
Veracode Security Labs Overview

Veracode Security Labs is the #1 ranked solution in our list of top Application Security Training Software. It is most often compared to Codebashing: Veracode Security Labs vs Codebashing

What is Veracode Security Labs?

Veracode Security Labs shifts application security knowledge left, training developers to tackle modern threats in the evolving cybersecurity landscape by exploiting and patching real code, and applying DevSecOps principles to deliver secure code on time. Through hands-on labs that use modern web apps written in your chosen languages, developers learn the skills and strategies that are directly applicable to an organization's code. With detailed progress reporting, email assignments, and a leaderboard, developers are encouraged to continuously level up their secure coding skills. When development is empowered to fix security defects and reduce risk, security teams are better supported to scale AppSec programs, meet compliance requirements, and achieve business outcomes.

Veracode Security Labs is also known as Veracode Developer Training.

Veracode Security Labs Buyer's Guide

Download the Veracode Security Labs Buyer's Guide including reviews and more. Updated: September 2021

Veracode Security Labs Customers
McKESSON, Alfresco

Pricing Advice

What users are saying about Veracode Security Labs pricing:
  • "It's expensive. Know that going in. Your organization, your programmers, and your product will be better for it though."
  • "The pricing for qualified startups should only charge for Veracode Developer Training."

Veracode Security Labs Reviews

JS
Senior Software Developer at a pharma/biotech company with 201-500 employees
Real User
Top 5, Leaderboard
Produces reliable software scans but overall database scanning needs to be improved

Pros and Cons

  • "The deployment didn't take that long."
  • "Its ability to handle more types of files and making it work better with databasing and other API could be improved."

What is our primary use case?

I have used it and looked at it from the perspective of its analysis, if you will, of database files, SQL, MCL SQL. I also looked at other components, Java and such, but not as in-depth. Personally, I think it was a little difficult trying to get it to profile those particular files to get them loaded in; however, it was honestly probably user error — just my misunderstanding of how to use the software more than anything else which is why it took a little longer. The Java stuff was a lot more streamlined. The database stuff was not as robust.

We used this solution to identify vulnerabilities. Essentially, load stuff up, find out what it finds. The next step is (assuming we have enough people to fix the higher priority ones) to look at some of the tips or remediation. Generally, just to find out what's wrong.

We're a smaller company, we had roughly 10 people or less using this solution. I don't think anyone is actively using it as much now because of project work, etc.

I am not familiar with how many other people are using it currently. Probably not many because the project work is different. Previously, there were more business needs for us to build more software but things have changed a little bit in the company. That requirement is different now from a corporate perspective.

How has it helped my organization?

Mainly it's just quality. The level of comfort that we have now just from using the product. Again, there may be some other people at the company that had used it a lot more than me but just knowing, having another set of eyes, gives you a comfort level. 

What needs improvement?

The database portion of it where it's loading and analyzing. That seemed to be a little more laborious compared to the Java stuff which was easier to use and more streamlined.

Its ability to handle more types of files and making it work better with databasing and other API could be improved. That would be really nice.

What do I think about the stability of the solution?

It seemed generally stable. The database stuff didn't seem to be working as well, as fast. It wasn't as responsive. In other words, we'd load something up and then we find out that it loaded everything but there were zero results that it found when it did the analysis. We tried it again and we got the same thing.

What do I think about the scalability of the solution?

It seemed like it could handle volumes. It was pretty fast, too.

How are customer service and technical support?

When the person I referenced earlier needed help, it seemed like he was able to get the help he needed — they were pretty responsive. He didn't mention that there were any issues with technical support.

Which solution did I use previously and why did I switch?

No, I don't think we did. We had looked at the reviews and started using Veracode.

How was the initial setup?

I wasn't that involved in the initial setup of it — the bootstrapping and getting it all ready on the cloud. That being said, setting up a profile for it to do its thing was pretty easy to do. That was pretty straightforward.

The deployment didn't take that long. I don't think it took the guy very long to do it. There was probably some stuff that was done before I started using it. I'm not familiar with what was done but I don't think it was much more than just getting a trial account and such. 

