Filter Ratings and Reviews
Filter 41 vetted Veracode reviews and ratings
Reviews (1-25 of 26)
August 01, 2020
Most well-rounded security tool
We use it in the IT department to scan websites for security vulnerabilities. We aim to catch static and dynamic flaws before releasing code to production. We are incorporating it into our Agile development process with the goal to become more mature with that integration so that we can have an Advanced Application Security Program.
- Scan as a service
- Less false positives
- Helpful support
- Scans can take a long time.
- Need more feedback for active scans.
- Has to compile.
Veracode is being used by the whole organization especially for the static code scan, DAST, and penetration testing.
- Clear identification of possible vulnerabilities and clear direction or possible resolution guidance
- Detailed report pinpointing the area of trouble
- Good and prompt support over call to get clarification on the identified vulnerabilities
- More documentation around different security scan services provided by Veracode would help the users to opt for more refined scans and gain more knowledge around the same.
July 31, 2020
Safeguard for our online business application
I am one of the developers of our Insight.partners.org application. This is an online application used by many hospitals and research institutes under the Partners umbrella. With the help of Veracode static and dynamic scan, we are able to identify potential security weaknesses and implement fixes before release.
- Visual Studio integration
- Support of CD/CI build with Veracode scan
- Prompt response from Veracode support
- Some static scans take a very long time, ie. 14 days in my case.
As per my knowledge, Veracode is used across the organization for compliance and security validation of in-house apps. Now all compliance and security composition analysis is done by Veracode. Based on the report, we apply our fixes so that it will be vulnerability proof. To be honest, it is quite irritating that Veracode is always getting updated frequently. We cannot cope with the pace. But at the same time, it is good because it made us aware of vulnerabilities that may impact our BAU.
We have a nightly pipeline in Jenkins that will generate the report and send it across stakeholders. Also when we commit in Github, that triggers a build lifecycle. Now this build lifecycle also has a toggle to include Veracode scan in build lifecycle if we want to. The default toggle condition is on.
We have a nightly pipeline in Jenkins that will generate the report and send it across stakeholders. Also when we commit in Github, that triggers a build lifecycle. Now this build lifecycle also has a toggle to include Veracode scan in build lifecycle if we want to. The default toggle condition is on.
- Frequent vulnerability update
- Painless triage flaws feature
- Provides vulnerability fix information as part of SCA
- GreenLight plugin can be improved so that we can scan the whole project (max file limitation is 1 MB).
- Project-specific false positive: We have one transitive dependency and we never used it in our application. Still it will show as SCA vulnerability, because we cannot mark it as false positive at project scope.
- Organization-specific MBD: For example, we have a common jar that is used to provide cross-organization functionality and it has Veracode issues. But whenever we update this common jar version all MBD will reopen. This is not blocking us. But as per DRY it is a time waste.
Resolve Systems is a platform that helps in automating across the entire IT ecosystem. It is a Java-based platform with multiple components involved and a user-facing interface to access the tool. Veracode is used across the whole organization to perform static scan in GitHub-based code repo and dynamic scans on a running deployed system. Veracode reports are helpful for Resolve in making the systems more secure and shared with the customers if they ask about the security of the product.
- Static Scan and Identifying Vulnerabilities
- Daily Scans with hooks provided in GitHub
- Reporting for executives and detailed levels for engineers
- Allowing to do multiple scans in case of fixes made
- Providing details of the vulnerability and recommend solutions
- Dynamic scans are not that good - Burp gives us better results.
- Static scans look for words like "password" but skips "p_assword."
July 21, 2020
Great solutions together in the same platform
It is used by the whole organization, not only development. It helps us fix vulnerabilities quicker, reinforce our security policies, and it even helps our decision making. It gives us indicators that help us to see our evolution in the maturity of our development teams. Veracode helps us guarantee that the solutions we develop for our clients are secure.
- Output of indicators
- Integrations
- Easy to use and manage
- Auditing
- Integrations: they could be more customizable
- Veracode License: this needs to be more transparent
- Veracode DAST: needs to be more customizable. I want to be able to define the types of attacks that are going to occur.
July 21, 2020
Good security suite with not-so-good support model
We use Veracode across our banking product Good Money across various functions. We use Veracode as part of our security best practices of shifting left.
