It helps with intelligent software composition, ISC, allowing us to test fast and get fast feedback around third-party library vulnerabilities, and have a quality gate around the CVEs, and so on.

I work as a digital consultant helping customers with their digital transformation side, with the primary focus on reliability engineering, SecDevOps, and Cloud. I have multiple clients using this same product. My clients are from different industries such as retail, consumer goods, travel, hospitality, and energy.

Veracode provides visibility into application status at every phase of development, as it's how we stitch it together, allowing us to introduce it at various phases to gain fast feedback. This capability increases the velocity in DevSecOps processes as developers receive feedback on vulnerabilities before committing, reducing the overall rework.

It helps developers save time significantly. For instance, if I take a library and assume it's going to work until it reaches QA or UAT, where we find out there's a vulnerability, that can require extensive effort for code refactoring or redesigning; Veracode helps prevent that before the pull request is merged.

Veracode impacts the overall security posture by maintaining data integrity, ensuring we are not exposed to threats from third-party libraries with known vulnerabilities. From my perspective as a SecDevOps evangelist, Veracode is crucial for an organization's shift-left security strategy. Veracode's SCA perspective offers tools that facilitate shift-left security by providing feedback before failures occur in the development process.

All three of Veracode's offerings are valuable: SCA, SAST, and DAST. It helps identify security loopholes right in the development phase, allowing developers to get feedback around what kind of vulnerabilities exist as soon as they check in the code or even before that in their IDE.

It would be better if we had a channel for direct communication with the engineering team to speed up the process of providing feedback. 

I think Veracode has most areas covered, but I'm not sure if they have something around container scanning yet, which is important as workloads become containerized or serverless.

Regarding innovative features offered by Veracode, it would be beneficial for them to open up a channel to broadcast new developments and features to help us adapt. We are currently integrating Veracode using their GitHub Workflow app, but it's not yet mature.

It has been more than five years. 

We have an enterprise license and direct connection with the Veracode team. I consulted their team about a couple of issues or bugs in the product that weren't matching our requirements, and we provided feedback that they took back to address. 

I would assess their help as eight out of ten in terms of how they assist with the issues I bring to them. It's good to have access to their team at no extra cost with the license, as most SaaS platforms include consulting as part of their offerings, but access to the engineering team is crucial for faster feedback on the product fix process.

Positive

I do have experience with other testing tools such as Mend and Polaris. The main differences between Mend, Polaris, and Veracode lie in the specific functionalities and how each integrates with enterprises. Overall, the basic functionalities remain similar. In comparing Veracode's breadth of end-to-end testing versus Mend, I find Veracode to clearly be a winner in the SCA segment. Other than that, both are pretty much equal in the SAST and DAST areas.

When it comes to the initial setup, it's both straightforward and complex. While the product is mature, it requires integrators. For example, I'm using GitHub Flow, but the GitHub app to plug in is not sufficiently mature.

I have not examined Veracode's pricing in detail, but from an industry perspective, I see that there is a tendency toward Veracode, which suggests competitive pricing.

I would rate Veracode's ability to prevent vulnerable code from going into production at an eight out of ten because AI is evolving, and there are other tools emerging that help by proactively changing the code without needing the developer to take action, ensuring that pull requests are handled before going into production. 

We just got the Veracode Fix feature, but we need to understand it more deeply to know if it just performs code fixes or handles dependencies as well. Can it arrange or adjust my versions to make sure that the library that I'm using does not have any vulnerabilities? We have not enabled AI-generated fixes because we need to try it out and see how it performs, especially concerning human intervention in auto-upgrading or automatic patching in production. I am yet to explore the continuous delivery and continuous deployment aspects to provide feedback on that. 

I would recommend Veracode to others, as it maintains strong industry adoption.

Overall, I would rate Veracode an eight out of ten.

My use case for Veracode includes utilizing the SSA and SAST modules as part of improving the code that we are developing in the company, and we have 130 developers that we are trying to onboard in this platform. We have been able to onboard 100 more or less in these months, and the idea is to change the way they are developing because we want them to heavily use the IDE integration. 

