Veracode Archived Reviews (More than two years old)

JorgeIzquierdo
User
Product Manager at GMS
Jun 13 2018

What do you think of Veracode?

What is our primary use case?

We are Veracode partners/distributors in Quito, Ecuador.  At this moment, I am reviewing the solution. 

How has it helped my organization?

It helps me to detect vulnerabilities.

What is most valuable?

I use the SAST feature the most.

What needs improvement?

All areas of the solution could use some improvement.

For how long have I used the solution?

Trial/evaluations only.
Real User
Lead Security Engineer at a tech vendor with 201-500 employees
May 24 2018

What is most valuable?

Scanning of .war and .jar.

How has it helped my organization?

It helps in achieving secure programming. Veracode provides us with industry best practices according to OWASP, CERT, and SANS. Our customers get the security of bug-free… more»

What needs improvement?

Raw file scans and dynamic scans would be an improvement, instead of dealing with code binaries.

What's my experience with pricing, setup cost, and licensing?

The pricing is good for static code analysis.

Which solution did I use previously and why did I switch?

We used SonarQube but to improve security in SAST we chose this.

What other advice do I have?

Implement this solution if you see WAF and SOC in your future.

Which other solutions did I evaluate?

Checkmarx, SonarQube.
Updated: April 2020.
Real User
VP Worldwide Delivery Acceleration at a financial services firm
May 23 2018

What is most valuable?

Because it is a SaaS offering, I do not have to support the infrastructure.

How has it helped my organization?

It improved our security posture. In terms of cost savings relating to code fixes since implementing Veracode, I'm not sure there are any. How do you quantify reputational damage from a security… more»

What needs improvement?

Some important languages are not supported.

What's my experience with pricing, setup cost, and licensing?

Negotiate for the best deal.

What other advice do I have?

Make sure the supported languages align with your developers.

Which other solutions did I evaluate?

Fortify, App Scanner, Checkmarx.
Elina Petrovna
Real User
Professor at BitBrainery University
May 22 2018

What is most valuable?

* Dynamic analysis of on-premises applications using the Veracode proxy module.
* Static analysis of applications, on which I share property with third-parties.

How has it helped my organization?

I can have quick results by just uploading compiled components. It gives me an idea about the most important vulnerabilities and fast remediation tips.

What needs improvement?

* Management of false positives
* Agile best practices: Violation detection.
* Support for more programming languages, like SQL.
* Support for more frameworks for Java… more»

What's my experience with pricing, setup cost, and licensing?

Costs are reasonable. No special infrastructure is required and the license model is good.

Which solution did I use previously and why did I switch?

I used SonarQube. It lacks real enterprise-wide security detection. I continue to use Fortify and AppScan, while I am using Veracode.

What other advice do I have?

I wish Veracode support had more SDLC integration tools.

Which other solutions did I evaluate?

I evaluated Kiuwan, Coverity, and Klocwork.
Real User
CISO at Laboratory Corporation of America Holdings
May 17 2018

What is most valuable?

Veracode helps me in several implementations over a couple of industry sectors in a number of ways. My coding, especially the code we develop, has a number of faults per line and that costs me money and time to fix those, into the… more»

How has it helped my organization?

Interestingly enough, Veracode has evolved over time. Their chief designer has been a leader in security for many years and his insights into applications, and what we now consider DevOps, has been very helpful for the industry. The… more»

What needs improvement?

As we move to more of a mobile space, much of the code was developed on desktops, mobile laptops, and things. Mobile apps run differently and they have a different runtime. Chris Wysopal and I have talked several times over the past few… more»

Which solution did I use previously and why did I switch?

Any previous solutions would have been more than 10 years ago, and I don't remember why we switched. It's like the car you drive or the shoes you like to wear: Once they work - and it has worked in multiple sectors - there is no reason to… more»

What other advice do I have?

On the rating scale is there anything above 10? If there are no ones and tens, it would be the closest to 10. They have always been supportive. We have had to change, do course corrections during implementations, or particular types of… more»
Real User
VP at a non-tech company with 11-50 employees
May 17 2018

What is most valuable?

