Veracode Overview

What is Veracode?

Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.


Veracode Customers

State of Missouri, Rekner

Veracode Archived Reviews (More than two years old)

Evan Christoe
AVP, IS Manager with 1,001-5,000 employees
Real User
Dec 18, 2018
Substantially reduces the number of unmitigated flaws in our code

What is our primary use case?

We use Veracode to scan custom-developed code for flaws.

What other advice do I have?

I would recommend it. It covers all our custom-developed applications and will expand as new applications and services are added. We have 50-plus users of Veracode. Their roles include InfoSec, developers, development managers, QA, and configuration management. In terms of deployment and maintenance, we have four people in configuration management and InfoSec.

ChiefInfaf47
Chief Information Security Officer with 501-1,000 employees
Real User
Nov 19, 2018
Helped us address our critical vulnerabilities through static scanning

What is our primary use case?

We use it for static checking.

Pros and Cons

  • "One of the valuable features is that it gives us the option of static scanning. Most tools of this type are centered around dynamic scanning. Having a static scan is very important."

What other advice do I have?

I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool. I really like Veracode. That is one of the reasons that we brought them onboard ten years ago. Of course, they were new back then. The different aspects of the offerings that Veracode provides to their customers are somewhat unique and, right now, I couldn't ask another thing from them. We have approximately 30 Java developers and four or five testers. There are also project managers using it. We have one…

it_user673734
Chief Technology Officer at a tech vendor with 201-500 employees
Vendor
Nov 19, 2018
Increases our confidence in the security of our server-side and mobile apps

What is our primary use case?

We use it for security scanning of SaaS and mobile software that we develop: one server-side and two mobile applications. Most customers require SAST and DAST scanning in order to purchase.

Pros and Cons

  • "It has an easy-to-use interface."
  • "We would like a way to mark entire modules as "safe." The lack of this feature hasn't stopped us previously, it just makes our task more tedious at times. That kind of feature would save us time."

What other advice do I have?

Be aware that the first run will find a lot of issues, many of which are not real issues; it will take time to understand that. Don't change object names as that will confuse it. Make sure you get development buy-in early. We're looking to expand its use within the development organization and are looking into another license. Currently, we have four users of the solution, myself (security) and developers. The four of us also maintain it.

Ashish Kulkarni
Global Presales Head - Security Assurance at Wipro Technologies
Consultant
Oct 17, 2018
Provides faster scans but with a higher number of false positives

What is our primary use case?

Static application security testing, which is the primary use case. There were different web applications which were scanned using this tool.

How has it helped my organization?

Veracode scans provide a higher number of false positives. Also, the overall reporting structure is complicated, and it's difficult to understand the report.

What is most valuable?

Veracode provides faster scans compared to other static analysis security testing tools.

What needs improvement?

Veracode should provide support to more software languages, like ABAP.

For how long have I used the solution?

Less than one year.

Michael Stricklen
Executive Director at Parthenon-EY
Real User
Oct 15, 2018
It has almost completely eliminated the presence of SQLi vulnerabilities. Needs more timely support for newer languages and framework versions.

What is our primary use case?

Scanning web-facing applications for potential security weaknesses. Helping to document the introduction of technical debt in our code bases.

How has it helped my organization?

It gives feedback to developers on the effectiveness of their secure coding practices. It has almost completely eliminated the presence of SQLi vulnerabilities.

What is most valuable?

Multiple languages and framework support: We can use one tool for our SAST needs. Developers report liking the IDE integration provided by this tool.

What needs improvement?

More timely support for newer languages and framework versions. Integration with Slack is another request from our developers.

For how long have I used the solution?

Trial/evaluations only.

reviewer923928
Team Lead / Architect at a tech services company with 1,001-5,000 employees
User
Sep 13, 2018
We use its static analysis during development to eliminate vulnerability issues

What is our primary use case?

I use Veracode to run scans on .NET applications, web applications and Windows/fat form applications. I also use it to make deployments in three-tier environments: the application server tier, web server tier and the database tier.

