Veracode Review
September 03, 2020

Anonymous | TrustRadius Reviewer
Score 6 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Developer Training

Overall Satisfaction with Veracode

Veracode is being used by development teams in my organization. We use Veracode to identify security vulnerabilities in the developers' code base so that they can fix them before releasing their code to production. We integrate Veracode solutions into the developers' CI/CD pipelines on Jenkins or TeamCity. We also encourage them to use Veracode in their respective IDEs.

Pros

  • Good support. We have a dedicated manager and engineer who are true professionals. Also, their support is quick to reply and pretty good at handling the issues we raise.
  • Compatibility. Supports all major programming languages and developer tools.
  • REST API is available to get analytics from the tool.

Cons

  • Inconvenient integration with CI/CD. They don't have a compatible plugin to use on Jenkins or TeamCity, so we ourselves need to come up with a custom solution for how to integrate with the CI tool. It is more inconvenient in this respect than e.g. Checkmarx.
  • More work to set up a scan. Due to the nature of the tool (it accepts compiled binaries rather than source code), developers need much more work to set up a scan correctly. There is a long list of requirements for how binary files need to be packaged and compiled in order to be ready for scanning in Veracode.
  • No asynchronous scanning. A scan has to be completed fully before another scan can be triggered, which in an agile environment is inconvenient. There is a workaround with the REST API, though, which again requires more work from the developer's side.
  • Confusing workflow for the SCA service. They have 2 parallel solutions for SCA that require separate integration and have separate UIs, which is confusing.
  • Access roles are not very flexible and cannot be changed easily.
  • Transparency. It has a very good capability of gathering and showing analytics of data pulled from the scans about the security posture of applications.

Checkmarx for SAST is easier to integrate and use. It also has a nicer and more convenient UI that shows you the source code and the context of the vulnerabilities identified. However, it is more expensive, not on the cloud so you need your own infrastructure, and it doesn't have such good analytics capabilities.

Sonatype for SCA has a firewall solution to block vulnerable 3rd-party libraries, which Veracode doesn't have.

Veracode support is really good. They are very responsive, and there is the option to set up consultation calls with them from the portal.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?

No

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

No

Would you buy Veracode again?

No

I think it is best suited for smaller companies that have strong development teams with more time on their hands to integrate Veracode. It is probably not such a good solution for big companies with hundreds of development teams at various levels of expertise, as it is quite difficult to standardize and requires much more work from the development team than other tools, e.g. Checkmarx.

Comments

  • Colleen Reidy | TrustRadius Reviewer
    Thank you for your feedback. We take customer satisfaction seriously and want to make sure we continue to improve. We have shared this feedback with our product management and user experience teams. Regarding your point about CI/CD integration, we wanted to make sure you were aware of our fully supported integrations for both Jenkins and TeamCity. Both can be found in their respective marketplaces. We also wanted to make sure you are aware of our Pipeline Scan, which is a command-line-driven static analysis tool that supports multiple simultaneous scans of the same code base and uses the same scanning engine as our regular static analysis product. Again, thanks for the input and the opportunity to improve.