Veracode Reviews

Veracode provides capacity to quickly start a secure development project based on continue scanning to detect vulnerabilities. Currently the mobile and web digital channels have turned into the main platforms for users' experience, but also the most critical in terms of fraud [or] attacks risks and the dynamic analysis is a good approach to overcome any risk; however, when implementing a dynamic analysis it is highly important to understand that actions to solve risks could be released automatically.

Veracode will suit any organization that wants to integrate security into their build pipeline.

Account managers are extremely helpful, always ready to assist with any issues we have. I've seen vendors with account executives that schedule too many meetings and send too many emails in the process of trying to be helpful and I've seen vendors who don't really care about the customers, too. However, Veracode has just the right amount of communication. Neither more nor less. It makes them easier to work with.

Responses from the support team are pretty quick as well.

​Veracode is great for static, dynamic, and software composition analysis. I would like to see Veracode compete with SonarQube code quality to detect coding flaws

Veracode is good for static analysis of common programming languages. The results are easy to understand and take action on. But it's not immediate, you need some time in the cycle to detect and fix issues: if you're pushing to prod 50 times a day, figure out where this fits in the process. Also, it's not as useful where configuration or deployment are the major concerns.

For our case of big product development, Veracode is a very well suitable platform. It allows pretty seamless integration with the development lifecycle and provides very informative results.

Veracode will suit any organization that wants to integrate security into their build pipeline.

It is well suited if you are running SAST/DAST, but as with any solutions, there is no one size fits all, and it definitely had false positives as well, like any other scanners. I did not have a hand in deciding to purchase this, but it works decent and we can automate it. However I am located in SEA, and I find the upload speeds are very very slow. Something to take note of.

Update: 22 Nov 2020. In spirit of transparency, I dropped the rating from 7 to 2 because I was invited to write the review by the vendor (Principal of Customer Advocacy) on 9 October in exchange for a small incentive for my time. However more than a month has passed and there have been no replies despite followup emails to them. I would have expected much better and am sorely disappointed. I treat timely emails very seriously and especially not getting a single reply from vendors. Granted this is not a technical support ticket, but still unprofessional and not something I would expect from someone from Customer Advocacy. This is the main reason for the rating drop. Please draw your own conclusions from this experience I have.

No replies and emails were ignored from Colleen Reidy (Principal, Customer Advocacy).

You can do the upload process manually or automated the upload via CICD as well. It takes a long long time to upload it to the servers (from SEA region at least) and the UI is kinda confusing to me. There was some kind of refresh on the UI last year, but UX can be improved.

Well Suited

• Well suited for modern programming languages
• Super good for organisations which do not have a big IT budget to spend on infrastructure
• Veracode Security consultation is invaluable for teams/Business Units which do not have a dedicated security team
• These culminate and make it ideal for a startup to quickly benefit from Veracode's setup leanness to get going on Security scanning

Less Appropriate

• For scanning large legacy applications/software (huge code base, multiple platforms to build, platform specific languages used)

- Almost no setup required and easy to configure
- Very easy to use, intuitive UI with integrated analytics and learning portals.
- Seamless to review the results, triage them, generate reports.
- Security progression of the product/application is tracked via successive scans.
- Privileges/Roles nicely fine grained and tightly controlled to let teams "view" only their products.

- Easy to create support cases, right from the platform itself instead of visiting any other website or customer support portal.
- Privilege to create the cases granted to all users of the platform by default instead of restricting to only the Admins.
- Responses/updates to the case very promptly given. Escalation channels available via the customer success managers.
- Delegation of the user-generated cases to the platform admins of the organisation very quickly done, the scope permitting.
- Security consultation, a form of support unique to Veracode, can be very easily availed post-scan.

Our relationship with Veracode has gotten steadily better over the years. In truth, I would be interested in moving more of my security validation processes to Veracode primarily because I've found it to be easier to work with than my other vendors.

Currently, Application Scanning and MPT are the two areas that I can use Veracode. I am interested in its static analysis tools but currently, we aren't using the programming languages they support. This may change.

I also would like to use Veracode for Network Vulnerability Scanning but it doesn't offer an option there so we work with other vendors. They are also not an option for intrusion monitoring/detection so we have to use other vendors.

