Thorough scanning engine and flexible reporting tools, so-so CI/CD and alerting
October 01, 2020

Anonymous | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)

Overall Satisfaction with Veracode

We use Veracode for all the software we build in-house. Being in the financial services industry there's a lot of regulation and emphasis on security, and we've made Veracode a mandatory part of our production deployment process to satisfy some of those requirements. The reports Veracode generates are used by both management and development teams.

  • PDF & web reports are very well laid out.
  • Custom dashboards are very flexible/powerful.
  • Flaw remediation suggestions are specific and helpful for most flaws & languages.
  • Documentation is clear and detailed.
  • Veracode support is excellent.

  • Scan times can be long.
  • Atlassian / Bamboo CI/CD integration isn't the best.
  • No alerting functionality when new flaws are found.
  • No auto-rescan functionality.
  • The web interface is slow.

  • Several legitimate security vulnerabilities in my team's legacy software were caught and addressed.
  • Change management is made more auditable by quickly attaching scan reports to change tickets.
  • Developers are more security-minded in general when they remember their code is going to be scanned.
SonarQube is faster and can be free, but the security scanning capabilities are a joke compared to Veracode. Unlike SonarQube, Veracode goes deeper into finding a very wide variety of vulnerabilities and best practices that should be applied to software, and provides reporting and support to assist in the process.

My team has contacted Veracode support several times, sometimes regarding how to get it set up, sometimes giving them feedback on false positives, and the Veracode team is always responsive and receptive to our needs. Their security support team is excellent at explaining how a potential flaw works and what the path to remediation looks like.

The interface is easy to figure out, the information is well presented, and the reporting features are easy to consume; however, the interface is slow, and integrating with CI/CD could be better. Occasionally scans fail and need to be manually cleared using the web interface, and instead of Veracode automatically re-scanning every once in a while (when the Veracode engine updates), we have to schedule re-scans on our side, which adds some CI/CD setup burden to the process.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

Veracode is excellent when you need good reporting/auditability to satisfy regulatory requirements. It works well for very large organizations and guides even entry-level developers through the process of how to set it up and start resolving flaws.

It's probably not as good for smaller companies, where CI/CD is a top priority, or where cost is a concern.