How has it helped my organization?

Veracode has improved our penetration testing process. We use Veracode static analysis during development to eliminate vulnerability issues.

What is most valuable?

I have found the user interface extremely helpful in prioritizing issues. It allows me to prioritize the work to help resolve an issue.

What needs improvement?

They should improve on the static scanning time.

For how long have I used the solution?

Three to five years.

Michael Ward
Managing Director at Harrods
User
Jul 11, 2018
Provides the capability to track remediation and the handling of identified vulnerabilities. The application does not support API or Dynamic Application Security Testing

What is our primary use case?

We are planning on introducing a static code analysis tool to support a DevOps effort in our environment. The objective of the solution is to allow the team to identify vulnerabilities in the source code and improve the hygiene of the developed code before deployment.

Pros and Cons

  • "Allows us to track the remediation and handling of identified vulnerabilities."
  • "Provides the capability to track remediation and the handling of identified vulnerabilities."
  • "The security team can track the remediation and risk acceptance statistics."
  • "The solution does not support Dynamic Application Security Testing."
  • "The current version of the application does not support testing for API."

Associat7de6
Associate Director
Real User
Jul 5, 2018
Provides security of different Shadow IT activities in our environment, however there are limitations on reporting causing bottlenecks

What is our primary use case?

Application security scanning.

Pros and Cons

  • "The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process."
  • "It provides security of different Shadow IT activities in our environment, especially around application development and website hosting."
  • "We would like the consolidation of all the different modules. This would help, so then we would be able to see analytics and results on one screen, like a single pane of glass."
  • "Once your report has been generated, you need to review the report with the consultation team, especially if it is too detailed on the development side or regarding the language. Then, you need some professional help from their end to help you understand whatever has been identified. Scheduling consultation takes a longer time. So, if you are running multiple reports at the same time, then you need to schedule multiple consultation times with one of their developers. There are few developers on their end who can work with your developers, and their schedules are very tight."

What other advice do I have?

I would rate the product as an eight out of 10 for recommending it to colleagues. I would rate the overall product as a seven out of 10.

JorgeIzquierdo
Product Manager at GMS
User
Jun 13, 2018
All areas of the solution could use some improvement. It helps me to detect vulnerabilities.

What is our primary use case?

We are Veracode partners/distributors in Quito, Ecuador. At this moment, I am reviewing the solution.

How has it helped my organization?

It helps me to detect vulnerabilities.

What is most valuable?

I use the SAST feature the most.

What needs improvement?

All areas of the solution could use some improvement.

For how long have I used the solution?

Trial/evaluations only.

it_user873405
Lead Security Engineer at a tech vendor with 201-500 employees
Real User
May 24, 2018
Our customers get the security of bug-free code, but raw file scans would help

What is our primary use case?

SAST. We have not yet integrated it into our software development lifecycle as it doesn't have the feature that enables us to integrate it with our repository.

Pros and Cons

  • "Scanning of .war and .jar is key for us."
  • "Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries."

What other advice do I have?

Implement this solution if you see WAF and SOC in your future.

it_user877104
VP Worldwide Delivery Acceleration at a financial services firm
Real User
May 23, 2018
Improved our security posture without the overhead of supporting infrastructure

What is our primary use case?

SAST vulnerability scanning. Veracode is embedded in our release pipeline.

Pros and Cons

  • "Because it is a SaaS offering, I do not have to support the infrastructure."
  • "Some important languages are not supported."
  • "We have encountered occasional issues with scalability."

What other advice do I have?

Make sure the supported languages align with your developers.

Elina Petrovna
Professor at BitBrainery University
Real User
May 22, 2018
Does software composition analysis, discovering open source software weaknesses

What is our primary use case?

C++ financial application acting as hub for my academic accounting system. The application, which my institution partially owns, was analyzed after just having compiled the code. This happens seldom in academic software. It does software composition analysis, discovering open source software weaknesses.

