My Veracode Review
October 12, 2020

Score 1 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
Overall Satisfaction with Veracode
Veracode is standard tooling adopted within the company to secure our software.
- The SCA agent is pretty fast at executing.
- The user interface is a mess.
- Reporting is inconsistent; different views give conflicting data.
- False-positive management is too basic.
- Collaboration is absent.
- No public availability for open source.
- No integration in the GitHub PR view.
- Very slow at uploading artifacts for static analysis.
- Wasting a lot of time trying to get useful information from the user interface.
- SSO is so cumbersome that I have to explain to people how to get in from Okta, as there isn't a decent login page.
- Some customers force us to get the security reports from Veracode by contract, which is the only reason why we haven't ditched it yet.
- We had to hire a Security Architect to deal with the tool as for developers it's so unusable that it wastes a lot of their time.
- Snyk and WhiteSource
Snyk and WhiteSource have fewer features. The WhiteSource UI is as bad as Veracode's; Snyk is better integrated with GitHub but provides decent results only for JavaScript. The best one for reporting and quality of results across languages is Meterian, which does not appear in this list, or the open-source OWASP Dependency-Check (although it requires lots of work to create a file for false positives).
Do you think Veracode delivers good value for the price?
Not sure
Are you happy with Veracode's feature set?
No
Did Veracode live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Veracode go as expected?
No
Would you buy Veracode again?
No