Veracode, It's a great tool if you can afford it
Glenn Jones | TrustRadius Reviewer
February 28, 2018

Veracode, It's a great tool if you can afford it

Score 9 out of 10
Vetted Review
Verified User
Review Source

Overall Satisfaction with Veracode

Mathematica Policy Research uses Veracode across many websites developed for our clients. We are currently working on setting it up to perform a static security scan when source code is checked into our source control repository. It is used by many of staff in the development departments of the company. It is the first step in the process of making certain we do not deploy applications that have security flaws written into them. We do not allow an application to be deployed if it does not pass the Veracode static scan.
  • Veracode works very well from within Visual Studio for .Net based websites.
  • The API, once figured out, is very useful for performing Continuous Integration/Continuous Deployment (CI/CD) portion of the DevSecOps process.
  • It currently supports most of the development environments that we use ar MPR such as .Net and NodeJS.
  • Some members at Mathematica Policy Research program Python-based websites. The Python Static Analysis has not yet come out in Veracode. We have been waiting for over one year for Python.
  • Speed is a problem with us and Veracode. It can take over two hours at times to get a very simple, single HTML page "website" scanned. This is becoming non-maintainable.
  • Documentation on the XML out files should be provided. I was able to process the XML files but I am sure there are parts that I either did not see or misinterpreted. I t would be nice if the XML was documented.
  • Cut the price or come up with multiple pricing models. We do a lot of small applications that only run for a few months. To make us pay a $7000.00 fee for each website is overly costly. Because of the price we cannot use Veracode on all of the applications we would like to use it on
  • As I already stated, the cost per application is very high which makes the use of Veracode too expensive for many of out applications.
  • The analysis report is accepted by our clients as a proper SSAT report.
  • Most of out competition does not perform any type of SSAT on the applications they create. This is something we offer and be the only one out there doing this type of testing.
Mathematica Policy Research has used a few open source tools to perform SAST. The open source products do not hold up with Veracode. We have also written some of our own custom SAST applications for specific web products. We do not use Veracode for Dynamic Application Security Testing (DAST). We find that that there DAST is just expensive for us to use so we use a different tool.
If you need to perform static application security testing (SAST) and low price is not a problem, then Veracode is a good choice. The speed of the static analysis could also be increased. It is, however, one of the few tools available that can analyze the bytecode of a .Net web application and provide very good analysis of the application. The generated report is also quite good, even though it appears everyone wants a report based on PCI problems, even if your application does not deal with any financial information.