Pros and Cons

  • "I can have quick results by just uploading compiled components."
  • "It gives me an idea about the most important vulnerabilities and fast remediation tips."
  • "It does software composition analysis, discovering open source software weaknesses."
  • "It could be improved with support for more programming languages, like SQL."

What other advice do I have?

I wish Veracode support had more SDLC integration tools.

it_user873351
CISO at Laboratory Corporation of America Holdings
Video Review
Real User
May 17, 2018
Enables me to provide better code, faster, so my time to market is less

Pros and Cons

  • "I don't have to have a team of developers behind me that keep up with all the latest threats because the subscription service they provide for me does that."

What other advice do I have?

On the rating scale is there anything above 10? If there are no ones and tens, it would be the closest to 10. They have always been supportive. We have had to change, do course corrections during implementations, or particular types of coding. I have just never had a problem. My loyalty to the product has been primarily due to the service and the expedience in which they solve any problems we have.

it_user873348
VP at a non-tech company with 11-50 employees
Video Review
Real User
May 17, 2018
Enables us to provide secure code training packages to our customers

What other advice do I have?

For us, whenever we are selecting a partner, vendors to work with who are going to be working with our customers, we have to make sure that they align regarding customer support philosophy, and that is the reason we selected to work with Veracode. I would definitely rate Veracode a 10 out of 10, based on our customer feedback. Whenever we know the relationship is going well between Veracode and our customers, it reflects very well on us.

it_user873345
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
Video Review
Real User
May 17, 2018
Provides an all-in-one metrics location, I can see where everything is across my full portfolio

Pros and Cons

  • "What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire portfolio of applications I have in this program, and I can report out on it."
  • "When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a little long, especially legacy code."

What other advice do I have?

I give Veracode a solid nine out of 10 because it is a full-featured product. It is not just something that they are selling to you and then leaving you to figure out how to use it. They actually help you every single step of the way and they want to show you how to do it. Their testers, their application security consultants, really help you and help educate the developers. They walk you through every step of the way.

Suzan Nascimento
SVP Application Security at a financial services firm with 10,001+ employees
Video Review
Real User
May 17, 2018
Remediation consulting calls with the vendor help us find vulnerabilities much faster

Pros and Cons

  • "The most valuable feature is the remediation consulting that they give. I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen."
  • "One of the best things they offer is the scalability. The fact that you can work with it through the cloud means that if you have unintegrated business units, you don't have to worry about having a solution on-prem and having the network connection; you don't have to worry about giving up source code, you are just sending your binary files for most of the applications. So it scales much faster."
  • "I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our environment."
  • "They cover a lot of languages already and it doesn't make sense for them to cover legacy languages but I know there is a need for covering legacy languages."

What other advice do I have?

I would give Veracode a nine out of 10 because it scales incredibly well, they have very qualified people working there who are able to clearly articulate what the problems are when they are talking in a remediation or consultation call. They are very knowledgeable, they are not condescending when they talk to a developer. The tool is very easy to consume. It's not like looking at a menu with 20 pages at a restaurant, it's very simple to digest. They have a lot of API connectors, they cover a lot of languages and it just scales. You can't beat that. Finally, the relationship is great with…

it_user866175
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
Real User
May 2, 2018
Reporting and mitigation features allow our developers to work independently

What is our primary use case?

Dynamic and static code analysis.

Pros and Cons

  • "The developers' awareness of the security weaknesses within their code has improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with."
  • "The one thing we really liked about Veracode when we got it was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developer."
  • "It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications."
  • "The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well."
  • "I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that time frame, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better."

What other advice do I have?

My advice is what I mentioned in the pricing/licensing section above, you really need to understand what it is you are looking to do. Also, take into account the data sensitivity of the applications. It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications. Understand which are your critical apps that deal with critical, very sensitive data, and then apply a more rigorous scan model to them, versus internal applications that perhaps don't deal with as much PII, with as much sensitive information, and aren't available to…

it_user852402
Software Security Consultant at DXC Technology
Consultant
Apr 17, 2018
Code scanning is fast with current, updated algorithms

What is our primary use case?