We mostly use Visual Studio Code, and we have them using the integration plugin with Veracode so that they can fix the security issues at dev time. When we have the product in the pipeline, and we run the scans again, it's a green light.

Veracode Fix has affected our time to remediate security flaws in cases where we've been able to use it correctly because the proposals were on point, and it's been great. 

We've seen that in the same sprint that we were developing the features, now those features are implemented without any technical security debt. What happened before was that we needed another sprint to solve those technical debts. So we haven't seen an increase in time, and the speed of development of the teams is better, and now the product is being delivered with less technical debt.

One of the aspects I appreciate most about Veracode is that even though we have a license for developers, we don't get charged by the users who don't develop code but are only trying to access the platform to see the reports or the dashboard, such as architects who do some code reviews but don't develop. That's a nice feature that doesn't happen on other platforms that we analyzed. 

Another feature that we appreciate significantly is Veracode Fix and how it's integrated with Visual Studio Code. Even though it has some room for improvement, the key usage for us is to be able to solve everything. The developers also learn how and why they have to solve the security vulnerabilities detected. At the same time, they are developing the feature. Veracode Fix has affected our time to remediate security flaws in cases where we've been able to use it correctly because the proposals were on point, and it's been great.

Regarding room for improvement, we have some problems when onboarding new projects because the build process has to be done in a certain way, as Veracode analyzes the binaries and not the code by itself alone. If the process is not configured correctly, it doesn't work. That's one of the things that we are discussing with Veracode. Something positive that we've been able to do is submit formal feature requests to them, and they are working on them; they've already solved some of them. This encourages us to propose new ideas and improvements. Another improvement that we asked for this use case is to be able to configure how Veracode Fix proposes and fixes because sometimes it makes proposals using libraries that go against our architecture design made by the enterprise architecture team. For example, we want them to propose using another library, and that's something we already asked Veracode, and they are working on it. We want to specify when you see this kind of vulnerability, you can only propose these two options.

I have been using Veracode for nine months.

It's not that easy to onboard, but once they have been onboarded on the platform, and the pipeline configured alongside the product configured, it works effectively.

I have contacted the technical support and customer support. With Veracode's technical support, for some issues, it has been really difficult for them to understand the problem, and they ask us to do some tests we've already told them we completed in the first ticket. I think there is room for improvement there. However, we are also working with premier support, where we have an engineer assigned to our account. When we work with him on one of our problems, it gets solved much faster. Now we always try to add this engineer to all of our tickets so that we can solve everything faster. That's because we have the premier support as part of our agreement.

Positive

The initial deployment was difficult. We had some problems with the SSO integration. But Veracode found a fix, and they are delivering the final solution to production. It took us a lot of time to get that mitigation, and it's not that fast to onboard the dev teams. We are having meetings with each team depending on the language they are using and the type of application; it may be really fast or take up to a week for them to have the product integrated. My expectation was that it was going to be faster.

For us, it wasn't the most expensive solution proposed. Part of our decision to get Veracode was that when we evaluated against other products, Veracode was cheaper. What they need to measure is that you need a tool that is efficient and works for your products and how you develop, which has a nice level of detection and a low level of false positives. We make an evaluation and only choose tools that offer a good balance between providing good detections and a low amount of false positives. What was happening with SonarQube was that we had lots of false positives, making teams not care about the vulnerabilities because most were false positives. Regarding price, the evaluation should focus on how efficiently they will recover their investment, considering the time saved through the use of Veracode Fix, for example, and the ability to fix code at dev time compared to the problems faced when fixing after the product is already deployed.

We have used some alternatives to Veracode for some of the use cases. For example, for SAST, we've been using SonarQube from Sonatype and also some IDE plugins that we've asked the developers to use, but we didn't have any centralized platform to manage and false positives or findings. For SSA, we've been using Renovate Bot and also SonarQube and some of the GitLab integrations that we've been using for some use cases. The only one that we've used as an enterprise solution for all the products was SonarQube and Renovate Bot; the other tools were tested with a small number of teams.