For us, it's the partnership. We have always been very strong partners with Veracode. They provide excellent training to our sales team, so we are able to work with our customers to show them the value of secure code training.

How has it helped my organization?

It has helped us be more secure, and it has helped us put a package together for our customers that will take into consideration training, all the way down to the coding level.

What needs improvement?

More integration into the specific application; an open API would be good. Aside from that, I think they do a really good job in terms of the features they have.

What other advice do I have?

For us, whenever we are selecting a partner, vendors to work with who are going to be working with our customers, we have to make sure that they align regarding customer support philosophy, and that is the reason we selected to work with… more»

Which other solutions did I evaluate?

When it comes to secure coding, Veracode is the only one we really considered.
Real User
Cyber Security Engineer at a consumer goods company with 1,001-5,000 employees
May 17 2018

What is most valuable?

For me, at the program manager level, I'm not a developer. What I do is run applications through a security program. What's important for me, from Veracode, is the all-in-one metrics location. I can see where everything is across the entire… more»

How has it helped my organization?

It has given us visibility into the applications we have that are participating in the application security program.

What needs improvement?

Speed. When we scan binary, when we perform binary analysis, it could go faster. That has a lot to do with the essence of scanning binary code, it takes a little bit longer. Certain aspects, depending on what type of code it is, take a… more»

Which solution did I use previously and why did I switch?

I have done a lot of product comparisons in my time, in information security. A lot of them are modules of a product, there is no single pane of glass. When I talk about metrics, I want to see everything in a single pane of glass, I want to… more»

What other advice do I have?

I give Veracode a solid nine out of 10 because it is a full-featured product. It is not just something that they are selling to you and then leaving you to figure out how to use it. They actually help you every single step of the way and… more»
Suzan Nascimento
Real User
SVP Application Security at a financial services firm with 10,001+ employees
May 17 2018

What is most valuable?

The most valuable feature is the remediation consulting that they give. I feel like any vendor can identify the flaws but fixing the flaws is what is most important. Being able to have those… more»

How has it helped my organization?

It has allowed us to scale and find vulnerabilities much faster than previous manual tools. It has allowed us to educate developers on it to use the consultation calls.

What needs improvement?

I would like to see more technical support for some of the connectors, some more detailed diagrams or run-books on how to install some of the stuff; more hand-holding in the sense of understanding our… more»

Which solution did I use previously and why did I switch?

At a previous company, we were using HPE Fortify. We couldn't scale because it was an on-prem solution. Therefore, after five years, we decided to break out of the mold and use a SaaS solution. We… more»

What other advice do I have?

I would give Veracode a nine out of 10 because it scales incredibly well, they have very qualified people working there who are able to clearly articulate what the problems are when they are talking… more»

Which other solutions did I evaluate?

HPE Fortify, Checkmarx, IBM AppScan. It really was between HPE Fortify, most of the time, and Veracode. I typically like Veracode because it is a SaaS solution. You have other providers now that do… more»
Real User
Information Security Engineer Team Lead at a hospitality company with 1,001-5,000 employees
May 02 2018

What is most valuable?

The reporting and mitigation features which allow our people to work on their own.

How has it helped my organization?

It has given us insight into the actual flaws that are out there, and the speed at which they're getting mitigated. Now, we're starting to see quantitative metrics to show the overall risk with code… more»

What needs improvement?

The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I… more»

What's my experience with pricing, setup cost, and licensing?

I think the pricing is in line with the rest of the tools. I think you get what you pay for. It is certainly not inexpensive, but the value proposition is there. There are certainly cheaper tools, but… more»

Which solution did I use previously and why did I switch?

We used HP WebInspect, which is now under the Fortify umbrella. HP WebInspect was just terrible. Had we used the on-demand cloud piece - which is why I perhaps have to pull my comment back - maybe we… more»

What other advice do I have?

My advice is what I mentioned in the pricing/licensing section above, you really need to understand what it is you are looking to do. Also, take into account a data sensitivity for the applications… more»
Consultant
Software Security Consultant at DXC Technology
Apr 17 2018

What do you think of Veracode?