Provides static code analysis of the customers' applications from all industries. It includes any type of code and scripts, but mostly Java, .Net, C++, and C# environments.

How has it helped my organization?

The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms.

What is most valuable?

Provides consistent evaluation and results without huge fluctuations in false positives or negatives.

What needs improvement?

It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack.

For how long have I used the solution?

More than five years.

it_user854784
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
Real User
Apr 12, 2018
Keys for us are the static scanning and the ability to set policy profiles specific to us

What is our primary use case?

Application development and secure code development.

Pros and Cons

  • "Valuable features for us are the static scanning of the software, which is very important to us; the ability to set policy profiles that are specific to us; the software composition analysis, to give us reports on known vulnerabilities from our third-party components."
  • "Veracode is a cloud-based platform, where they manage all the back-end, and they do a lot of analysis during the scans, and they do a lot of post-scan reconciliation."
  • "That it is a cloud-based solution is very valuable to us. We don't need that hardware running our scans and hosting the environment to be scanned. Also, the technology, the static scanning versus dynamic scanning produces a much better result, a more accurate result."

What other advice do I have?

We recommend Veracode to colleagues all the time. I'd give the advice of not getting hung up on trying to compare the static scanning to the dynamic scanning, that's number one. Don't even compare them. If you're doing neither, do statics first. It'll get the majority of your exposures addressed. Then you come in, in a second round, and do dynamic. Dynamic really becomes more of a confirmation of security. The other piece of advice I'd give is to "follow the directions." Make sure they understand how they're supposed to compile code. Take the advice of the program management team with their…

it_user854052
Head of Technology at a tech services company with 11-50 employees
Real User
Apr 11, 2018
Allows us to prove our security levels to vendors, helps with our HIPAA security policies

What is our primary use case?

Certifying the application security of my SAS-based application code base.

Pros and Cons

  • "It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies."
  • "Mitigation review isn't always super easy."
  • "Straightforward to set up, but the configuration of the rules engine is difficult and complicated."

What other advice do I have?

Do your research, make sure you implement the tools you need. I am very likely to recommend Veracode to a colleague.

it_user854049
Chief Compliance Officer at a financial services firm with 51-200 employees
Real User
Apr 11, 2018
Ad-hoc scanning during the development cycle, reporting for audits, are key features

What is our primary use case?

We test each major release of our software using Veracode static and dynamic testing. We also do manual penetration testing annually.

Pros and Cons

  • "Ad-hoc scanning during the development cycle and reports for audits are valuable features."
  • "I would like to see these features: entering comments for internal tracking; entering a priority; reports that show the above."

What other advice do I have?

Have them guide you through your first scan - make sure to add hours to your initial contract for that. I am very likely to recommend Veracode to colleagues.

it_user854046
DevOps Release Engineer at a tech services company with 51-200 employees
Real User
Apr 11, 2018
Makes us aware of any potential code security vulnerabilities in our products

What is our primary use case?

Scanning for code security vulnerabilities within our company's products.

Pros and Cons

  • "Informs me of code security vulnerabilities. Bamboo build automation with Veracode API calls are used."
  • "The user interface could be more sleek. Some scanning requirements aren't flexible. Some features take some time for new users to understand (like what exactly "modules" are)."

What other advice do I have?

I am very likely to recommend Veracode to colleagues. Veracode is great.

it_user797976
Global Application Security at a pharma/biotech company with 10,001+ employees
Real User
Apr 9, 2018
Static and Dynamic Analysis have improved the speed of our inspection process

What is our primary use case?

We use it to assess or do security inspections of our software that we produce or assemble. We have a very large portfolio of software across our enterprise. The Veracode system is a platform that scales with the dynamics of our organization. We have people that are in many locations, in the US and abroad. The fact that the Veracode platform is essentially a cloud-based platform, that makes it scalable.

