DIR Veracode
Updated August 04, 2020
DIR Veracode
Score 9 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
- Dynamic Analysis (DAST)
Overall Satisfaction with Veracode
It is used by our developers. It addresses our Application development before being put into production and continuously while in production. It helps our developers with their code and 3rd party components that are used in the application. It also is used for the dynamic scanning of web-facing applications.
- Points out where exactly the vulnerabilities are and what impact they have.
- It provides CVE, which is good if you want to drill down further into why the issue is being cited and what the vulnerability really is.
- It provides 3rd party components and replacements for those libraries.
- Developers complain about various components of the 3rd party library not being used, but yet, they are called out in Veracode as being vulnerable. These components are bundled into the package but are not specifically used.
- The email notifications need to be more explicit about which application and which particular vulnerability.
- Each time a scan is submitted, force the user to change the name on the scan. My users do not change the scan description and the date that is displayed in the log is the scan description, which shows an old scan date and description.
- Its been an excellent tool. that's why we've been using them this long.
- Their support is excellent.
- I'm not sure what there is that they can improve but if I was pressed for something, I'd say maybe their first line of support to have more answers.
- They should also make it easier and improve the way password changes occur. I am the admin for the product at my company and the users have a lot of problems changing their passwords with the email that's sent to them from my admin console.
I didn't select Veracode, someone else did prior to me getting to this office.
Do you think Veracode delivers good value for the price?
Yes
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
Yes
Did implementation of Veracode go as expected?
Yes
Would you buy Veracode again?
Yes
Using Veracode
| Pros | Cons |
|---|---|
Like to use Easy to use Technical support not required Convenient | Slow to learn Lots to learn |
- Its easy to read their reports and understand vulnerabilities and the severity ratings and how the ratings are derived
- Its also easy to read and understand the vulnerabilities and the associated cwe and data from the National Vulnerability Database.
- When triaging flaws its easy to see where the flaw in the various modules are and how to correct them. Why the flaw was called out and how it can be corrected.
- Resetting passwords should be easier. As the Veracode Admin for my department, I have to contact support to have passwords reset because somehow or the other the email sent by Veracode for a password reset doesn't help the user reset their password.
- When I get notifications for "updated SCA results", and click on the link in the email, it takes me to the SCA results for all profiles in my organization. Why can't it take me to just the profiles using the affected library?
- There are some things in user administrator that I don't understand and what its purpose is.