Veracode Review
September 03, 2020

Anonymous | TrustRadius Reviewer
Score 6 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Developer Training

Overall Satisfaction with Veracode

Veracode is being used by development teams in my organization. We use Veracode to identify security vulnerabilities in the developers' code base so that they can fix them before releasing their code to production. We integrate Veracode solutions into the developers' CI/CD pipelines on Jenkins or TeamCity. We also encourage them to use Veracode in their respective IDEs.
  • Good support. We have a dedicated manager and engineer who are true professionals. Also, their support is quick to reply and pretty good at handling issues that we raise.
  • Compatibility. Supports all major programming languages and developer tools.
  • REST API is available to get analytics from the tool.
  • Inconvenient integration with CI/CD. They don't have a compatible plugin to use on Jenkins or TeamCity, so we ourselves need to come up with a custom solution for how to integrate with the CI tool. It is more inconvenient in this respect than e.g. Checkmarx.
  • More work to set up a scan. Due to the nature of the tool (it accepts compiled binaries rather than source code), developers need to do much more work to set up a scan correctly. There is a long list of requirements for how binary files need to be packaged and compiled in order to be ready for scanning in Veracode.
  • No asynchronous scanning. A scan has to be completed fully before another scan can be triggered, which in an agile environment is inconvenient. There is a workaround with the REST API, though, which again requires more work from the developer's side.
  • Confusing workflow for the SCA service. They have 2 parallel solutions for SCA that require separate integration and have separate UIs, which is confusing.
  • Access roles are not very flexible and cannot be changed easily.
  • Transparency. It has a very good capability of gathering and showing analytics of data pulled from the scans about the security posture of applications.
Checkmarx for SAST is easier to integrate and use. It also has a nicer and more convenient UI that shows you the source code and the context of the vulnerabilities identified. However, it is more expensive, not on the cloud (so you need your own infrastructure), and it doesn't have such good analytics capabilities.
Sonatype for SCA has a firewall solution to block vulnerable 3rd-party libraries, which Veracode doesn't have.
Veracode support is really good. They are very responsive and there is the option to set up consultation calls with them from the portal.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?

No

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

No

Would you buy Veracode again?

No

I think it is best suited for smaller companies that have strong development teams with more time on their hands to integrate Veracode. It is probably not such a good solution for big companies with hundreds of development teams with various levels of expertise, as it is quite difficult to standardize and requires much more work from the development team than other tools, e.g. Checkmarx.