What about the implementation team?

I don't recall who deployed it, but one person can look after deployment and maintenance. The CIO looked after it — he was a "Jack of all trades" type.

What other advice do I have?

If you're interested in using this solution, you should take advantage of the trial and throw some real-life example code at it and try to figure out how you're going to deal with that. Once you get the results back, just do a trial.

On a scale from one to ten, I would give this solution a rating of seven.

It's hard to really put a number on it but it's just mainly because of my experience with the databasing analysis. Databasing is so prevalent and so important, the security of that, it shouldn't be as hard as it seemed to be when we were trying to analyze SQL code as it was, compared to the Java stuff.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1360620
Chief Technology Officer at a tech services company with 11-50 employees
Real User
Top 20
E-learning option enables our developers to dig deeper into the security issues

Pros and Cons

  • "Our developers are more security-aware and are writing better code. The e-learning option allows our developers to dig deeper into the security issues. Topics such as sanitizing input, carefully configured logging output, and other typical sources of vulnerabilities."
  • "Developers frequently complain to me about the user interface and the difficulty in navigating the web site."

What is our primary use case?

Our use cases are for both dynamic and static scanning of web applications. The application is cloud-based in a major cloud provider. We schedule scans at regular intervals that support various compliance efforts within the enterprise. The application has a modern design with a responsive UI that adapts to the display of the device being used. Veracode seems to have little trouble scanning our application. Overall, we are happy with the service that Veracode provides us although the cost does seem quite high in my opinion.

How has it helped my organization?

Our developers are more security-aware and are writing better code. The e-learning option allows our developers to dig deeper into the security issues. Topics such as sanitizing input, carefully configured logging output, and other typical sources of vulnerabilities. We have a better understanding of the proper configuration of web servers and web proxies as well. The Atlassian integration has helped manage our compliance paperwork in a more automated way also. Overall, we are happy with the service that Veracode provides to us.

What is most valuable?

The Atlassian integration is the most valuable aspect of this solution. Many other security platforms don't seem to have this feature or want an exorbitant amount of money to get it. Automated integrations such as these make compliance much easier to track and maintain. Additionally, the integrations help with agile processes such as DevOps. We are able to schedule things like scan submissions to Veracode that aid in automatic, regular scanning of our web application. Veracode also allows for customizing your corporate policy for things such as remediation deadlines.

What needs improvement?

Developers frequently complain to me about the user interface and the difficulty in navigating the web site. I too have had some very frustrating moments trying to find things. I do not find the dashboards all that helpful though they are pretty and there seem to be plenty of them. I am running out of critiques to say about Veracode but it seems I must use 500 characters regardless of what I need to say. It seems like an arbitrary requirement. I'm still not at 500 yet. Can I say that this requirement should be cut in half?

For how long have I used the solution?

We have been using Veracode for a little over two years.

What do I think about the stability of the solution?

Rock solid. I don't think we've ever had issues being able to access the system. Whenever we have needed to log in and look at something in our results, we have always been able to do so. The only stability issue we have had is with the dynamic scan authenticating into our web app. Sometimes for no understandable reason, it will stop authenticating. However, this has only happened a couple of times.

What do I think about the scalability of the solution?

Scalability seems fine. Have not noticed any issues.

How are customer service and technical support?

Service and support is always helpful and knowledgeable. Turnover seems to be an issue. We are frequently being assigned new staff to our account. So far though, the level of service has been great.

Which solution did I use previously and why did I switch?

We tried to do it manually ourselves with Burp Suite Pro but it was too cumbersome and no integrations with Atlassian.

How was the initial setup?

Straightforward and web-based. 

What about the implementation team?

Configured ourselves with some assistance setting our policy configuration as I recall. Veracode staff is knowledgeable and always helpful. 

What was our ROI?

Difficult to quantify. What's the cost if you ignore security?

What's my experience with pricing, setup cost, and licensing?

It's expensive. Know that going in. Your organization, your programmers, and your product will be better for it though. 

Which other solutions did I evaluate?