We don't use some of these tools because we don't have the license for them. We are not using Veracode for DAST or for manual penetration testing, but we are using the other ones, and they give visibility through the process. I think that Veracode does it, but since we are not using DAST, we are only part of the development process before going to the runtime environments. So we are not checking anything on runtime. That part of the process, where you have the product running and you make real tests on the running product, we are not solving with Veracode, but that's mainly because we don't have the DAST licenses. The way we are using Veracode now means that since we haven't finished the rollout yet, we are not putting any restrictions on our pipelines so that they can only go to production if Veracode didn't find any critical vulnerability. Now, we are not using it as a blocker, so it depends on the team. Some teams don't want to appear in red in the reports from the last pipeline scan, so they are delivering much more secure code to production. Other teams don't care and still deliver with the same vulnerabilities, but that's something that varies from team to team. Generally, most teams have improved a lot, for example, by updating all the libraries and reducing all the critical and high vulnerabilities, delivering to production only with low or medium vulnerabilities.

It helps our organization's ability to fix flaws very quickly. It helps in that aspect. We have fixes, remediation guidance to help fix issues. Veracode provides a training platform for developers to ensure they have awareness and knowledge, so they have a place to get information. It helps our developers save time, but we don't have many metrics on that.

When it's used, it's helpful. That's about making people use it and requiring it to be used. It has been used at times, and we could get issues resolved and things fixed. It was quite advantageous for some time. I'm in a different part of the team now, and I've seen that since I've left, the numbers have gone the other way. Somebody was showing me how they just got big old backlogs of things, and they're not even able to keep up with issues. That's when they're working with Code Fix. They try to get them to use Veracode Fix, which will speed up things for development, so the security team's support team will not be backlogged.

It gives notifications to prevent vulnerable code from going into production. It doesn't stop anything from going into production, but it notifies you. You can then consider not promoting that code. The values and assessments it provides can be introduced in the different areas in our development cycle and pipeline.

Regarding visibility into application status in every phase of development, such as static analysis, dynamic analysis software, and SAST, I would say that's not possible when considering every phase of development, such as requirements and architecture, as it's not part of that. However, from where it is engaged in the software development lifecycle standpoint, it provides that information.

The most valuable features include the total developer experience, along with regulator exposure and DevOps pipeline. It encompasses everything as an enterprise solution. In an enterprise, you want developers to be able to do things easily. You want to be able to monitor development in IDEs and the environment states of working pipelines. You want to integrate DevOps pipelines that do scan assessments and evaluation, and promotion to later stages in the pipeline and testing cycles. You still want your security team to be able to access data or pull information for evaluations or regulatory compliance, and report back to corporate compliance.

For the teams that use it, it does affect the time to remediate security flaws. It fixes issues directly in the IDE while you're doing it.

Many teams now have IDE plug-ins and the ability to generate fixes in the code. It's becoming more of a standard thing. They focus on creating security fixes and tools. A nice addition would be if it could be extended for scenarios with custom cleansers.

I've used Veracode for a while now.

Their support is pretty good.

Positive

I don't know why they switched, but it was the decision made before I joined the company, and then the pandemic hit. It was delayed, but it had already been paid for, so eventually the switch happened.

They did evaluate other options before choosing Veracode. I'm not familiar with the process they used, but they absolutely did evaluate. I've seen documentation, and Checkmarx was on that list as well.

From a policy standpoint, industry policy and related matters, you have to adjust and adapt things for systems and solutions. It's capable, but another part of the company is responsible for some of that. We may not necessarily get feedback, so with the ability to use it effectively, I don't think we've matured as an organization to take advantage of it effectively.

Veracode isn't important to the organization's shift-left security strategy itself. It's a tool. You have the strategy, you set the strategy, and you find a solution that will adhere to and work with the strategy. That's generally the goal. Veracode works well with the strategy once you decide and define it. Strategy is set, and then you select the tool.

Veracode is a very good tool, especially from a compliance standpoint. I would rate it an eight out of ten.

We have now switched to another solution but our use case was SAST.

