Superior code scanning enabling faster and more secure code.
December 14, 2024

Score 9 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
- Dynamic Analysis (DAST)
Overall Satisfaction with Veracode
We use Veracode to perform Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans against our code, repositories, and CI/CD pipelines for code deployments. We also utilized the IDE integration for software engineers to identify code issues earlier in the development lifecycle.
One of the areas Veracode excels in is their reporting. Our application development releases required a Veracode report to be included showing no high/critical findings.
Pros
- SAST scanning
- SCA scanning
- Reporting
- CI/CD integration
Cons
- UI and UX felt a little outdated in some of the screens.
- Lack of flexibility on their outdated pricing model. This has since been corrected in 2023/2024.
- High effectiveness in detecting insecure code
- Streamlined release cycle by building security controls into deployments
- Highly customizable reporting simplifying reporting to stakeholders.
My preference is to consolidate when possible. The product offerings need to meet a certain level of standards. I would not select a product for the sake of consolidation if the module was not up to standard.
Very important. My role requires continuous evaluation of our security posture and program maturity. Dashboards and reporting are integral to ensuring the data I report to executives and program stakeholders is relevant and accurate.
All. We use the IDE integration to scan code as it is being developed, and we integrate into the CI/CD pipeline to scan PRs and code merges. We also use the SCA module to scan our code repositories for evolving threats within open source libraries.
By integrating at all stages of our SDLC, Veracode has allowed us to increase our release velocity by ensuring security scans take place throughout the development lifecycle rather than at a point in time later in the process, which would add delays for remediations.
- Snyk and SonarQube Cloud
I found SonarQube to have some decent data for code quality checks but it underperformed for code security.
Snyk is a decent product and strong competitor to Veracode for SCA. Snyk's SAST offering is not as good as Veracode and does not support as many languages.
Veracode outperforms in SAST and DAST capabilities as well as reporting functionality.
Do you think Veracode delivers good value for the price?
Not sure
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
Yes
Did implementation of Veracode go as expected?
Yes
Would you buy Veracode again?
Yes