Used for legacy software audits and allows us to audit the software without the source code
What is our primary use case?
We use Veracode mainly for legacy software audits.
What is most valuable?
The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code. Veracode's most valuable feature is the verified vulnerability database, and we can do a full software audit at our company, including all of the systems.
What needs improvement?
Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects.
With the solution's security audit feature, an enterprise should be able to cover all of its applications with the desktops. Veracode is simply too expensive for that. If you know about the price of a web application, and if you multiply it by 1,000, the return on investment doesn't work. It's okay for one or two projects running very fast, but it doesn't work for all the legacies. So, it's a huge amount of money.
There should be some lighter tool that allows you to run an audit scan one time. Only ten percent of the applications are actively developed. About 90% of the other applications have no projects or budgets, but we are still vulnerable. It is too much if you buy it for all of that.
For how long have I used the solution?
I have been using Veracode for three years.
What do I think about the stability of the solution?
Veracode is a completely stable solution, and we had no problems with its stability. The solution was a bit slow, but it was stable.
What do I think about the scalability of the solution?
We didn’t face any issues with the solution’s scalability.
How are customer service and support?
We know only one person from Veracode, and he supported us when we had issues, and he was able to solve everything.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We have previously used Checkmarx. Veracode's pricing is cheaper than Checkmarx, and it has some unique features like binary scan. In Hungary, Checkmarx is installed more than Veracode.
How was the initial setup?
The solution’s initial setup was very easy. Only one or two people are needed for the initial setup of the solution.
What's my experience with pricing, setup cost, and licensing?
Veracode is a very expensive product.
What other advice do I have?
Veracode can list a lot of vulnerabilities, but processing all of them is a time- and resource-intensive process. I think Veracode has no innovative features because a lot of other software can do that. In our opinion, innovative features are a commodity with Veracode, but they are doing a good job.
The solution's ability to provide visibility into application status at every phase of development is valuable. It can be faster, but it can also slow down because our backlog may be much longer. There will be a lot of vulnerabilities or false positives that have to be processed. So, it is not black and white, but it is safer. Veracode has helped our developers save time.
Veracode has had a very low impact on our organization’s overall security posture because it is a very expensive product. An enterprise with 1,000 applications uses the solution for one or two applications. Veracode does not need any maintenance because it's cloud-based.
Veracode is very important to our organization’s shift-left security strategy when we have a project with enough sources to provide the license. I use Veracode’s cloud version. The return on investment with Veracode is good for one or two mission-critical projects running in the company. For other things, users should use open-source solutions or much cheaper products like SonarQube that are not as good as Veracode.
The fact that Veracode scans only binary code and doesn't scan source code concerns me sometimes. Sometimes, we have to do some source repository audits. We cannot use Veracode for source repository audits because it scans only binary code. I would recommend Veracode to other users.
Overall, I rate the solution ten out of ten.
Prevents vulnerable code, offers end-to-end visibility, and saves our developers time
What is our primary use case?
We use Veracode to scan the applications.
How has it helped my organization?
Veracode's ability to prevent vulnerable code from entering the production environment is good.
Using Veracode's ASC team is easy. I can send them an email and arrange a call from the app. They were helpful when I had issues or questions about using the app.
Free access to the ASC team is a significant advantage because they possess in-depth knowledge of the product and are readily available for assistance.
It is innovative when it comes to features.
Veracode helps our organization with security scanning. We realized the benefit of Veracode as soon as it was deployed.
The policy reporting is valuable because it provides two key benefits: first, it generates a security score for our application. Second, it offers comprehensive reporting that details both the vulnerabilities found and the potential risks they pose to our application.
Veracode can provide visibility into application status at every phase of development.
It assists our application team in fixing flaws by identifying issues and guiding the team toward resolving them.
Veracode helps our developers save time by ensuring the code is secure.
Veracode helps us improve our overall security posture. When a Veracode report shows no vulnerabilities, it indicates a strong security position. This allows the security team to sign off on approvals more efficiently, as a clean Veracode report is a key factor in their evaluation process.
Veracode is a valuable tool for a shift-left security strategy. It helps save overall development time, money, and effort by identifying and resolving security vulnerabilities early in the development lifecycle.
What is most valuable?
I find Veracode's SAST feature to be the most beneficial because it enables us to proactively identify security vulnerabilities in our application code before deployment. This static analysis helps ensure a secure application rollout across all environments.
What needs improvement?
The scanning takes a lot of time to complete.
Veracode offers comprehensive visibility into application security throughout the development lifecycle. However, due to cost constraints, we are not currently utilizing all available analysis types.
I would like Veracode to introduce infrastructure as code scanning.
Instead of relying on emails, it would be beneficial if Veracode offered a built-in tool for logging and managing issue tickets.
Veracode sometimes performs maintenance without notifying clients in advance, which can cause disruption.
For how long have I used the solution?
I have been using Veracode for two years.
What do I think about the stability of the solution?
For the most part, Veracode is stable, but there are times when we have downtime due to maintenance that we are not informed of.
What do I think about the scalability of the solution?
I would rate the scalability of Veracode nine out of ten.
How are customer service and support?
Technical support has been great at fixing any issues I've had.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
My client in the banking industry previously used Black Duck before switching to Veracode.
Veracode's end-to-end testing offers a significant advantage over other solutions by providing a comprehensive security solution. This includes capabilities for static analysis, dynamic scanning, and even penetration testing. However, the cost associated with dynamic scanning and penetration testing may deter some clients from utilizing these features.
What's my experience with pricing, setup cost, and licensing?
I don't have firsthand knowledge of Veracode pricing, but based on client feedback, it seems to be expensive with additional fees for certain features.
What other advice do I have?
I would rate Veracode eight out of ten.
Maintenance is performed by Veracode.
During a Veracode evaluation, consider the following factors:
Evaluate the time required for Veracode to complete a scan. Faster scans allow for quicker feedback and integration into development workflows.
Consider the overall cost of Veracode, including licensing fees and any associated charges for scans.
Assess Veracode's orchestration tools, particularly its compatibility with your existing CI/CD pipeline. Ideally, Veracode should offer seamless integration for easy adoption.
Evaluate the availability and variety of connectors Veracode offers for integration with your development tools. A wider range of connectors simplifies the integration process.
Enables us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously
What is our primary use case?
My company produces one of the most secure fabrics that you can find. Veracode is integrated into our development cycle through Jira. We do a full static analysis with Veracode and use Burp Suite to review the findings. The most common attack vector we find in Java code is SQL injection. When SQL injection shows up, you send a screenshot and a report to your executive team. They see the screenshot and say, "Oh, they're seeking injection here."
This has now become a top priority. We're going to pause all these redundant features that we're making here and ensure our code is secure with no SQL injection vulnerabilities. Veracode finds everything, and the security engineers do the penetration test using the results. You provide a report showing where the issue is, and developers can fix it. We also use Veracode to train security engineers and teach them how to file reports.
How has it helped my organization?
My case is different from other individuals. I worked for a startup, so we had to find a way to capitalize on all the resources in Veracode. Larger organizations are not leveraging the built-in dashboard. That aspect is what people want to know about. They want to see how their money is being spent on security. The biggest problem with security is getting funding. None of these executives believe anything these users are saying until they can see the results.
They want that dashboard report. In less than three weeks, a junior security engineer can learn to create a dashboard easily that will allow the organization to stay on top of the most important things. They need to show the stakeholders that we're doing something here. They'll get the certification and see the dashboards. You now have something that's actually worth $2,000. With these other ones, who knows what you'll get.
It allows us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously. Everyone says that they're on top of their security and have all these things in place. In a sales call, we can immediately respond to any questions about our security posture by pointing them to a link showing that your company was among the few companies that completed the full certification process. Veracode has four levels of certification, and we are at level three, I believe.
To my knowledge, Veracode is the only real DevSecOps pipeline that captures every component of the software delivery cycle, from sandbox and staging to development and production. You need to go through those four phases and ensure the code is secure by the time it hits production. Veracode handles all those phases seamlessly and can be automated with Jenkins.
Veracode is highly efficient at fixing flaws. A single person can go through and do a penetration test after collecting the data from Veracode. Instead of telling developers where the issue is, they can show them in the code editor for the static analysis. They can assign tasks to the team using Jira, so developers almost never need to do that work. They actually almost never go back and fix any of these vulnerabilities. That's why I was my company's most hated and most loved man. I forced them to do it.
What is most valuable?
I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes. Veracode's application security consulting team is very helpful. They're responsive and follow up quickly.
What needs improvement?
Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable.
For how long have I used the solution?
We have used Veracode for more than four years.
What do I think about the stability of the solution?
Veracode is highly stable. It very rarely crashes.
How are customer service and support?
I rate Veracode support 10 out of 10. Their customer support is incredible. If I have any issues, I can immediately connect with their support team and have a real working solution within one week.
How would you rate customer service and support?
Positive
How was the initial setup?
Deploying Veracode is easy. I had the best customer success manager at Veracode helping me. After deployment, Veracode requires little maintenance.
What's my experience with pricing, setup cost, and licensing?
Veracode is inexpensive and cost-effective. The licensing model is unambiguous. You know what you are getting. They also give you several seats for training. That's why it would benefit them to improve the training because more people could take advantage of it and use certifications. Some certifications for other products don't have much real value, but Veracode is a product many companies use, so it could help people get jobs.
If you're concerned about the cost, you should meet with a representative to talk about pricing. Veracode is flexible, and they're willing to let companies try the platform or test different features. They will work with companies to get to the point where they'll use it.
Which other solutions did I evaluate?
I used JFrog Xray with homegrown scripts for testing the code. It was terrible. We chose Veracode because it is more scalable. We could run scans on any code, and it was reliable. Also, their documentation was up to date. With other software providers, you would find an issue in the documentation, and they would backtrack, saying, "Oh, no one's using that."
Veracode immediately responds to the community. You have people in the community supporting each other and suggesting new features. Software providers say they're open to suggestions. Veracode will quickly get something from the community and immediately put it into development. JFrog has the same stuff as they did four years ago. They haven't changed anything.
What other advice do I have?
I rate Veracode 10 out of 10. Veracode is constantly changing and improving.
It's a solution our customers trust, so when we share the report they know we've done our due diligence
What is our primary use case?
We use Veracode for static application security testing, dynamic testing, and software composition analysis. My company's engineering team has about 50 people who use Veracode across multiple product lines.
How has it helped my organization?
The main benefit of Veracode is that we can deliver better, more secure software. Our customers also trust Veracode. When we share the Veracode report, they see that we have gone through all the due diligence.
Veracode aligns with SOC, ISO, and other types of certifications. It helps with compliance that Veracode has all these reporting formats. The solution provides visibility at every stage of development. We have automated almost everything through integration with Jenkins. As soon as the developer commits, it triggers the static scan for the main branches. We don't need to trigger the scan manually or do a follow-up to see if it's done scanning.
The solution saves time by reporting issues and recommendations that help developers fix the reported vulnerabilities faster. I estimate that it improved developer productivity by about 10 percent.
What is most valuable?
Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they can push it to the production environment when the results are acceptable.
The solution effectively prevents vulnerabilities from entering production. We've drastically reduced our third-party VAPT-reported issues. Before Veracode, the third-party VAPT analysis reported hundreds of issues per application. Now it's down to about 20, and Veracode can address most of them.
What needs improvement?
The interface is one thing I find a little challenging. Veracode's interface feels a little outdated compared to other solutions, and it could be modernized. I'm mostly happy with the features, but Veracode could add Docker image scanning.
For how long have I used the solution?
I have used Veracode for about six years.
What do I think about the stability of the solution?
Veracode seems stable. I don't recall facing any issues.
What do I think about the scalability of the solution?
Veracode is scalable.
How are customer service and support?
I rate Veracode support eight out of 10. They are quite good at responding to issues.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We tried AppScan and Snyk. From an integration perspective, Snyk is a little better integrated with our pipelines and ticketing system.
How was the initial setup?
I can't recall the deployment well, but I think it was straightforward. Veracode requires no maintenance after deployment.
What was our ROI?
I have not calculated the return on investment, but I think it's at least 200 percent.
What's my experience with pricing, setup cost, and licensing?
We aren't paying the listed price. We get some discounts, but we get a lot of value from it regardless of what we're paying. We look at the overall cost of what we would spend without a tool like Veracode. The longer you delay fixing security vulnerabilities, the more it will cost you during the later stages. By integrating it into the development cycle earlier, it helps to keep total costs lower.
Which other solutions did I evaluate?
We evaluated multiple scanning solutions before choosing Veracode, and we perform a mandatory comparative analysis annually. Veracode's scanning engine is more innovative and provides a more detailed analysis relative to Snyk and AppScan. It performs much better in terms of the number of issues discovered.
What other advice do I have?
I rate Veracode 10 out of 10. When implementing Veracode, you need to develop a workflow or a process. It becomes easier if you have that in place. For example, you can create a workflow where you scan inside the sandbox and approve those fixes before moving to production.
Also, you should have separate people for raising issues, remediation, and approval. That way, you will have some control over which issues are mitigated and for what reason. That process flow has to be set up properly. Another aspect of successful implementation is automation. Your team needs to invest time in automating and embedding scanning in your pipelines.
Runs comprehensive scans and links the vulnerable code to the weekly reports identifying what services are affected
What is our primary use case?
We use Veracode to identify vulnerabilities in code to ensure the security and integration of the apps.
How has it helped my organization?
Veracode effectively identifies vulnerabilities within the code. My role is to analyze these vulnerabilities and assign a severity level before forwarding them to the development team. This allows them to address the issues before deployment to production.
Whenever Veracode releases a new feature, we seek the expertise of Veracode's application security consulting team to understand its functionality and how it contributes to code security. The team demonstrates exceptional responsiveness and promptly addresses our questions, eliminating the need for unnecessary back-and-forth communication.
In today's digital world, cybersecurity is more important than ever. Veracode offers a comprehensive suite of features that help developers secure their code through automated scanning. This scanning identifies vulnerabilities and detects malicious code, preventing it from entering production.
Veracode has helped reduce our time to remediate security flaws.
The policy reporting for ensuring compliance with industry standards and regulations has been positive for our organization.
Veracode provides visibility into application status at every phase of development.
It has been instrumental in enhancing our organization's ability to fix flaws while simultaneously reducing our manpower requirements, allowing us to focus on other issues.
Veracode has helped our developers save 20 percent of their time.
Implementing Veracode has significantly bolstered our security posture. We can uncover more vulnerabilities and streamline our detection process. We've become more proactive in identifying and addressing security threats. This allows us to focus on building secure applications with confidence.
Veracode has proven to be a solid choice for our organization's shift-left security strategy, compared to other solutions like Darktrace.
To ensure secure software from development to deployment, we leverage Veracode throughout our CI/CD pipeline, enhancing our app security at every stage.
Veracode helps us prevent vulnerable code from entering production, strengthening our third-party application security.
Among Veracode's features, vulnerability scanning stands out for its effectiveness in identifying and remediating security weaknesses, ultimately mitigating threats to our applications.
The integration capabilities have positively affected our existing development tools when integrating with other cloud solutions. It is easy to integrate and the support team is helpful during the integration process.
Veracode helped improve our compliance posture with our existing solutions.
What is most valuable?
The automation of Veracode is great because we no longer have to run manual testing.
The weekly report logs are great because we can address any vulnerability issues that are detected quickly.
Veracode runs comprehensive scans and links the vulnerable code to the weekly reports identifying what services are affected and forecasting the next steps.
What needs improvement?
The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users.
I would like Veracode to introduce more sophisticated AI features.
For how long have I used the solution?
I have been using Veracode for one year.
What do I think about the stability of the solution?
I would rate the stability of Veracode nine out of ten.
What do I think about the scalability of the solution?
Veracode supports scaling up whenever we want to keep up with our growing app portfolio.
I would rate the scalability of Veracode eight out of ten.
How are customer service and support?
The experience I had with their technical support has been great.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I recently changed companies, and my current employer does not use Veracode. However, I have discussed implementing it with them because it offers more mature features compared to other solutions.
How was the initial setup?
The initial deployment took around four months and required five people.
What's my experience with pricing, setup cost, and licensing?
Veracode is affordable for large organizations, but its pricing may be out of reach for small and medium companies.
What other advice do I have?
I would rate Veracode an eight out of ten. Veracode's pricing hinders my overall rating of the solution.
Veracode was deployed in two regions with 25-plus users.
Veracode requires some maintenance to keep the scanning accurate.
While I highly recommend Veracode, affordability for smaller organizations may be a significant hurdle due to its pricing structure. It's crucial to carefully evaluate their budget constraints and explore alternative solutions if necessary.
Integrates seamlessly and saves time and costs
What is our primary use case?
I used Veracode in my previous company. My role was to assist the team in identifying the vulnerabilities in the reports. I identified those and diverted them. The software team was responsible for taking appropriate actions to fix those.
We used Veracode in our environment to have account verifications or transaction confirmations. Apart from that, we had event registration as well as membership confirmation.
How has it helped my organization?
Veracode provides visibility into application status at every phase of development. My role was to analyze the vulnerabilities and pass them on to the software team. The severity of a risk was provided by us, and the software team was responsible for mitigating that. It helped us a lot in mitigating the vulnerabilities. We were able to proactively react to anything malicious.
It helped with early vulnerability detection and automated security testing. These were the two things for which I usually used Veracode.
The static analysis and the dynamic testing methodologies for security vulnerabilities helped us in our development process. It allowed our developers to address issues before they became complex or expensive to fix. That was one of the things that helped us a lot.
Veracode helped us with the Log4j vulnerability. At that time, we relied completely on Veracode.
Veracode helped our developers save time. Proactively fixing the vulnerabilities saved a lot of time. It saved 50% to 60% of the time. Fixing them after the sprint is over takes more resources and time and also costs us. Veracode saved time as well as the cost.
Veracode helped us with the shift-left security strategy, but we did not rely much on Veracode for that because we already had something for that. Veracode was good enough overall.
What is most valuable?
The scanning is most valuable. The scans given by Veracode are one of the key features that I like.
The integration with DevOps pipelines is seamless.
What needs improvement?
The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives.
For how long have I used the solution?
I have used Veracode for almost two years.
What do I think about the stability of the solution?
It is stable.
What do I think about the scalability of the solution?
It is scalable. The agents were deployed on about 2,000 machines. For administration, we had a SOC team. It was filler work for them, but we had a team of 13 people.
How are customer service and support?
Dennis from Veracode helped us right from the deployment. If there was any critical task, he used to help us with that. We hardly had to reach out to their support for any issues.
Which solution did I use previously and why did I switch?
I have used different solutions. I have used Darktrace. I have used CrowdStrike and Carbon Black. In my current company, I am using CrowdStrike.
When I was using Veracode, each agent needed to be deployed on each machine. I do not know what they are using now. CrowdStrike is a single platform with a single agent. You can deploy it on all the machines. That is one of the advantages. Moreover, I have become used to the GUI of CrowdStrike over the last year or so. I am more comfortable with CrowdStrike, but it varies from person to person. I would rate Veracode an eight and CrowdStrike a nine out of ten. I am a bit biased toward CrowdStrike because I am currently using it in my organization. I am not using Veracode here.
How was the initial setup?
I was involved in its deployment. It was super easy. The support that was provided by them was fabulous.
There was a delay from our end. It took us almost 90 days to deploy it, which included approvals and other things.
What about the implementation team?
We had a consultant from Veracode. His name was Dennis. We were satisfied with his job.
What was our ROI?
I used it for two years in my last organization, and we saved a lot of costs. It was not related to the product; it was related to the risks that we used to get. On the technology side, it surely saved a lot.
What other advice do I have?
They keep on working on their product. They keep on upgrading that. The threat landscape keeps on evolving, and there are new threats every day. The Veracode team helped us in mitigating and remediating them and guiding us with those particular threats. I would surely recommend Veracode. I even tried to recommend it over here, but I am not the person responsible for that decision here.
They have recently introduced a feature called "Veracode Fix" that produces AI-generated fixes. I read about it somewhere. It does vulnerability identification and prioritization and some behavioral analysis. It does dynamic analysis of any malware or any abnormal or malicious behavior. It is evolving. One more thing that I read was pattern recognition. The AI algorithm that has been provided recognizes patterns. It can assist in recognizing patterns and trends in security data.
It has policy reporting for ensuring compliance with industry standards and regulations, but we did not use that.
To those who want to use Veracode or any similar solution, I would advise being aware of their environment and security posture and seeing where it fits into their security posture. If they proactively work on the alerts provided by Veracode, they will surely save a lot of money, time, and resources. I would suggest working proactively on the alerts given by Veracode.
Overall, I would rate Veracode an eight out of ten.
Helps prevent vulnerable code, significantly reduces build time and investigation time
What is our primary use case?
Previously, finding security issues in our complex healthcare software was a time-consuming process. Manually reviewing all logs took half our time. However, Veracode has revolutionized our workflow.
With Veracode's automated solution, we now receive daily reports highlighting security vulnerabilities. This allows us to address issues promptly, significantly reducing the previous two to three-week investigation period.
Veracode also eliminates the need for manual testing, freeing up our team for other tasks. Its user-friendly interface provides comprehensive scans and detailed reports, and even pinpoints specific lines of code causing issues.
This shift-left approach has greatly improved our development process, resulting in fewer customer complaints. Proactive vulnerability detection and efficient issue resolution have significantly enhanced our team's productivity.
How has it helped my organization?
Veracode does a great job preventing vulnerable code from going into production. For enterprise-level companies, saving time is paramount. Previously, manual testing took days and still didn't uncover as many issues as Veracode now identifies. Despite having a skilled testing team, their workload has been reduced by 70 percent thanks to Veracode. This newfound efficiency has revealed vulnerabilities we wouldn't have found otherwise. Veracode excels at showcasing issues and their severity, extending beyond violation errors to encompass potential security risks and logic-related issues. Its user-friendly interface simplifies the process for all users, regardless of their technical expertise. As a developer, I recognize the immense effort behind Veracode's seamless operation. It automates the grunt work, freeing up our developers to focus on other tasks.
The policy reporting for ensuring compliance with industry standards and regulations is good. Veracode covers a vast majority of industry standards and identifies areas within our code that don't comply with those standards, providing remediation suggestions.
Veracode provides comprehensive visibility into application security throughout the entire Software Development Lifecycle. During the coding stage, Veracode scans the entire codebase for vulnerabilities. Additionally, we utilize Veracode's static analysis capabilities for further security assessment. Once the product is published and deployed to the production environment, Veracode analyzes the entire software stack to identify any potential security risks. In short, Veracode plays a vital role in various stages of our software development and production process.
Veracode has significantly improved our speed in fixing software flaws. It has also transformed our approach to addressing issues. Previously, we spent considerable time investigating the root cause of errors in the code. Now, thanks to Veracode, we can devote more of our intellectual resources to directly fixing the system, which ultimately results in a more efficient product for our users.
It has significantly reduced our build time. We automate our builds every day, running them between 3:00 AM and 5:00 AM. Once the build is complete, Veracode scans the entire build and provides a report by 6:00 or 7:00 AM. This allows us to review any new issues in the build by the time we start work at 9:00 AM, enabling us to address them quickly. Previously, this process took several days, but with Veracode, it now takes just a few hours. We now continuously review and fix issues every day, leading to significant time savings compared to our previous weekly review process.
Veracode has significantly enhanced our security posture by improving our security practices and increasing the efficiency of our security team. Additionally, we are now experiencing a decrease in the number of errors reaching production. Previously, our development process involved developers building and deploying code, then sending it to the security team for evaluation and subsequent feedback. This cycle is often repeated multiple times, leading to delays and inefficiencies. However, with the implementation of Veracode Greenlight, developers are now empowered to test their code directly, effectively shifting our first layer of security. This shift has enabled us to deliver even more secure products while simultaneously saving substantial amounts of time.
What needs improvement?
I would like Veracode to add more language support.
To use the Veracode extensions, we need to create a file in a folder and name it "prevention and filters." It would be more user-friendly if Veracode could automate this process by creating the file automatically when the Greenlight extension is installed. Additionally, a pop-up tool for security could be shown to guide users through the process, making it more user-friendly.
For how long have I used the solution?
I have been using Veracode for six months.
What do I think about the stability of the solution?
Veracode has been a stable platform for us to date.
What do I think about the scalability of the solution?
Veracode can scale based on the price tier selected. I would rate the scalability of Veracode a nine out of ten.
How are customer service and support?
The Veracode support team is excellent. I had an issue removing an account, so I emailed support. They created a case for me within one minute and sent me an automated email with a registered ticket. Within five to ten minutes, I was contacted by a support representative who quickly understood my problem.
My account had expired on the platform but hadn't been deleted from the backend. The representative understood this right away and provided a solution for a hard delete. He was also very knowledgeable but explained that he needed the administrator's permission to proceed. He suggested I add him to the thread, and everything was resolved smoothly.
How would you rate customer service and support?
Positive
What other advice do I have?
I would rate Veracode a nine out of ten.
Minimal maintenance is required for Veracode.
We are not concerned that Veracode does not scan source code, as we believe scanning binary code is a more advantageous option.
Since security is paramount for applications, utilizing Veracode to identify and remediate vulnerabilities is a wise investment. This approach frees up valuable time and resources, allowing for more efficient progress.
Which deployment model are you using for this solution?
We have fewer vulnerabilities and bugs, and we get security information daily
What is our primary use case?
We use Veracode for SAST and SCA. We are moving towards dynamic analysis as well. We use it now to scan our artifacts and reports, and very soon we are going to use the Veracode plugin for our IDE to have immediate results for security analysis purposes.
How has it helped my organization?
Before integrating Veracode, we were getting so many security vulnerabilities on higher branches. We integrated it to fix that. It prevents vulnerable code from going into production. We have fewer vulnerabilities and bugs.
We are getting the security vulnerability results on a day-to-day basis. Our pipeline is running every hour, and we are getting early feedback, giving us a shift-left approach. On a daily basis, we are able to rectify issues rather than find them in production or pre-production.
It provides visibility into application status at every phase of development. We have our initial feature branch, or low-level branch, and then we commit. The pipeline is running, so we will know about things immediately. This is quite valuable for us.
What is most valuable?
The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline.
Another aspect that is quite good is the policy reporting for ensuring compliance with industry standards and regulations. Initially, we were using freeware tools, but we are quite impressed with how Veracode gives the most detailed and latest vulnerability and security information.
For how long have I used the solution?
I have been using Veracode for almost a year.
What do I think about the stability of the solution?
It's a stable solution. There are no problems. The stability is a seven or eight out of 10.
How are customer service and support?
We connected with Veracode's support a couple of times, and we got a different answer each time.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We used to use Snyk and other tools. The switch to Veracode was an enterprise-level discussion, and I was not involved.
What was our ROI?
It took some time to see the benefits, around six to eight months.
What other advice do I have?
Although Veracode doesn't scan source code, only binary code, I'm not concerned because we can scan the source code with an SCR tool.
Veracode hasn't yet helped our developers save time. Their development time has increased because, initially, we were only taking the security and vulnerability issues on the higher branches. Now it is on lower branches as well, so the development time has increased. In the local branches, if a report indicates something has not passed, we are not allowing them to merge their code into higher branches.
We have it deployed in a multi-cloud and hybrid environment. We are using AWS, Azure, and VMware vSphere.
Overall, I would recommend Veracode. It is quite helpful.
Provides clear visibility into flaws, and helps improve security posture, but the false positive rate is high
What is our primary use case?
We have some applications that connect to external providers or provide external services that users can access from the public internet. We are uploading these applications to Veracode to assess the security threats that our code may pose.
How has it helped my organization?
Veracode's analytical capabilities are very good, but I'm not sure if they have prevented security vulnerabilities from going into production in our case because we haven't been using them optimally. We're now working on integrating them into our development pipeline so that we can test applications before they're released. This will also allow us to familiarize ourselves with the sandboxes during development. I believe that if we start using Veracode correctly, it will be very beneficial in preventing security vulnerabilities from going live.
The main benefit of Veracode is the software composition analysis because it helped us identify that we were using some libraries with security flaws. This is important because the individual software components are owned by different smaller teams, and all of those teams contribute to one overall large application. Therefore, there is no single person who would be able to take care of all of the third-party libraries that we are using. Veracode analyzing the libraries that we use is therefore beneficial to us.
Veracode's policy reporting for ensuring compliance depends on how our organization uses it. I'm not sure if we're using it to the best of our ability because, for example, I discovered that there is a central space where we can run analysis and sandboxes. Based on what the Veracode expert I spoke to told me, policies should be reported from the danger space, but in our organization, we're reporting them from the Prod CI sandbox. This doesn't seem to be a good solution because the overall application is displayed on the main page, which doesn't reflect what our compliance teams think about our applications. Besides that, I think it comes down to how we're using Veracode within our firm. Overall, I think it's great that the firm can configure certain policies to monitor applications, and the flaw report also enables us to see the flaws that need to be fixed to become compliant, which is a good feature. From Veracode's perspective, everything looks fine.
Over the past year, we discovered a severe security flaw in Log4j 1.2.15. We initially believed that this version had been replaced with a newer version that does not have the flaw, but our software composition analysis reports revealed that this is not the case. We still have a few binaries that depend on Log4j 1.2.15, which is vulnerable. The software composition analysis results prompted us to schedule a replacement with a new version, which is currently underway.
Veracode has helped us fix flaws effectively. Our security teams enforce monitoring and fix deadlines for reported flaws. If a reported flaw cannot be accepted as a false positive, we must fix it promptly to maintain a high success rate.
Veracode has improved our security posture and will continue to do so as we learn to use the solution more effectively.
What is most valuable?
I like the way the flaws are reported in the system. It is quite clearly visible where the flaw is coming from, and it is possible to upload the code to see exactly which line was identified as a security threat. I also like the software composition analysis that Veracode provides, because we can see third-party libraries that are used in our software and check if there are any known security flaws in those libraries.
What needs improvement?
There are many false positives, especially one particular type: reported hard-coded passwords in the code. We do not have hard-coded passwords in our code, but we are using third-party libraries that have variables with passwords in their names. For example, a variable might be named "passwordForCommonFixFile" or "passwordForSecurityStore." Veracode's keyword analysis probably assesses these variables as hard-coded passwords. This is problematic because the false positives are coming from third-party libraries, and we cannot easily check the flaws to see if they are false positives. To fix the problem, we have to compile the code, which we should not have to do. We are forced to accept the false positives because we know from the software and system design that there cannot be hard-coded passwords in the third-party libraries we are using. If the libraries were generic, then there would be no chance that they would have hard-coded passwords for the specific services that we are connecting to. To reschedule the scan, we have to go through some bureaucracy.
Despite the presence of many false positives, we remain confident in Veracode. However, the impact on developer confidence is negative, as it leads to resistance to enforcing certain development processes, including the use of Veracode in the development pipeline. This is understandable, given the complexity of the process required to reschedule the flaw for a single false positive. This process requires approval from the system owner, a senior manager, and the cybersecurity team.
Veracode has increased the work time of our developers because of the false positives.
The area with the most room for improvement is the speed and responsiveness of the query, as it is usually very slow. I am not sure if there is a specific space allocated for us that can cause this, but when I open an application and want to click through multiple scans to see the differences, or if I want to do anything else, everything loads very slowly. This makes it much less user-friendly to play around with the GUI and explore the features.
For how long have I used the solution?
I have been using Veracode for three months.
What do I think about the stability of the solution?
Veracode is stable but a bit slow.
How are customer service and support?
I have only one experience with Veracode support, but it was very positive. I used the schedule consultation feature in the GUI, which was very useful. We had some questions about how to correctly upload a code, and I was able to schedule a call with a Veracode expert. The support person who helped me provided me with many insights, answered all of my questions, and even went beyond what I asked to explain how to use the feature and improve our process.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment is complex because our system is huge, consisting of hundreds of different binaries. Dozens of teams contribute to the releases, and as a result, a large number of changes are deployed at the same time. This makes it very easy to break something, and there are many people involved in the process.
The deployment required a core team of five, with some additional people on hand to support if anything went wrong. The maximum time for deployment was one day.
What other advice do I have?
I give Veracode a seven out of ten due to the slow speed and the false positives.
We only use Veracode for static analysis. We do not use the other features at all.
We have infrastructure deployed in multiple locations around the world. In my team, 50 people use Veracode. Across the entire organization, it is used by hundreds, if not thousands, of users.
I advise everyone to use Veracode in their development pipelines, so that scans can run very frequently, at least once during each nightly build. This will ensure that reports and flaws are addressed effectively. From my development perspective, I recommend against enforcing specific rules on using Veracode, giving deadlines to fix flaws, or introducing additional bureaucracy. This can worsen the developer experience and lead to developers finding ways to avoid having flaws reported, such as by decreasing the frequency of scans. In my opinion, the more processes and bureaucracy we add, the less useful Veracode will be.
Which deployment model are you using for this solution?
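The reviewer above describes false positives where third-party code merely names a variable "passwordForSecurityStore" or "passwordForCommonFixFile". The following is an added illustration, not code from the review or from Veracode, of why a keyword-only check over-reports and how a literal-aware check narrows the result; the source lines and the detector heuristics are constructed for this example and are not Veracode's actual rules.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample source (Java-style) mixing the reviewer's variable names,
# a prompt string, a console read, and one genuinely hard-coded credential.
SAMPLE_SOURCE = """\
String passwordForSecurityStore = config.get("store.password");
String passwordForCommonFixFile = System.getenv("FIXFILE_PASSWORD");
String dbPassword = "hunter2-example";          // constructed hard-coded secret
private static final String PASSWORD_PROMPT = "Enter password:";
char[] password = console.readPassword();
"""

# Identifiers that a keyword-driven rule would consider credential-like.
KEYWORD = re.compile(r"pass(word|wd)|secret|credential", re.IGNORECASE)
# An identifier assigned a quoted string literal on the same line.
LITERAL_ASSIGN = re.compile(
    r"""(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<lit>"[^"]*"|'[^']*')\s*;?"""
)


@dataclass
class Finding:
    line_no: int
    name: str
    reason: str


def keyword_only_scan(source: str) -> list[Finding]:
    """Naive rule: flag any line whose identifier contains a credential keyword.
    This reproduces the false positives the reviewer describes."""
    findings: list[Finding] = []
    for n, line in enumerate(source.splitlines(), 1):
        for ident in re.findall(r"[A-Za-z_]\w*", line):
            if KEYWORD.search(ident):
                findings.append(Finding(n, ident, "identifier contains credential keyword"))
                break  # one finding per line is enough for the comparison
    return findings


def literal_aware_scan(source: str, min_len: int = 6) -> list[Finding]:
    """Refined rule: flag only when a credential-like identifier is assigned a
    string literal that looks like a value rather than a prompt or label.
    Values read from config, environment, or a console are never literals."""
    findings: list[Finding] = []
    for n, line in enumerate(source.splitlines(), 1):
        m = LITERAL_ASSIGN.search(line)
        if not m or not KEYWORD.search(m.group("name")):
            continue
        value = m.group("lit")[1:-1]  # strip the surrounding quotes
        # Heuristic: prompts and labels contain spaces or end with ':'.
        if len(value) < min_len or " " in value or value.endswith(":"):
            continue
        findings.append(Finding(n, m.group("name"), f"string literal assigned: {value!r}"))
    return findings


if __name__ == "__main__":
    for scan in (keyword_only_scan, literal_aware_scan):
        print(scan.__name__, [(f.line_no, f.name) for f in scan(SAMPLE_SOURCE)])
```

The naive rule flags all five lines, while the literal-aware rule reports only the constructed `dbPassword` assignment; a real SAST engine applies far more context, but the contrast shows why name-based findings from library code deserve a quick check for an actual literal before they are accepted as flaws.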
We like the secrets detection feature
What is our primary use case?
We use Veracode as part of our development pipelines. It gives us security feedback when we run our applications. Our applications are completely containerized in Docker images with a .NET 4.6 architecture. These are web-based applications, so we want to know that all the HTTP requests are secured. The tool provides us with feedback to ensure that our application security is robust.
We are primarily running Veracode to check for vulnerabilities after the build. There is no pre-build process. We are running a post-build static analysis and dynamic analysis. We run it at the end of the development process.
How has it helped my organization?
Veracode's ability to detect security vulnerabilities is excellent. We can feel confident that none of the vulnerabilities will make it into production. It doesn't take long to realize the benefits from it. The interface is intuitive. We could start to see value from Veracode within a couple of weeks.
We don't have many false positives. We're using the tool's default rules and haven't done much customization. We can feel confident in the solution's results.
We can identify most of the issues before the production stage, and it also enables us to develop better practices in the development process. We also have a security testing team using Veracode to discover vulnerabilities. The discovery of issues after static analysis is super-efficient. It reduces our time spent on these tasks by about 30 percent.
Veracode has had a positive impact on our overall security posture. It's comprehensive, which is critical because our applications are mostly integrated, so we don't want to take any chances.
What is most valuable?
One thing we like is the secret detection feature. It has helped us to discover keys stored in our settings file as a TXT document. We can address that vulnerability by using encryption. We can even scan Docker images for vulnerabilities. Static analysis is another good feature of Veracode because we can run a security scan during development to identify the vulnerabilities.
Veracode helps us prevent vulnerabilities from entering production. We can put it into the pipeline and set an acceptable limit for vulnerabilities. If the number of vulnerabilities is under the threshold, we can deploy automatically.
What needs improvement?
Veracode's container scanning could be improved. We containerize all the platforms we use inside a Docker image. For example, we create a Microsoft Docker image that we build our application on top of. I would like Veracode to implement IT scans before we commit the code.
For how long have I used the solution?
I have only used Veracode for a year.
What do I think about the stability of the solution?
Veracode is stable.
What do I think about the scalability of the solution?
Veracode is scalable.
How are customer service and support?
I rate Veracode support eight out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We evaluated another solution briefly, but we decided to keep Veracode. Veracode has some issues with container scanning, and we have some container-based applications. We considered bringing in another tool for container scanning, but it was too expensive and Veracode was able to mitigate the issues well enough.
What's my experience with pricing, setup cost, and licensing?
Veracode is affordable. It offers a good value for the security benefits it offers, especially if you're working with applications that involve payment processing. You cannot afford to take chances there.
What other advice do I have?
I rate Veracode nine out of 10. I recommend Veracode, depending on the type of application you are scanning. It's a leading solution in this domain. Veracode is the first name that comes to mind when people are talking about security scanning.