Veracode was crucial to our shift-left security strategy, as we implemented it into our transformation projects. We defined internal strategies to use Veracode in the earlier stages of application development. Each sprint received application code, and we consistently scanned it using Veracode, reducing many security flaws early in development. This proactive approach helped developers to address any remaining flaws. Additionally, we defined a Jira workflow specifically for SAST bugs to track and manage security issues effectively.

Veracode helped with policy compliance. We have proposed Veracode for SAST to our stakeholder in the banking plarform. They have specific security policies that the code needs to accommodate. We have two sets of policies defined: one is the default policy in Veracode, and the other is provided by stakeholders from the chief security team, who have imported policies relevant to the banking platform. The default policy is not sufficient to ensure the code is secure, so stakeholders provided more security policies relevant to their domain and the platform.

Our actual application code was a CAT-A application, meaning it had to pass SAST and DAST testing for deployment into production. This was a mandatory check from our perspective to get the code deployed into production. We have internal strategies to implement Veracode in different phases of our application deployment. Before going into production, we do SAST testing in lower environments and then one round of testing in higher environments based on bug-fixing code. We are cautious about deploying directly into production after completing security testing in Veracode because we continually receive bug-fixing code from different applications. So, we defined our strategy this way.

Veracode provided visibility into application status at every phase of development, including static analysis, dynamic analysis, composition, and penetration.

Most of the fixes relate to password encryption or some kind of SQL injections. If there are any security flaws verified against the policies defined by our stakeholders, as well as Veracode's, and if they pose a potential risk of breaches, Veracode provides excellent recommendations for fixing those security flaws. This detail helps us address the issues efficiently, as it specifies where fixes need to be applied and the implications of ignoring them. The options for developers to provide false positive comments or justification through Jira tickets if a fix cannot be implemented for a particular release are also very useful. These features in Veracode significantly aid developers in addressing security flaws in the code.

Because scanning takes a long time for uploading any kind of large application code, I would estimate we saved around 30% to 40%. After implementing our strategy for SAST within our platform, we started doing SAST scanning in Veracode for every sprint. This frequency is crucial because, without Veracode, it could be very difficult to implement such a strategy in the earliest stages of application development.

Veracode had a positive impact on our security posture. 

The good thing about Veracode is that when one scans the respective application code, all the people who are part of the transformation project can update their reviews. If there are any security flaws or vulnerabilities identified, they are able to provide sufficient justification or details about the security flaws. This helps developers fix the respective flaws in the application code, which we appreciated because it made it very easy for us to assist with fixing the application code from the development perspective.

Its cost and the long scanning times for large applications are the areas for improvement. We had integrated Veracode with other tools in the DevOps pipeline, such as Ansible and Jenkins. However, we faced a challenge, so we implemented Veracode offline, out of the DevOps pipeline. We had issues with scanning large applications. Scanning took a lot of time, so we kept it outside the DevOps pipeline to avoid delaying deployments. We defined different strategies to utilize Veracode for analyzing static-related security bugs in application code.

I would rate it a seven out of ten for stability. If the Veracode server is down, we experience many issues during the scan, and sometimes the scan gets interrupted, requiring us to restart it.

For scalability, I would rate it a nine. It has a good capacity to scale effectively.

We had 15 to 20 licenses.

We never used Veracode support. We only worked with the stakeholders provided by the customer. They were supportive. 

The responsiveness and quality of documentation from Veracode are notable compared to other tools we are currently using, where we often struggle to find the same level of support.

Positive

It was easy.

I estimate we saved around 60% to 70% of our resources with Veracode.

Pricing-wise, I find it a bit expensive because it's based on the number of users requesting access to Veracode.

Lower budget products may struggle to incorporate all of Veracode's capabilities into their processes.

We were looking for a tool in the market that could provide support for SAST or static analysis security testing. We wanted to implement it in the earlier phases of our transformation project. We looked into the analysis of different tools in the market, and then we decided that Veracode was the right tool at the time to provide more support for the SAST testing in our transformation project.