- Availability of wide variety of security measures
- Detailed documentation
- Poor support model
- Account Managers are unable to render technical help
June 19, 2020
Veracode's Software as a Service, the key to success
We use Veracode in four ways:
- As part of our software development process where we scan 35 applications with Static Application Security Testing and Software Composition Analysis to detect and resolve security exposures prior to General Availability releases. These scans are automated to run multiple times per week.
- At GA we deploy and run our hosted applications in security test environments while executing Dynamic Application Security Testing to ensure our systems remain secure.
- During operations in our hosted environments we engage manual Penetration Testing from Veracode to complement our security program.
- Finally we use Static Application Security Testing and Software Composition Analysis to evaluate customer requested modifications prior to delivery and deployment into production environments.
- Software as a service is the primary strength which results in a highly supported program.
- Very effective program management focused on quick ramp up and continuous improvement for sustained business value.
- Highly effective technology which most would identify first. In our case it is assumed the technology provider is superior making the service and program management key differentiators.
- The leadership team, who created a very effective approach to securing software, brings credibility to the table. They remain accessible and offer guidance and support to our executive team.
- The only suggestion I have is for them to establish a Security Consulting arm where customers could engage them, as a paid service, for establishing overall security programs. With that said Veracode is very generous with their time even if not being paid.
It's used by the Information Security team to review the source code of all our products. Veracode helps us do quick checks before a release and the Software Composition Analysis module has made it very easy to identify and keep track of all the OSS components used in our products. The way Veracode flags the license violation issues as well has been extremely helpful.
- Sophisticated UI
- Integration into CI/CD pipelines
- Informative reports
- Cover more types of vulnerabilities
- Simplify the process of marking and approving mitigations
We used it for manual penetration testing on our web application. This resulted in a report stating how vulnerable/not vulnerable our web application is to hackers/exploiters.
- Communicates with customer well
- Performed the task well
- Nothing I can think of
We have banking, automotive, and Insurance clients primarily. I am using Veracode for an insurance company containing online premium payments and some banking transactions. Veracode is used by various projects across my organization. Veracode is used to decode all security vulnerabilities.
- Veracode focuses on their core solutions which I have great respect for as it is why they succeed.
- Easy to Start and Scale with Elastic Compute Power
- Rapid Risk Reduction
- The scanner in the area of Static Analysis under Non-Fix by (informational-low) Policy needs improvement. It keeps on changing the count.
- CWE ID 404 is having up's and down's
- The Veracode profile changes. It keeps on giving some additional count.
Veracode was used to identify possible security issues using static code analysis.
- It's a robust analysis that looks at all of the code submitted.
- Veracode is current on the latest CVE issues.
- The report is hard to work with and requires mouseovers to get at critical information.
- Exporting the report leaves out critical information.
- There were many false positives reported.
- The UI for marking remediations is convoluted and difficult.
- The process for uploading code is difficult and poorly documented.
It is used by our developers. It addresses our Application development before being put into production and continuously while in production. It helps our developers with their code and 3rd party components that are used in the application. It also is used for the dynamic scanning of web-facing applications.
- Points out where exactly the vulnerabilities are and what impact they have.
- It provides CVE, which is good if you want to drill down further into why the issue is being cited and what the vulnerability really is.
- It provides 3rd party components and replacements for those libraries.
- Developers complain about various components of the 3rd party library not being used, but yet, they are called out in Veracode as being vulnerable. These components are bundled into the package but are not specifically used.
- The email notifications need to be more explicit about which application and which particular vulnerability.
- Each time a scan is submitted, force the user to change the name on the scan. My users do not change the scan description and the date that is displayed in the log is the scan description, which shows an old scan date and description.
July 27, 2020
Meets our needs, but the UI experience is wanting
Veracode is used by our organization in order to figure out known vulnerabilities in our infrastructure, and also for guidance with fixing them. We do that in order to protect our business from undesirable events like a data breach, data loss, etc.
- Veracode's DAST (dynamic) and SAST (static) scans helped us to figure out existing vulnerabilities in our web apps. It also provided detailed information, and appropriate OWASP, CWE, etc. links to help our engineers remediate those vulnerabilities.
- Veracode's scans can be configured to run automatically on a schedule. With DAST, every time a scan runs, it automatically recognizes earlier issues that have been fixed and adds any new issues to the flaw inventory it maintains for any app.
- Veracode's Software Composition Analysis module identifies vulnerabilities in the dependencies that our apps use. It very conveniently lets us know whether we use the affected/vulnerable parts of any dependency.
