My Veracode Review
October 01, 2020

My Veracode Review

Yaniv Toplian | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • N/A

Overall Satisfaction with Veracode

We are using the tool to scan our code for vulnerabilities on a regular basis and fix the issues.
Secondly, we are using the software composition for 3rd-party open sources to indicate any vulnerabilities and upgrade possibilities related both to vulnerabilities and license issues and their support types.

Pros

  • It's a SaaS, which we aim to use.
  • We want a tool to pinpoint real vulnerabilities and not just throw 1000s of them.
  • We wanted a tool to support mitigation action and to keep it for the next runs as well.

Cons

  • We purchased 2 licenses and sometimes we get alerted on over use. Veracode checks this issue, as it seems to be the tool's problem.
  • The UX could be more intuitive.
  • It didn't find any vulnerabilities in our client-side code base, which I think is weird.
  • Our customers demand that we will use such a tool.
  • We keep the code clean from vulnerabilities as much as possible.
  • We upgrade our 3rd-party open sources due to the scanning.
With Fortify we got 1000s of vulnerabilities and we just could not overcome them and in each scan we discovered more and more in scales that were not managed. Also, the tool was on-prem and we had to deal with upgrades and server issues and maintain it by our IT guys. The tool didn't support some of our coding languages that Veracode does support.
In the beginning, we had several issues, mainly related to uploading our code projects for scanning. We dealt a lot with the PDB files and their format. Later, we had issues with how to integrate the tool to be automatically triggered by our CI/CD process and as we use TFS it was not an easy task. For all of that, we had to get support from Veracode/Veracode representatives. It could have been easier.
It's a new tool so there is a learning curve to adopt, learn, and use it. Overall, it was okay. Still, there are some UX improvements to consider, to navigate more easily to find your project and its related sub-project libraries.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

Yes

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

Veracode is useful because it is offered as SaaS, provides the option to mitigate issues, remembers the mitigated issues so you can filter them out in the next scanning, and is pretty easy to use. The SW composition tool also very beneficial as it scans all 3rd parties and open sources and points to license and vulnerabilities issues.

Aspects that could be improved include needing faster support if we have problems or questions, finding UI/client-side vulnerabilities, and integration into our CI (using TFS) process, which wasn't so trivial and we had to get their support.

Comments

More Reviews of Veracode