Veracode Stands Tall Among the Leading Application Security Platforms
Updated September 01, 2022

Score 9 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
- Dynamic Analysis (DAST)
- Network Discovery
Overall Satisfaction with Veracode
Veracode is being used as an application security service across our organization. We rely upon Veracode as an authority in mitigation efforts. The platform and its scanning services help manage potential flaws found within the applications that we support and host. Developers interact with Veracode and the security team to help resolve any flaws that are discovered.
Pros
- I have found the Software Composition Analysis area to be the best among the competing products for Application Security.
- Veracode's support services are impeccable.
- Their program management teams are professional, helpful, and friendly.
Cons
- Although an improvement to what was there previously, the Analytics section using Looker could still use some improvement. It does seem that what Veracode has deployed is a very limited version of Looker. While helpful and useful, there seems to be so much more that Looker does (such as dynamic querying); however, the version that Veracode employs doesn't seem to offer this.
- More user control of administrative functions such as user adding/deleting. Veracode still uses a 'soft delete'/'hard delete' functionality. This can become cumbersome for self-user-administration when a deleted user has to be re-added. A support call is then necessary to have this done.
- Their idle timeout process needs work. While using the Looker tool, you must save your work every few minutes, as their 'Shark-attack-like' idle timeout will sneak up on you and redirect you away in an instant causing you to lose any unsaved work.
- Static flaw analysis section
- Software Composition analysis section
- Analytics dashboard
- APIs both for developer submission of scans, and administrative retrieval of analytic data.
- Veracode has helped in identifying many flawed areas within our applications.
- Veracode's many services have helped our development teams recognize and understand the importance of secure coding standards within their own SDLC.
- This isn't really a dig on Veracode, but despite their best efforts and ours, it still seems to be a hard sell to much of our user community to adopt a system like Veracode as a needed service.
During the course of our using Veracode, we still do evaluate other platforms to see what they offer, and how they compare to Veracode. I do most of the evaluations myself, and I still come back to Veracode as being the overall best platform. Most every platform, for better or worse, still charges about the same yearly amount as Veracode. Mind you, none of them, including Veracode, are inexpensive services. But even though some of their competitors have enticing elements to their services, overall Veracode still offers the best service, turnaround time, and support for the money.
Do you think Veracode delivers good value for the price?
Yes
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
Yes
Did implementation of Veracode go as expected?
Yes
Would you buy Veracode again?
Yes
Using Veracode
100 - IT Development, Information security, vulnerability management. Development for the submission of scan and retrieval of findings. InfoSec and VM for administration, processing of analytic data.
1 - Information security personnel, once an application developer with 25 years in that field. Detail oriented with aptitudes in troubleshooting, and loads of patience working with developers that need lots of guidance.
- Application Vulnerability flaw identification and remediation
- Data collection
- Authoritative entity to ensure customer base that our applications are secure
- Some clients want monthly reports on flaw progress, use of APIs to automate monthly retrieval of those specific client reports.
- Hooking Veracode up to the VR module in Service Now to have regular pulls of analytic data into Service Now for further spotlight on flaws and ticket creation.
Evaluating Veracode and Competitors
- Product Features
- Product Usability
- Product Reputation
We wanted something that not only our developers would find easy to use, but would also be easy to implement and administer. This would be a product that most developers use every day or at least most every day. I myself, as the administrator for our company, use it every single day that I'm on the job. So it needed to be a platform that provides easy but competent access to flaw data. Veracode does that. Not all the competitors do.
If we had to do it again, we would probably factor in more input from the development teams themselves. Veracode was our first foray into application security - so we had no prior experience. Now 5 years into it, not only myself, but the development teams have had a chance to work with it and find things they like and don't like.
Veracode Implementation
- Implemented in-house
Change management was minimal - Originally I thought change management would be crucial in our use of Veracode, in the sense that no applications or updates are implemented without a passing scan to validate their deployment into production. But with contract dates and agreements in place, that process isn't always acceptable.
- User adaptation/acceptance
- Enrollment requirements / license limitations
Veracode Support
Pros | Cons |
---|---|
Quick Resolution, Good followup, Knowledgeable team, Problems get solved, Kept well informed, No escalation required, Immediate help available, Support understands my problem, Support cares about my success, Quick Initial Response | None |
We did purchase premium support for Veracode - we do with each contract renewal. It's important to us to have access to knowledgeable representatives on an ASAP as needed basis. The group I work with is always there when needed. I've worked with several project management teams at Veracode now in our 5 years - all of them have been top notch, including my current group. When there are problems, they address them immediately.
Yes - I've reported bugs that for the most part have not hindered our experience using Veracode. Most of the bugs I have reported are with the platform itself where it could just use improvement to its feature or presentation. Most of those have just gone into a collective for future fixes or enhancements. The only one that I would really like to see fixed sooner rather than later exists with the Looker analytics - idle timeout... that is a hindrance.
Just recently actually.. I had a dynamic scan that all of a sudden just stopped working when I updated the password for the credentials I had been using. After trying to diagnose and fix it myself for a week or so, I called in a consultation call for it. Veracode support stepped in and resolved the issue almost immediately. Put in a patch on the internal scanner, and boom - off and running again. Very pleased with the level of support there...
Using Veracode
Pros | Cons |
---|---|
Like to use, Relatively simple, Easy to use, Technical support not required, Well integrated, Consistent, Quick to learn, Convenient, Feel confident using, Familiar | None |
- Detailed flaw analysis
- Retrieval of analytic data for report generation
- I think the whole elearning system needs an overhaul.
- The analytics dashboard area can be cumbersome when you are constantly plagued with idle timeouts while you are working on a look.
Yes - Not an app or anything, but you can view the website platform over a mobile device... difficult to use at best, but it can work when in a serious crunch (no laptop access). I've been able to delete a scan when needed over that medium. But the presentation of the site isn't really designed for mobile use, and the display does suffer.