Veracode

The interface is easy to figure out, the information is well presented, and the reporting features are easy to consume, however, the interface is slow, and integrating with CI/CD could be better. Occasionally scans fail and need to be manually cleared using the web interface, and instead of Veracode automatically re-scanning every once in a while (when the Veracode engine updates), we have to schedule re-scans on our side, which adds some CI/CD setup burden to the process.

Once you become accustomed to using Veracode, you will more thoroughly understand the many ways in which you can use their tools. My only complaint is that it can be a bit daunting for new users of the platform. Perhaps some "Introduction to Veracode Tools" would be helpful for new users.

It takes a bit of time to get developers up to speed on setups, triage, working with defects, etc. For developers who have a backgound in scanners and computer science, they can more rapidly understand concepts like taint analysis and that makes it simpler for them to gain the best uses from the product(s). Since all scanning is tied to an application, it's easy to find everything one needs to know about the app's security and lifecycle in one place.

I believe this platform to be one of the most user friendly out there. After evaluating some other competitor platforms, I've seen one other that comes close to ease of use and others not so much. That is one of the main reasons we continue to renew with Veracode. Areas for improvement continue to be the analytics section and a very quick to annoy idle timer.

Good functionality but could be presented better.

For people who don't use the Veracode platform all the time it can be a little challenging, so when I need developers to check on a vulnerability I may need to hop on a call to walk them through the UI. Otherwise the integrations with pipelines, IDEs, reporting tools is pretty easy.

Overall Veracode's static scanning tool works well and is pretty intuitive. I do find myself trying to remember how to find certain features or screens from time to time, but I eventually stumble upon them. To be fair, I am only in the tool once every three months. I do find their dynamic scanning tool a bit confusing regarding the setup and configuration of a target URL. I do eventually find things but I do believe this process could be improved upon.

My security team finds the solution easy to use, easy to communicate to other internal departments (dev, dev ops) as well as preparing executive reports for quarterly reviews.

It is very easy and intuitive to use.

You can do the upload process manually or automated the upload via CICD as well. It takes a long long time to upload it to the servers (from SEA region at least) and the UI is kinda confusing to me. There was some kind of refresh on the UI last year, but UX can be improved.

- Almost no setup required and easy to configure
- Very easy to use, intuitive UI with integrated analytics and learning portals.
- Seamless to review the results, triage them, generate reports.
- Security progression of the product/application is tracked via successive scans.
- Privileges/Roles nicely fine grained and tightly controlled to let teams "view" only their products.

It is a pretty easy-to-use solution for security nerds, developers, and product managers.

Setting up the scans isn't too difficult and there is documentation on them. Navigating the portal and understanding the report is not as easy as we would've liked. The end to end process was quite confusing and we did not see or receive any documentation on it.

It offer versatile interface for kicking off code security scanning. We can submit for code scanning from Visual Studio on application we are still working on. We can manually upload our application files for scanning using the web interface. We can also install Veracode extension to our TFS instance to kick off automatic code scanning in our building/release definitions.

Veracode provides scanning results and, especially on SAST and DAST, is very fast and easy to use and has updated plugins.

This used to be terrible. Had a difficult time figuring out where information was. Partly this was due to duplicative features, jargon labels, and user navigation. However, in the seven years I've been using the product, it has gotten better.

Some of my issues were associated with trying to get scans to work unassisted. Now that scans, once set up, just run periodically, I don't have to deal with that as much. Part of this might also be that I've learned what I need to know about getting around. And still part of this assessment is in comparison to other tools out there that are even worse.

Still, they could benefit from an investment in a full useability redesign from someone with an outside perspective, modernizing the UX but also studying and working through the bigger usability concerns. I would love to see better diagnostic tools around getting scans to work so I wouldn't need their tech support people to get scans to work. However, as long as the scheduler keeps going, my needs on this get ever rarer.

The UI is dated, messy, unresponsive, a real nightmare. SourceClear before it was integrated was better, now it's a mess that only support can explain.

I think this is a place that could be improved. Maybe you guys need a good UX architect. There is plenty that the product can do, but sometimes you need to do a lot of digging to find it.

The platform has many features that were not relevant to use, retrieving the different reports was not always straightforward and sometimes required special assistance. Overall I think the platform could use a UX refresh. I did not have considerable issues using the platform, however I think some less technical users would require significant training in order to effective use the product to meet their various needs.

The analysis just takes longer. I think all other aspects from scan time, to reporting, to compliance checking are all great. But when I go to do analysis of the findings, I have to dig through my project to find each file with findings and drag it into the browser. Just takes a lot longer sadly.

Some products are straightforward to use and 'just work', whereas others are not. The instructions are well documented.

It's a new tool so there is a learning curve to adopt, learn, and use it. Overall, it was okay. Still, there are some UX improvements to consider, to navigate more easily to find your project and its related sub-project libraries.

Veracode is a great product, with a plethora of training resources and very intuitive GUI.

I give this a 10/10 score because Veracode is pretty straightforward when it comes to overall usability.

Now that we know how Veracode wants us to prepare and submit our code for scanning, it's pretty straightforward. Still, I would like for Veracode to have a module that would connect with Xcode so that creating and submitting the archives for scanning is more baked-in.