Veracode's Software as a Service, the key to success
June 19, 2020

George Garza | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Dynamic Analysis (DAST)
  • Penetration Testing

Overall Satisfaction with Veracode

We use Veracode in four ways:

  1. As part of our software development process where we scan 35 applications with Static Application Security Testing and Software Composition Analysis to detect and resolve security exposures prior to General Availability releases. These scans are automated to run multiple times per week.
  2. At GA we deploy and run our hosted applications in security test environments while executing Dynamic Application Security Testing to ensure our systems remain secure.
  3. During operations in our hosted environments we engage manual Penetration Testing from Veracode to complement our security program.
  4. Finally, we use Static Application Security Testing and Software Composition Analysis to evaluate customer-requested modifications prior to delivery and deployment into production environments.

  • Software as a service is the primary strength, which results in a highly supported program.
  • Very effective program management focused on quick ramp-up and continuous improvement for sustained business value.
  • Highly effective technology, which most would identify first. In our case it is assumed the technology provider is superior, making the service and program management the key differentiators.
  • The leadership team, who created a very effective approach to securing software, brings credibility to the table. They remain accessible and offer guidance and support to our executive team.
  • The only suggestion I have is for them to establish a Security Consulting arm where customers could engage them, as a paid service, for establishing overall security programs. With that said, Veracode is very generous with their time even when not being paid.
  • Mention of Veracode during customer sales meetings is always received very positively. For closing deals, security-related friction is removed.
  • Automated scanning with high frequency drives flaw management cycle times to a minimum. Reduction in labor to run scans and a low false positive rate drive engineering efficiency, and high frequency reduces/eliminates the escape rate, resulting in cost avoidance due to "rework."
  • Defending our solutions' security becomes a non-event. We find most customer-based scanning is plagued with high false positive rates due to ineffective configuration or poor technology. We simply state our approach with Veracode and no longer review customer-initiated reports. Many customers become very interested in how Veracode avoids false positives.

Software as a service is a key factor. Programs are easy to establish and quick to ramp up. Low false positive rates mean lower engineer fatigue and frustration. Data path exposure makes resolution obvious and easier. Other providers tend to sell technology and many times do not provide support (guidance) after the sale, or they depend on third-party organizations to attempt to do so. Veracode provides the entire package from creation to implementation.

Veracode sees no differentiation between technology and support. Their model is "Software as a Service." Other providers sell technology.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

Yes

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

Veracode is a well-suited partner to provide guidance for implementing an effective application and environment security technology program. The core focus is to identify, prevent and resolve problems created by customer organizations within their solutions. What I would like to see is a transition to upstream (paid) consulting for organizing the entire development pipeline and process regardless of the technologies used. We have had numerous sessions with the Veracode Executive/Management team to discuss strategies even outside the scope of their technology. These were not paid events, and as a result we limit our requests to do so. If they were paid events we would probably request more.