- Veracode's UI is highly non-intuitive and a pain to work with. It's not a SPA (single-page app), it doesn't look visually appealing (feels like it's from another era), and navigating around is hard.
- Although with DAST/dynamic scans, the flaws that are reported in each successive scan get collected in a flaw inventory, where one can see which former issues were fixed, and which are pending a fix. This option is not available with SAST/scan issues for some reason.
- When creating a SAST scan manually, the time taken to upload files and validate them (before the scan can be initiated) is very high, and cannot be explained away by relying on internet speed. Also, files are uploaded sequentially, not parallel. This means that it can take hours before the scan is initiated.
July 23, 2020
Conflicted Appreciation for Veracode
Providing security insight and review on our software release process. We aim to both improve internal code review as well as maintain customer product satisfaction.
- Customer support is very personable and easy to work with on inquires.
- Thorough documentation on a topic
- Professionalism
- Documentation is too verbose, sometimes easy to get lost in, and requires a representative to translate.
July 21, 2020
Easy to use static code analysis tool
We use Veracode to generate PCI compliance reports necessary for deploying our mobile app software to our users. Since we handle patient health information and also process payments, it is extremely vital for our company to secure our software and be sure that our users and their information are safe and secure.
- Static code analysis and reporting.
- Customer support during call sessions.
- Handling static analysis of iOS apps with non-bit code enabled third-party dependencies.
- More information for why a module cannot be scanned.
Veracode static and dynamic scanning tools are leveraged to ensure our mobile apps and website are free of critical software security issues. We run scans prior to releases to the app stores. Issues found in vendor SDKs are communicated to the vendors as a security and risk transfer mechanism.
- Integration flexibility
- Flaw detection
- RBAC
- Not all info visible in a flaw is easy to export/identify.
- Jira-Veracode integration is a bit cryptic at times.
- Workflow problems aren't obvious.
July 06, 2020
Impressive application security tool set!
We use Veracode as part of our SDLC. We leverage the SAST, DAST, and e-learning for our entire DevOps team(s). This addresses keeping our platforms secure and aware of new vulnerabilities and how to resolve or mitigate our risks.
- Great job with SAST
- Easy integration into your pipeline
- Robust training for new developers
- Not as intuitive as some of the other providers
- Occasionally slow to manage between the different features
- Scanning can take longer than expected without much error handling to let the user know what's happening.
June 05, 2020
Great product for risk management
We engage independent vendors to conduct application and infrastructure-level vulnerability scanning and penetration testing on the SaaS platform. Veracode helps us managing risks in compliance with ISO 27001 requirements, as well as meeting clients' expectations. The reporting structure shows maturity in our Information Management System. The static scans help us identify potential problems before the release.
- Reporting
- Support
- Flaw details
- Policy Management
- Compliance
- Penetration test reporting could be more detailed
- Automation was a bit confusing
- More filters could be available under analytics
May 28, 2020
Veracode delivers great overall SCA value
Veracode (& SourceClear) has been used for Static Code Analysis & Software Composition Analysis for some of our products.
- Software Composition Analysis - found 3rd-party vulnerability issues quickly on each scan
- Static Code Analysis - found specific security issues that detect hidden backdoors and malicious code
- Static Code Analysis works very well for node.js scan.
- Embedded C++ scan doesn't support ARM platform.
- Enable automatic import for SourceClear found issues for each scan into JIRA (Cloud).
It is used by our IT department to mitigate security vulnerabilities. We also use the pipeline scanner in our continuous deployment system to gate any potential security vulnerabilities introduced by new code.
- Great documentation and examples
- Availability of consultations for addressing any concerns after scans
- They have a pipeline scanner, which fits nicely in our deployment strategy.
- Using the console (UI) is a bit cumbersome.
- No CLI
- Cannot adjust timeout for automatic logout.
May 28, 2020
Very powerful product, with some pains
We use Veracode to scan (Dynamic and Static) during our development lifecycle, and we use Veracode Pentests Annually.
- The tools are very granular.
- The Vulnerability Libraries are very big.
- It correlates the different types of scans well.
- Very complicated pricing
- Very high learning curve
- Complicated user interface
Veracode provides multiple security analysis for various software products at my company. We use it to do static analysis, dynamic analysis, and software composition analysis. It is being used across the company to ensure all code projects have high quality, structured code, with a minimal amount of security flaws or vulnerabilities in the app stacks.
- Static scanning.
- Security flaws.