Veracode stands out when compared to other solutions, especially regarding predefined security policies and their support for implementing the DevSecOps pipeline.

I do not have concerns about Veracode not scanning source code, only binary code. In previous scans of the same code with different tools, Veracode has identified more security flaws, so I don't worry about the scanning process. It effectively spots the security flaws.

I would recommend Veracode to other users, but you must consider the cost aspect. If an organization has sufficient funds for spending on this SAST tool, I would still strongly recommend it because of the extensive documentation and defined policies. 

Veracode allows for customized policies based on domain and platform, which is beneficial for collaboration among multiple users and teams. 

I would rate Veracode an eight out of ten. Implementing Veracode has been challenging in the DevOps pipeline due to long durations, which can delay production deployments. Hence, we established a separate strategy solely for SAST scanning, leading to my rating of eight.

We use Veracode as a vulnerability scanning tool, which checks our code base and has certain rules and policies that can be updated as per the company policies; it checks our code, finds any vulnerable APIs or libraries, analyzes them, and gives us a report, and then we work on that so that we will use the latest, all non-vulnerable libraries to make the application more secure. 

Veracode provides visibility into application status at every phase of development through static analysis. Veracode definitely affects my DevSecOps processes because without this tool it would be difficult for developers or testers to find vulnerabilities, as in a large-scale production system there are hundreds of thousands of APIs and libraries used, and it's not possible for any individual to check all of them. 

This tool helps to get all the reports, outlining the APIs or libraries with severe vulnerabilities, which need to be fixed, so that is definitely helpful. Veracode positively impacts my ability to fix flaws since it not only gives us the version information but is also integrated with the artifact repository, helping us find all versions. It provides a list of vulnerable versions we are using and recommends upgrading to the non-vulnerable version. 

Veracode helps save time for my developers on the security vulnerability finding. Almost all users in my organization utilize Veracode, numbering in the thousands.

Veracode has a significant impact on my security posture. Without these tools, we would not know which libraries are vulnerable or what kind of attacks might occur, so at least from a security point of view, we can be assured we are using all non-vulnerable versions, providing a level of safety from the project team's perspective. 

The best features in Veracode include static analysis and the early detection of vulnerable libraries; it integrates with tools such as Jenkins.

The policy reporting does assist us with compliance. There are certain rules where fixing vulnerabilities is part of the policy. We have guidelines and we need to resolve them before putting something into a higher environment. It helps with that.

Veracode provides visibility into application status at every phase of development, including static analysis. Without this tool it will be difficult for the developers or the testers in a large-scale production system go through hundreds or thousands of APIs and libraries. It helps us quickly go through and understand what needs to be fixed. It sees everything, finds all versions, and gives us a list of all of the vulnerabilities and which versions have vulnerabilities. 

Improvements can be made to Veracode, particularly in terms of process. If it could be integrated directly with code repositories such as Bitbucket or GitHub, without the need to create a pipeline to upload and decode code, it would simplify the code scan process significantly.

I noticed there is no integration with Bamboo.

I have worked in a project for about five years, and while we do not exactly work in Veracode, we have integrated Veracode with our applications so that it will do all the analysis and give us reports.

Veracode is stable for us.

I am not sure about the scalability of Veracode or where they are hosting their servers.

I have never needed to raise a ticket and work with Veracode experts.

Positive

I have used both Veracode and Checkmarx before choosing Veracode for one of my projects; Veracode is very established and widely used, while Checkmarx is relatively newer and has a smaller user base, though both have their place in the market.

I am not sure how Veracode is managed in terms of deployment, as we use API keys for connection.

The pricing is okay.

I would suggest some static analysis tools should be in place. Either Veracode or CheckMarx. If there's a security gap, you'll never know the cost or effect. You need early detection in place to do all of that fixing. 

I would suggest that a static analysis tool should be in place, either Veracode or Checkmarx, as both help in the SDLC cycle with early detection of security gaps, which is crucial to avoid costly effects later on; so I would say this is a must-do to facilitate early detection and fixing before production.

I'm a Veracode customer.