In general, I have really grown to appreciate and trust Veracode as a vendor. Support has been good, their MPT testers have been thorough and competent, and their executives have been available and open to my issues.

I have had periodic issues making scans work effectively. I can't seem to self-service my way through them. Still, Veracode support people have been able to help get my scans to work and once they are scheduled, things are pretty smooth. The user interface has been rough historically but is getting better.

This used to be terrible. Had a difficult time figuring out where information was. Partly this was due to duplicative features, jargon labels, and user navigation. However, in the seven years I've been using the product, it has gotten better.

Some of my issues were associated with trying to get scans to work unassisted. Now that scans, once set up, just run periodically, I don't have to deal with that as much. Part of this might also be that I've learned what I need to know about getting around. And still part of this assessment is in comparison to other tools out there that are even worse.

Still, they could benefit from an investment in a full useability redesign from someone with an outside perspective, modernizing the UX but also studying and working through the bigger usability concerns. I would love to see better diagnostic tools around getting scans to work so I wouldn't need their tech support people to get scans to work. However, as long as the scheduler keeps going, my needs on this get ever rarer.

Veracode is great for deep scans of your codebase, as well as performing deep scans against your online application. I have been using it for several years, and it has consistently gotten more and more thorough while vastly improving performance.

Make sure, though, that your language is supported. Veracode supports several, but it doesn't support everything.

Veracode Support has been great. Any time I have had a question, they have responded in a prompt manner. I'd say nine out of ten times they are able to resolve any issues that have come up with a short email exchange. For issues requiring a bit more investigation, their consultants are tops.

Once you become accustomed to using Veracode, you will more thoroughly understand the many ways in which you can use their tools. My only complaint is that it can be a bit daunting for new users of the platform. Perhaps some "Introduction to Veracode Tools" would be helpful for new users.

Excellent for finding issues during static code analysis and dynamic application testing and linking those issues back to CVE/CVSS security standards. Also excellent at providing reporting artifacts for compliance processes and helping prioritize issues by severity. Additionally very helpful during the assessment, remediation and remediation review processes. This is why we are a repeat Veracode customer.

I have had several highly technical issues related to our Static, Dynamic, and Manual Penetration testing activities with Veracode, and each time I was able to schedule a consultation for myself and my team members quite easily using the Veracode platform and have our technical issue resolved expeditiously, which was very much appreciated.

The platform has many features that were not relevant to use, retrieving the different reports was not always straightforward and sometimes required special assistance. Overall I think the platform could use a UX refresh. I did not have considerable issues using the platform, however I think some less technical users would require significant training in order to effective use the product to meet their various needs.

Veracode is useful because it is offered as SaaS, provides the option to mitigate issues, remembers the mitigated issues so you can filter them out in the next scanning, and is pretty easy to use. The SW composition tool also very beneficial as it scans all 3rd parties and open sources and points to license and vulnerabilities issues.

Aspects that could be improved include needing faster support if we have problems or questions, finding UI/client-side vulnerabilities, and integration into our CI (using TFS) process, which wasn't so trivial and we had to get their support.

In the beginning, we had several issues, mainly related to uploading our code projects for scanning. We dealt a lot with the PDB files and their format. Later, we had issues with how to integrate the tool to be automatically triggered by our CI/CD process and as we use TFS it was not an easy task. For all of that, we had to get support from Veracode/Veracode representatives. It could have been easier.

It's a new tool so there is a learning curve to adopt, learn, and use it. Overall, it was okay. Still, there are some UX improvements to consider, to navigate more easily to find your project and its related sub-project libraries.

Veracode is well suited for Static Code scans for an organization that wants to push security to the left of the development cycle. It has given Resolve Engineers a good sense of security and its needs when it comes to engineering.

Veracode is less suitable for dynamic scans as I can see that it did not work much for the Resolve product.

We have not used the support system that much so far, but as I hear from the Sales team, I guess they are really smart engineers who can help us solve the security issues or at least point us to the right direction when it comes to resolving the security vulnerabilities found by the system.

For any compiled language, Veracode does a great job of scanning for vulnerabilities. It's not quite there for interpreted languages like Javascript, possibly because of the complexity of scanning something that can be run through different systems and interpreted differently by them. They're also not really fit for a general "code quality" review, as they focus only on security flaws.