I spoke with Checkmarx as well. At the time, Veracode seemed to be cheaper.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1491885
Application Security Engineer at Charles Schwab
Real User
Top 20, Leaderboard
Hands-on and effective, practical, and has a web-based interface requiring no installation

Pros and Cons

  • "The best part is that this is all within the web browser, so the developer doesn't have to install any development environments or download anything to work through the training."
  • "Web application development covers much of the industry, but there are also developers working with these other technologies that could benefit from a learning environment more specific to their technologies."

What is our primary use case?

I have used it as part of Veracode's Secure Coding Challenges. The challenges are a competition hosted by Veracode, where community members work through the training in a time-limited fashion. The first members to complete the challenges are deemed the winners.

The challenge topics range among OWASP's top 10 topics. I am an application developer, so the Veracode Security Labs are directly relevant to my work. They help illuminate common coding problems and walk through the appropriate way to fix them.

How has it helped my organization?

Veracode Security Labs walks through a common scenario. A developer inherits a codebase that has issues and has to figure out how to fix them. The platform helps guide the developer through the best way to accomplish this. Learning through a hands-on approach is very effective.

With the hands-on learning approach developers become more secure coders, which means they are less likely to add bugs to the software they are building. This saves time and money in the long run as the mindset of security is shifted left to earlier in the software development lifecycle.

What is most valuable?

The most valuable feature is the guided approach of walking the developer through the best way to fix the issues in the codebase. This approach is hands-on and extremely effective at teaching developers the right way to implement security controls.

Being able to view the codebase, and edit it in order to remediate the vulnerabilities is extremely powerful.

The best part is that this is all within the web browser, so the developer doesn't have to install any development environments or download anything to work through the training.

What needs improvement?

At this point in time, the platform seems to be focused on web-based applications. For additional features, I can see opportunities for other types of technologies, like mobile applications, batch processing, and backend services or message queue processing. I suspect that these additional types of learning would be difficult to provide through a web-based learning environment, but not impossible.

Web application development covers much of the industry, but there are also developers working with these other technologies that could benefit from a learning environment more specific to their technologies.

For how long have I used the solution?

I have used it as part of Veracode's Secure Coding Challenges, starting in late 2020.

What do I think about the stability of the solution?

This is a stable product.

What do I think about the scalability of the solution?

My impressions of the scalability are positive.

Which solution did I use previously and why did I switch?

I have not used another similar solution.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

It was deployed through the Veracode Secure Coding Challenge.

Which other solutions did I evaluate?

I did not evaluate other similar products.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
RR
Founder & CEO at a healthcare company with 1-10 employees
Real User
Top 5, Leaderboard
Valuable wide-spread features, stable, scalable, easy to install and deploy, with amazing technical support

Pros and Cons

  • "The features are so extensive, which is why they are ahead of the game, and the reason I continue to use this solution."
  • "The only area of this solution that needs improvement is the pricing for startups."

What is our primary use case?

We use Veracode Security Labs along with Veracode Developer Training and other Veracode components in our company for Digital Health, and security testing.

How has it helped my organization?

Veracode and all of its components have helped us in developing a secure product.

What is most valuable?

All of the features offered in this solution are valuable.

The features are extensive, which is why they are ahead of the game, and the reason I continue to use this solution.

What needs improvement?

The only area of this solution that needs improvement is the pricing for startups.

For how long have I used the solution?

I have been working with Veracode for several years.

What do I think about the stability of the solution?

It's a stable solution. We have no issues with stability.

What do I think about the scalability of the solution?

It's a scalable product.

How are customer service and technical support?

The technical support is amazing! They are very responsive.

Which solution did I use previously and why did I switch?

We also use Veracode Developer Training, Manual Penetration Testing, Static Analysis for the same use case.

How was the initial setup?

The initial setup is straightforward and extremely easy to install.

Deployment only took a few hours.

What about the implementation team?

We have a team in-house.

What's my experience with pricing, setup cost, and licensing?

The pricing for qualified startups should only charge for Veracode Developer Training.

