Veracode Room for Improvement

Kyle Engibous
Systems Architect at a tech vendor with 201-500 employees
From a technical standpoint, I'm pretty happy with everything. The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something they have on their roadmap. Other than that, I don't really get too involved in the cost side of things, that's not in my job; I'm more of a technical focus, but I have heard from my manager and a couple of other people that the solution is quite expensive. So that is possibly one factor that could turn somebody away from Veracode. But, like I said, I really don't know much more about that. Technically, I'm very impressed and happy with what they've had to offer.
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
It's really hard to criticize something that has become somewhat seamless for us. If they wanted to expand their capabilities into other areas of security, that would be fine. They're a very knowledgeable group of people. We do meetings with them on a pretty regular basis. We gain insights from their perspectives. To me, if they just broadened their footprint into the areas that their feet feel comfortable going into, we'd have no problem pursuing that.
Sebastian Toma
Engineering Security Manager at Nextiva
Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two separate tools from the same company: one for the static analysis and dynamic analysis, then the second one for the third-party dependencies. That is an area where they need to improve the service. Veracode needs to bring the second tool into the dashboard already so that we don't have to use two separate logins. We don't want two different sets of jobs that we have to upload into two different places, etc. Veracode also needs better integration of their tools with each other. Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis. The SDA feature is on the website. Veracode should finally integrate SourceClear with the company product line after two years. I would love to see that. Veracode did not previously support Python 3. They just released the support for Python 3. Keeping updates coming quicker would be the main thing that I would love to see, i.e. to have all these solutions better integrated.
Find out what your peers are saying about Veracode, SonarQube, Micro Focus and others in Application Security. Updated: January 2020.
391,616 professionals have used our research since 2012.
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well. I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that timeframe, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better.
Chief Information Security Officer with 501-1,000 employees
I attended a meeting of one of the security organizations I am associated with. At the meeting were security professionals from several major retail companies. The topic of discussion happened to be application development security. When the question was asked concerning what tools are being used, many of these major retail companies said they are using Veracode. However, they were quick to comment that the product is too expensive and that there are too many false positives which take too much time to remediate.
Global Application Security at a pharma/biotech company with 10,001+ employees
They've improved the speed of the inspection process. I'd never want the inspection process to become something that's suspect. False positives would diminish confidence in the results; if we don't continue to focus on reducing false positives... that is number one. The on-platform reporting needs to be opened up much more. We'd like to be able to look at the inspection data from a trending perspective in a much more open manner. I need to be able to sort and filter much more flexibly than I can today. I don't have the on-platform flexibility to sort and filter inspection data, and that's not good. Another thing I need is continued support for the new languages that are popular today. Most of them are scripting languages more so than real, fourth-generation, commercial-grade stuff; we're evolving. Most applications are using so much open source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories. Currently, I have to have another supplier in my tool chain, and that means I have to extract data from different tool repositories to see one holistic picture of security quality, risks, and vulnerabilities. It would be great if I could see it all in one place, but I have to harvest the information from Veracode, harvest information from Rapid7, harvest information from Sonatype, just so that I can get a good, round perspective of where my first-party and third-party code, and the components in the dependent libraries, are in terms of weaknesses, risks, and vulnerabilities. That's a burdensome activity. If Veracode spent more time providing more plug-ins to other competitors' environments, or provided very open APIs so we could harvest data and bring it into one lens so that we can look at the security inspection data through one set of dashboards, it would provide a lot more value from a governance perspective.
Dave Cheli
Chief Technology Officer
The Web portal, at times, is not necessarily intuitive. I can get around when I want to, but there are times when I have to email my account manager: "Hey, where do I find this report?" or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal. With that said, I hate when companies redo their portals all the time. So it's kind of a catch-22, but that would be my only critique.
Associate Director
They are already working on it, but we are looking forward to seeing it. We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass. Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling a consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight. Therefore, if you have the report ready and want a consultation, it sometimes takes more than three to four days to arrange a meeting. I feel that waiting four days to get a consultation and understand the report around whatever has been identified is a bottleneck.
Information Technology at an insurance company with 51-200 employees
It can take time to find options if you don't use the interface a lot. At some point, a bit of interface restyling may help (but not now, now that I've learned it).
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year. That would probably be the biggest area, access to more granular data that we could pull and use on a regular basis. Better dashboards. That kind of information.
Suzan Nascimento
SVP Application Security at a financial services firm with 10,001+ employees
I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment. They cover a lot of languages already and it doesn't make sense for them to cover legacy languages, but I know there is a need for covering legacy languages. My biggest need, the kind of feature I would want, is more on the technical support side.
CISO at Laboratory Corporation of America Holdings
As we move to more of a mobile space, much of the code was developed on desktops, mobile laptops, and things. Mobile apps run differently and they have a different runtime. Chris Wysopal and I have talked several times over the past few years about how to address that. I'm not sure that there is a good answer yet, because it is so complex. But I'm pretty sure with Chris' track record that they are going to come up with a very good way to do that in the near future.
