Veracode is a DAST solution that we use for automated security scans of our APIs and front end. We perform daily scans of our applications so we can act on the results quickly instead of routine security audits that we might do yearly or quarterly. It's a complement to the standard penetration test suite.

Veracode helps us improve our overall security and build trust with our customers. For example, some of our customers have strict security requirements, and they need us to use more products. It helps our business by building confidence in our products' security. Veracode improves our sales and helps us secure contracts because we can demonstrate what we are doing to the clients. 

We can use it in our dev environment to detect issues early before they get into production. It saves time equivalent to one full-time security engineer. We have around 60 people on the team, but we don't need a security engineer. Our regular engineers can fix the issues themselves based on Veracode's report. 

I like Veracode's ease of integration and onboarding. You can quickly and easily get started with a new project or application. That's one area where Veracode shines relative to other tools we've evaluated. Other tools need more work or an engineer to do the setup. With Veracode, you can do the onboarding in a few steps quickly. 

Another beneficial feature is Veracode's reporting. The report not only outlines the security issues in detail but also offers some solutions. Even if one of our backend engineers isn't specialized in security, they can still fix the issue solely based on the suggestions in the report. 

When Veracode updates the pool of tests and security checks, it could be a little more transparent about what it is releasing. It's not clear what it's adding. They do thousands of checks, and when they add more, there aren't many details about what the new tests are doing. 

I have used Veracode for 2 years.

I rate Veracode 10 out of 10 for stability.

I rate Veracode support 8 out of 10.

Positive

Veracode is the first tool we purchased specifically for DAST testing. We we use altered secure tools, and we used to do penetration test, but using people. Right? Not not automated.

Deploying Veracode was straightforward. There weren't many steps. We needed to prepare our API specifications and set up our system. 

The price is worth it. You have to consider the cost versus the security Veracode provides. It's also cheaper than the other solutions we considered. 

I rate Veracode 9 out of 10. 

We use the solution for identifying bugs before deployment in the software-side cycle process.

It can be integrated with our CL and CDProp pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.

We've saved a lot of time since using Veracode. We've also been able to cut down on costs since we require a lot of penetration tests for testing our software. Veracode helps us drastically reduce these costs. We've cut our costs down by 40%.

The solution provides us with a feature that we can directly use with static and dynamic analysis. With static analysis, we can use it while the app is not running, and with dynamic analysis, we can scan our application while it is running. It provides efficiency and also saves a lot of time for penetration testing and bug testing.

The capabilities of the analysis of the code base can help us effectively detect potential vulnerabilities. This is the most valuable feature we found. It can be integrated with multiple code editors, and it can also be integrated with various CI/CD pipelines.

The dynamic analytics is efficient. It helps us identify bugs while the app is running. We find that this ability is way better than its competitor.

Our impression of the solution's ability to prevent vulnerable code from going into production is positive. Prior to Veracode, we used to deploy our apps, and it used to be an expensive process to fix the bugs and all the potential vulnerabilities after deployment. Now, we have access to AI. It has AI tools, which have been trained with a lot of data sets. It helps us to detect bugs and fix them.

We use the free access to VeriCloud's application security consulting team. The consulting team has helped us a lot, and we've had positive experiences with the vendors. It is efficient and very fast. It takes less than two or three days, and they always respond positively. They are really fast at solving our problems. It's important for us to have access to an application security consulting team at no extra cost.

We use Veracode's AI-generated fixes. They make fewer errors and are very accurate. We've had a very positive experience. They've saved approximately seven hours of debugging and error finding versus the manual penetration testing process. 

The solution's policy reporting for insurance compliance with industry standards and regulations is very helpful. It's fast as well. The team helps us at every step of the product life cycle. They provide us with very useful visibility into things like static analysis, composition analysis, and manual penetration. It significantly helps us to reduce the time that we have to manually fix the bugs, and it also provides us with an efficient solution for future cases via past analysis through its data algorithm. We've saved six to eight hours compared to manual fixing.