What is our primary use case?

Provides static code analysis of the customers' applications from all industries. It includes any type of code and scripts, but mostly Java, .Net, C++, and C# environments.

How has it helped my organization?

The solution is a specialist in SAST that you can rely on. Code scanning is fast with current, updated algorithms.

What is most valuable?

Provides consistent evaluation and results without huge fluctuations in false positives or negatives. 

What needs improvement?

It should include more informational, low level, vulnerability summaries and groupings. Large related groups of low level vulnerabilities may amount to a design flaw or another avenue for attack.

For how long have I used the solution?

More than five years.
Real User
Director Security and Risk OMNI Cloud Operations at a tech vendor with 1,001-5,000 employees
Apr 12 2018

What is most valuable?

* The static scanning of the software is very important to us.
* The ability to set policy profiles that are specific to us.
* The software composition analysis, to give… more»

How has it helped my organization?

We do automated scanning, so we use it as part of our development cycle. We do both automated security scanning as well as our own automated testing. We run the two in… more»

What needs improvement?

It's really hard to criticize something that has become somewhat seamless for us. If they wanted to expand their capabilities into other areas of security, that would be… more»

What's my experience with pricing, setup cost, and licensing?

We're very comfortable with their model. We think they're a good value. We worked very closely with Veracode on understanding their license model, understanding what… more»

Which solution did I use previously and why did I switch?

Prior to working with Veracode, we used a self-applied application. That is, we had the solution on-premise, but just could never quite get the routine approach that we've… more»

What other advice do I have?

We recommend Veracode to colleagues all the time. I'd give the advice of not getting hung up on trying to compare the static scanning to the dynamic scanning, that's… more»

Which other solutions did I evaluate?

I'd rather not give out competitor names. But the method we were using in the past was what is called dynamic scanning, or DAST. That required we have an environment that… more»
Real User
Head of Technology at a tech services company with 11-50 employees
Apr 11 2018

What is most valuable?

Static and dynamic scans of the code. It is part of our release cycle.

How has it helped my organization?

It allows us to prove our security levels to vendors, and additionally helps us with our HIPAA security policies. Also, CA Veracode has provided AppSec best practices and guidance to our teams. Finally, it makes the IT Governance process of… more»

What needs improvement?

Mitigation review isn't always super easy.

What's my experience with pricing, setup cost, and licensing?

Pricing/licensing is complicated.

What other advice do I have?

Do your research, make sure you implement the tools you need. I am very likely to recommend Veracode to a colleague.
Real User
Chief Compliance Officer at a financial services firm with 51-200 employees
Apr 11 2018

What is most valuable?

* Ad-hoc scanning during the development cycle
* Reports for audits

In terms of integrating Veracode into our existing software development lifecycle, there are regular… more»

How has it helped my organization?

Ensures our code and system are 100% compliant. In terms of APPSec best practices and guidance to our team, the Knowledgebase available on the Veracode system is a great… more»

What needs improvement?

* Entering comments for internal tracking
* Entering a priority
* Reports that show the above

What's my experience with pricing, setup cost, and licensing?

Negotiate some, but their prices are reasonable.

Which solution did I use previously and why did I switch?

We did use a previous solution. It didn't satisfy our needs technically, and the customer service and its cost were not satisfactory.

What other advice do I have?

Have them guide you through your first scan - make sure to add hours to your initial contract for that. I am very likely to recommend Veracode to colleagues.

Which other solutions did I evaluate?

HPE Fortify.
Real User
DevOps Release Engineer at a tech services company with 51-200 employees
Apr 11 2018

What is most valuable?

Informing me of application security vulnerabilities. Bamboo build-automation with Veracode API calls are used.

How has it helped my organization?

Made our company aware of any potential code security vulnerabilities. Also, customers can use our products knowing they are verified by top organizations as safe.

What needs improvement?

* The user interface could be more sleek.
* Some scanning requirements aren't flexible.
* Some features take some time for new users to understand (like what exactly "modules" are).

What's my experience with pricing, setup cost, and licensing?

We are satisfied.

What other advice do I have?

