My Veracode Review
October 12, 2020
Score 1 out of 10
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
Overall Satisfaction with Veracode
Veracode is standard tooling adopted within the company to secure our software.
- The SCA agent is pretty fast at executing.
- The user interface is a mess.
- Reporting is inconsistent; different views give conflicting data.
- False-positive management is too basic.
- Collaboration is absent.
- No public availability for open source.
- No integration in GitHub PR view.
- Very slow at uploading artifacts for static analysis.
- Wasting a lot of time trying to get useful information from the user interface.
- SSO is so cumbersome that I have to explain to people how to get in from Okta, as there isn't a decent login page.
- Some customers force us to get the security reports from Veracode by contract, which is the only reason why we haven't ditched it yet.
- We had to hire a Security Architect to deal with the tool as for developers it's so unusable that it wastes a lot of their time.
The support for Veracode is incredibly good and helpful and removes lots of frustration in using such a bad product. Still, sometimes they are ashamed as well of what they support, for example, when they had to explain the cumbersome SSO login that not even the most amateurish open source tool has.
The UI is dated, messy, unresponsive, a real nightmare. SourceClear before it was integrated was better, now it's a mess that only support can explain.
Do you think Veracode delivers good value for the price?
Are you happy with Veracode's feature set?
Did Veracode live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Veracode go as expected?
Would you buy Veracode again?
It's a product that does a lot of things in a very unusable way. It's been chosen as it ticks plenty of boxes but the quality of what's provided makes its reports and issue integration pretty useless. I always have to revert to other tools I trust more like Meterian or OWASP.