Veracode has had a positive impact on our organization's ability to fix flaws compared to the prior. It has reduced our costs and time, and it has also provided us with multiple security functions. That, and it's made our application a lot more secure. It really helps our devs free up time due to less debugging needed on their part.

The solution has helped us a lot with our overall security posture. Many security features were fixed prior to release, and we've been able to reduce manpower and employee count. We've reduced teams from six or seven people to two or three. 

The integration capabilities with our existing development tools are very good. The integration process was easy. It has stable APIs.

The solution does take a bit more time when we use it for multiple processes. When we use it for a single process, it takes up less time. The cost also goes up when we use it for multiple processes. 

I have been using the solution for six months.

The solution is very stable. We haven't come across any bugs. 

Our security team of three uses the solution. 

It's great for scaling. We can use it on multiple projects which involve multiple security flows.

Technical support has been very fast and efficient. The team helps us at every phase of the development cycle. 

Positive

We did not use a different solution. Previously, we relied on manual testing. 

We deployed the solution in about three months. We had a team of eight working on the implementation. During the process, I was in charge of, IT was in charge of security, and the AI algorithm.

We don't require any maintenance.

Even after six months, we've seen an ROI. In terms of resources, it's great for cost-cutting. It also generally cuts costs by 40%.

The pricing is moderate for particular processes. However, if we take an entire process in general, it can be costly. It's more economical to use it for single purposes instead of generalizing processes. 

Thanks to its algorithm, Veracode is an on-demand service that can be very cost-effective. With so many features, we no longer require many people to test.  

If they are worried about pricing, people should try out their demo feature, which is available online. That way, they can demo and evaluate how it would work for them. If it works for their team and product, they may find it can optimize their processes. Of course, it depends on the use case. 

I'd advise colleagues considering Veracode to evaluate the specific requirements for their application and do an in-depth analysis. I would recommend it as a product.

I'd rate the solution ten out of ten. 

We use Veracode mainly for legacy software audits.

The most valuable feature of Veracode is the binary scan feature for auditing, which allows us to audit the software without the source code. Veracode's most valuable feature is the verified vulnerability database, and we can do a full software audit at our company, including all of the systems.

Veracode should provide more flexibility in its pricing and licensing modules so that it could be more affordable for all types of projects and not only for very active mission-critical projects.

With the solution's security audit feature, an enterprise should be able to cover all of its applications with the desktops. Veracode is simply too expensive for that. If you know about the price of a web application, and if you multiply it by 1,000, the return on investment doesn't work. It's okay for one or two projects running very fast, but it doesn't work for all the legacies. So, it's a huge amount of money.

There should be some lighter tool that allows you to do some audit scanned one time. Only ten percent of the applications are actively developed. About 90% of the other applications have no projects or budgets, but we are still vulnerable. It is too much if you buy it for all of that.

I have been using Veracode for three years.

Veracode is a completely stable solution, and we had no problems with its stability. The solution was a bit slow, but it was stable.

We didn’t face any issues with the solution’s scalability.

We know only one person from Veracode, and he supported us when we had issues, and he was able to solve everything.

Positive

We have previously used Checkmarx. Veracode's pricing is cheaper than Checkmarx, and it has some unique features like binary scan. In Hungary, Checkmarx is installed more than Veracode.

The solution’s initial setup was very easy. Only one or two people are needed for the initial setup of the solution.

Veracode is a very expensive product.

Veracode can list a lot of vulnerabilities, but processing all of them is a time- and resource-intensive process. I think Veracode has no innovative features because a lot of other software can do that. In our opinion, innovative features are a commodity with Veracode, but they are doing a good job.

The solution's ability to provide visibility into application status at every phase of development is valuable. It can be faster, but it can also slow down because our backlog may be much longer. There will be a lot of vulnerabilities or false positives that have to be processed. So, it is not black and white, but it is safer. Veracode has helped our developers save time.

Veracode has had a very low impact on our organization’s overall security posture because it is a very expensive product. An enterprise with 1,000 applications uses the solution for one or two applications. Veracode does not need any maintenance because it's cloud-based.