- Code structure.
- Bad UX.
- Too slow.
- Lacks good integrations.
February 28, 2018
Veracode, It's a great tool if you can afford it
Mathematica Policy Research uses Veracode across many websites developed for our clients. We are currently working on setting it up to perform a static security scan when source code is checked into our source control repository. It is used by many of staff in the development departments of the company. It is the first step in the process of making certain we do not deploy applications that have security flaws written into them. We do not allow an application to be deployed if it does not pass the Veracode static scan.
- Veracode works very well from within Visual Studio for .Net based websites.
- The API, once figured out, is very useful for performing Continuous Integration/Continuous Deployment (CI/CD) portion of the DevSecOps process.
- It currently supports most of the development environments that we use ar MPR such as .Net and NodeJS.
- Some members at Mathematica Policy Research program Python-based websites. The Python Static Analysis has not yet come out in Veracode. We have been waiting for over one year for Python.
- Speed is a problem with us and Veracode. It can take over two hours at times to get a very simple, single HTML page "website" scanned. This is becoming non-maintainable.
- Documentation on the XML out files should be provided. I was able to process the XML files but I am sure there are parts that I either did not see or misinterpreted. I t would be nice if the XML was documented.
- Cut the price or come up with multiple pricing models. We do a lot of small applications that only run for a few months. To make us pay a $7000.00 fee for each website is overly costly. Because of the price we cannot use Veracode on all of the applications we would like to use it on
November 18, 2016
Veracode - A step to securing your application
My Veracode Experience was efficient. I used Veracode for an legacy application that was coded in c++. It had many functions used that did not meet up with the security standards.These functions used were not the secure versions released later by Microsoft and thus created threat to the application. Veracode scanned the code with great efficiency and provided us a report of:
1) How secure our application is by giving an initial score.
2) Which line has an issue that could compromise the security of the application.
3) The mitigation that can be used for a particular flaw occurring at a particular line.
4) The severity of the that flaw and what should be the priority to mitigate it.
5) A To-Be score to be achieved by our system so that it meets the security standards and our application becomes secure.
After scanning the code, and identifying the flaws, we segregated those flaws based on priority - High, Medium, Low and worked on the highest flaws at earliest.
1) How secure our application is by giving an initial score.
2) Which line has an issue that could compromise the security of the application.
3) The mitigation that can be used for a particular flaw occurring at a particular line.
4) The severity of the that flaw and what should be the priority to mitigate it.
5) A To-Be score to be achieved by our system so that it meets the security standards and our application becomes secure.
After scanning the code, and identifying the flaws, we segregated those flaws based on priority - High, Medium, Low and worked on the highest flaws at earliest.
- Extremely efficient for large amount of code as it scans and saves time and resources.
- Report given about security of the application is detailed and very easy to work on.
- Secure application and ensures code is safe.
- Available online - SaaS, could be a desktop application too.
Veracode Scorecard Summary
About Veracode
Veracode supports software development by reducing the risk of security breach through comprehensive analysis, developer enablement, and governance tools. Unlike on-premises solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a combination of SaaS technology and on-demand expertise to enable DevSecOps. By integrating with the pipeline, enabling developers to fix security defects, and scaling programs through best practices, Veracode aims to help companies identify and address security flaws more quickly. Veracode is designed to cover all AppSec needs in one solution through a combination of five analysis types available for 24 programming languages, 77 frameworks, and application types as varied as microservices, mainframe, and mobile apps.
The vendor states that Veracode serves more than 2,500 customers worldwide across a wide range of industries, and that the Veracode Platform has assessed more than 14 trillion lines of code and helped companies fix more than 46 million security flaws.
Categories: Dynamic Application Security Testing (DAST), Penetration Testing, Software Composition Analysis, Static Application Security Testing (SAST), Static Code Analysis, Application Security
Veracode Videos (4)
Veracode Downloadables
Veracode Competitors
Micro Focus Fortify on Demand, SonarQube, Checkmarx, Synopsys Coverity Static Application Security Testing (SAST), WhiteHat, HCL AppScan (formerly from IBM)
Veracode Support Options
| Free Version | |
|---|---|
| Phone | |
| Forum/Community | |
| FAQ/Knowledgebase | |
| Video Tutorials / Webinar |
Veracode Technical Details
| Deployment Types: | SaaS |
|---|---|
| Operating Systems: | Unspecified |
| Mobile Application: | No |