Integrates pipelines smoothly and fortifies code against vulnerabilities
What is our primary use case?
I use Veracode in multiple places including static code analysis, penetration testing, and dynamic code analysis. It is part of our pipeline and integrates well with Bitbucket and Git pipelines.
What is most valuable?
The ease of integration with Bitbucket pipelines and Git pipelines is vital for us. Veracode allows us to easily summarize issues and provide quick, actionable insights. It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.
What needs improvement?
Veracode can improve the licensing model as it is a bit confusing.
Additionally, threat modeling and asset management could be made more general rather than very specific.
For how long have I used the solution?
I have had experience with Veracode for a few years now, at least a couple of years.
How are customer service and support?
I have seen an upward rating of eight or more out of ten. They are very responsive and quick to help with queries within our scope.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We considered other solutions but have stuck with Veracode due to an enterprise-level licensing deal and its serving our immediate important needs.
What's my experience with pricing, setup cost, and licensing?
The licensing model is a little confusing, but we have a good relationship in terms of how it is set up. The pricing and model align with the needs of the developer community and the cybersecurity office.
What other advice do I have?
I would recommend this solution as it is adaptable for threat modeling and penetration testing on contemporary tech stacks.
Overall, I rate the solution an eight out of ten.
Offers shift-left security strategy and helps us with the latest security configurations, OWASP standards, and SAST standards
What is our primary use case?
We use Veracode for static and dynamic application security testing (SAST and DAST) on our web applications to ensure there are no vulnerabilities.
So, my use case for Veracode is pretty much for DAST and SAST protection. I'm a pen tester and DevSecOps engineer. I evaluate the vulnerabilities and mark them as false positives if needed. I also manually exploit them. If we're unable to understand something, we raise a ticket to the Veracode team and get consultancy from them.
So we are developing an application named Euro Car Parts, Car Parts 4 Less. It is an application which consists of multiple car parts and vehicle parts and everything. We are dependent on Veracode for that application, so it is quite helpful.
Threats are increasing day by day. There are new vulnerabilities that come up these days, and applications get compromised. Veracode helps us quite a bit with the latest security configurations, OWASP standards, and SAST standards. So it is really helping us and improving our security posture with each upgrade, each scan.
How has it helped my organization?
Its robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverage and vulnerability coverage. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it upgrades itself with that. And so with each upgrade, it gets better and better.
The solution offers the ability to prevent vulnerable code from going into production.
It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly.
I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them.
We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us.
As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good.
The solution provides visibility into application status at every phase of development, such as static analysis, dynamic analysis, software composition analysis, and manual penetration tests, throughout the SDLC.
We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning.
At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues.
We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive.
There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool.
We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works.
Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.
What is most valuable?
Before deployment, we upload our JavaScript and PHP files to Veracode for static analysis. It returns a report with multiple vulnerabilities or security misconfigurations. We then correct them to ensure they don't exist on our production server.
The key point of Veracode is that it's an all-in-one solution. It has all the logs, features, and reports in one place. Compared to other tools where you need to access different platforms and modules to check results and scan reports, Veracode provides everything in a centralized location. That's what I like about Veracode.
What needs improvement?
There is room for improvement in Veracode's plugin, its API plugin. I think for that API we need to install some Java .jar file. This is the main challenge I have faced because it gets very hectic while integrating it with our pipelines. But it is working fine now. It is not a very big deal, but this area should be improved.
For how long have I used the solution?
I have been using it for one and a half years, like, 15 to 16 months.
What do I think about the stability of the solution?
It is a stable solution. The stability is good, so I would rate it a nine out of ten.
What do I think about the scalability of the solution?
It is a scalable product. I would rate it a nine out of ten.
How are customer service and support?
Each time I raise a ticket regarding something, they are very quick about the responses and get connected instantly, like, right after one day. They reply very fast.
So, the customer service and support are good. Last month, I had a call with two consultants regarding some vulnerabilities. There were some issues where code was reported as cross-site scripting, but that was from a library we were using. I tried to exploit them manually, but it didn't reflect any cross-site scripting issues. They came back with the solution real quick. They just wanted us to remove an attribute we had used inside. We got that removed, and it got fixed. It is working fine now. So, no issues. It is quite fast. I don't have any complaints.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Earlier, I used tools like Snyk, Fortify, and Checkmarx. Each tool has its own pros and cons.
Veracode is a bit slow compared to Snyk and other tools in the market.
But the best thing about Veracode is that you can get everything in one place. You don't need to switch between different domains, tabs, or profiles.
Everything you want is on the same spot, on the same page. So, it is very easy to compare and check things out.
There's no different approach because every tool runs a scan, gets back to us with reports, and we validate them. We get the mitigation, check the responses, and check the actual line of code or security misconfiguration that needs fixing. The approach remains the same. I will try to exploit it manually and determine whether it is a false positive or an existing issue. Then we give a green flag, and it moves ahead to deployment.
How was the initial setup?
The deployment is complex. There are multiple things we need to check before getting our application to deploy.
So, the setup's complexity could be improved or simplified, in my opinion.
The scan doesn't take that much time to complete. You just need to sync it with your application and the scan. You just need to make the configuration and use the API in the AWS or Jenkins pipeline. So, it will take five to six hours to integrate, not more than that. But with the tests, to make sure that it is working fine with the deployment and all, it takes one day.
The solution doesn't require any maintenance; at least I didn't face anything. I just wait for the upgrade. It gets upgraded with the latest known vulnerabilities, and it gets better and improved.
What about the implementation team?
There are three teams on board: the dev team, another dev team, and the QA team. It consists of about eighteen people.
What was our ROI?
It saves us around 30% of the time. It is worth the investment because security must be the first step when developing an application. You use someone's data, especially if you work with e-commerce, banking, health, or welfare applications. You need to be very aware and secure about it.
Each user's data must be protected, and their privacy should not be compromised. So, it is very important to maintain the security configurations and ensure there are no vulnerabilities. I believe it is worth the investment.
What's my experience with pricing, setup cost, and licensing?
It works quite well as per market standards. The other tools also charge the same, whether it's SAST or other security tools. They are quite similar.
What other advice do I have?
I would recommend others to use it because it is very robust and has everything in one place. You don't need to move to any different apps, domains, or platforms to get things done. You will get the mitigation, you will get the vulnerabilities, you will get everything in one place on the dashboard. So I will definitely recommend it.
It is not as fast as Snyk, but it is scalable, and it has more coverage, I think, compared to Snyk because it gets back to us with vulnerabilities that Snyk cannot find. So, I will recommend it to my friends.
Overall, I would rate it an eight out of ten.
Has a Greenlight plugin that is useful for quality checks of code
What is our primary use case?
We use Veracode for static code analysis of our applications in two main ways: reactively and proactively. For the reactive approach, we run automatic scans nightly after developers merge changes from feature branches into the release branch. Proactively, we use the Veracode Greenlight plugin, which checks for vulnerabilities when developers try to commit code, even on feature branches, only allowing commits after passing these checks.
What is most valuable?
I appreciate Veracode's SAST and SCA features, which help to find open-source vulnerabilities. I'd estimate it's about 98% accurate, though some false positives occasionally exist. Our team has been using it for a long time.
We sometimes use the free access to the tool's application security consulting team. We reach out to them when we've tried to change our code based on its recommendations but still can't achieve 100% green status. They help us fix issues in real-time through screen sharing and development work.
We saw the tool's benefits long ago when we first implemented it. Security is a top priority for us when working for a bank. We recognized the solution as one of the best tools in the market and decided to integrate it into our pipeline. We set up quality checks in our pipelines so that any code with high or critical vulnerabilities can't even be deployed to the development environment. This proved helpful for our team. Now, we have a quality gate that checks the Veracode status before any code goes into production. The code can be deployed to production only if Veracode scanning shows no vulnerabilities. We strictly follow this process and have made Veracode an integral part of our Software Development Life Cycle approach.
Veracode has also helped us save time, especially with its proactive approach. The Greenlight plugin works directly in our IDE and is particularly helpful.
What needs improvement?
The solution should include monthly guidelines, a calendar, or a newsletter highlighting the top vulnerabilities and how to resolve them using Veracode. Its policies should be up-to-date with NIST standards and OWASP policies.
I think if it could be enhanced with AI capabilities similar to Copilot, it could be even more beneficial in guiding developers and catching potential issues early in the development process. The solution should also come up with Docker images.
For how long have I used the solution?
I have been using the product for six years.
How are customer service and support?
The product's support is good.
How would you rate customer service and support?
Positive
How was the initial setup?
The solution's deployment is easy.
What other advice do I have?
I rate the overall product an eight out of ten.
Good product and vision
The company delivers way more features to the US market than to the EU, and the features are never delivered as promised.
There are mismatches between what is described in the docs and what is actually delivered.
Overly complex license model.
The investment in the customer success package is hard to justify, and its services are not measurable.
Static scanning and software composition analysis are very helpful, but the usability needs improvement
What is our primary use case?
Static scanning is one component of Veracode. That feature we use heavily to scan all the custom code we write weekly. We use another component called software composition analysis to scan all of our open-source packages. These are the two primary use cases that we have for Veracode.
It flags any security flaws or bad practices. Veracode has its own database for many vulnerabilities identified on the SCA side. They use a tool called SourceClear, which validates vulnerabilities in any of these packages. The scanner itself is pretty good at identifying some of the flaws in either the code or the open-source packages.
How has it helped my organization?
Our organization is more secure than without Veracode. It has improved our security posture because we're running it. It's hard to gauge what that would be without it because we haven't had any security issues since I joined the company.
Veracode is very good at ensuring compliance with industry standards. It has helped us fix flaws. We know what's there, and there's generally a decent explanation for fixing each flaw. It's a quicker time to market. It's easy to figure out the problem and solve it so that we don't have exposed vulnerabilities in the market.
It has helped developers save time. We generally resolve all our flaws within seven to 20 business days after they are identified. Veracode is crucial to our shift-left strategy. We have automated scans, so we scan all our code every weekend. Today is one of those days, so it's usually the time when we come in, see there's a new problem, and immediately start working on it.
What is most valuable?
Static scanning and software composition analysis are very helpful. My colleagues and I don't need to be experts on all of those ancillary things, so we can focus more on the business deliverables.
They have a pretty good tool that allows me to run scans of my local integrated development environment. I can find a lot of those flaws a lot sooner than I would if I had to wait for these cloud-based scans. They've come out with some sort of automated fix feature. I haven't used it, but they gave us a demo of it, and that one looks promising. I don't know if it's ready for prime time yet.
What needs improvement?
The usability isn't good in Veracode. Sometimes, it will show a problem, but it's difficult to go into their tool and figure out where it is. You primarily use a web browser to access their system. It requires a lot of clicks. The static analysis is a separate part of their system from the SCA, so that's a bit difficult. They haven't fully integrated that. It's difficult for the consumer.
For how long have I used the solution?
We have used Veracode for about five years.
What do I think about the stability of the solution?
Veracode's stability is 50-50. They deploy new versions of their engine. Recently, the new version identified flaws in the code that were six months to a year old.
What do I think about the scalability of the solution?
Veracode seems to scale pretty well. We scan 60 to 70 applications every weekend without any problems.
How are customer service and support?
I rate Veracode's support engineers eight and their frontline support four. Their engineers are typically good and helpful. If I open a tech support ticket, I usually get a Veracode engineer. Those guys are good. I would rate their other support people poorly.
How would you rate customer service and support?
Neutral
How was the initial setup?
Veracode is straightforward to deploy. It's a general automated DevOps strategy. It's a responsibility shared among 20 to 30 people.
What's my experience with pricing, setup cost, and licensing?
Veracode is a decent value, depending on what you're trying to achieve. It's pretty good for security flaws.
What other advice do I have?
I rate Veracode six out of 10. I would recommend Veracode to others. The scanner is best in class, but the rest, not so much.
Its accuracy and support make it the best solution available in the market
How has it helped my organization?
Veracode helps to prevent vulnerable code from going into production. They are providing remediation support. They provide a specific solution. If a code has any vulnerability, they provide the snippet of that code. They also provide recommendations. Their support team is very active. If you have any concerns related to the vulnerabilities, they schedule a call and resolve your issues. That is very good.
With Veracode, there are fewer false positives as compared to other tools. It provides genuine vulnerabilities. It is also user-friendly. They are not only sticking to SAST testing. They also have pen testing.
The visibility that Veracode provides is good. They provide a proper dashboard for everything. We have visibility into the application status at every phase of development - Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test. I am satisfied with it. We have not integrated it with our DevOps pipeline, but it has all the features for easy integration.
Veracode helps us to fix flaws. They provide very good recommendations. It is very easy for a developer to fix the flaws. They provide a specific solution.
Veracode has helped our developers save time. It has been very useful.
What is most valuable?
In my experience, Veracode is one of the most powerful tools available in the market from a security perspective. It is a market leader in source code analysis.
What needs improvement?
I am expecting some AI-related features in it. Also, if someone is using AI-generated code, Veracode should be able to detect that.
For how long have I used the solution?
I have more than 12 years of experience working with Veracode.
What do I think about the stability of the solution?
It is stable. There are no unplanned downtimes. If they are going to have downtime because of maintenance or any other reason, they communicate that to you a week before. They not only inform you by email. They also alert you through their portal.
How are customer service and support?
Their support is good. I would rate them a ten out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I work with almost all the tools available in the market. Its competitors are AppScan and Fortify. Synopsys is also there, and Checkmarx is also there.
Veracode is the best tool as of now. That is because of the quality of the product and technical support. Veracode supports all the testing options.
Veracode is a leading tool in the market for code security. It is all about the source code review from a security perspective. It identifies the vulnerabilities in the source code. Apart from this, they also provide services for run-time code. If you have your application in production, it can also find vulnerabilities in that. They also support software composition. If your application is using a third-party library, they can identify the vulnerabilities in that.
How was the initial setup?
It is straightforward. It is easy to deploy because it is a cloud-based service. It does not take long.
They are a mature company. They have already worked a lot on all the things. They keep on coming up with new features. Their R&D team is very good.
What was our ROI?
The ROI is in terms of time savings and security. If an attack happens because of a vulnerability, it costs a company and impacts its reputation. No one should be compromising on security.
What's my experience with pricing, setup cost, and licensing?
As compared to others, it is a costly solution. It is overpriced, and many organizations with a limited budget cannot afford it. That is why they are going for other tools, but those tools are not that effective. Veracode is better in terms of quality. If you want good service, you have to pay for it.
Which other solutions did I evaluate?
I am working at a consultancy, and I did a PoC with five or six top tools in the market. I found Veracode to be the best in every aspect.
I am currently looking for some AI-powered tools. I am exploring the AI capabilities of various tools.
What other advice do I have?
Overall, I would rate Veracode a nine out of ten. With AI capabilities, it would be a ten.
Makes our code secure and integrates well with GitHub
What is our primary use case?
We use Veracode to find any vulnerabilities and for risk management.
How has it helped my organization?
There are multiple ways to use Veracode. We can use Veracode directly in our IDE, and we can use it in the UI environment in our platform. We can integrate it with GitHub or GitLab. We can also install SourceClear as an agent.
It helps to reduce the application risk rate. It checks for any vulnerabilities or CVE IDs against its database. If any vulnerabilities are present, it gives suggestions, remediations, and fixes. They have recently started with Veracode Fix, so the auto-fix capability is there for your code.
Previously, it was very difficult to find vulnerabilities and scan threats. It is a primary need to maintain the security of our code. Veracode is a good option. It provides all kinds of features for developers.
Veracode checks for vulnerabilities in the static code, third-party libraries, and infrastructure. If there are any vulnerabilities in your static code, it will provide them. It can also auto-fix them with Veracode Fix. For Web APIs, there is a solution called DAST Essentials. It came out recently, but it is a very good solution.
It has been a year since I have been using Veracode, and it has been very helpful. It gave me the vulnerabilities present in my code, such as SQL injection, and the fixes for them. It gives good suggestions to improve the score of our code base. It gives a lot of things.
I started using Veracode Fix about one month back. It can automatically fix whatever vulnerabilities are present in the code. In GitHub, it shows the line numbers that it has fixed. It also provides a reason to fix them. It also gives a report based on your policies. If any high-severity vulnerability was there, it tells you how it was fixed. Everything is given in detail in the reports. It is very good.
Veracode's policy reporting is good for ensuring compliance with industry standards and regulations. I would rate it an eight out of ten for that.
Veracode provides visibility into application status at every phase of development, but the option of infrastructure and deployment security is not there in Veracode. They have probably started working on that.
We use third-party libraries, and it suggests using only the safest versions. It gives suggestions on vulnerabilities that are present and how to fix them. It is very good. It makes our code secure.
Veracode saves 10% to 20% of developers' time.
What is most valuable?
I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities. It maps everything for you. It gives suggestions and remediations.
What needs improvement?
They should provide infrastructure management. They have not included any infrastructure security. Kubernetes images are also not there.
Their scanning engine is sometimes a little bit slow. They can improve the scan time.
For how long have I used the solution?
I have been using Veracode for more than one year.
What do I think about the stability of the solution?
It is stable. I would rate it an 8 out of 10 for stability.
What do I think about the scalability of the solution?
It is scalable. We have 5 projects. In every team, 2-3 people are using Veracode. We have a dashboard, and through that dashboard, we log in to our account. We are also using a GitHub wrapper.
We have a sprint of 2 weeks, so every 2 weeks, we deploy code. We have a team of 10 people, and at a time, at least 5 people are involved in the deployment.
How are customer service and support?
They have an Application Security Consultation team. Veracode support is also there. We can email them for any issues, and we can also connect with the ACS team through a Zoom meeting.
Their documentation is also very good. In the case of any issues, we follow the documentation.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have previously worked with SonarQube. The decision to switch to Veracode was taken by our management.
Veracode is better than SonarQube. In SonarQube, you need to give individual code, and then it fetches the details. With Veracode, you can get details about your entire application. Veracode Fix is also there to auto-fix the code. For web applications too, so many things are there with Veracode.
What other advice do I have?
It is a very good product. Veracode Fix is also there. It gives very good solutions about the code and its reusability and fixes. It has been there for the last 17 years. Without such a solution, it is very difficult to find vulnerabilities and manage fixes.
I would recommend using Veracode. It has good features. It scans your source code and your third-party libraries. There are a lot of new products in the market, but Veracode is good.
Overall, I would rate Veracode an 8 out of 10.
A very good tool for dynamic application testing, but its price is a little high
What is our primary use case?
We are quite new to security systems. We have not adopted Veracode at the enterprise level. We are using the GitHub Advanced Security system. We were looking for static code analysis or software configuration analysis tools in the market. That is when we explored Veracode.
We want to centralize our security systems so that any repository that developers are using or creating in our organization follows the same set of standards. We want to have all the security checks and all the static code analysis done at the same level and with one client.
How has it helped my organization?
We have had challenges with security because developers come from different organizations and different backgrounds. They have different ways of coding. Based on their experience, they write the code, but there is a very high chance of having vulnerabilities in their code. The PR reviews used to take a lot of time for the reviewer. By implementing such a solution at the enterprise level, we assume that we will save a lot of time for developers and code reviewers because everything will be done by the tool. It will impact us a lot.
Veracode is quite good. It checks the security vulnerabilities in our packages. It discovers them very nicely, but it is not a tool for improving code quality. It does not provide very good static code analysis.
Veracode's policy reporting is fine for ensuring compliance with industry standards and regulations.
Veracode provides visibility into application status at every phase of development.
Veracode saves our developers' time. They are not doing manual PR reviews. It has saved about 20% of the time because we are still in the adoption phase.
We have a lot of confidential data of clients. We do not want our application to be exposed outside. We have configured a code quality gate, so before production itself, it blocks the PR deployment and allows it once all the security checks are passed.
Veracode is one of the tools that helps to verify external dependencies. Veracode helps a lot there.
What is most valuable?
One thing that I like about Veracode is that it is quite a good tool for dynamic application testing. It is a little bit better than DeepSource and SonarQube in terms of software composition analysis and dynamic application testing.
When I was looking into it, my initial impression was that it has a good UI as compared to other competitors.
What needs improvement?
A negative issue I found is that it has a subscription-based model.
If Veracode can provide static analysis in terms of how we can improve the code quality, it will be quite a good feature.
For how long have I used the solution?
I have been using Veracode for 2 years.
What do I think about the stability of the solution?
It is quite stable.
What do I think about the scalability of the solution?
We have not deployed it on our on-premise system, so it is quite scalable. There are no issues with that. I would rate it a 6 out of 10 for scalability.
How are customer service and support?
We have not used their support extensively, but when we were choosing Veracode, I felt that they have a very good support system. The support they provided was good.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I also work with SonarQube. I did not switch from SonarQube to Veracode. We are using a combination of both because SonarQube provides good code quality, but Veracode does not. Veracode provides very good dynamic application testing and software configuration analysis, but SonarQube does not. A combination of both is meeting our needs.
Configuring SonarQube at the cloud level based on our requirements is quite challenging. The support is based on the community. It is not something we consider as an enterprise-level tool, whereas this is not the case with Veracode. These things are better in Veracode.
How was the initial setup?
I was not involved in its deployment. I am in the quality team. The DevSecOps team takes care of its deployment. That team has 8 to 10 people.
It does not require any maintenance. Everything is done automatically by the vendor.
What about the implementation team?
Everything was done in-house.
What was our ROI?
It is too early for that, but Veracode will save us development effort and time. That will be the return on investment for us in the future. We will be able to measure its overall cost-effectiveness by comparing what we are paying for the service and how much developer time it is saving.
What's my experience with pricing, setup cost, and licensing?
We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides. In addition to the standard licensing costs, there are no additional costs.
To someone who is looking at Veracode but is concerned about the price, I would recommend exploring it themselves. They might not need the same features that we need. They might be looking at some other aspects of security. I would recommend exploring it and doing a price evaluation based on their needs.
Which other solutions did I evaluate?
We also explored DeepSource for some time, but we did not go for it. The functionality that DeepSource provides is somewhere between Veracode and SonarQube. Veracode was a little bit better, and that is why we went for Veracode.
What other advice do I have?
We do not use the free access to Veracode's Application Security Consulting team, but we are planning to use it. We have not yet used the Veracode Fix feature that produces AI-generated fixes. It is a new feature.
The fact that Veracode does not scan source code, only binary code, does not concern us. We are using multiple tools. Veracode is one of them.
Overall, I would rate Veracode a 7 out of 10. We are still adopting Veracode. We have not gone through all the features that Veracode provides. Its rating would probably increase after a few months of use. I would recommend Veracode to others.
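The quality gate the review above describes, a check in the PR pipeline that blocks deployment until the security findings pass, as an added example. This is not the reviewer's configuration and not Veracode's own code; the result-file layout it parses (a `findings` list with `severity`, `cwe_id`, `issue_type` and `files.source_file`) is an assumption modelled on the kind of JSON a pipeline scanner writes, and the sample results are constructed.

```python
"""CI security gate: block a PR build when scan findings breach policy.

Added example, not the reviewer's own configuration or Veracode's code.
The results layout below is modelled on a pipeline scanner's JSON output
(a "findings" list whose entries carry an integer severity, a CWE id and
a source location); the exact field names are an assumption.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Assumed severity scale: 0 = informational ... 5 = very high.
SEVERITY_NAMES = {0: "info", 1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}


@dataclass(frozen=True)
class GatePolicy:
    """What the gate refuses to let through."""
    fail_on_severity: int = 4                       # high and very high block
    # Injection classes block at *any* severity; the scanner's severity
    # rating is not the last word on exploitability.
    fail_on_cwes: frozenset[str] = frozenset({"78", "89", "94"})
    # Fingerprints of findings already triaged and accepted. During
    # adoption this lets the gate fail only on findings that are new.
    baseline: frozenset[str] = frozenset()


@dataclass
class GateResult:
    passed: bool
    blocking: list[dict]
    accepted: list[dict]


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding: CWE + file + line."""
    loc = finding.get("files", {}).get("source_file", {})
    return f"{finding['cwe_id']}:{loc.get('file', '?')}:{loc.get('line', '?')}"


def evaluate(results_json: str, policy: GatePolicy) -> GateResult:
    """Apply the policy to a scan result document and decide pass/fail."""
    findings = json.loads(results_json).get("findings", [])
    blocking: list[dict] = []
    accepted: list[dict] = []
    for f in findings:
        violates = (int(f["severity"]) >= policy.fail_on_severity
                    or str(f["cwe_id"]) in policy.fail_on_cwes)
        if not violates:
            continue
        bucket = accepted if fingerprint(f) in policy.baseline else blocking
        bucket.append(f)
    return GateResult(passed=not blocking, blocking=blocking, accepted=accepted)


def describe(finding: dict) -> str:
    """One-line human summary used in the build log."""
    sev = SEVERITY_NAMES.get(int(finding["severity"]), "?")
    where = fingerprint(finding).split(":", 1)[1]
    return f"[{sev}] CWE-{finding['cwe_id']} {finding.get('issue_type', '')} at {where}"


# Constructed sample results, not real scan output.
SAMPLE_RESULTS = json.dumps({"findings": [
    {"severity": 5, "cwe_id": "89", "issue_type": "SQL Injection",
     "files": {"source_file": {"file": "app/db.py", "line": 42}}},
    {"severity": 3, "cwe_id": "79", "issue_type": "Cross-Site Scripting",
     "files": {"source_file": {"file": "app/views.py", "line": 118}}},
    {"severity": 2, "cwe_id": "78", "issue_type": "OS Command Injection",
     "files": {"source_file": {"file": "scripts/deploy.py", "line": 10}}},
    {"severity": 4, "cwe_id": "502", "issue_type": "Deserialization of Untrusted Data",
     "files": {"source_file": {"file": "legacy/loader.py", "line": 7}}},
]})

# The legacy deserialization finding was triaged before the gate went live.
ADOPTION_POLICY = GatePolicy(baseline=frozenset({"502:legacy/loader.py:7"}))


def main() -> int:
    result = evaluate(SAMPLE_RESULTS, ADOPTION_POLICY)
    for f in result.accepted:
        print("accepted (baseline):", describe(f))
    for f in result.blocking:
        print("BLOCKING:", describe(f))
    print("gate:", "PASS" if result.passed else "FAIL")
    return 0 if result.passed else 1   # non-zero exit code fails the PR build


if __name__ == "__main__":
    sys.exit(main())
```

Two design choices matter here. The baseline lets a team still in the adoption phase fail builds only on findings that are new, instead of blocking every PR on a backlog it has not triaged yet; and the injection CWEs block regardless of the severity the scanner assigned, because a "low" command injection is still a command injection. The non-zero exit code is what actually stops the pipeline, so the step must not swallow it.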
I like the ease of integration and onboarding
What is our primary use case?
Veracode is a DAST solution that we use for automated security scans of our APIs and front end. We perform daily scans of our applications so we can act on the results quickly instead of routine security audits that we might do yearly or quarterly. It's a complement to the standard penetration test suite.
How has it helped my organization?
Veracode helps us improve our overall security and build trust with our customers. For example, some of our customers have strict security requirements, and they need us to use more products. It helps our business by building confidence in our products' security. Veracode improves our sales and helps us secure contracts because we can demonstrate what we are doing to the clients.
We can use it in our dev environment to detect issues early before they get into production. It saves time equivalent to one full-time security engineer. We have around 60 people on the team, but we don't need a security engineer. Our regular engineers can fix the issues themselves based on Veracode's report.
What is most valuable?
I like Veracode's ease of integration and onboarding. You can quickly and easily get started with a new project or application. That's one area where Veracode shines relative to other tools we've evaluated. Other tools need more work or an engineer to do the setup. With Veracode, you can do the onboarding in a few steps quickly.
Another beneficial feature is Veracode's reporting. The report not only outlines the security issues in detail but also offers some solutions. Even if one of our backend engineers isn't specialized in security, they can still fix the issue solely based on the suggestions in the report.
What needs improvement?
When Veracode updates the pool of tests and security checks, it could be a little more transparent about what it is releasing. It's not clear what it's adding. They do thousands of checks, and when they add more, there aren't many details about what the new tests are doing.
For how long have I used the solution?
I have used Veracode for 2 years.
What do I think about the stability of the solution?
I rate Veracode 10 out of 10 for stability.
How are customer service and support?
I rate Veracode support 8 out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Veracode is the first tool we purchased specifically for DAST testing. We use other security tools, and we used to do penetration tests, but with people, not automated.
How was the initial setup?
Deploying Veracode was straightforward. There weren't many steps. We needed to prepare our API specifications and set up our system.
What's my experience with pricing, setup cost, and licensing?
The price is worth it. You have to consider the cost versus the security Veracode provides. It's also cheaper than the other solutions we considered.
What other advice do I have?
I rate Veracode 9 out of 10.
Identifies bugs before deployment in the software life cycle process
What is our primary use case?
We use the solution for identifying bugs before deployment in the software life cycle process.
It can be integrated with our CI/CD pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.
How has it helped my organization?
We've saved a lot of time since using Veracode. We've also been able to cut down on costs since we require a lot of penetration tests for testing our software. Veracode helps us drastically reduce these costs. We've cut our costs down by 40%.
What is most valuable?
The solution provides us with a feature that we can directly use with static and dynamic analysis. With static analysis, we can use it while the app is not running, and with dynamic analysis, we can scan our application while it is running. It provides efficiency and also saves a lot of time for penetration testing and bug testing.
The capabilities of the analysis of the code base can help us effectively detect potential vulnerabilities. This is the most valuable feature we found. It can be integrated with multiple code editors, and it can also be integrated with various CI/CD pipelines.
The dynamic analysis is efficient. It helps us identify bugs while the app is running. We find that this ability is way better than its competitors'.
Our impression of the solution's ability to prevent vulnerable code from going into production is positive. Prior to Veracode, we used to deploy our apps, and it used to be an expensive process to fix the bugs and all the potential vulnerabilities after deployment. Now, we have access to AI. It has AI tools, which have been trained with a lot of data sets. It helps us to detect bugs and fix them.
We use the free access to Veracode's application security consulting team. The consulting team has helped us a lot, and we've had positive experiences with the vendor. It is efficient and very fast. It takes less than two or three days, and they always respond positively. They are really fast at solving our problems. It's important for us to have access to an application security consulting team at no extra cost.
We use Veracode's AI-generated fixes. They make fewer errors and are very accurate. We've had a very positive experience. They've saved approximately seven hours of debugging and error finding versus the manual penetration testing process.
The solution's policy reporting for ensuring compliance with industry standards and regulations is very helpful. It's fast as well. The team helps us at every step of the product life cycle. They provide us with very useful visibility into things like static analysis, composition analysis, and manual penetration testing. It significantly helps us to reduce the time that we have to spend manually fixing the bugs, and it also provides us with an efficient solution for future cases via past analysis through its data algorithm. We've saved six to eight hours compared to manual fixing.
Veracode has had a positive impact on our organization's ability to fix flaws compared to the prior. It has reduced our costs and time, and it has also provided us with multiple security functions. That, and it's made our application a lot more secure. It really helps our devs free up time due to less debugging needed on their part.
The solution has helped us a lot with our overall security posture. Many security features were fixed prior to release, and we've been able to reduce manpower and employee count. We've reduced teams from six or seven people to two or three.
The integration capabilities with our existing development tools are very good. The integration process was easy. It has stable APIs.
What needs improvement?
The solution does take a bit more time when we use it for multiple processes. When we use it for a single process, it takes up less time. The cost also goes up when we use it for multiple processes.
For how long have I used the solution?
I have been using the solution for six months.
What do I think about the stability of the solution?
The solution is very stable. We haven't come across any bugs.
What do I think about the scalability of the solution?
Our security team of three uses the solution.
It's great for scaling. We can use it on multiple projects which involve multiple security flows.
How are customer service and support?
Technical support has been very fast and efficient. The team helps us at every phase of the development cycle.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did not use a different solution. Previously, we relied on manual testing.
How was the initial setup?
We deployed the solution in about three months. We had a team of eight working on the implementation. During the process, I was in charge of, IT was in charge of security, and the AI algorithm.
We don't require any maintenance.
What was our ROI?
Even after six months, we've seen an ROI. In terms of resources, it's great for cost-cutting. It also generally cuts costs by 40%.
What's my experience with pricing, setup cost, and licensing?
The pricing is moderate for particular processes. However, if we take an entire process in general, it can be costly. It's more economical to use it for single purposes instead of generalizing processes.
Thanks to its algorithm, Veracode is an on-demand service that can be very cost-effective. With so many features, we no longer require many people to test.
If they are worried about pricing, people should try out their demo feature, which is available online. That way, they can demo and evaluate how it would work for them. If it works for their team and product, they may find it can optimize their processes. Of course, it depends on the use case.
What other advice do I have?
I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product.
I'd rate the solution ten out of ten.