From an organizational perspective, there is a separate team managing Veracode, and they might find that access valuable. The fact that Veracode doesn't scan source code (only binary code) does not concern me, as that decision is made at the organizational level, and I trust that they are managing all required features. 

I would recommend Veracode to other users. It definitely helps us detect vulnerabilities in code. 

Overall, I would rate the solution an eight out of ten.

I use Veracode to implement solutions with security and to define rules, for example, for the network and the traffic of the network. Those are the main scenarios where I have interacted with Veracode. I use Veracode in the banking sector.

It makes it very easy to track and monitor activity. The visibility via the boards is very good. It enhances operations. 

The flexibility to define rules and the ability to update those rules on the fly are valuable features. It has boards where it is easy to track or monitor the activity. This is something that brings value and enhances the operation. Whenever we need to update a rule or make changes, you need to do it quickly, and this makes it possible. 

Maybe the boards could be made easier to understand or easier to customize.

I've had some interactions with this solution. 

It's quite stable. It's a very good solution.

This is easy to scale. If I need to add new infrastructure, I just need to start scanning or include new segments of the network. It will automatically include new infrastructure or it will escalate. Cloud solutions are easier to scale than on-premise solutions.

I haven't interacted with support. However, it's got good support. They respond very quickly since security is something critical. It will depend on the severity of the requests.

Positive

I was using a legacy solution, and we tried to migrate to a new solution like Veracode. However, I was not a part of deciding which solution to move to.

I was not involved in the initial deployment. 

Especially in banking, security is a must-have. If we have weaknesses in security, it will cost a lot. For example, hacking or people trying to access their networks. The scanners of Veracode bring status of the weaknesses in the current infrastructure. 

It scans and provides reports regarding the servers, the network, and the applications running on those servers. It's a very valuable kind of solution. Trying to do it manually would be costly and increase the risk of mistakes if we try to identify all those bugs in the architecture. Using an automated tool brings cost reduction and more security.

The pricing is competitive. It's not the most expensive solution. It also brings some benefits in comparison to other options. 

I would give Veracode an eight out of ten. 

I do not have any specific advice for people considering using Veracode.

I use Veracode in multiple places including static code analysis, penetration testing, and dynamic code analysis. It is part of our pipeline and integrates well with Bitbucket and Git pipelines.

The ease of integration with Bitbucket pipelines and Git pipelines is vital for us. Veracode allows us to easily summarize issues and provide quick, actionable insights. It offers confidence by preventing exposure to vulnerabilities and helps ensure that we are not deploying vulnerable code into production.

Veracode can improve the licensing model as it is a bit confusing. 

Additionally, threat modeling and asset management could be made more general rather than very specific.

I have had experience with Veracode for a few years now, at least a couple of years.

I have seen an upward rating of eight or more out of ten. They are very responsive and quick to help with queries within our scope.

Positive

We considered other solutions but have stuck with Veracode due to an enterprise level licensing deal and it serving our immediate important needs.

The licensing model is a little confusing, but we have a good relationship in terms of how it is set up. The pricing and model align with the needs of the developer community and the cybersecurity office.

I would recommend this solution as it is adaptable for threat modeling and penetration testing on contemporary tech stacks. 

Overall, I rate the solution an eight out of ten.

We use Veracode for static and dynamic application security testing (SAST and DAST) on our web applications to ensure there are no vulnerabilities.

So, my use case for Veracode is pretty much for DAST and SAST protection. I'm a pen tester and DevSecOps engineer. I evaluate the vulnerabilities and mark them as false positives if needed. I also manually exploit them. If we're unable to understand something, we raise a ticket to the Veracode team and get consultancy from them.   

So we are developing an application named Euro Car Parts, Car Parts 4 Less. It is an application which consists of multiple car parts and vehicle parts and everything. We are dependent on Veracode for that application, so it is quite helpful. 

As threats are increasing day by day. There are new vulnerabilities that come up these days, and applications get compromised. Veracode quite helps us with the latest security configurations, OWASP standards, and SAST standards. So it is really helping us and improving our security posture with each upgrade, each scan.