Dennis Miller
VP Development
Going through the mitigation is probably the hardest thing to do and that's still an ongoing process. If there is a code issue to mitigate, it sometimes takes a little bit longer than what you would think. It might not be anything that they're doing. It's just that their engine is changing and our code is changing, so we have two things moving. We get a good score one time, scan it again on a new release, and the score drops because the engine is picking up more things. I don't know if they could do anything about that. It's just one of those things you might just have to live with.
Tim Jee
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
Speed. When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code; it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code. In our case, we have quite a bit of older code. It takes some time to get through.
Divakar Rai
Senior Solutions Architect at NessPRO Italy
This is not a very elaborate application. I think that the suggestions are between thirty-five and eighty percent accurate, with most cases being about seventy-five percent. Some of them are references where you have to go and determine whether they are direct threats, or not. At the point in time when we were using this solution, we had older coders and the way Veracode tests for vulnerabilities may have been affected by the code style. I found that there were far too many warnings and some false positives. Of course, this comes with every product, and there are multiple tools that are used. Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.
Vice President of Technology at TKM INFOTECH
Technically there is nothing wrong with Veracode. The only issue that we have is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. One of the things that we have from a reporting point of view is that we would love to see a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don't have the greatest security features, but those are usually minor and we don't want to see those types of notifications. So we would like to see a kind of graphical representation of the problem areas. I would like to know which file is the biggest source of issues for me so that I can focus on resolving the issue, as a project manager. With how it is now, I am able to do this, but I have to take out the whole PDF file and extract it. It takes up a lot of my time. I would like to see better strategic reporting. It would be great to get better graphical reporting.
Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes. Also, the Greenlight product that integrates into the IDE is not available for PHP, which is our primary language.
Information Security Lead Analyst at a consumer goods company with 10,001+ employees
It's a pretty dynamic product. It's changing all the time and improving.
VP of Services at a tech vendor with 51-200 employees
The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work on our end.
Mike McAlpen
CISSP, CISM at a tech services company with 1,001-5,000 employees
I think they are doing pretty well. It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo. I think that's a real good idea.
Application & Product Security Manager at an insurance company with 1,001-5,000 employees
* Better APIs
* Reporting that I can easily query through the APIs
* Preferably, a license model that I can predict
It would save us time when integrating with the APIs. Difficult APIs are annoying to work with and we have to trial/error our way through the integrations. The more straightforward and friendly they are, the less we have to trial/error.
Rick Spickelmier
Chief Technology Officer at a tech vendor with 201-500 employees
We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time.
Elina Petrovna
Professor at a government with 51-200 employees
* Management of false positives
* Agile best practices: violation detection
* Support for more programming languages, like SQL
* Support for more frameworks for Java: .NET, Python, PHP, C, and C++
Israel Varela
VP Sales at a non-tech company with 11-50 employees
More integration into the specific application; an open API would be good. Aside from that, I think they do a really good job in terms of the features they have.
Siddharth Kundalkar
Director Software Engineering at a tech services company with 51-200 employees
We use Ruby on Rails and we still don't have any support for that from Veracode. The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity.
Managing Principal Consultant at a tech vendor with 11-50 employees
This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages. Specifically, I would like to see support for mobile frameworks like Xamarin and React JS, as well as extended support for iOS applications.
Chief Compliance Officer at a financial services firm with 51-200 employees
* Entering comments for internal tracking
* Entering a priority
* Reports that show the above
Project Manager at a tech vendor with 501-1,000 employees
Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.
Evan Christoe
AVP, IS Manager with 1,001-5,000 employees
We would like to see improvement in reporting, in particular, end dates on mitigations.
Terry Chu
DevOps Release Engineer at a tech services company with 51-200 employees
* The user interface could be more sleek.
* Some scanning requirements aren't flexible.
* Some features take some time for new users to understand (like what exactly "modules" are).
Head of Technology at a tech services company with 11-50 employees
Mitigation review isn't always super easy.
Lead Security Engineer at a tech vendor with 201-500 employees
Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries.
VP Worldwide Delivery Acceleration at a financial services firm
Some important languages are not supported.
Michael Ward
Managing Director with 1,001-5,000 employees
The solution currently does not support Dynamic Application Security Testing, which is an important facet of application security testing. In addition, the current version of the application does not support testing for APIs.
Michael Stricklen
Executive Director at a consultancy with 10,001+ employees
* More timely support for newer languages and framework versions.
* Integration with Slack is another request from our developers.
Team Lead / Architect at a tech services company with 1,001-5,000 employees
They should improve on the static scanning time.
Software Security Consultant at a tech services company
It should include more informational, low-level vulnerability summaries and groupings. Large related groups of low-level vulnerabilities may amount to a design flaw or another avenue for attack.
Ashish Kulkarni
Manager at a tech services company with 10,001+ employees
Veracode should provide support for more software languages, like ABAP.
Product Manager with 201-500 employees
All areas of the solution could use some improvement.