I am very likely to recommend Veracode to colleagues. Veracode is great.

Which other solutions did I evaluate?

None. We might look into Checkmarx.
Real User
Global Application Security at a pharma/biotech company with 10,001+ employees
Apr 09 2018

What is most valuable?

The Static and Dynamic Analysis capabilities are very valuable to us.

How has it helped my organization?

We are able to create business policies, and the Veracode system allows us to enforce those policies. That's at the very high level. We're looking at improving the overall security quality of our software. We use it as a platform to help enable that process. Veracode, in and of itself, is doing… more»

What needs improvement?

They've improved the speed of the inspection process. I'd never want the inspection process to become something that's suspect. False positives would diminish confidence in the results; if we don't continue to focus on reducing false positives... that is number one. The on-platform reporting needs… more»

What other advice do I have?

I hold Veracode in high regard. It's a good organization to work with, and it's a very conscientious organization. I'm always a recommender of the solution set.
Real User
VP Development
Mar 29 2018

What is most valuable?

We just use the static scan, it's all we got into as of now. We're happy with that, it seems to work very well for us.

How has it helped my organization?

The coding standards in our development group have improved. When we scan our code - at the end of a build cycle we'll go through and scan our code - from those scans… more»

What needs improvement?

Going through the mitigation is probably the hardest thing to do and that's still an ongoing process. If there is a code issue to mitigate, it sometimes takes a little bit… more»

What's my experience with pricing, setup cost, and licensing?

We get good value out of what we have right now.

Which solution did I use previously and why did I switch?

We used the built-in solution inside of Microsoft Visual Studio, and we switched because Veracode had more cohesive scanning abilities and found a lot more issues with our… more»

What other advice do I have?

I am highly likely to recommend Veracode to colleagues. Make sure, once you scan and find issues with your code, that the developers know how to remediate those issues so… more»

Which other solutions did I evaluate?

We had a couple of products that we looked at, but went with Veracode.
Real User
Information Security Lead Analyst at a consumer goods company with 10,001+ employees
Mar 26 2018

What is most valuable?

Catching coding flaws before they go live. Regarding integrating Veracode into our software development lifecycle, we started out with it being used only as a web interface, and now developers are… more»

How has it helped my organization?

It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security. In terms of application security best… more»

What needs improvement?

It's a pretty dynamic product. It's changing all the time and improving.

What's my experience with pricing, setup cost, and licensing?

I'm not the pricing guy. Licensing is pretty flexible. It's a little bit weird, it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about… more»

Which solution did I use previously and why did I switch?

Veracode is the first professional solution I've used. It was in place when I got to the company.

What other advice do I have?

I recommend it all the time. It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection. I'd give it an eight out of 10 because it's pretty… more»
Real User
Systems Architect at a tech vendor with 201-500 employees
Mar 26 2018

What is most valuable?

The most important one is the static scanning analysis, and the reason is that it can tell us vulnerability in that code, right before we go ahead and push something to… more»

How has it helped my organization?

We have a large developer base at our company ranging in a variety of skills sets. Some are very security aware, others really don't have the knowledge. What Veracode… more»

What needs improvement?

From a technical standpoint, I'm pretty happy with everything. The one thing I'd like to be able to do is schedule dynamic scans. Today we're kicking those off manually… more»

What's my experience with pricing, setup cost, and licensing?

If you're licensing, and you're looking at licensing models, you might want to ask Veracode about their microservice, depending on the company. If you are a microservice… more»

Which solution did I use previously and why did I switch?

We had never done anything like this in the past. This was the solution that we chose. We didn't really evaluate anything else. I know that my boss has been a fan of some… more»

What other advice do I have?

I would advise that you figure out a way to integrate it into your software development lifecycle in a way that it's not intrusive to your developers. That was really… more»

Which other solutions did I evaluate?

There were some, but we didn't get serious about them because they didn't have everything that we wanted.
Dave Cheli
Real User
Chief Technology Officer
Mar 15 2018

What is most valuable?

Certainly it eases integration into our workflow. Veracode is part of our Jenkins build, so whenever we build our software, Jenkins will automatically submit the code… more»

How has it helped my organization?