It's robustness is the main benefit to the organization. As it gets upgraded with time, it also improves the coverage – security configuration coverages and vulnerability coverages. It also updates itself with the latest known vulnerabilities that are uploaded to the NVD, OWASP, or other databases. So it gets upgraded itself with that. And so with each upgrade, it gets better and better.

The solution offers the ability to prevent vulnerable code from going into production.

It provides us with a report containing multiple remediations and mitigations for each vulnerability. For example, if it finds a cross-site scripting vulnerability, it will also include references like CWE and CVE records, instructions on how to fix it, and the specific line of code or module where the vulnerability is present. This helps us fix the issues accordingly.

I'm a penetration tester and DevSecOps engineer. I evaluate the findings, mark false positives, and manually exploit vulnerabilities if they exist. If we need further clarification, we raise a ticket with the Veracode team and get consultancy from them.

We are a software development team. If we find a vulnerability, I exploit it and come back with the best possible mitigation, and the dev team fixes it. If we use Veracode Fix, it might use third-party implementations or make changes we aren't aware of. We need to be very aware of what our application is using internally. It should be known to us.

As per my experience, the solution's policy reporting ensures compliance with industry standards. It comes with multiple features. I get the most out of it, and it's good.

The solution provides visibility into application status at every phase of development. Like static analysis, dynamic analysis, software composition, and manual penetration tests - throughout the SDLC

We have a pipeline that I maintain. I use the Veracode API account and have integrated it with AWS and our Jenkins pipeline. We use Snyk for SCA and Veracode for SAST scanning. 

At the earliest stage of the build, the SAST scan runs along with the JS and PHP files. It provides us with reports, which are then handed over to the other tools we depend on. If I validate the report or check the Veracode dashboard and find vulnerabilities, I mark them as false positives or existing issues.

We work on multiple projects, but the one I'm handling these days only uses Veracode for SAST. It's been about one and a half years since I've been working with Veracode and this project. It is quite impressive. 

There are some things Veracode cannot find, like code obfuscations inside the code and some insecure randoms. Sometimes, it misses those flaws. But overall, if I compare it with other tools, it is better. I will definitely recommend others to use this tool.

We run the scan before each deployment. If the dev team builds a new module or something, we scan it along with all the files. If we find anything, we get it fixed. That's how it works.

Veracode is quite important to the organization's shift-left security strategy because we make a scan for each deployment. Sometimes, if I think we need to perform a shift-left, I just make a scan before deployment and check for any misconfiguration or vulnerability in the code.

Before deployment, we upload our JavaScript and PHP files to Veracode for static analysis. It returns a report with multiple vulnerabilities or security misconfigurations. We then correct them to ensure they don't exist on our production server.

The key point of Veracode is that it's an all-in-one solution. It has all the logs, features, and reports in one place. Compared to other tools where you need to access different platforms and modules to check results and scan reports, Veracode provides everything in a centralized location. That's what I like about Veracode.

There is room for improvement in Veracode's plugin, its API plugin. I think that API or we need to install some Java .jar file for that. This is the main challenge I have faced because it gets very hectic while integrating it with our pipelines. But it is working fine now. It is not a very big deal, but this area should be improved.

I have been one and a half years, like, 15 to 16 months.

It is a stable solution. The stability is good, so I would rate it a nine out of ten.

It is a scalable product. I would rate it a nine out of ten.

Each time I raise a ticket regarding something, they are very quick about the responses and get connected instantly, like, right after one day. They reply very fast.

So, the customer service and support are good. Last month, I had a call with two consultants regarding some vulnerabilities. There were some issues where code was reported as a cross-site scripting, but that was from a library we were using. I tried to exploit them manually, but it didn't reflect any cross-site scripting issues. They came back with the solution real quick. They just wanted us to remove an attribute we had used inside. We got that removed, and it got fixed. It is working fine now. So, no issues. It is quite fast. I don't have any complaints.

Positive

Earlier, I used tools like Snyk, Fortify, and Checkmarx. Each tool has its own pros and cons. 