Veracode is very important to our organization’s shift-left security strategy when we have a project with enough sources to provide the license. I use Veracode’s cloud version. The return on investment with Veracode is good for one or two mission-critical projects running in the company. For other things, users should use open-source solutions or much cheaper products like SonarQube that are not as good as Veracode.

The fact that Veracode scans only binary code and doesn't scan source code concerns me sometimes. Sometimes, we have to do some source repository audits. We cannot use Veracode for source repository audits because it scans only binary code. I would recommend Veracode to other users.

Overall, I rate the solution ten out of ten.

We use Veracode to scan the applications.

Veracode's ability to prevent vulnerable code from entering the production environment is good.

Using Veracode's ASC team is easy. I can send them an email and arrange a call from the app. They were helpful when I had issues or questions about using the app.

Free access to the ASC team is a significant advantage because they possess in-depth knowledge of the product and are readily available for assistance.

It is innovative when it comes to features.

Veracode helps our organization with security scanning. We realized the benefit of Veracode as soon as it was deployed.

The policy reporting is valuable because it provides two key benefits: first, it generates a security score for our application. Second, it offers comprehensive reporting that details both the vulnerabilities found and the potential risks they pose to our application.

Veracode can provide visibility into application status at every phase of development.

It assists our application team in fixing flaws by identifying issues and guiding the team toward resolving them.

Veracode helps our developers save time by ensuring the code is secure.

Veracode helps us improve our overall security posture. When a Veracode report shows no vulnerabilities, it indicates a strong security position. This allows the security team to sign off on approvals more efficiently, as a clean Veracode report is a key factor in their evaluation process.

Veracode is a valuable tool for a shift-left security strategy. It helps save overall development time, money, and effort by identifying and resolving security vulnerabilities early in the development lifecycle.

I find Veracode's SASD feature to be the most beneficial because it enables us to proactively identify security vulnerabilities in our application code before deployment. This static analysis helps ensure a secure application rollout across all environments.

The scanning takes a lot of time to complete.

Veracode offers comprehensive visibility into application security throughout the development lifecycle. However, due to cost constraints, we are not currently utilizing all available analysis types.

I would like Veracode to introduce infrastructure as code scanning.

Instead of relying on emails, it would be beneficial if Veracode offered a built-in tool for logging and managing issue tickets.

Veracode sometimes performs maintenance without notifying clients in advance, which can cause disruption.

I have been using Veracode for two years.

For the most part, Veracode is stable but there are times when we have downtime due to maintenance that we are not informed of.

I would rate the scalability of Veracode nine out of ten.

Technical support has been great at fixing any issues I've had.

Positive

My client in the banking industry previously used Black Duck before switching to Veracode.

Veracode's end-to-end testing offers a significant advantage over other solutions by providing a comprehensive security solution. This includes capabilities for static analysis, dynamic scanning, and even penetration testing. However, the cost associated with dynamic scanning and penetration testing may deter some clients from utilizing these features.

I don't have firsthand knowledge of Veracode pricing, but based on client feedback, it seems to be expensive with additional fees for certain features.

I would rate Veracode eight out of ten.

Maintenance is performed by Veracode.

During a Veracode evaluation, consider the following factors: Evaluate the time required for Veracode to complete a scan. Faster scans allow for quicker feedback and integration into development workflows. Consider the overall cost of Veracode, including licensing fees and any associated charges for scans. Assess Veracode's orchestration tools, particularly its compatibility with your existing CI/CD pipeline. Ideally, Veracode should offer seamless integration for easy adoption. Evaluate the availability and variety of connectors Veracode offers for integration with your development tools. A wider range of connectors simplifies the integration process.

My company produces one of the most secure fabrics that you can find. Veracode is integrated into our development cycle through Jira. We do a full static analysis with Veracode and use Burp Suite to review the findings. The most common attack vector we find in Java code is SQL injection. When SQL injection shows up, you send a screenshot and a report to your executive team. They see the screenshot and say, "Oh, they're seeking injection here." 

