Updated August 04, 2020
Score 9 out of 10
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
- Dynamic Analysis (DAST)
Overall Satisfaction with Veracode
It is used by our developers. It addresses our application development before being put into production and continuously while in production. It helps our developers with their code and 3rd party components that are used in the application. It also is used for the dynamic scanning of web-facing applications.
- Points out where exactly the vulnerabilities are and what impact they have.
- It provides CVE, which is good if you want to drill down further into why the issue is being cited and what the vulnerability really is.
- It provides 3rd party components and replacements for those libraries.
- Developers complain about various components of the 3rd party library not being used, but yet, they are called out in Veracode as being vulnerable. These components are bundled into the package but are not specifically used.
- The email notifications need to be more explicit about which application and which particular vulnerability.
- Each time a scan is submitted, force the user to change the name on the scan. My users do not change the scan description and the date that is displayed in the log is the scan description, which shows an old scan date and description.
- It's been an excellent tool. That's why we've been using them this long.
- Their support is excellent.
- I'm not sure what there is that they can improve but if I was pressed for something, I'd say maybe their first line of support to have more answers.
- They should also make it easier and improve the way password changes occur. I am the admin for the product at my company and the users have a lot of problems changing their passwords with the email that's sent to them from my admin console.
I didn't select Veracode, someone else did prior to me getting to this office.
Because they're good except for some issues experienced with front line support some time ago.
Do you think Veracode delivers good value for the price?
Are you happy with Veracode's feature set?
Did Veracode live up to sales and marketing promises?
Did implementation of Veracode go as expected?
Would you buy Veracode again?
I think the roles that it plays for our organization serve its purpose very well. Maybe they should couple their product with a better pen testing solution because that falls in line with the types of things Veracode already does.
Like to use
Easy to use
Technical support not required
Slow to learn
Lots to learn
- It's easy to read their reports and understand vulnerabilities and the severity ratings and how the ratings are derived.
- It's also easy to read and understand the vulnerabilities and the associated CWE and data from the National Vulnerability Database.
- When triaging flaws, it's easy to see where the flaws in the various modules are and how to correct them. Why the flaw was called out and how it can be corrected.
- Resetting passwords should be easier. As the Veracode Admin for my department, I have to contact support to have passwords reset because somehow or the other the email sent by Veracode for a password reset doesn't help the user reset their password.
- When I get notifications for "updated SCA results", and click on the link in the email, it takes me to the SCA results for all profiles in my organization. Why can't it take me to just the profiles using the affected library?
- There are some things in user administrator that I don't understand and what its purpose is.
I am not a full-time administrator of Veracode, and although it has made many improvements in the past year or two, previous to that it was very difficult to use. I still think for people like me who work in a small security software without a thick budget and not a lot of resources, it is difficult to use and understand all the bells and whistles and everything it has to offer.