Veracode is a bit slow compared to Snyk and other tools in the market. 

But the best thing about Veracode is that you can get everything in one place. You don't need to switch between different domains, tabs, or profiles. 

Everything you want is on the same spot, on the same page. So, it is very easy to compare and check things out.

There's no different approach because every tool runs a scan, gets back to us with reports, and we validate them. We get the mitigation, check the responses, and check the actual line of code or security misconfiguration that needs fixing. The approach remains the same. I will try to exploit it manually, determine if it is a false positive or an existing issue. Then we give a green flag, and it moves ahead to deployment.

The deployment is complex. There are multiple things we need to check before getting our application to deploy.

So, the setup's complexity could be improved or simplified, in my opinion.

The scan doesn't take that much time to complete. You just need to sync it with your application and the scan. You just need to make the configuration and use the API into AWS or Jenkins pipeline. So, it will take five to six hours to integrate, not more than that. But with the tests, to make sure that it is working fine with the deployment and all, it takes one day.

The solution doesn't require any maintenance; at least I didn't face anything. I just wait for the upgrade. It gets upgraded with the latest known vulnerabilities, and it gets better and improved. 

There are three teams on board: the dev team, another dev team, and the QA team. It consists of about eighteen people.

It saves us around 30% of the time.  It is worth the investment because security must be the first step when developing an application. You use someone's data, especially if you work with e-commerce, banking, health, or welfare applications. You need to be very aware and secure about it. 

Each user's data must be protected, and their privacy should not be compromised. So, it is very important to maintain the security configurations and ensure there are no vulnerabilities. I believe it is worth the investment.

It works quite well as per market standards. The other tools also charge the same, whether it's SAST or other security tools. They are quite similar.

I would recommend others to use it because it is very robust and has everything in one place. You don't need to move to any different apps or domains, or different platforms to get things done. You will get the mitigation, you will get the vulnerabilities, you will get everything at one place on the dashboard. So I will definitely recommend it. 

It is not as fast as Snyk, but it is scalable, and it has more coverage, I think, compared to Snyk because it gets back to us with vulnerabilities that Snyk cannot find. So, I will recommend it to my friends. 

Overall, I would rate it an eight out of ten. 

We use Veracode for static code analysis of our applications in two main ways: reactively and proactively. For the reactive approach, we run automatic scans nightly after developers merge changes from feature branches into the release branch. Proactively, we use the Veracode Greenlight plugin, which checks for vulnerabilities when developers try to commit code, even on feature branches, only allowing commits after passing these checks.

I appreciate Veracode's SAST and SCA features, which help to find open-source vulnerabilities. I'd estimate it's about 98% accurate, though some false positives occasionally exist. Our team has been using it for a long time. 

We sometimes use the free access to the tool's application security consulting team. We reach out to them when we've tried to change our code based on its recommendations but still can't achieve 100% green status. They help us fix issues in real-time through screen sharing and development work.

We saw the tool's benefits long ago when we first implemented it. Security is a top priority for us when working for a bank. We recognized the solution as one of the best tools in the market and decided to integrate it into our pipeline. We set up quality checks in our pipelines so that any code with high or critical vulnerabilities can't even be deployed to the development environment. This proved helpful for our team. Now, we have a quality gate that checks the Veracode status before any code goes into production. If Veracode scanning shows no vulnerabilities, the code can only be deployed to production. We strictly follow this process and have made Veracode an integral part of our Software Development Life Cycle approach.

Veracode has also helped us save time, especially with its proactive approach. The Greenlight plugin works directly in our IDE and is particularly helpful.

The solution should include monthly guidelines, a calendar, or a newsletter highlighting the top vulnerabilities and how to resolve them using Veracode. Its  policies should be up-to-date with NIST standards and OWASP policies.

I think if it could be enhanced with AI capabilities similar to Copilot, it could be even more beneficial in guiding developers and catching potential issues early in the development process. The solution should also come up with docker images. 

I have been using the product for six years. 

The product's support is good. 

Positive

The solution's deployment is easy. 

I rate the overall product an eight out of ten.