This has now become a top priority. We're going to pause all these redundant features that we're making here and ensure our code is secure with no SQL injection vulnerabilities. Veracode finds everything, and the security engineers do the penetration test using the results. You provide a report showing where the issue is, and developers can fix it. We also use Veracode to train security engineers and teach them how to file reports.

My case is different from other individuals. I worked for a startup, so we had to find a way to capitalize on all the resources in Veracode. Larger organizations are not leveraging the built-in dashboard. That aspect is what people want to know about. They want to see how their money is being spent on security. The biggest problem with security is getting funding. None of these executives believe anything these users are saying until they can see the results.

They want that dashboard report. In less than three weeks, a junior security engineer can learn to create a dashboard easily that will allow the organization to stay on top of the most important things. They need to show the stakeholders that we're doing something here. They'll get the certification and see the dashboards. You now have something that's actually worth $2,000. With these other ones, who knows what you'll get. 

It allows us to provide a certificate showing stakeholders and potential customers the proof that we take security seriously. Everyone says that they're on top of their security and have all these things in place. In a sales call, we can immediately respond to any questions about our security posture by pointing them to a link showing that your company was among the few companies that completed the full certification process. Veracode has four levels of certification, and we are at level three, I believe. 

To my knowledge, Veracode is the only real devSecOps pipeline that captures every component of the software delivery cycle, from sandbox and staging to development and production. You need to go through those four phases and ensure the code is secure by the time it hits production. Veracode handles all those phases seamlessly and can be automated with Jenkins.

Veracode is highly efficient at fixing flaws. A single person can go through and do a penetration test after collecting the data from Veracode. Instead of telling developers where the issue is, they can show them in the code editor for the static analysis. They can assign tasks to the team using Jira, so developers almost never need to do that work. They actually almost never go back and fix any of these vulnerabilities. That's why I was my company's most hated and most loved man. I forced them to do it.

I like Veracode's API. You can put it into a simple bash script and run your own security testing from your MacBook in less than 15 minutes. Veracode's application security consulting team is very helpful. They're responsive and follow up quickly. 

Veracode would benefit greatly from more training resources. The videos are great, but I would like more hands-on training writing a script, validating a script with a unit test in a different language, etc. That's something that would be very valuable. 

We have used Veracode for more than four years.

Veracode is highly stable. It very rarely crashes. 

I rate Veracode support 10 out of 10. Their customer support is incredible. If I have any issues, I can immediately connect with their support team and have a real working solution within one week.

Positive

Deploying Veracode is easy. I had the best customer success manager at Veracode helping me. After deployment, Veracode requires little maintenance. 

Veracode is inexpensive and cost-effective. The licensing model is unambiguous. You know what you are getting. They also give you several seats for training. That's why it would benefit them to improve the training because more people could take advantage of it and use certifications. Some certifications for other products don't have much real value, but Veracode is a product many companies use, so it could help people get jobs.

If you're concerned about the cost, you should meet with a representative to talk about pricing. Veracode is flexible, and they're willing to let companies try the platform or test different features. They will work with companies to get to the point where they'll use it.

I used JFrog X-ray with homegrown scripts for testing the code. It was terrible. We chose Veracode because it is more scalable. We could run scans on any code, and it was reliable. Also, their documentation was up to date. With other software providers, you would find an issue in the documentation, and they would backtrack, saying, "Oh, no one's using that." 

Veracode immediately responds to the community. You have people in the community supporting each other and suggesting new features. Software providers say they're open to suggestions. Veracode will quickly get something from the community and immediately put it into development. JFrog has the same stuff as they did four years ago. They haven't changed anything. 

I rate Veracode 10 out of 10. Veracode is constantly changing and improving. 

We use Veracode for static application security testing, dynamic testing, and software composition analysis. My company's engineering team has about 50 people who use Veracode across multiple product lines. 

The main benefit of Veracode is that we can deliver better, more secure software. Our customers also trust Veracode. When we share the Veracode report, they see that we have gone through all the due diligence.

