Veracode Review from Security Engineer Perspective
Updated June 14, 2022

Score 10 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
Overall Satisfaction with Veracode
We use Veracode as our Static Analysis Security Testing tool. As a security engineer I am administering Veracode and managing/supporting our developers with using Veracode. It is our main application security code analysis tool and has been built into all of our processes, automation, developer pipelines and reporting tools.
- The tool seems to have been built for automation.
- As a security engineer, I prefer the types of findings discovered through DAST or IAST since I can easily verify findings, but the SAST findings may be easier for the developers since it points to the area of code.
- While it's hard to get developers to take advantage of the consultation calls, I like the fact we can get a highly technical person to walk us through any type of Veracode question.
- The UI has gone through times of instability which can be a pain when things are broken.
- Selecting the correct modules for large applications can be a headache as well as stressful since you need to get that portion right to get the types of results you need.
- There is a bit of a learning curve to navigating Veracode so I see developers who don't use it often struggle to get to their scan results and handle them properly.
- After building up the automation of submitting scans it pretty much runs itself.
- When it's working well it's great, but you need to be on the lookout for any hiccups it had that will cause your automation to break.
The overall product selection was done by someone else for many reasons.
What I liked more about Contrast than Veracode was the type of results it gave. Findings were a lot more actionable since these were observable exploits that could be easily tested by the security team against the QA environments, it gave you examples of which parameter to exploit which made verification easy. The other portion of the scan results I liked more were the severity ratings. I disagree with how Veracode has set some of the vulnerability severity ratings where a JavaScript exec() is a critical severity (even though it's really just a DOM based XSS), and something like XXE or Path Traversal is only a medium, even though you can do a lot more damage with something like that.
The downside to Contrast was how involved different teams had to be to get scan results on time. Veracode makes doing constant scanning very easy every time there is an update in the code.
Do you think Veracode delivers good value for the price?
Not sure
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Veracode go as expected?
Yes
Would you buy Veracode again?
Yes