Veracode support is fairly responsive on issues. We haven't had to use them much.

Veracode is the most well rounded security tool I have used to scan both dynamic and static code in my career. Scanning as a service means I don't have to setup my own infrastructure and application, or deal with upgrades. But it does mean you will be put in a queue with others.

Veracode support is prompt and always there to help. They are willing to get on a call with you to resolve the issue as much as possible. I have wanted more information from them at times but I have only interacted with a few support staff. They will have to escalate to other team members depending on complexity.

Veracode is very useful for Internet-facing web applications as the risk of vulnerabilities keeps changing from time to time. On the other hand, Veracode also helps us with identifying vulnerabilities that surface and being up to date on all the latest developments in the area of website security.

I got a prompt response and all the clarification I needed about the security scan report. This helps the team and organization to mitigate the security risk.

Veracode is a perfect fit for back end development with business logic implementation. (I don't recommend implementation, though.)

For straight UI with calls to the backend to retrieve data, it is not that essential to use Veracode scan. I see most times the score is pretty high, but it is still a security lock to make sure there are fewer security breaches.

Most of the time, I can get prompt support through email or scheduled support sessions (every Thursday). I can do ad hoc support through the Veracode portal too.

Veracode is well suited for quick vulnerability checks & identifying the fix. No need to check other websites like we used to do before Veracode--a big time-saver when we do a production release.

It is less appropriate for a few projects with lower budgets. Due to that constraint, we cannot use Veracode for those projects.

We had a few issues and consulted a Veracode expert in the past. It was quick and provided us what we needed at that moment. Even If we couldn't recollect correctly, the representative suggested some recommended ways to use plugins as well.

Good scenarios: Veracode is very adaptable. We have multiple projects, and it helps us very well. Big projects or small projects, it's very good.

Bad Scenarios: For me, two scenarios didn't go so well. The first one is if you are using JIRA as your bugging tracker, the integration didn't work for me. The second is if you need to scan APIs endpoints, which Veracode currently doesn't.

We went through a lot of questions about the solutions, integrations, etc. when we were in the implementation stage. All the times we contacted Veracode's support our questions were solved in less than a week.

Veracode is suitable for companies that are both getting started and ramping up App Sec programs.
It is less suitable for programs that are not self-serve due to the fact that their support model is not world-class and requires repeated follow-up.

Poor turn around time even for Sev1 tickets--very surface-level support.

Veracode is well suited for any company that has software pipelines, companies that need to comply with different regulations and standards.

The few times we needed to contact support, they helped us and followed-up until the issue was resolved completely.

Veracode achieved what it set out to (manual pen testing) very well. For any questions we had, they were happy to provide us with the answers and they were very responsive.

They were very responsive and reached out to the correct people to make sure that we got the answers we needed. For example, when we did not know how to download the correct report, they got back to us quickly with an explanation on how to download the correct report.

It suits for all applications where security is a concern, especially for banking, insurance, and online transactions.

They operate a "service-based solution," removing many of the obstacles typical of on-premise scan solutions. Availability to program management, technical support, and executive interactions are all part of the system.

Overall, Veracode is one of the best, if not the best, products for application security out in the market. It is a great platform for keeping track of flaws and being able to report on them. Their support services and program management services are excellent, as they hire really good persons to handle these areas. There is still room for improvement in their analytics area.

Having worked with their support and program management teams now for over 4 years, I've been exposed to many support requests, concerns, and issues. We have even had one negative issue with their support team process, that was immediately addressed at their upper levels, and those upper-level management persons worked with me directly on the concerns. We recently had an issue with their mitigation process, and although it did take time to resolve, it was handled very professionally and escalated to the highest levels to address our concerns. Needs that have arisen from us as a customer have been addressed immediately and worked out with me directly by some of their most senior personnel to make sure our concerns are met. Again, their support services are among the best out there.

I believe this platform to be one of the most user friendly out there. After evaluating some other competitor platforms, I've seen one other that comes close to ease of use and others not so much. That is one of the main reasons we continue to renew with Veracode. Areas for improvement continue to be the analytics section and a very quick to annoy idle timer.