Veracode aligns with SOC, ISO, and other types of certifications. It helps with compliance that Veracode has all these reporting formats. The solution provides visibility at every stage of development. We have automated almost everything through integration with Jenkins. As soon as the developer commits, it triggers the static scan for the main branches. We don't need to trigger the scan manually or do a follow-up to see if it's done scanning. 

The solution saves time by reporting issues and recommendations that help developers fix the reported vulnerabilities faster. I estimate that it improved developer productivity by about 10 percent.

Veracode has good support for microservices, and I also like the sandbox environment. For example, when introducing a new component, we can scan it in a sandbox environment. It will not impact the main environment. When our team fixes it, they. can push it to the production environment when the results are acceptable. 

The solution effectively prevents vulnerabilities from entering production. We've drastically reduced our third-party VAPT-reported issues. Before Veracode, the third-party VAPT analysis reported hundreds of issues per application. Now it's down to about 20, and Veracode can address most of them.

The interface is one thing I find a little challenging. Veracode's interface feels a little outdated compared to other solutions, and it could be modernized. I'm mostly happy with the features, but Veracode could add Docker image scanning. 

I have used Veracode for about six years.

Veracode seems stable. I don't recall facing any issues. 

Veracode is scalable.

I rate Veracode support eight out of 10. They are quite good at responding to issues. 

Positive

We tried AppScan and Snyk.  From an integration perspective, Snyk is a little better integrated with our pipelines and ticketing system. 

I can't recall the deployment well, but I think it was straightforward. Veracode requires no maintenance after deployment. 

I have not calculated the return on investment, but I think it's at least 200 percent. 

We aren't paying the listed price. We get some discounts, but we get a lot of value from it regardless of what we're paying. We look at the overall cost of what we would spend without a tool like Veracode. The longer you delay fixing security vulnerabilities, the more it will cost you during the later stages. By integrating it into the development cycle earlier, it helps to keep total costs lower.

We evaluated multiple scanning solutions before choosing Veracode, and we perform a mandatory comparative analysis annually. Veracode's scanning engine is more innovative and provides a more detailed analysis relative to Snyk and AppScan. It performs much better in terms of the number of issues discovered. 

I rate Veracode 10 out of 10. When implementing Veracode, you need to develop a workflow or a process. It becomes easier if you have that in place. For example, you can create a workflow where you scan inside the sandbox and approve those fixes before moving to production. 

Also, you should have separate people for raising issues, remediation, and approval. That way, you will have some control over which issues are mitigated and for what reason. That process flow has to be set up properly. Another aspect of successful implementation is automation. Your team needs to invest time in automating and embedding scanning in your pipelines. 

We use Veracode to identify vulnerabilities in code to ensure the security and integration of the apps.

Veracode effectively identifies vulnerabilities within the code. My role is to analyze these vulnerabilities and assign a severity level before forwarding them to the development team. This allows them to address the issues before deployment to production.

Whenever Veracode releases a new feature, we seek the expertise of Veracode's application security consulting team to understand its functionality and how it contributes to code security. The team demonstrates exceptional responsiveness and promptly addresses our questions, eliminating the need for unnecessary back-and-forth communication.

In today's digital world, cybersecurity is more important than ever. Veracode offers a comprehensive suite of features that help developers secure their code through automated scanning. This scanning identifies vulnerabilities and detects malicious code, preventing it from entering production.

Veracode has helped reduce our time to remediate security flaws.

The policy reporting for ensuring compliance with industry standards and regulations has been positive for our organization.

Veracode provides visibility into application status at every phase of development.

It has been instrumental in enhancing our organization's ability to fix flaws while simultaneously reducing our manpower requirements allowing us to focus on other issues.

Veracode has helped our developers save 20 percent of their time.

Implementing Veracode has significantly bolstered our security posture. We can uncover more vulnerabilities and streamline our detection process. We've become more proactive in identifying and addressing security threats. This allows us to focus on building secure applications with confidence.

Veracode has proven to be a solid choice for our organization's shift-left security strategy, compared to other solutions like Darktrace.

