Meets our needs, but the UI experience is wanting
July 27, 2020

Anonymous | TrustRadius Reviewer
Score 6 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Dynamic Analysis (DAST)

Overall Satisfaction with Veracode

Veracode is used by our organization in order to figure out known vulnerabilities in our infrastructure, and also for guidance with fixing them. We do that in order to protect our business from undesirable events like a data breach, data loss, etc.
  • Veracode's DAST (dynamic) and SAST (static) scans helped us to figure out existing vulnerabilities in our web apps. It also provided detailed information, and appropriate OWASP, CWE, etc. links to help our engineers remediate those vulnerabilities.
  • Veracode's scans can be configured to run automatically on a schedule. With DAST, every time a scan runs, it automatically recognizes earlier issues that have been fixed and adds any new issues to the flaw inventory it maintains for any app.
  • Veracode's Software Composition Analysis module identifies vulnerabilities in the dependencies that our apps use. It very conveniently lets us know whether we use the affected/vulnerable parts of any dependency.
  • Veracode's UI is highly non-intuitive and a pain to work with. It's not a SPA (single-page app), it doesn't look visually appealing (feels like it's from another era), and navigating around is hard.
  • With DAST/dynamic scans, the flaws reported in each successive scan get collected in a flaw inventory, where one can see which former issues were fixed and which are pending a fix. For some reason, this option is not available for SAST/static scan issues.
  • When creating a SAST scan manually, the time taken to upload files and validate them (before the scan can be initiated) is very high, and cannot be explained away by relying on internet speed. Also, files are uploaded sequentially, not in parallel. This means that it can take hours before the scan is initiated.
  • We have only started using Veracode in the past few months, and have not identified any tangible impact. However, since our potential customers insist on us not having vulnerabilities and conduct independent checks, it does have the potential to help us there. Also, there is a value attached to being less vulnerable to data breach or loss and compromise of our production systems, any of which will have a material impact on the appeal of our service.
Snyk has a much better and more intuitive UI, but as far as I know does not provide DAST and SAST like Veracode does. When it comes to SCA, you might be better off going with Snyk.
The response is usually prompt.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

Yes

Did implementation of Veracode go as expected?

No

Would you buy Veracode again?

No

Although Veracode is good at identifying known flaws or vulnerabilities in software and providing guidance with remediating them, the experience of managing and assigning vulnerabilities can be significantly improved, along with the ease of using the user interface.

If you're using GitHub to host your repositories, it alerts you about the vulnerable dependencies in your app, and although the tool is not as robust as Veracode's SCA, it may meet your needs still.