Firstly, it prevents me from putting out software that has security vulnerabilities, which is a big thing and can be one of the most important things. Also, we just… more»

What needs improvement?

The Web portal, at times, is not necessarily intuitive. I can get around when I want to but there are times when I have to email my account manager on: "Hey, where do I… more»

What's my experience with pricing, setup cost, and licensing?

I think it's a great value. It's at a price point that a small company like mine can afford to use versus, if it was too exorbitant, I wouldn't be able to use this… more»

Which solution did I use previously and why did I switch?

Veracode was really my first introduction to static code analysis. The way I came across it in my previous company was, they were going through security due diligence and… more»

What other advice do I have?

CA Veracode provides application security (AppSec) best practices and guidance to our teams in a couple ways. First of all, they have an e-learning module that has courses… more»

Which other solutions did I evaluate?

When I was at the last company, I looked at HPE (now Micro Focus) Fortify vs Veracode and maybe IBM had a product, but they were overly complex and overly expensive. I… more»
Real User
Information Technology at an insurance company with 51-200 employees
Mar 14 2018

What is most valuable?

It is great to have such insight into code without having to upload the source code at all. It saves a lot of NDA paperwork. The Visual Studio plugin allows the developer… more»

How has it helped my organization?

We used to revise code with free tools (like VCG) but they are not even in the same universe. Veracode static analysis allows us to pinpoint issues - from a simple… more»

What needs improvement?

It can take time to find options if you don’t use the interface a lot. At some point, a bit of interface restyling may help (but not now, now that I've learned it).

What's my experience with pricing, setup cost, and licensing?

The licensing and prices were upfront and clear. They stand behind everything that is said during the commercial phase and during the onboarding phase. Even the most… more»

Which solution did I use previously and why did I switch?

VCG (Visual Code Grepper) but I am not even going to compare them. VCG is as good as they come, but Veracode is a different breed. An application went through VCG and we… more»

What other advice do I have?

In terms of integrating Veracode into our existing software development lifecycle, as our two existing applications are quite mature, and not changed often, we have not… more»

Which other solutions did I evaluate?

Competitors were evaluated but seemed, at once, too bloated or not relevant to all our specific requests. We were not interested in buying a product (such as a standalone… more»
Real User
Senior Infrastructure Engineer at a healthcare company with 5,001-10,000 employees
Mar 13 2018

What is most valuable?

The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure… more»

How has it helped my organization?

We've been able to provide reports to our clients that show applications are either flaw-free, or in the process of being remediated, and give them timely status updates… more»

What needs improvement?

Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of… more»

What's my experience with pricing, setup cost, and licensing?

Just do your research. Make sure you're getting the best price on this. It can be expensive to do this, so I would just make sure that you're getting the proper number of… more»

Which solution did I use previously and why did I switch?

We were not using a previous vendor prior to this. We've used other vendors like Nessus for pen testing. We still use those. Veracode was just more of an addition.

What other advice do I have?

In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their… more»

Which other solutions did I evaluate?

I was not part of the evaluation team on this, unfortunately. But I believe the other options were evaluated as well, but I don't have access to that information.
Real User
Project Manager at a tech vendor with 501-1,000 employees
Mar 11 2018

What is most valuable?

We use the results of the scan to identify vulnerabilities in the product.

How has it helped my organization?

We have used the results of scans to train our people and make them more sensitive to security issues during development, although we haven't done any specific integration of Veracode into our software development cycle. Engineers are… more»

What needs improvement?

Calypso (our application) is large and the results take up to two months. Further, we also have to package Calypso in a special manner to meet size guidelines.

Which solution did I use previously and why did I switch?

We did not have a previous solution. We picked this product because our partner (SAP) uses it.

What other advice do I have?

When asked, we let our customers and partners know that we use Veracode and that we are happy with it.
Real User
Assistant Vice President of Programming and Development at a financial services firm with 501-1,000 employees
Mar 11 2018

What is most valuable?

* Code analysis tool to help identify code issues before entered into production.
* Vulnerability Management and mitigation recommendations help with resolution of issues found, prior to deployment to… more»

How has it helped my organization?