To ensure secure software from development to deployment, we leverage Veracode throughout our CI/CD pipeline, enhancing our app security at every stage.

Veracode helps us prevent vulnerable code from entering production, strengthening our third-party application security.

Among Veracode's features, vulnerability scanning stands out for its effectiveness in identifying and remediating security weaknesses, ultimately mitigating threats to our applications. 

The integration capabilities have positively affected our existing development tools when integrating with other cloud solutions. It is easy to integrate and the support team is helpful during the integration process.

Veracode helped improve our compliance posture with our existing solutions.     

The automation of Veracode is great because we no longer have to run manual testing. 

The weekly report logs are great because we can address any vulnerability issues that are detected quickly.

Veracode runs comprehensive scans and links the vulnerable code to the weekly reports identifying what services are affected and forecasting the next steps.

The GUI requires significant simplification, as its current complexity creates a steep learning curve for new users.

I would like Veracode to introduce more sophisticated AI features.  

I have been using Veracode for one year.

I would rate the stability of Veracode nine out of ten.

Veracode supports scaling up whenever we want to keep up with our growing app portfolio.

I would rate the scalability of Veracode eight out of ten.

The experience I had with their technical support has been great.

Positive

I recently changed companies, and my current employer does not use Veracode. However, I have discussed implementing it with them because it offers more mature features compared to other solutions.

The initial deployment took around four months and required five people.

Veracode is affordable for large organizations, but its pricing may be out of reach for small and medium companies.

I would rate Veracode an eight out of ten. Veracode's pricing hinders my overall rating of the solution. 

Veracode was deployed in two regions with 25-plus users.

Veracode requires some maintenance to keep the scanning accurate.

While I highly recommend Veracode, affordability for smaller organizations may be a significant hurdle due to its pricing structure. It's crucial to carefully evaluate their budget constraints and explore alternative solutions if necessary.

I used Veracode in my previous company. My role was to assist the team in identifying the vulnerabilities in the reports. I identified those and diverted them. The software team was responsible for taking appropriate actions to fix those.

We used Veracode in our environment to have account verifications or transaction confirmations. Apart from that, we had event registration as well as membership confirmation.

Veracode provides visibility into application status at every phase of development. My role was to analyze the vulnerabilities and pass them on to the software team. The severity of a risk was provided by us, and the software team was responsible for mitigating that. It helped us a lot in mitigating the vulnerabilities. We were able to proactively react to anything malicious.

It helped with early vulnerability detection and automated security testing. These were two things for which I usually used to use Veracode.

The static analysis and the dynamic testing methodologies for security vulnerabilities helped us in our development process. It allowed our developers to address issues before they became complex or expensive to fix. That was one of the things that helped us a lot.

Veracode helped us with the Log4j vulnerability. At that time, we relied completely on Veracode.

Veracode helped our developers save time. Proactively fixing the vulnerabilities saved a lot of time. It saved 50% to 60% of the time. Fixing them after the sprint is over takes more resources and time and also costs us. Veracode saved time as well as the cost.

Veracode helped us with the shift-left security strategy, but we did not rely much on Veracode for that because we already had something for that. Veracode was good enough overall.

The scanning is most valuable. The scans given by Veracode are one of the key features that I like.

The integration with DevOps pipelines is seamless. 

The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives.

I have used Veracode for almost two years. 

It is stable.

It is scalable. The agents were deployed on about 2,000 machines. For administration, we had a SOC team. It was filler work for them, but we had a team of 13 people.

Dennis from Veracode helped us right from the deployment. If there was any critical task, he used to help us with that. We hardly had to reach out to their support for any issues.

I have used different solutions. I have used Darktrace. I have used CrowdStrike and Carbon Black. In my current company, I am using CrowdStrike.

When I was using Veracode, each agent needed to be deployed on each machine. I do not know what they are using now. CrowdStrike is a single platform with a single agent. You can deploy it on all the machines. That is one of the advantages. Moreover, I have become used to the GUI of CrowdStrike over the last year or so. I am more comfortable with CrowdStrike, but it depends on person to person. I would rate Veracode an eight and CrowdStrike a nine out of ten. I am a bit biased toward CrowdStrike because I am currently using it in my organization. I am not using Veracode here.