Pros and Cons

  • "The Static and Dynamic Analysis capabilities are very valuable to us. They've improved the speed of the inspection process."
  • "In some cases we use their APIs; they're not as rich as I would like."
  • "The on-platform reporting needs to be opened up much more. We'd like to be able to look at the inspection data from a trending perspective in a much more open manner. I need to be able to sort and filter much more flexibly than I can today."
  • "Another thing I need is continued support for the new languages today that are popular. Most of them are scripting languages more so than real, fourth-generation, commercial grade stuff; we're evolving. Most applications are using so much open-source that, quite frankly, it would be great to see Veracode, or anybody else, extend their platform to where they are able to help secure open-source platforms or repositories."

What other advice do I have?

I hold Veracode in high regard. It's a good organization to work with, and it's a very conscientious organization. I'm always a recommender of the solution set.

it_user846645
VP Development
Real User
Mar 29, 2018
The scans have helped us make our code more secure, but mitigation can take a long time

What is our primary use case?

To certify that we have valid code, and that the developers are working with valid structures and writing good code.

Pros and Cons

  • "The coding standards in our development group have improved. From scanning our code we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications."

What other advice do I have?

I am highly likely to recommend Veracode to colleagues. Make sure, once you scan and find issues with your code, that the developers know how to remediate those issues so they don't go through them again. It's going to take some time to get through your first set of scans and mitigations. To fix your code is not straightforward. But once you do that and implement it back through your whole development cycle, they identify the issues and it's very easy to fix them, once you know and have gone through it once.

it_user841116
Information Security Lead Analyst at a consumer goods company with 10,001+ employees
Real User
Mar 26, 2018
We have learned from the recommended remediation strategies, making future code better

What is our primary use case?

Security scanning.

Pros and Cons

  • "It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security."
  • "In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better."
  • "The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred megabyte size."

What other advice do I have?

I recommend it all the time. It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection. I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourage its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.

it_user842937
Systems Architect at a tech vendor with 201-500 employees
Real User
Mar 26, 2018
Enables us to automatically submit each new build for scanning and get results directly into our JIRA

What is our primary use case?

Security scanning of the applications, of software that my company built.

Pros and Cons

  • "With the tools that Veracode provides, our developers are actually able to comprehend what the vulnerability was and then resolve it. So a lot of knowledge has been grown as a result, around security, with our developers."
  • "The most important feature is the static scanning analysis, and the reason is that it can tell us vulnerability in that code, right before we go ahead and push something to production or provide something to a client... Dynamic scanning actually hits our Web applications, to try to detect any well known Web application vulnerabilities as well."
  • "Veracode has a nice API that they provide to allow for custom things to be built, or automation. We actually have integrated Veracode into our software development cycle using their API. We actually are able to automatically, every time a new build of a software is completed, submit that application, kick off a scan, and we get results in a much more automated fashion."
  • "When those scans kick off, Veracode integrates back into our JIRA and actually opens tickets with the appropriate development teams. We can use that as a measurement of vulnerabilities opened, closed; we can tie them to releases. So, we get a whole lot more statistical information about security in our software products."
  • "The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually, but I believe that it's something they have on their roadmap."

What other advice do I have?

I would advise that you figure out a way to integrate it into your software development lifecycle in a way that it's not intrusive to your developers. That was really something that I set out to do. I didn't want my developers to have to go into their code, and kick off scans, and upload their code. So, I would really suggest looking at your integrations, your JIRA, your Jenkins, all of your add-ons, and hopefully that fits into the SDLC process, and then automating via their API. Essentially, what we were able to achieve is, my developers still live within JIRA and the issues get opened from…
          Dave Cheli
          Chief Technology Officer
          Real User
          Mar 15, 2018
          Integrates easily into our workflow, Jenkins submits the code and the analysis runs automatically

          What is our primary use case?

