Reviews (1-25 of 26)
- Clear identification of possible vulnerabilities and clear direction or possible resolution guidance
- Detailed report pinpointing the area of trouble
- Good and prompt support over a call to get clarification on the identified vulnerabilities
- More documentation around different security scan services provided by Veracode would help the users to opt for more refined scans and gain more knowledge around the same.
For straight UI with calls to the backend to retrieve data, it is not that essential to use Veracode scan. I see most times the score is pretty high, but it is still a security lock to make sure there are fewer security breaches.
We have a nightly pipeline in Jenkins that will generate the report and send it to stakeholders. Also, when we commit in GitHub, that triggers a build lifecycle. Now this build lifecycle also has a toggle to include the Veracode scan in the build lifecycle if we want to. The default toggle condition is on.
- Frequent vulnerability update
- Painless flaw triage feature
- Provides vulnerability fix information as part of SCA
- GreenLight plugin can be improved so that we can scan the whole project (max file limitation is 1 MB).
- Project-specific false positive: We have one transitive dependency and we never used it in our application. Still, it shows as an SCA vulnerability, because we cannot mark it as a false positive at project scope.
- Organization-specific MBD: For example, we have a common jar that is used to provide cross-organization functionality and it has Veracode issues. But whenever we update this common jar version all MBD will reopen. This is not blocking us. But as per DRY it is a time waste.
It is less appropriate for a few projects with lower budgets. Due to that constraint, we cannot use Veracode for those projects.
- Static Scan and Identifying Vulnerabilities
- Daily Scans with hooks provided in GitHub
- Reporting for executives and detailed levels for engineers
- Allowing to do multiple scans in case of fixes made
- Providing details of the vulnerability and recommend solutions
- Dynamic scans are not that good - Burp gives us better results.
- Static scans look for words like "password" but skip "p_assword."
Veracode is less suitable for dynamic scans as I can see that it did not work much for the Resolve product.
- Output of indicators
- Easy to use and manage
- Integrations: they could be more customizable
- Veracode License: this needs to be more transparent
- Veracode DAST: needs to be more customizable. I want to be able to define the types of attacks that are going to occur.
Bad Scenarios: For me, two scenarios didn't go so well. The first one is if you are using JIRA as your bug tracker: the integration didn't work for me. The second is if you need to scan API endpoints, which Veracode currently doesn't.
It is less suitable for programs that are not self-serve due to the fact that their support model is not world-class and requires repeated follow-up.
- As part of our software development process, we scan 35 applications with Static Application Security Testing and Software Composition Analysis to detect and resolve security exposures prior to General Availability releases. These scans are automated to run multiple times per week.
- At GA we deploy and run our hosted applications in security test environments while executing Dynamic Application Security Testing to ensure our systems remain secure.
- During operations in our hosted environments we engage manual Penetration Testing from Veracode to complement our security program.
- Finally we use Static Application Security Testing and Software Composition Analysis to evaluate customer requested modifications prior to delivery and deployment into production environments.
- Software as a service is the primary strength which results in a highly supported program.
- Very effective program management focused on quick ramp up and continuous improvement for sustained business value.
- Highly effective technology which most would identify first. In our case it is assumed the technology provider is superior making the service and program management key differentiators.
- The leadership team, who created a very effective approach to securing software, brings credibility to the table. They remain accessible and offer guidance and support to our executive team.
- The only suggestion I have is for them to establish a Security Consulting arm where customers could engage them, as a paid service, for establishing overall security programs. With that said Veracode is very generous with their time even if not being paid.
- Veracode focuses on their core solutions which I have great respect for as it is why they succeed.
- Easy to Start and Scale with Elastic Compute Power
- Rapid Risk Reduction
- The scanner in the area of Static Analysis under Non-Fix by (informational-low) Policy needs improvement. It keeps on changing the count.
- CWE ID 404 is having ups and downs
- The Veracode profile changes. It keeps on giving some additional count.
- It's a robust analysis that looks at all of the code submitted.
- Veracode is current on the latest CVE issues.
- The report is hard to work with and requires mouseovers to get at critical information.
- Exporting the report leaves out critical information.
- There were many false positives reported.
- The UI for marking remediations is convoluted and difficult.
- The process for uploading code is difficult and poorly documented.
- Points out where exactly the vulnerabilities are and what impact they have.
- It provides CVE, which is good if you want to drill down further into why the issue is being cited and what the vulnerability really is.
- It provides 3rd party components and replacements for those libraries.
- Developers complain about various components of the 3rd party library not being used, but yet, they are called out in Veracode as being vulnerable. These components are bundled into the package but are not specifically used.
- The email notifications need to be more explicit about which application and which particular vulnerability.
- Each time a scan is submitted, force the user to change the name on the scan. My users do not change the scan description and the date that is displayed in the log is the scan description, which shows an old scan date and description.
- Veracode's DAST (dynamic) and SAST (static) scans helped us to figure out existing vulnerabilities in our web apps. It also provided detailed information, and appropriate OWASP, CWE, etc. links to help our engineers remediate those vulnerabilities.
- Veracode's scans can be configured to run automatically on a schedule. With DAST, every time a scan runs, it automatically recognizes earlier issues that have been fixed and adds any new issues to the flaw inventory it maintains for any app.
- Veracode's Software Composition Analysis module identifies vulnerabilities in the dependencies that our apps use. It very conveniently lets us know whether we use the affected/vulnerable parts of any dependency.
- Veracode's UI is highly non-intuitive and a pain to work with. It's not a SPA (single-page app), it doesn't look visually appealing (feels like it's from another era), and navigating around is hard.
- With DAST/dynamic scans, the flaws reported in each successive scan are collected in a flaw inventory, where one can see which former issues were fixed and which are pending a fix. For some reason this option is not available with SAST/static scan issues.
- When creating a SAST scan manually, the time taken to upload files and validate them (before the scan can be initiated) is very high, and cannot be explained away by relying on internet speed. Also, files are uploaded sequentially, not in parallel. This means that it can take hours before the scan is initiated.
If you're using GitHub to host your repositories, it alerts you about the vulnerable dependencies in your app, and although the tool is not as robust as Veracode's SCA, it may meet your needs still.
- Customer support is very personable and easy to work with on inquiries.
- Thorough documentation on a topic
- Documentation is too verbose, sometimes easy to get lost in, and requires a representative to translate.
- Static code analysis and reporting.
- Customer support during call sessions.
- Handling static analysis of iOS apps with non-bit code enabled third-party dependencies.
- More information for why a module cannot be scanned.
- Great job with SAST
- Easy integration into your pipeline
- Robust training for new developers
- Not as intuitive as some of the other providers
- Occasionally slow to manage between the different features
- Scanning can take longer than expected without much error handling to let the user know what's happening.
- Software Composition Analysis - found 3rd-party vulnerability issues quickly on each scan
- Static Code Analysis - found specific security issues that detect hidden backdoors and malicious code
- Static Code Analysis works very well for node.js scan.
- Embedded C++ scan doesn't support ARM platform.
- Enable automatic import for SourceClear found issues for each scan into JIRA (Cloud).
- Great documentation and examples
- Availability of consultations for addressing any concerns after scans
- They have a pipeline scanner, which fits nicely in our deployment strategy.
- Using the console (UI) is a bit cumbersome.
- No CLI
- Cannot adjust timeout for automatic logout.
- Veracode works very well from within Visual Studio for .Net based websites.
- The API, once figured out, is very useful for performing Continuous Integration/Continuous Deployment (CI/CD) portion of the DevSecOps process.
- It currently supports most of the development environments that we use at MPR such as .Net and NodeJS.
- Some members at Mathematica Policy Research program Python-based websites. The Python Static Analysis has not yet come out in Veracode. We have been waiting for over one year for Python.
- Speed is a problem with us and Veracode. It can take over two hours at times to get a very simple, single HTML page "website" scanned. This is becoming non-maintainable.
- Documentation on the XML output files should be provided. I was able to process the XML files but I am sure there are parts that I either did not see or misinterpreted. It would be nice if the XML was documented.
- Cut the price or come up with multiple pricing models. We do a lot of small applications that only run for a few months. To make us pay a $7000.00 fee for each website is overly costly. Because of the price we cannot use Veracode on all of the applications we would like to use it on.
1) How secure our application is by giving an initial score.
2) Which line has an issue that could compromise the security of the application.
3) The mitigation that can be used for a particular flaw occurring at a particular line.
4) The severity of that flaw and what should be the priority to mitigate it.
5) A To-Be score to be achieved by our system so that it meets the security standards and our application becomes secure.
After scanning the code, and identifying the flaws, we segregated those flaws based on priority - High, Medium, Low and worked on the highest flaws at earliest.
- Extremely efficient for large amounts of code as it scans and saves time and resources.
- Report given about security of the application is detailed and very easy to work on.
- Secure application and ensures code is safe.
- Available online - SaaS, could be a desktop application too.
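The two workflows described in the reviews above, processing the XML report export and then splitting flaws into High/Medium/Low to work the highest ones first, as an added example. This is not code from the reviews or from Veracode's own tooling: the root element, namespace URL, `severity`/`category`/`cwe`/`staticflaws`/`flaw` nesting, the `flaw` attribute names, the remediation status values and the severity-to-bucket mapping are all assumptions modelled on Veracode's detailed-report XML and should be checked against a real export before use. The sample report is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report. Element/attribute names and the namespace are
# assumptions modelled on Veracode's detailed-report export, not a real file.
SAMPLE_REPORT = """<detailedreport xmlns="https://www.veracode.com/schema/reports/export/1.0"
                app_name="payments-api" build_id="42">
  <severity level="5"><category categoryname="SQL Injection">
    <cwe cweid="89" cwename="SQL Injection"><staticflaws>
      <flaw issueid="101" severity="5" cweid="89" sourcefile="OrderDao.java" line="118" remediation_status="Open"/>
    </staticflaws></cwe></category></severity>
  <severity level="4"><category categoryname="Cross-Site Scripting">
    <cwe cweid="80" cwename="Basic XSS"><staticflaws>
      <flaw issueid="102" severity="4" cweid="80" sourcefile="Profile.jsp" line="33" remediation_status="Mitigated"/>
    </staticflaws></cwe></category></severity>
  <severity level="3"><category categoryname="Cryptographic Issues">
    <cwe cweid="327" cwename="Broken Crypto Algorithm"><staticflaws>
      <flaw issueid="103" severity="3" cweid="327" sourcefile="TokenUtil.java" line="57" remediation_status="New"/>
    </staticflaws></cwe></category></severity>
  <severity level="2"><category categoryname="Resource Management">
    <cwe cweid="404" cwename="Improper Resource Shutdown"><staticflaws>
      <flaw issueid="104" severity="2" cweid="404" sourcefile="ReportJob.java" line="210" remediation_status="Fixed"/>
      <flaw issueid="105" severity="2" cweid="404" sourcefile="ReportJob.java" line="244" remediation_status="Open"/>
    </staticflaws></cwe></category></severity>
</detailedreport>
"""

# Remediation statuses that need no further developer action (assumed names).
CLOSED_STATUSES = {"Fixed", "Mitigated"}


def bucket_for(severity):
    """Map the 0-5 severity scale onto the reviewer's High/Medium/Low buckets.

    Assumption: 5 and 4 are High, 3 is Medium, everything below is Low.
    """
    if severity >= 4:
        return "High"
    if severity == 3:
        return "Medium"
    return "Low"


def _local(tag):
    """Strip the XML namespace so the parser works on namespaced and plain reports."""
    return tag.rsplit("}", 1)[-1]


def parse_flaws(xml_text):
    """Return one dict per <flaw> element, wherever it sits in the tree."""
    root = ET.fromstring(xml_text)
    flaws = []
    for el in root.iter():
        if _local(el.tag) != "flaw":
            continue
        flaws.append({
            "issueid": el.get("issueid", "?"),
            "severity": int(el.get("severity", "0")),  # missing severity -> Low
            "cweid": el.get("cweid", "?"),
            "location": "%s:%s" % (el.get("sourcefile", "?"), el.get("line", "?")),
            "status": el.get("remediation_status", "Open"),
        })
    return flaws


def triage(flaws):
    """Group still-open flaws by bucket, highest severity first within each bucket."""
    buckets = defaultdict(list)
    for f in sorted(flaws, key=lambda f: -f["severity"]):  # stable sort keeps report order for ties
        if f["status"] in CLOSED_STATUSES:
            continue
        buckets[bucket_for(f["severity"])].append(f)
    return dict(buckets)


def worklist(xml_text):
    """Ordered (bucket, issueid, cweid, location) rows: High first, then Medium, then Low."""
    grouped = triage(parse_flaws(xml_text))
    rows = []
    for bucket in ("High", "Medium", "Low"):
        for f in grouped.get(bucket, []):
            rows.append((bucket, f["issueid"], f["cweid"], f["location"]))
    return rows


if __name__ == "__main__":
    for row in worklist(SAMPLE_REPORT):
        print(*row)
```

Walking `root.iter()` and comparing the namespace-stripped tag name, rather than hard-coding a path like `severity/category/cwe/staticflaws/flaw`, keeps the script working if the vendor adds intermediate elements or drops the namespace; fixed and mitigated flaws are filtered out so the worklist only contains items a developer still has to act on.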
Veracode Scorecard Summary
Veracode supports software development by reducing the risk of security breach through comprehensive analysis, developer enablement, and governance tools. Unlike on-premises solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a combination of SaaS technology and on-demand expertise to enable DevSecOps. By integrating with the pipeline, enabling developers to fix security defects, and scaling programs through best practices, Veracode aims to help companies identify and address security flaws more quickly. Veracode is designed to cover all AppSec needs in one solution through a combination of five analysis types available for 24 programming languages, 77 frameworks, and application types as varied as microservices, mainframe, and mobile apps.
The vendor states that Veracode serves more than 2,500 customers worldwide across a wide range of industries, and that the Veracode Platform has assessed more than 14 trillion lines of code and helped companies fix more than 46 million security flaws.
Veracode Support Options: Video Tutorials / Webinar