When we expanded our definition of critical systems to include an internal application to be scanned by Veracode, we had initial scans that produced hundreds of vulnerabilities. We expected this… more»

What needs improvement?

The only notable problem we have had is that when new versions of Swift have come out, we have found Veracode tends to be a bit behind in updates to support the new language changes. Also the… more»

What's my experience with pricing, setup cost, and licensing?

Pricing seems fair for what is offered, and licensing has been no problem. All developers are able to get the access they need.

What other advice do I have?

I would definitely recommend CA Veracode. Just make sure you define a process for your developers prior to implementing the technology.

Which other solutions did I evaluate?

Yes, but too long ago to remember which ones.
Real User
CISSP, CISM at a tech services company with 1,001-5,000 employees
Mar 08 2018

What is most valuable?

SAST, DAST, and Greenlight are the most important features because today it's important for our regulatory compliance law to keep our product coding relatively secure. For… more»

How has it helped my organization?

By using this product, we can point out not only any potentially insecure coding, but how to fix it. It's a requirement, a legal requirement. So we benefit by not breaking… more»

What needs improvement?

I think they are doing pretty well. It would help if there were a training module that would explain how to more effectively integrate the SAST product into the build… more»

What's my experience with pricing, setup cost, and licensing?

Pricing is worth the value.

Which solution did I use previously and why did I switch?

Never. I've been using it for 20 years. I tried others, like HPE's and IBM's, when I was with Visa, but this is the best.

What other advice do I have?

I recommend CA Veracode all the time. I am a public speaker, frequently on the speaker circuit, and I recommend it all the time. There are really three solutions at the… more»

Which other solutions did I evaluate?

They didn't have products before this one. This one pre-dated them.
Real User
VP of Services at a tech vendor with 51-200 employees
Mar 08 2018

What is most valuable?

The ability to run scans. It's a critical piece of why we use the platform. We use it to get our scan results and see where our software is vulnerable or not vulnerable. It's part of our SDLC now.

How has it helped my organization?

We're being much more security conscious whenever we're writing code, and we're trying to make sure it's giving us a benchmark, and to make sure we meet that, on a release cycle. In terms of AppSec… more»

What needs improvement?

The user interface can sometimes be a little challenging to work with, and they seem to be changing their algorithm on what is an issue. I understand why they do it, but sometimes it causes more work… more»

What's my experience with pricing, setup cost, and licensing?

It's worth the value.

What other advice do I have?

I would be highly likely to recommend working with CA Veracode to colleagues. I rate it an eight out of 10. It's a good product - I can't say that it's lighting my world on fire - but it does what it… more»

Which other solutions did I evaluate?

We did evaluate other options, but I can't remember who we looked at.
Siddharth Kundalkar
Real User
Director Software Engineering at a tech services company with 51-200 employees
Mar 07 2018

What is most valuable?

All the features provided by Veracode are valuable.

How has it helped my organization?

We do not pass our release without performing a static and a dynamic scan, and mitigating the flaws identified. In terms of how our customers have benefited from the added application security of our… more»

What needs improvement?

We use Ruby on Rails and we still don't have any support for that from Veracode. The static scans on Java lack microservices architecture scanning. We have developed an in-house pattern for this and… more»

What's my experience with pricing, setup cost, and licensing?

I think licensing needs to be changed or updated so that it works with adjustments. Pricing is expensive compared to the amount of scanning we perform.

What other advice do I have?

We have made process changes and improvements, although Veracode is not tightly integrated into our CI/CD platform yet. I am very likely to recommend to colleagues that they work with CA Veracode.

Which other solutions did I evaluate?

WhiteHat.
Real User
Application & Product Security Manager at an insurance company with 1,001-5,000 employees
Mar 06 2018

What is most valuable?

Static analysis scanning engine, because we need to do static analysis; that’s why we bought the product.

How has it helped my organization?

It has allowed us to integrate with it through automated processes, which saves us a lot of time and effort. Also, our customers benefited from the added application…

What needs improvement?

