Veracode Review
September 03, 2020
Score 6 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
- Developer Training
Overall Satisfaction with Veracode
Veracode is being used by development teams in my organization. We use Veracode to identify security vulnerabilities in developers' code bases so that they can fix them before releasing their code to production. We integrate Veracode solutions into the developers' CI/CD pipelines on Jenkins or TeamCity. We also encourage them to use Veracode in their respective IDEs.
- Good support. We have a dedicated manager and engineer who are true professionals. Also, their support is quick to reply and pretty good at handling the issues we raise.
- Compatibility. Supports all major programming languages and developer tools.
- REST API is available to get analytics from the tool.
- Inconvenient integration into CI/CD. They don't have a compatible plugin for Jenkins or TeamCity, so we ourselves need to come up with a custom solution for integrating with the CI tool. It is more inconvenient in this respect than, e.g., Checkmarx.
- More work to set up a scan. Due to the nature of the tool (it accepts compiled binaries rather than source code), developers need much more work to set up a scan correctly. There is a long list of requirements for how binary files need to be packaged and compiled in order to be ready for scanning in Veracode.
- No asynchronous scanning. A scan has to be completed fully before another scan can be triggered, which is inconvenient in an agile environment. There is a workaround via the REST API, though, which again requires more work on the developers' side.
- Confusing workflow for the SCA service. They have two parallel solutions for SCA that require separate integration and have separate UIs, which is confusing.
- Access roles are not very flexible and cannot be changed easily.
- Transparency. It has a very good capability for gathering and showing analytics, pulled from the scans, about the security posture of applications.
Checkmarx for SAST is easier to integrate and use. It also has a nicer and more convenient UI that shows you the source code and the context of the vulnerabilities identified. However, it is more expensive, it is not on the cloud (so you need your own infrastructure), and it doesn't have such good analytics capabilities.
Sonatype for SCA has a firewall solution to block vulnerable 3rd-party libraries, which Veracode doesn't have.
Do you think Veracode delivers good value for the price?
Not sure
Are you happy with Veracode's feature set?
No
Did Veracode live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Veracode go as expected?
No
Would you buy Veracode again?
No