          The primary use is as a static analysis tool. But we also use Greenlight and dynamic, and we're currently having a manual penetration test.

          Pros and Cons

          • "It eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code bundle over to Veracode, which automatically kicks off the static analysis. It sends an email when it's done, and we look at the report."
          • "When we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are."
          • "They also have what's called a Software Composition Analysis that can point out errors and fixes for third-party software frameworks, which is very nice."
          • "The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I find this report?" Or "How do I do this?" They always respond with, "Here's how you do it." But that points to a somewhat non-intuitive portal."

          What other advice do I have?

          CA Veracode provides application security (AppSec) best practices and guidance to our teams in a couple ways. First of all, they have an e-learning module that has courses that we have required our developers to take. That's a best practice. Secondly, when we do have errors, Veracode is always available, their consultants, to help us either mitigate the error, or provide technical assistance on pointing exactly where the problem is and how we could probably fix it. I'm always amazed at how knowledgeable they are. They also have what's called a Software Composition Analysis that can point out…
          it_user837504
          Information Technology at an insurance company with 51-200 employees
          Real User
          Mar 14, 2018
          Gives us insight into code without having to upload it, saving a lot of NDA paperwork

          What is our primary use case?

          We test two mission-critical web applications (C# Web forms).

          Pros and Cons

          • "Veracode static analysis allows us to pinpoint issues - from a simple hard-coded test password, to more serious issues - and saves us a lot of time. For example, it raises a flag about a problematic third-party DLL before development invests time heavily using it."
          • "It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer to seamlessly upload the code and get results as he works, with no manual upload. The code review function is great. It allows you to find flaws in source code."
          • "It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help."

          What other advice do I have?

          In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not taken steps to have Jenkins or another CI tool that would allow us to get the full power from the Veracode environment. We look forward to doing it, starting with the next app that gets developed from scratch. CA Veracode provided AppSec best practices and guidance to our security and development team during the kickoff phase. They offered assistance on specific code issues that were hard to fix, and guidance on preparing a…
          it_user836430
          Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
          Real User
          Mar 13, 2018
          Scanning helps ensure our code is flaw-free, and remediation tools help developers track and manage flaws

          What is our primary use case?

          Application security management.

          Pros and Cons

          • "The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws."
          • "Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year."

          What other advice do I have?

          In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not have really before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half. The advice I'd give is look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good…
          it_user835104
          Project Manager at a tech vendor with 501-1,000 employees
          Real User
          Mar 11, 2018
          We use scan results for training to increase sensitivity to security issues during development

          What is our primary use case?

          Static code scan.

          Pros and Cons

            • "Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines."
            • "Because our application is large, it takes a long time to upload and scan."

            What other advice do I have?

            When asked, we let our customers and partners know that we use Veracode and that we are happy with it.
            Assistan84a9
            Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
            Real User
            Mar 11, 2018
            Allows us to streamline identification of vulnerabilities and quickly address them

            What is our primary use case?

            Static code analysis for internally developed critical systems.

            Pros and Cons

            • "When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this, based on how the code was treated previously, but the Veracode platform allowed us to streamline our identification of these items and develop a game plan to quickly address them."
            • "Code analysis tool to help identify code issues before they are entered into production."
            • "Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to production."
            • "Developer Sandboxes help move scanning earlier within the SDLC."
            • "The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes."
            • "The Greenlight product that integrates into the IDE is not available for PHP, which is our primary language."

            What other advice do I have?

            I would definitely recommend CA Veracode. Just make sure you define a process for your developers prior to implementing the technology.
            it_user833553
            CISSP, CISM at a tech services company with 1,001-5,000 employees
            Real User
            Mar 8, 2018
            SAST, DAST, and Greenlight point out potentially insecure coding and how to fix it

            What is our primary use case?

            We use it for a lot of things and they're all primary: SAST, DAST, and Greenlight.

            Pros and Cons

            • "For our rapid, secure DevOps cycle, we have integration of the Veracode API into our build tool, and Greenlight into our IDE."
            • "It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build tool, Jenkins or Bamboo."
            • "It would help to have more training for developers to help them set it up."