* Better APIs
* Reporting that I can easily query through the APIs
* Preferably, a license model that I can predict

It would save us time when integrating with the APIs…

What's my experience with pricing, setup cost, and licensing?

The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune.

Which solution did I use previously and why did I switch?

IBM Security App Scan. In looking at Veracode vs IBM Security App Scan, I switched because of the CI/CD offerings of Veracode.

What other advice do I have?

Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort…

Which other solutions did I evaluate?

IBM, Coverity.
Real User
Global Application Security at a pharma/biotech company with 10,001+ employees
Jan 22 2018

What is most valuable?

It has the ability to scale, and the fact that it doesn't produce a lot of false positives.

How has it helped my organization?

Scalability and its optimization of security inspections. At the end of the day, I like the fact that it is all prim. It does not require a lot of support on our side. We get the benefit of security inspections and it scales with our…

What needs improvement?

Number one, I need analytics, analytics, and more analytics. It is all about risk based management and better decision support, that is why.

Which solution did I use previously and why did I switch?

We had no previous solution. We didn't know we needed to invest in Veracode. It worked out that way through our evaluation process that it was the right solution for us.

What other advice do I have?

I never give 10s. I would give it a nine. It does nearly everything, but penetration testing. It covers such a broad breadth of our portfolio. In our business, we have applications written in so many different languages. Finding something…
Real User
Technical Director at a financial services firm with 1,001-5,000 employees
Jan 03 2018

What is most valuable?

* Completeness, comprehensiveness
* Speed
* Ease of use

We have such a wide variety of users for Veracode, including security champions, development leads, developers themselves, that the ease of use is really quite important, because we…

How has it helped my organization?

The benefits are quick discovery and understanding of software vulnerabilities that we are putting in our own code. By discovering them quickly enough, we can triage them and determine the best ways to remediate them and prevent them from…

What needs improvement?

I'd like to see an improved component of it work in a DevOps world, where the scanning speed does not impede progress along the AppSec pipeline.

What other advice do I have?

The most important criteria when selecting a vendor are:

* reliability
* customer service

Take advantage of all of the help that Veracode provides, for implementation, operations, and maintenance, because they absolutely know what they're…

Which other solutions did I evaluate?

We had been evaluating various different types of source-code scanners. It was a fundamental element of the program and we knew we had to have the best one that would meet a wide variety of applications: development, apps, as well as a wide…
Vendor
Senior Information Security Program Manager at a financial services firm with 10,001+ employees
Nov 30 2017

What is most valuable?

* The ability on static scans to be able to do sandbox scans which do not generate metrics.
* Gives us every vulnerability that has been identified, so there is no human intervention. Therefore, we can actually look and prioritize our own vulnerabilities as opposed to having someone else try to get in between.

How has it helped my organization?

The benefits are the fact that it identifies our vulnerabilities, and it has improved us by allowing us to pull everything to the left in agreement with our SDLC and with our developers, and have them not only get buy-in because they can run sandbox scans that allow them not to generate metrics, but also run policy scans where we identify what the policy is and what is acceptable. So, it has…

What needs improvement?

I would love to be able to do a dynamic sandbox scan. I think that that would allow us to really get a lot more buy-in from the software development teams. We would be able to scan our applications, identify the vulnerabilities, not generate metrics, which would allow the teams to address the vulnerabilities earlier in the cycle, and then have cleaner scans later on. Also, I would maybe like to…
Consultant
General Manager - Application Security at a tech consulting company with 51-200 employees
Oct 18 2017

What do you think of Veracode?

How has it helped my organization?

PoC is in progress.

What is most valuable?

* Application testing
* False positives challenges
* Wide range of platforms and technology assessments

What needs improvement?

It needs to reach the level of Checkmarx's and Fortify Software's capabilities and service levels, or may further loosen the market share.

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

No.

How are customer service and technical support?

Customer Service: A three out of 10. Technical Support: A two out of 10.

Which solution did I use previously and why did I switch?

Quality levels, service offerings, pricing, and mainly the features and abundance of technologies provided by others made us switch…
Vendor
Software Developer/Architect at an insurance company with 201-500 employees
Jul 06 2017

What is most valuable?