I was involved in its deployment. It was super easy. The support that was provided by them was fabulous.

There was a delay from our end. It took us almost 90 days to deploy it, which included approvals and other things.

We had a consultant from Veracode. His name was Dennis. We were satisfied with his job. 

I used it for two years in my last organization, and we saved a lot of costs. It was not related to the product; it was related to the risks that we used to get. On the technology side, it surely saved a lot.

They keep on working on their product. They keep on upgrading that. The threat landscape keeps on evolving, and there are new threats every day. The Veracode team helped us in mitigating and remediating them and guiding us with those particular threats. I would surely recommend Veracode. I even tried to recommend it over here, but I am not one responsible person for that decision over here.

They have recently introduced a feature called "Veracode Fix" that produces AI-generated fixes. I read about it somewhere. It does vulnerability identification and prioritization and some behavioral analysis. It does dynamic analysis of any malware or any abnormal or malicious behavior. It is evolving. One more thing that I read was pattern recognition. The AI algorithm that has been provided recognizes patterns. It can assist in recognizing patterns and trends in security data.

It has policy reporting for ensuring compliance with industry standards and regulations, but we did not use that.

To those who want to use Veracode or any similar solution, I would advise being aware of their environment and security posture and seeing where it fits into their security posture. If they proactively work on the alerts provided by Veracode, they will surely save a lot of money, time, and resources. I would suggest working proactively on the alerts given by Veracode.

Overall, I would rate Veracode an eight out of ten.

Previously, finding security issues in our complex healthcare software was a time-consuming process. Manually reviewing all logs took half our time. However, Veracode has revolutionized our workflow.

With Veracode's automated solution, we now receive daily reports highlighting security vulnerabilities. This allows us to address issues promptly, significantly reducing the previous two to three-week investigation period.

Veracode also eliminates the need for manual testing, freeing up our team for other tasks. Its user-friendly interface provides comprehensive scans, and detailed reports, and even pinpoints specific lines of code causing issues.

This shift-left approach has greatly improved our development process, resulting in fewer customer complaints. Proactive vulnerability detection and efficient issue resolution have significantly enhanced our team's productivity.

Veracode does a great job preventing vulnerable code from going into production. For enterprise-level companies, saving time is paramount. Previously, manual testing took days and still didn't uncover as many issues as Veracode now identifies. Despite having a skilled testing team, their workload has been reduced by 70 percent thanks to Veracode. This newfound efficiency has revealed vulnerabilities we wouldn't have found otherwise. Veracode excels at showcasing issues and their severity, extending beyond violation errors to encompass potential security risks and logic-related issues. Its user-friendly interface simplifies the process for all users, regardless of their technical expertise. As a developer, I recognize the immense effort behind Veracode's seamless operation. It automates the grunt work, freeing up our developers to focus on other tasks.

The policy reporting for ensuring compliance with industry standards and regulations is good. Veracode covers a vast majority of industry standards and identifies areas within our code that don't comply with those standards, providing remediation suggestions.

Veracode provides comprehensive visibility into application security throughout the entire Software Development Lifecycle. During the coding stage, Veracode scans the entire codebase for vulnerabilities. Additionally, we utilize Veracode's static analysis capabilities for further security assessment. Once the product is published and deployed to the production environment, Veracode analyzes the entire software stack to identify any potential security risks. In short, Veracode plays a vital role in various stages of our software development and production process.

Veracode has significantly improved our speed in fixing software flaws. It has also transformed our approach to addressing issues. Previously, we spent considerable time investigating the root cause of errors in the code. Now, thanks to Veracode, we can devote more of our intellectual resources to directly fixing the system, which ultimately results in a more efficient product for our users.

