracode, which offers both. 

      You can learn both static and dynamic scans with a single tool. You could effectively negotiate a price and do that. If you've got some simple apps, from a CAC standpoint, I'd recommend folks to use Veracode.

      I'd rate the solution at a seven out of ten. 

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: I am a real user, and this review is based on my own experience and opinions.