Veracode

Well suited for complex applications in mainstream technologies and/or a requirement for frequent scanning. Less well suited to older or more specialized technologies.

Recieved prompt and helpful replies to support requests.

Good functionality but could be presented better.

I think Veracode would fit into to most organizations application security programs, but if you already are lacking build automation and pipelines you won't be able to harness that portion which is where I see Veracode shining. Doing scans manually would work, but you would be missing out.

Support has always been very helpful both through using their consultation calls, and the email support.

For people who don't use the Veracode platform all the time it can be a little challenging, so when I need developers to check on a vulnerability I may need to hop on a call to walk them through the UI. Otherwise the integrations with pipelines, IDEs, reporting tools is pretty easy.

Use of this platform allows us to better control vulnerabilities and demonstrate to clients that we take our security posture seriously. Of course this, though important, is only one aspect of ensuring our code is as secure as possible. The feature set of the tool is quite mature and serves our needs quite well for the most part.

We have only had to contact support a few times in the nine years we've used their products. For the most part, Veracode has been very responsive either via email or on calls. These requests have either been for something that did not seem to be right in the interface or for scan-finding call-outs.

Overall Veracode's static scanning tool works well and is pretty intuitive. I do find myself trying to remember how to find certain features or screens from time to time, but I eventually stumble upon them. To be fair, I am only in the tool once every three months. I do find their dynamic scanning tool a bit confusing regarding the setup and configuration of a target URL. I do eventually find things but I do believe this process could be improved upon.

It meets our needs.

If you are a smaller company or run less than 500 apps with a very vertical ownership structure, Veracode can be a great tool. Its fairly consistent, fairly mature nature means that it's much less likely to break your existing integrations. Where they struggle is when you are a big enough org where you need to rely on automation and integration support. I have yet to have a single developer that didn't get off a project attempting to integrate with it that didn't look mentally defeated. Their language integrations are not maintained, forcing devs to the web interface, which doesn't always have what you need, meaning you might have to restart and go back to the XML interface rather than their rest interface because they never finished converting to the rest interface. Their API can docs can be at times out of date, but on the whole, are mostly fine. Interfacing with support will also be unavoidable because of limitations around soft deletes and admins have left my team unable to manage the account more times than I am sure support appreciates having to fix.

We use Veracode to perform a static scan of our application after we build it. As per the scan result, we upgrade the security and coding standards of our application. Until we meet the standards as per the Veracode scan, our application code will not be approved. By using Veracode we can learn many new things about software development and coding standards. We can use those in the near future to maintain industry standards.

Veracode is a very good platform for security remediation tools. This is having less cost as compared to other User-friendly User interfaces and is easy to access. Easy to interact if you are having queries related to scanning results. Suggestions for security remediation are very understandable like the cleansing function Veracode helps to remediate flaws without breaking any functionality of the application (code reusability is more )

Veracode is ideally suited for environments where a large amount of code is being released by several agile teams. Code rework and problems in production can be greatly reduced by using this tool. It may also be utilized to incorporate some compliance-specific criteria, which can really serve as a tailgate to prevent the deployment of non-compliant code in production.

Well suited: Monitoring application security throughout its development Not well suited: Fully automatic security assessments

Veracode is very well suited where lots of code are getting deployed with multiple agile teams on production. It can really bring efficiency in code quality, reduce code rework , reduce number of defects in production. It can be also used to include some compliance specific rules which can actually act as a tailgate to stop the non-compliance code getting deployed in production. Eventually as a SAST and DAST-based tool its can be very much efficiently used If the application is quite simple and not that complex, I feel we do not require to include this kind of tools. As the enterprise might not invest in non-complex applications.

Any organisation where software development is undertaken, has to consider Veracode. In this day & age, a business cannot afford to simply deploy software and hope for the best. Cybersecurity threats are one of the fastest growing areas in the modern age, and allowing software to be deployed with security flaws is simply unthinkable. Veracode addresses this problem by providing insight and advise, allowing the developers to remediate before the software goes into production.

We have a few plugins for static analysis in code but those mostly focus on code quality and performance. Veracode covers the "security" part for us. Scanning for vulnerabilities in 3rd party plugins/nugets is also helpful.

Veracode is the most well rounded security tool I have used to scan both dynamic and static code in my career. Scanning as a service means I don't have to setup my own infrastructure and application, or deal with upgrades. But it does mean you will be put in a queue with others.

Veracode support is prompt and always there to help. They are willing to get on a call with you to resolve the issue as much as possible. I have wanted more information from them at times but I have only interacted with a few support staff. They will have to escalate to other team members depending on complexity.

For jar file scans you can use Veracode, other options are there need to explore in Veracode.

It just works and allows for a left shift, which has been shown as a vast reduction in dev work and cost. With policy and other outlines, your security team can help Devs program safer applications and protect your company's platforms from vulnerability...

For application with high security requirements, Veracode is well suited. For example, we develop web application for a big insurance company. The security and protection of data privacy have a high priority here. In our case, Veracode can help a lot during development of the whole application and new features. For a small application with small user group, Veracode is not very appropriate because of the cost and needed efforts.

Well suited for compliant organizations that are agile and fast-moving in today's markets. We use Veracode for both static and dynamic scanning, it provides great insight for the development and security teams. As Director of Security, it is a key tool in use for maintaining compliance and security first applications.

My security team finds the solution easy to use, easy to communicate to other internal departments (dev, dev ops) as well as preparing executive reports for quarterly reviews.

Veracode excels in providing the required information about various languages that are supported by it. It also has good documentation on how to integrate with CICD tools like Jenkins & Azure DevOps. Oncall support from the team for understanding the scope of analysis and configurations is very helpful. With little more documentation around the configuration and languages, Veracode becomes a great must-have tool.

any group developing code that will be externally facing. Any team of developers who need the training to stay current with Security information in regards to their training - OWASP Top 10, etc.

First I thought Veracode was like SonarQube. But Veracode does different things. Otherwise, Veracode could show the issues in the code line, like Sonar does.

IDE plugins help immensely. Lack of profiles on IDE scans.

Veracode is very good for applications where security must be 100%, as it will find a large amount of vulnerability and false positives that can be minimized. It also allows integrations with widely used tools such as Jira and Jenkins, allowing the latter to automate scans efficiently and quickly. Veracode work well with large, medium and small companies, handle a large number of users with different roles, the administration of these is simple and it also has a log to know the records of each of these.

Veracode is well-suited for companies making sure their products are always flawless. Through their portfolio of products, one can make sure every application is free from any vulnerabilities at the earliest in its development lifecycle. It may not suit companies having legacy codebases and applications written in languages that Veracode doesn't support.

I won't recommend it for smaller products.

The best thing about the Veracode is scanning abilities and Developer Training.