The licensing cost should be fair, and the use cost when the company or the clients release their product to the market should also be fair.

What other advice do I have?

They put together a complete solution that has a number of components. My advice is to take it all. Don't just take Developer Training or Security Labs or Static Analysis. Rather, take the whole solution and run with it.

Veracode cannot be taught about security. I would rate Veracode Security Labs a ten out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1561278
Software Architect at a computer software company with 201-500 employees
Vendor
Top 20, Leaderboard
Improves security knowledge for coding, and the approach makes learning more interesting

Pros and Cons

  • "It provides a complete review of vulnerabilities & possible fixes for OWASP Top 10 in one place."
  • "Veracode Security Labs should cover more than only the OWASP Top 10."

What is our primary use case?

We are currently evaluating this platform to see if it would help as a company-wide solution. 

If Veracode Security Labs is chosen then in the future, it will help developers, DevOps, and testers to better and more deeply understand threats and remediations related to application code.

In general, Veracode Security Labs will be used to improve the security of the code and help developers in their daily work.

How has it helped my organization?

At this point, we do not yet have an organization-wide improvement. The selection process is still underway. However, Veracode Security Labs is better than other evaluated competitors' solutions so far.

What is most valuable?

The most valuable features are:

  • Knowledge of how to write a secure application, like OWASP ASVS 4.0, that is spread across the web is gathered into one place. This can save months of learning and search on your own.
  • It is possible to earn Veracode certificate levels one, two, and three, after completion of a defined amount of labs.
  • It provides a complete review of vulnerabilities & possible fixes for OWASP Top 10 in one place.
  • The Hack & Fix learning approach makes the learning process more interesting.
  • Solve vulnerabilities using interactive labs & real applications with the language of your choice.

What needs improvement?

The following areas should be improved:

  • Veracode Security Labs should cover more than only the OWASP Top 10. 
  • A more advanced Veracode Security Labs should be added. 
  • More Java-based labs should be added; ideally, all Veracode Security Labs will be available in the Java language.
  • Veracode Security Labs should provide better support for code completion and syntax control (when applied, e.g. Java) when working on the application code.
  • Some Veracode Security Labs are too easy to complete, although this is a subjective opinion.

For how long have I used the solution?

I have been using Veracode Security Labs for two months.

Which solution did I use previously and why did I switch?

We did not use another solution prior to this one.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
CristobalRodriguez
Principal Information Security Engineer at Sabre
Real User
Top 20, Leaderboard
Good coding challenges, but it needs better auto-completion in the IDE

Pros and Cons

  • "The coding challenges were well put together and I was happy to see some of the challenges even had a built-in web browser."
  • "I would have liked to see a bit better auto-completion in the IDE, and there was a typo in one of the questions where the code you were supposed to copy was missing a pair of parentheses."

What is our primary use case?

We use this eLearning product for our developers. We are working on adding it to our enterprise eLearning solution to help get developers to take it.

How has it helped my organization?

We use Veracode Security Labs as our primary security learning platform. It was pretty cool to use for the first time.

What is most valuable?

The coding challenges were well put together and I was happy to see some of the challenges even had a built-in web browser. That made them very convenient.

What needs improvement?

I would have liked to see a bit better auto-completion in the IDE, and there was a typo in one of the questions where the code you were supposed to copy was missing a pair of parentheses. I'm sure the typo messed up a lot of people. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Alon Mantsur
Chief Executive Officer at Cybrella
Real User
Top 5, Leaderboard
Intuitive developer training, simple and concise installation

What is our primary use case?

It is one of the best solutions in the market to help train the developers. We mostly use AWS as a server with the solution.

How has it helped my organization?

We are satisfied with the solution's ability to train developers.

What needs improvement?

There could be better integration between the API and the pipeline systems. For example, if you do penetration tests and you want to share the results with the DevOps team's pipeline, you cannot do it automatically because the API is not good enough.

For how long have I used the solution?

We have been using the solution for approximately three years.

How was the initial setup?

The installation is straightforward.

What other advice do I have?

I rate Veracode Developer Training a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.