Great for automation and reporting of application security testing
September 03, 2020

Score 8 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
Overall Satisfaction with Veracode
Veracode is used by our organization to conduct static application security test (SAST) scans. The SAST scans are either manually submitted through the Veracode portal or automated via CI/CD integration. It is being used across the whole organization for all custom-developed applications. Veracode's usage addresses requirements to run SAST scans on all custom-developed applications before releasing to production.
Pros
- Analytics - Veracode has the most powerful reporting/dashboard feature I have seen across all other SAST vendors.
- App sec program improvement - Veracode program managers take a stake in your organization's security posture and guide you through the enhancement of your overall SDLC.
- Technical support - Veracode support is very prompt and the "consultation" feature is a must-have.
Cons
- Licensing - it is not easy to determine license consumption in a given time frame and the reliance on analysis size leads to large license consumption and issues.
- Auditing - it is not a very straightforward process for developers to triage flaws/review issues in the portal.
- Faster go-to-market speeds due to SAST integration and timely triage of findings
- Visibility into security posture of entire portfolio
- High license costs when applications are not packaged correctly for scanning
Our organization uses both Fortify and Veracode. Veracode is great for any applications using third-party components and for testing applications that Fortify doesn't support. Veracode is typically faster with supporting new technologies, given its reliance on binaries as compared to source code in Fortify. Veracode has much better reporting than Fortify.
Do you think Veracode delivers good value for the price?
No
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Veracode go as expected?
I wasn't involved with the implementation phase
Would you buy Veracode again?
Yes