            What other advice do I have?

            I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the top of the industry ratings, and Veracode is the best, in my opinion. We are a good customer and we have been for a long time. I actually am a bit of an evangelist for them when I'm doing public speaking.
            it_user833550
            VP of Services at a tech vendor with 51-200 employees
            Real User
            Mar 8, 2018
            We're much more security conscious when writing code, to meet the benchmarks it gives us

            What is our primary use case?

            Dynamic and static scanning.

            Pros and Cons

            • "We use it to get our scan results and see where our software is vulnerable or not vulnerable."
            • "The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but it sometimes causes more work on our end."

            What other advice do I have?

            I would be highly likely to recommend working with CA Veracode to colleagues. I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it needs to do. Just be prepared that it's going to take effort from all aspects of the business to be able to utilize and achieve the goal that you're looking to achieve with the product.
            Siddharth Kundalkar
            Director Software Engineering at a tech services company with 51-200 employees
            Real User
            Mar 7, 2018
            We do release with both static and dynamic scans, and mitigate the flaws identified

            What is our primary use case?

            To have a third-party analyze our code and make recommendations from a security perspective.

            Pros and Cons

            • "All the features provided by Veracode are valuable, including static scan, dynamic scan, and MPT (Manual Penetration Testing)."
            • "We use Ruby on Rails and we still don't have any support for that from Veracode."
            • "The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and the scans can't take care of it as a single entity."

            What other advice do I have?

            We have made process changes and improvements, although Veracode is not tightly integrated into our CI/CD platform yet. I am very likely to recommend to colleagues that they work with CA Veracode.
            it_user831864
            Application & Product Security Manager at an insurance company with 1,001-5,000 employees
            Real User
            Mar 6, 2018
            Allows us to integrate with it through automated processes, but needs better APIs

            What is our primary use case?

            Static analysis.

            Pros and Cons

            • "Also, our customers benefited from the added security assurance of our applications, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester."
            • "Static analysis scanning engine is a key feature."
            • "It needs better APIs, reporting that I can easily query through the APIs and, preferably, a license model that I can predict."

            What other advice do I have?

            Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that. The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides. In terms of advice to others looking into implementing this project, I would say don’t use the UI, and do what you can to have license conversations up front. It depends on the use case and budget, but I would recommend CA Veracode to colleagues.
            it_user797976
            Global Application Security at a pharma/biotech company with 10,001+ employees
            Video Review
            Real User
            Jan 22, 2018
            It has the ability to scale and not produce a lot of false positives

            Pros and Cons

            • "It has the ability to scale, and the fact that it doesn't produce a lot of false positives."
            • "It does nearly everything, but penetration testing."

            What other advice do I have?

            I never give 10s. I would give it a nine. It does nearly everything, but penetration testing. It covers such a broad breadth of our portfolio. In our business, we have applications written in so many different languages. Finding something that can consistently scan and not generate false positives across the paradigm or the whole ecosystem of languages, that is impressive. It is speed of inspection, the accurateness of the inspection outcomes, and frankly, it has fairly good business analytics embedded on the platforms. So, it does a lot more for us than not.
            it_user778905
            Technical Director at a financial services firm with 1,001-5,000 employees
            Real User
            Jan 3, 2018
            Enables us to quickly discover, understand, triage, and remediate our software's vulnerabilities

            What is our primary use case?

            Software security, static code scanning. It has performed very well.

            Pros and Cons

            • "The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from happening in the future."
            • "We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we don't assume anything about what those people might already know, or need to know. It just makes it very useful for anyone who has to engage with it."
            • "Tech support is outstanding. Best in class. Absolutely. They bend over backwards to help us. We'll come up with questions and within minutes, we'll get answers. It's amazing. It's truly amazing."
            • "I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline."

            What other advice do I have?