We used the application for the web. Static, dynamic, and manual scan features were all very useful for us. All of them helped us fix many security flaws.

How has it helped my organization?

It made us change our approach to coding. We tried to make sure our application stayed secure and safe.

What needs improvement?

The current features were enough for us. Although reports are well documented, it was difficult for us to understand them at first.

What's my experience with pricing, setup cost, and licensing?

I don't know about the prices.

Which solution did I use previously and why did I switch?

We did not use a previous solution. This was the first security application we used.

What other advice do I have?

If it's the first time you are using a security application, be ready for some new tools which will require you to revitalize the flaws reported. Reports are very well…

Which other solutions did I evaluate?

We did not evaluate any alternative solutions.
Vendor
Security Consultant at a tech company with 501-1,000 employees
Feb 23 2017

What do you think of Veracode?

What is most valuable?

Allows developers to run their own scans.

How has it helped my organization?

Reduced dependency on the security team to run scans. It helped the organizations to scan a large number of applications on a regular basis.

What needs improvement?

I would like to see the following:

* Correction of the regularly received false positives
* Options to manage comments and mitigations
* Better UI functionality

For how long have I used the solution?

We have used this solution for a year.

What do I think about the stability of the solution?

A few months ago, there were issues with the scanners and tickets were opened. However, they were resolved. This is a stable product.

What do I think about the scalability of the solution?

There have not been any scalability…
Gustavo_Gonzalez
Real User
Technical Program Manager at an engineering company with 10,001+ employees
Feb 09 2017

What is most valuable?

* Customer and professional support
* Live sessions and training
* The coverage of the last vulnerabilities reported
* The coverage of the programming languages

How has it helped my organization?

We decided to begin a partnership with Veracode, so we can improve our services and provide the customers that trust us with a platform capable of reporting vulnerabilities…

What needs improvement?

* To be able to upload source codes without being compiled. That’s one feature that drives us to see other sources. Compiled code means that the code written is stored in…

What's my experience with pricing, setup cost, and licensing?

Veracode is a very complete tool; that drives you to invite customers, the apps team, developers and even the product and marketing team to navigate through the whole…

Which solution did I use previously and why did I switch?

I use a portfolio of tools for security consulting, but Veracode is the main app I rely on because customers are happy to be able to track the status of each individual…

What other advice do I have?

I recommend exhausting all resources and gaining knowledge from different security tools, before making a decision. Veracode is not cheap, but it is a tool capable of…

Which other solutions did I evaluate?

Before choosing this product, many tools were tested, such as HPE WebInspect, AppScan, Checkmarx, etc. Those tools are good, and do their jobs really well. Veracode has…
Vendor
Senior Security Consultant at a retailer with 1,001-5,000 employees
Nov 02 2015

What do you think of Veracode?

Valuable Features

Static code analysis is a valuable feature.

Improvements to My Organization

We were able to easily integrate static code testing into the SDLC process. We moved from the waterfall to the agile methodology, and were still able to integrate Veracode testing within both methodologies.

Room for Improvement

It's been over a year since I used the product. But when I did, I found there were too many false positives.

Use of Solution

I used it for one year.

Deployment Issues

No issues encountered.

Stability Issues

No issues encountered.

Scalability Issues

No issues encountered.

Customer Service and Technical Support

Customer Service: 8/10
Technical Support: 8/10

What is Veracode?

Veracode covers all your Application Security needs in one solution through a combination of five analysis types: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

Veracode customers

State of Missouri, Rekner

Highlights
The tech support has been very much on the forefront of contacting customers. They help us by making sure all the processes have been outlined and are being followed. They regularly look with us at the whole platform process.
It provides security of different Shadow IT activities in our environment, especially around application development and website hosting.
Allows us to track the remediation and handling of identified vulnerabilities.
Provides the capability to track remediation and the handling of identified vulnerabilities.
The security team can track the remediation and risk acceptance statistics.
We use Veracode static analysis during development to eliminate vulnerability issues
I have found the user interface extremely helpful in prioritizing issues.