Veracode Room for Improvement

Sebastian Toma
Engineering Security Manager at Nextiva
Veracode owns SourceClear. They bought them in 2017 or 2018, and they still are not fully integrated with the actual Veracode dashboards. Right now, you have to use two separate tools from the same company: one for the static analysis and dynamic analysis, then the second one for the third-party dependency. That is an area where they need to improve the service. Veracode needs to bring the second tool into the dashboard already so that we don't have to use two separate logins. We don't want two different sets of jobs that we have to upload into two different places, etc. Veracode also needs better integration of their tools with each other. Veracode should make it easier to navigate between the solutions that they offer, i.e. between dynamic, static, and the source code analysis. The SDA feature is on the website. Veracode should finally integrate SourceClear with the company product line after two years. I would love to see that. Veracode did not previously support Python 3. They just released the support for Python 3. Keeping updates coming quicker would be the main thing that I would love to see, i.e. to have all these solutions better integrated.
Chief Information Security Officer with 501-1,000 employees
I attended a meeting of one of the security organizations I am associated with. At the meeting were security professionals from several major retail companies. The topic of discussion happened to be application development security. When the question was asked concerning what tools are being used, many of these major retail companies said they are using Veracode. However, they were quick to comment that the product is too expensive and that there are too many false positives which take too much time to remediate.
Sr. Security Architect at a financial services firm with 10,001+ employees
We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen. This ended up being relatively minor. One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive. Separately, I find the results console somewhat confusing. When you are running multiple scan types for the same application, I've sometimes found it difficult to sort out where issues came from when I need that information.
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: April 2020.
431,275 professionals have used our research since 2012.
Divakar Rai
Senior Solutions Architect at NessPRO Italy
This is not a very elaborate application. I think that the suggestions are between thirty-five and eighty percent accurate, with most cases being about seventy-five percent. Some of them are references where you have to go and determine whether they are direct threats, or not. At the point in time when we were using this solution, we had older coders and the way Veracode tests for vulnerabilities may have been affected by the code style. I found that there were far too many warnings and some false positives. Of course, this comes with every product, and there are multiple tools that are used. Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.
Vice President of Technology at Cogniphi Technologies Pvt Ltd
Technically there is nothing wrong with Veracode. The only issue that we have is uploading the code, the process of actually uploading and getting our results back. All of that is a little cumbersome. One of the things that we would love to see, from a reporting point of view, is a graphical report. If you look through a report for something that has come back from Veracode, it takes a whole lot of time to just go through all the pages of the code to figure out exactly what it says. We know certain areas don't have the greatest security features, but those are usually minor and we don't want to see those types of notifications. So we would like to see a kind of graphical representation of the problem areas. I would like to know which file is the biggest source of issues for me so that I can focus on resolving the issue, as a project manager. With how it is now, I am able to do this, but I have to take out the whole PDF file and extract it. It takes up a lot of my time. I would like to see better strategic reporting. It would be great to get better graphical reporting.
Riley Black
Senior Security Analyst at a health, wellness and fitness company with 1,001-5,000 employees
Improve Mobile Application Dynamic Scanning (DAST) for .ipa and .apk. Right now I have to jailbreak an iPhone and root an Android to intercept and fuzz requests with a Burp Suite proxy. That is a very time-consuming process and there are lots of dependencies. It would be very helpful if we could upload an .ipa or .apk into a Veracode simulator, provide credentials and run a dynamic scan accordingly. Fuzzing functionality on API resources, HTTP methods, and parameters would also be very useful in testing our Web and API Application Firewalls, response pages, and other WAAF actions.
Rick Spickelmier
Chief Technology Officer at a tech vendor with 201-500 employees
We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time.
Managing Principal Consultant at a tech vendor with 11-50 employees
This solution does a good job, but it is limited to only a few technologies. I would like to see expanded coverage for supporting more platforms, frameworks, and languages. Specifically, I would like to see support for mobile frameworks like Xamarin and React JS, as well as extended support for iOS applications.
Evan Christoe
AVP, IS Manager with 1,001-5,000 employees
We would like to see improvement in reporting, in particular, end dates on mitigations.
Software Engineer at a financial services firm with 501-1,000 employees
I think for us the biggest improvement would be to have an indicator when there's something wrong with a scan. For instance, we have CI scans that run automatically, and sometimes the files don't get uploaded and/or processed by Veracode. Now there's a static scan that hasn't been completed, which blocks all future scans. The only way we know this is an issue is by going into the Web UI, checking each application, and looking for stalled scans. This is time-consuming and frustrating.
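The failure mode described in this review (a CI-triggered static scan that never finishes and silently blocks every later scan, noticed only by clicking through each application in the UI) is one a pipeline can check for itself. The following is an added example, not Veracode's code and not a call to the Veracode API: the scan records, the status names in IN_PROGRESS and TERMINAL, and the four-hour threshold are constructed assumptions standing in for whatever your pipeline can export about its own scans. The check also treats a status it does not recognise as stalled, since that is exactly the case nobody would otherwise look at.

```python
"""Stalled-scan detector for CI-triggered static scans (added example).

Not Veracode's code and not the Veracode API. The Scan records and the
status names below are constructed stand-ins for what a pipeline could
export about its own scans: application, scan id, status, start time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Statuses in which a scan is legitimately still working (assumed names).
IN_PROGRESS = {"pending_upload", "uploaded", "prescan", "scanning"}
# Statuses in which a scan is finished, successfully or not (assumed names).
TERMINAL = {"results_ready", "failed", "cancelled"}


@dataclass(frozen=True)
class Scan:
    app: str
    scan_id: str
    status: str
    started_at: datetime  # timezone-aware UTC


def find_stalled(scans, now, max_age=timedelta(hours=4)):
    """Return (app, scan_id, status, age) for scans that are not finished
    and are either older than max_age or in a status we do not recognise."""
    stalled = []
    for s in scans:
        if s.status in TERMINAL:
            continue
        age = now - s.started_at
        if s.status not in IN_PROGRESS or age > max_age:
            stalled.append((s.app, s.scan_id, s.status, age))
    return stalled


def blocked_apps(scans, now, max_age=timedelta(hours=4)):
    """Applications whose newest scan is stalled: these are the ones where
    the next CI upload would be blocked by the unfinished scan."""
    latest = {}
    for s in scans:
        if s.app not in latest or s.started_at > latest[s.app].started_at:
            latest[s.app] = s
    stalled_ids = {sid for _, sid, _, _ in find_stalled(latest.values(), now, max_age)}
    return sorted(app for app, s in latest.items() if s.scan_id in stalled_ids)


# Constructed sample data: a fixed "now" so the result is reproducible.
NOW = datetime(2020, 4, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Scan("billing-api", "b-101", "results_ready", NOW - timedelta(days=1)),
    Scan("billing-api", "b-102", "prescan", NOW - timedelta(hours=9)),          # stuck in prescan
    Scan("web-portal", "w-201", "scanning", NOW - timedelta(minutes=30)),       # still fine
    Scan("mobile-app", "m-301", "pending_upload", NOW - timedelta(hours=5)),    # upload never completed
    Scan("batch-jobs", "j-401", "weird", NOW - timedelta(minutes=5)),           # unknown status
]


if __name__ == "__main__":
    for app, sid, status, age in find_stalled(SAMPLE, NOW):
        print(f"STALLED {app} {sid} status={status} age={age}")
    blocked = blocked_apps(SAMPLE, NOW)
    print("blocked applications:", ", ".join(blocked) or "none")
    # Non-zero exit so a scheduled CI job fails loudly instead of silently.
    raise SystemExit(1 if blocked else 0)
```

Run it as a scheduled job after replacing SAMPLE with real export data; the non-zero exit turns a stalled scan into a failed job that shows up in the pipeline rather than something to be discovered by hand.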
VP Engineering at a tech services company with 201-500 employees
It needs better controls to include/exclude specific sections when creating a report that can be shared externally with customers and prospects.
Michael Stricklen
Executive Director at Parthenon-EY
* More timely support for newer languages and framework versions.
* Integration with Slack is another request from our developers.
Team Lead / Architect at a tech services company with 1,001-5,000 employees
They should improve on the static scanning time.
Ashish Kulkarni
Manager at Wipro Technologies
Veracode should provide support for more software languages, like ABAP.