Veracode Stands Tall Among the Leading Application Security Platforms
Updated September 01, 2022
Veracode Stands Tall Among the Leading Application Security Platforms
Engineer in Information TechnologyInformation Technology & Services Company, 10,001+ employees
Score 9 out of 10
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
- Dynamic Analysis (DAST)
- Network Discovery
Overall Satisfaction with Veracode
Veracode is being used as an application security service across our organization. We rely upon Veracode as an authority in mitigation efforts. The platform and its scanning services help manage potential flaws found within the applications that we support and host. Developers interact with Veracode and the security team to help resolve any flaws that are discovered.
- I have found the Software Composition Analysis area to be the best among the competing products for Application Security.
- Veracode's support services are impeccable.
- Their program management teams are professional, helpful, and friendly.
- Although an improvement to what was there previously, the Analytics section using Looker, could still use some improvement. It does seem that what Veracode has deployed is a very limited version of Looker. While helpful and useful, there seems to be so much more that Looker does (such as dynamic querying), however, the version that Veracode employs doesn't seem to offer this.
- More user control of administrative functions such as user adding/deleting. Veracode still uses a 'soft delete'/'hard delete' functionality. This can become cumbersome for self-user-administration when a deleted user has to be re-added. A support call is then necessary to have this done.
- Their idle timeout process needs work. While using the Looker tool, you must save your work every few minutes, as their 'Shark-attack-like' idle timeout will sneak up on you and redirect you away in an instant causing you to lose any unsaved work.
- Static flaw analysis section
- Software Composition analysis section
- Analytics dashboard
- APIs both for developer submission of scans, and administrative retrieval of analytic data.
- Veracode has helped in identifying many flawed areas within our applications.
- Veracode's many services have helped our development teams recognize and understand the importance of secure coding standards within their own SDLC.
- This isn't really a dig on Veracode, but despite their best efforts and ours, it still seems to be a hard sell to much of our user community to adopt a system like Veracode as a needed service.
During the course of our using Veracode, we still do evaluate other platforms to see what they offer, and how they compare to Veracode. I do most of the evaluations myself, and I still come back to Veracode as being the overall best platform. Most every platform, for better or worse, still charges about the same yearly amount as Veracode. Mind you, none of them including Veracode, are inexpensive services. But even though some of their competitors have enticing elements to their services, overall Veracode still offers the best service, turnaround time, and support for the money.
Do you think Veracode delivers good value for the price?
Are you happy with Veracode's feature set?
Did Veracode live up to sales and marketing promises?
Did implementation of Veracode go as expected?
Would you buy Veracode again?
Overall, Veracode is one of the best, if not the best, products for application security out in the market. It is a great platform for keeping track of flaws and being able to report on them. Their support services and program management services are excellent, as they hire really good persons to handle these areas. There is still room for improvement in their analytics area.
100 - IT Development, Information security, vulnerability management. Development for the submission of scan and retrieval of findings. InfoSec and VM for administration, processing of analytic data.
1 - Information security personnel, once an application developer with 25 years in that field. Detail oriented with aptitudes in troubleshooting, and loads of patience working with developers that need lots of guidance.
- Application Vulnerability flaw identification and remediation
- Data collection
- Authoritative entity to ensure customer base that our applications are secure
- Some clients want monthly reports on flaw progress, use of APIs to automate monthly retrieval of those specific client reports.
- Hooking Veracode up to the VR module in Service Now to have regular pulls of analytic data into Service Now for further spotlight on flaws and ticket creation.
Evaluating Veracode and Competitors
- Product Features
- Product Usability
- Product Reputation
We wanted something that not only our developers would find easy to use, but would also be easy to implement and administer. This would be a product that most developers use every day or at least most every day. I myself as the administer for our company use it every single day that Im on the job. So it needed to be a platform that provides easy but competent access to flaw data. Veracode does that. Not all the competitors do.
If we had to do it again, we would probably factor in more input from the development teams themselves. Veracode was our first foray into application security - so we had no prior experience. Now 5 years into it, not only myself, but the development teams have had a chance to work with it and find things they like and dont like.
We use it as a SAS service, so really just getting our teams to mold the use of Veracode into their SDLC has been a process of years in the making. It comes down to what your teams are ready and willing to accept and change. Management is key in getting their groups on board with using it regularly. If it doesnt have management backing, your security teams have little to no influence in getting this process off the ground fully.
Change management was minimal - Originally I thought Change management would be crucial in our use of Veracode. In the sense that no applications or updates are implemented without a passing scan to validate its deployment into production. But with contract dates and agreements in place, that process isnt always acceptable.
Having worked with their support and program management teams now for over 5 years, I've been exposed to many support requests, concerns, and issues. We have even had one negative issue with their support team process, that was immediately addressed at their upper levels, and those upper-level management persons worked with me directly on the concerns. We recently had an issue with their mitigation process, and although it did take time to resolve, it was handled very professionally and escalated to the highest levels to address our concerns. Needs that have arisen from us as a customer have been addressed immediately and worked out with me directly by some of their most senior personnel to make sure our concerns are met. Again, their support services are among the best out there.
Problems get solved
Kept well informed
No escalation required
Immediate help available
Support understands my problem
Support cares about my success
Quick Initial Response
We did purchase premium support for Veracode - we do with each contract renewal. Its important to us to have access to knowledgeable representatives on an ASAP as needed basis. The group I work with is always there when needed. Ive worked with several project management teams at Veracode now in our 5 years - all of them have been top notch, including my current group. When there are problems, they address them immediately.
Yes - Ive reported bugs that for the most part have not hindered our experience using Veracode. Most of the bugs I have reported are with the platform itself where it could just use improvement to its feature or presentation. Most of those have just gone into a collective for future fixes or enhancements. The only one that I would really like to see fixed sooner rather than later exists with the Looker analytics - idle timeout.. that is a hinderance.
Just recently actually.. I had a dynamic scan that all of a sudden just stopped working when I updated the password for the credentials I had been using. After trying to diagnose and fix it myself for a week or so, I called in a consultation call for it. Veracode support stepped in and resolved the issue almost immediately. Put in a patch on the internal scanner, and boom - off and running again. Very pleased with the level of support there...
I believe this platform to be one of the most user friendly out there. After evaluating some other competitor platforms, I've seen one other that comes close to ease of use and others not so much. That is one of the main reasons we continue to renew with Veracode. Areas for improvement continue to be the analytics section and a very quick to annoy idle timer.
Like to use
Easy to use
Technical support not required
Quick to learn
Feel confident using
- I think the whole elearning system needs an overhaul.
- The analytics dashboard area can be cumbersome when you are constantly plagued with idle timeouts while you are working on a look.
Yes - Not an app or anything, but you can view the website platform over a mobile device.. difficult to use at best, but it can work when in a serious crunch (no laptop access).. Ive been able to delete a scan when needed over that medium. But the presentation of the site isnt really designed for mobile use, and the display does suffer.