Likelihood to Recommend
If you need to perform static application security testing (SAST) and low price is not a problem, then Veracode is a good choice. The speed of the static analysis could also be increased. It is, however, one of the few tools available that can analyze the bytecode of a .Net web application and provide very good analysis of the application. The generated report is also quite good, even though it appears everyone wants a report based on PCI problems, even if your application does not deal with any financial information.
- Veracode works very well from within Visual Studio for .Net based websites.
- The API, once figured out, is very useful for performing Continuous Integration/Continuous Deployment (CI/CD) portion of the DevSecOps process.
- It currently supports most of the development environments that we use at MPR, such as .Net and NodeJS.
- Some members at Mathematica Policy Research program Python-based websites. The Python Static Analysis has not yet come out in Veracode. We have been waiting for over one year for Python.
- Speed is a problem with us and Veracode. It can take over two hours at times to get a very simple, single HTML page "website" scanned. This is becoming non-maintainable.
- Documentation on the XML output files should be provided. I was able to process the XML files, but I am sure there are parts that I either did not see or misinterpreted. It would be nice if the XML was documented.
- Cut the price or come up with multiple pricing models. We do a lot of small applications that only run for a few months. To make us pay a $7000.00 fee for each website is overly costly. Because of the price we cannot use Veracode on all of the applications we would like to use it on.
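The two points above about wiring the scanner into CI/CD and about processing its XML output suggest the kind of build gate a DevSecOps pipeline needs: parse the findings file, summarize by severity, and fail the build when unmitigated high-severity flaws remain. The following is an added example, not code from the reviewer or from Veracode, and the `<scanresults>`/`<flaw>` schema it parses is a constructed, hypothetical stand-in for "the scanner's XML output", not Veracode's actual report format; the element and attribute names, the 0-5 severity scale and the sample data are all assumptions.

```python
"""Gate a CI build on a SAST findings XML file (hypothetical schema)."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in a hypothetical generic SAST-results schema. It is NOT
# Veracode's report format; it only stands in for "the XML file the scanner
# wrote" so the gating logic can be run offline.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<scanresults app="example-web" build="2024.03.1">
  <flaw id="1" severity="5" cwe="89" file="Data/UserRepo.cs" line="42">SQL injection</flaw>
  <flaw id="2" severity="3" cwe="79" file="Views/Home.cshtml" line="17">Cross-site scripting</flaw>
  <flaw id="3" severity="3" cwe="79" file="Views/Search.cshtml" line="8" mitigated="true">Cross-site scripting</flaw>
  <flaw id="4" severity="1" cwe="532" file="Startup.cs" line="101">Information exposure through log</flaw>
</scanresults>
"""

# Assumed severity scale (0 = informational ... 5 = very high).
SEVERITY_NAMES = {5: "Very High", 4: "High", 3: "Medium", 2: "Low", 1: "Very Low", 0: "Informational"}


def parse_flaws(xml_text):
    """Return a list of dicts, one per <flaw> element, with typed fields."""
    root = ET.fromstring(xml_text)
    flaws = []
    for el in root.iter("flaw"):
        flaws.append({
            "id": el.get("id"),
            "severity": int(el.get("severity", "0")),
            "cwe": el.get("cwe"),
            "file": el.get("file"),
            "line": int(el.get("line", "0")),
            # A flaw marked mitigated (accepted risk / fixed-by-design) does not block.
            "mitigated": el.get("mitigated", "false").lower() == "true",
            "title": (el.text or "").strip(),
        })
    return flaws


def summarize(flaws):
    """Count unmitigated flaws per severity name, highest severity first."""
    counts = Counter(f["severity"] for f in flaws if not f["mitigated"])
    return {SEVERITY_NAMES.get(sev, str(sev)): n
            for sev, n in sorted(counts.items(), reverse=True)}


def gate(flaws, fail_at=4):
    """Return (passed, blocking): passed is False if any unmitigated flaw
    has severity >= fail_at (default: High and Very High block the build)."""
    blocking = [f for f in flaws if not f["mitigated"] and f["severity"] >= fail_at]
    return (len(blocking) == 0, blocking)


def main(path=None):
    # Read the real findings file when a path is given, else use the sample.
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    flaws = parse_flaws(xml_text)
    for name, n in summarize(flaws).items():
        print(f"{name:>14}: {n}")
    passed, blocking = gate(flaws)
    for f in blocking:
        print(f"BLOCKING: [{f['id']}] CWE-{f['cwe']} {f['title']} at {f['file']}:{f['line']}")
    print("build gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

In a pipeline this runs as one step after the scan download, with the non-zero exit code failing the job; the `fail_at` threshold and the handling of mitigated findings are the two knobs a team usually tunes per application. The sample report above carries one Very High flaw, so the gate reports FAIL.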
Good support team.
Engineer in Engineering, Computer Software Company, 1001-5000 employees
Mathematica Policy Research has used a few open source tools to perform SAST. The open source products do not hold up against Veracode. We have also written some of our own custom SAST applications for specific web products. We do not use Veracode for Dynamic Application Security Testing (DAST). We find that their DAST is just expensive for us to use, so we use a different tool.
Return on Investment
- As I already stated, the cost per application is very high, which makes the use of Veracode too expensive for many of our applications.
- The analysis report is accepted by our clients as a proper SAST report.
- Most of our competition does not perform any type of SAST on the applications they create. This is something we offer, and we are the only one out there doing this type of testing.