It has significantly reduced our build time. We automate our builds every day, running them between 3:00 AM and 5:00 AM. Once the build is complete, Veracode scans the entire build and provides a report by 6:00 or 7:00 AM. This allows us to review any new issues in the build by the time we start work at 9:00 AM, enabling us to address them quickly. Previously, this process took several days, but with Veracode, it now takes just a few hours. We now continuously review and fix issues every day, leading to significant time savings compared to our previous weekly review process.

Veracode has significantly enhanced our security posture by improving our security practices and increasing the efficiency of our security team. Additionally, we are now experiencing a decrease in the number of errors reaching production. Previously, our development process involved developers building and deploying code, then sending it to the security team for evaluation and subsequent feedback. This cycle is often repeated multiple times, leading to delays and inefficiencies. However, with the implementation of Veracode Greenlight, developers are now empowered to test their code directly, effectively shifting our first layer of security. This shift has enabled us to deliver even more secure products while simultaneously saving substantial amounts of time.

I would like Veracode to add more language support.

To use the Veracode extensions, we need to create a file in a folder and name it "prevention and filters." It would be more user-friendly if Veracode could automate this process by creating the file automatically when the Greenlight extension is installed. Additionally, a pop-up tool for security could be shown to guide users through the process making it more user-friendly.

I have been using Veracode for six months.

Veracode has been a stable platform for us to date.

Veracode can scale based on the price tier selected. I would rate the scalability of Veracode a nine out of ten.

The Veracode support team is excellent. I had an issue removing an account, so I emailed support. They created a case for me within one minute and sent me an automated email with a registered ticket. Within five to ten minutes, I was contacted by a support representative who quickly understood my problem.

My account had expired on the platform but hadn't been deleted from the backend. The representative understood this right away and provided a solution for a hard delete. He was also very knowledgeable but explained that he needed the administrator's permission to proceed. He suggested I add him to the thread, and everything was resolved smoothly.

Positive

I would rate Veracode a nine out of ten.

Minimal maintenance is required for Veracode.

We are not concerned that Veracode does not scan source code, as we believe scanning binary code is a more advantageous option.

Since security is paramount for applications, utilizing Veracode to identify and remediate vulnerabilities is a wise investment. This approach frees up valuable time and resources, allowing for more efficient progress.

We use Veracode for SAST and SCA. We are moving towards dynamic analysis as well. We use it now to scan our artifacts and reports, and very soon we are going to use the Veracode plugin for our IDE to have immediate results for security analysis purposes.

Before integrating Veracode, we were getting so many security vulnerabilities on higher branches. We integrated it to fix that. It prevents vulnerable code from going into production. We have fewer vulnerabilities and bugs.

We are getting the security vulnerability results on a day-to-day basis. Our pipeline is running every hour, and we are getting early feedback, giving us a shift-left approach. On a daily basis, we are able to rectify issues rather than find them in production or pre-production.

It provides visibility into application status at every phase of development. We have our initial feature branch, or low-level branch, and then we commit. The pipeline is running, so we will know about things immediately. This is quite valuable for us.

The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline.

Another aspect that is quite good is the policy reporting for ensuring compliance with industry standards and regulations. Initially, we were using freeware tools, but we are quite impressed with how Veracode gives the most detailed and latest vulnerability and security information.

I have been using Veracode for almost a year.

It's a stable solution. There are no problems. The stability is a seven or eight out of 10.

We connected with Veracode's support a couple of times, and we got a different answer each time.

Neutral

We used to use Snyk and other tools. The switch to Veracode was an enterprise-level discussion, and I was not involved.

It took some time to see the benefits, around six to eight months.

Although Veracode doesn't scan source code, only binary code, I'm not concerned because we can scan the source code with an SCR tool.

Veracode hasn't yet helped our developers save time. Their development time has increased because, initially, we were only taking the security and vulnerability issues on the higher branches. Now it is on lower branches as well, so the development time has increased. In the local branches, if a report indicates something has not passed, we are not allowing them to merge their code into higher branches.

We have it deployed in a multi-cloud and hybrid environment. We are using AWS, Azure, and VMware vSphere.

Overall, I would recommend Veracode. It is quite helpful.