Veracode Review
Overall Satisfaction with Veracode
As per my knowledge, Veracode is used across the organization for compliance and security validation of in-house apps. Now all compliance and software composition analysis is done by Veracode. Based on the report, we apply our fixes so that the app will be vulnerability-proof. To be honest, it is quite irritating that Veracode is updated so frequently. We cannot cope with the pace. But at the same time, it is good because it has made us aware of vulnerabilities that may impact our BAU.
We have a nightly pipeline in Jenkins that generates the report and sends it to stakeholders. Also, when we commit to GitHub, that triggers a build lifecycle. This build lifecycle also has a toggle to include a Veracode scan if we want to. The toggle is on by default.
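The setup described above, written out as a declarative Jenkinsfile. This is an added example, not the reviewer's own pipeline: it assumes a Maven build, that the nightly job is the same pipeline on a cron trigger, that the Veracode API ID/key live in a Jenkins credential named `veracode-api`, and that the Email Extension plugin is installed. The `veracode` step and its parameter names follow the Veracode Jenkins plugin's pipeline syntax as documented; confirm them with the plugin's Pipeline Syntax snippet generator before use.

```groovy
// Added example (not from the review): per-commit build with a Veracode scan
// stage gated by a boolean parameter that defaults to on, plus a nightly cron
// run that mails the result to stakeholders.
pipeline {
    agent any

    // Assumption: the nightly report run is this same pipeline on a schedule.
    // Scheduled builds use the parameter defaults, so the scan toggle is on.
    triggers { cron('H 2 * * *') }

    parameters {
        // The toggle from the review: on by default, untick for a one-off build.
        booleanParam(name: 'RUN_VERACODE_SCAN', defaultValue: true,
                     description: 'Upload the build artifact to Veracode and start a scan')
    }

    stages {
        stage('Build') {
            steps { sh 'mvn -B -DskipTests clean package' }
        }

        stage('Veracode scan') {
            // Skip the whole stage when the toggle is off.
            when { expression { params.RUN_VERACODE_SCAN } }
            steps {
                // Assumption: API ID and key stored as a "username with password" credential.
                withCredentials([usernamePassword(credentialsId: 'veracode-api',
                                                  usernameVariable: 'VERACODE_ID',
                                                  passwordVariable: 'VERACODE_KEY')]) {
                    // Parameter names as in the Veracode Jenkins plugin's pipeline step
                    // (assumed; verify with the snippet generator). waitForScan makes
                    // the build block on the result so a failed policy fails the build.
                    veracode applicationName: 'my-inhouse-app',
                             criticality: 'High',
                             scanName: "build-${env.BUILD_NUMBER}",
                             uploadIncludesPattern: 'target/*.war',
                             waitForScan: true,
                             timeout: 60,
                             vid: VERACODE_ID,
                             vkey: VERACODE_KEY
                }
            }
        }
    }

    post {
        always {
            script {
                // Assumption: Email Extension plugin; recipients are placeholders.
                if (params.RUN_VERACODE_SCAN) {
                    emailext to: 'appsec-stakeholders@example.com',
                             subject: "Veracode scan ${currentBuild.currentResult}: ${env.JOB_NAME} #${env.BUILD_NUMBER}",
                             body: "Scan stage ran for ${env.GIT_COMMIT}: ${env.BUILD_URL}"
                }
            }
        }
    }
}
```

Because Jenkins applies parameter defaults to cron-triggered builds, the nightly run always scans, while a developer can untick `RUN_VERACODE_SCAN` on a manual build without editing the Jenkinsfile. Keeping the API key in `withCredentials` rather than in the job configuration keeps it out of the console log and the build history.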
Pros
- Frequent vulnerability updates
- Painless flaw-triage feature
- Provides vulnerability fix information as part of SCA
Cons
- The GreenLight plugin could be improved so that we can scan the whole project (the max file size limit is 1 MB).
- Project-specific false positives: we have one transitive dependency that we never use in our application. Still, it shows up as an SCA vulnerability, because we cannot mark it as a false positive at project scope.
- Organization-specific MBD: for example, we have a common jar that provides cross-organization functionality and it has Veracode issues. Whenever we update this common jar version, all MBDs reopen. This is not blocking us, but as per DRY it is a waste of time.
- It does a raincheck on security vulnerabilities before we move things to production. That is a big relief.
- For critical projects it has a good ROI.
1. We need only a few features and detailed reporting for static analysis. Veracode is enough to suit that need.
2. We have not used other products since 2013, so Veracode became the de facto standard for us.
Do you think Veracode delivers good value for the price?
Not sure
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
Yes
Did implementation of Veracode go as expected?
Yes
Would you buy Veracode again?
Yes