            The most important criteria when selecting a vendor are:

            • Reliability
            • Customer service

            Take advantage of all of the help that Veracode provides, for implementation, operations, and maintenance, because they absolutely know what they're doing.
            it_user779082
            Senior Information Security Program Manager at a financial services firm with 10,001+ employees
            Vendor
            Nov 30, 2017
            Gives us every vulnerability that has been identified, so there is no human intervention

            What is our primary use case?

            The primary use case is application security and application security testing, specifically static and dynamic analysis, and software composition analysis. It has performed excellently.

            Pros and Cons

            • "The ability on static scans to be able to do sandbox scans which do not generate metrics."
            • "I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams."
            it_user712167
            General Manager - Application Security at a tech consulting company with 51-200 employees
            Consultant
            Oct 18, 2017
            Needs to improve service levels and capabilities versus competitors. Provides a wide range of platforms and technology assessments.

            How has it helped my organization?

            PoC is in progress.

            What is most valuable?

            • Application testing
            • False positives challenges
            • Wide range of platforms and technology assessments

            What needs improvement?

            It needs to reach the level of Checkmarx's and Fortify Software's capabilities and service levels, or it may further lose market share.

            What do I think about the stability of the solution?

            No.

            What do I think about the scalability of the solution?

            No.

            How are customer service and technical support?

            Customer Service: A three out of 10.
            Technical Support: A two out of 10.

            Which solution did I use previously and why did I switch?

            Quality levels, service offerings, pricing, and mainly the features and abundance of technologies provided by others made us switch…
            it_user697020
            Software Developer/Architect at an insurance company with 201-500 employees
            Vendor
            Jul 6, 2017
            Static, dynamic, and manual scan features were useful for us.

            What other advice do I have?

            If it's the first time you are using a security application, be ready for some new tools which will require you to revitalize the flaws reported. Reports are very well documented. Once you understand what it means and you get used to it, you will see that it is detailed and clearly explained.
            it_user542859
            Security Consultant at a tech company with 501-1,000 employees
            Vendor
            Feb 23, 2017
            Allows developers to run their own scans. I would like to see the false positives corrected.

            What is most valuable?

            Allows developers to run their own scans.

            How has it helped my organization?

            Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.

            What needs improvement?

            I would like to see the following:

            • Correction of the regularly received false positives
            • Options to manage comments and mitigations
            • Better UI functionality

            For how long have I used the solution?

            We have used this solution for a year.

            What do I think about the stability of the solution?

            A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.

            What do I think about the scalability of the solution?

            There have not been any scalability…
            Gustavo_Gonzalez
            Technical Program Manager at an engineering company with 10,001+ employees
            Real User
            Feb 9, 2017
            The coverage it provides of the last vulnerabilities reported and of the programming languages is valuable.

            Pros and Cons

            • "The coverage of the last vulnerabilities reported."
            • "To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources."

            What other advice do I have?

            I recommend exhausting all resources and gaining knowledge from different security tools, before making a decision. Veracode is not cheap, but it is a tool capable of giving dynamic, static and even manual scan results in one platform. Veracode is one of very few options out there, and the very best.
            it_user335091
            Senior Security Consultant at a retailer with 1,001-5,000 employees
            Vendor
            Nov 2, 2015
            We were able to easily integrate static code testing into the SDLC process, moving from the waterfall to the agile methodology while still able to integrate Veracode testing within both.

            Valuable Features

            Static code analysis is a valuable feature.

            Improvements to My Organization

            We were able to easily integrate static code testing into the SDLC process. We moved from the waterfall to the agile methodology, and were still able to integrate Veracode testing within both methodologies.

            Room for Improvement

            It's been over a year since I used the product. But when I did, I found there were too many false positives.

            Use of Solution

            I used it for one year.

            Deployment Issues

            No issues encountered.

            Stability Issues

            No issues encountered.

            Scalability Issues

            No issues encountered.

            Customer Service and Technical Support

            Customer Service: 8/10
            Technical Support: 8/10