TrustRadius: an HG Insights company

Veracode

Score8.7 out of 10

213 Reviews and Ratings

What is Veracode?

Veracode provides advanced application security solutions, trusted by enterprises to develop and maintain secure software. Its platform identifies exploitable risks, speeds up vulnerability remediation, and reduces security debt at scale using a proprietary AI-assisted remediation engine.


Media

Screenshot of a fix
Screenshot of the Veracode Platform
Screenshot of SCA
Screenshot of SCA Github


Veracode User Experience

Use Cases and Deployment Scope

It is used across the organization. We are using it for static analysis of our code. We have selected the policy that requires our release code to minimize the level of security faults. Besides static analysis, we use Software Composition Analysis, and we found it very helpful in rectifying vulnerabilities from third-party libraries.

Pros

  • Good integration with Jenkins and Visual Studio.
  • Parsing the code well.
  • It has a good dashboard.
  • SCA graphs for transitive dependencies are very useful in identifying the vulnerabilities.

Cons

  • The main problem is the slow speed of the scan; it took 11 weeks in one instance.
  • The problem was ongoing for a number of months, and eventually they managed to slash the running time to one day. However, since then the running time usually takes 2-3 days, as the scan always stops during the run.
  • While SCA for Java works very well, there are a number of issues on the C++ side. It cannot recognize the libraries built by default from third-party vendors' source code.
  • Especially the newer version produces lots of false positives.

Most Important Features

  • Thorough scan of our code.
  • Integration with our release process.
  • Accurate info about vulnerabilities in third-party libraries.

Return on Investment

  • At the moment, due to the very slow speed of the scan, we cannot fully integrate it into our development process.
  • However, we are using it for our release process.
  • The analysis that Veracode software provides gives us and our client confidence that we are producing secure code.

Alternatives Considered

GitHub

Other Software Used

Microsoft Office 2016 (discontinued), Microsoft Visual Studio, IntelliJ IDEA, Notepad++, Microsoft 365, Atlassian Jira

Usability

Secure your code from IDE to production

Use Cases and Deployment Scope

We use it as a SAST and SCA tool for all the developments in our organization. All our developers analyze the code they write using the IDE plugin and Veracode Fix to help make the software more secure.

Pros

  • IDE integration
  • Gitlab Enterprise integration
  • Reporting for Product Owners

Cons

  • SAML integration when you have multiple domains
  • Scan whole repos to get a sense of security maturity
  • Authorization model for reports and dashboard

Return on Investment

  • No critical or high vulnerabilities get to production
  • Complex onboarding on teams that don't work following enterprise guidelines or that don't have expert devs
  • Once the devs have it working and integrated into the IDE, it is easy to use for them

Alternatives Considered

Sonatype Platform, GitLab and Fortify by OpenText

Other Software Used

Appdome, OneTrust Third-Party Management, HackEDU

My experience with Veracode

Use Cases and Deployment Scope

  • We run static scans on a regular basis (integrated in our continuous integration) on all our major branches.
  • We review the Software Composition Analysis and the "Triage flaws" section on a regular basis (minimum every week).
  • We run a dynamic scan before each major version release.
  • Our goal is to fix all the Very high/high/medium vulnerabilities this year. We'll then look at the minor ones.

Pros

  • Report generation
  • Flaws description and remediation strategy
  • Consultation requests

Cons

  • Scan results stability: from one scan to another, additional flaws appear whereas code did not change.
  • Entry points selection: hard to be sure the selection is optimal; it should be automated or hidden.
  • Branches management: we currently use sandboxes to scan different branches of our software. Would be good to have real branches management.

Return on Investment

  • Adoption by developers: they are more aware of security aspects.
  • Allows us to see where we are in terms of application security.
  • We're able to deliver clear security reports to our clients.

Alternatives Considered

JFrog Security (Xray), Coverity Static Analysis (SAST) and CheckMark 1095

Other Software Used

SonarQube, JFrog Security (Xray), OWASP ZAP

My experience using Veracode tool

Use Cases and Deployment Scope

I have been using Veracode for nearly 2 years; we are using its SAST and DAST features. Previously there was no source code validation in our software development life cycle. We used this tool to shift security to the left, and tried to make the process as automated as possible. The best use case of this tool is that it can fit anywhere with flexible plugins at different stages of the SDLC. Even the support is very good and co-operative.

Pros

  • Veracode integrates into the IDE, where the development starts. IDE scans will help in reducing the versions of code.
  • The best thing about Veracode is that it is a SaaS platform, and we can run the scan and do our other work in parallel.
  • Veracode dynamic analysis is pretty good, as it clearly shows the requests it sends to the server and the response it receives from the server, which helps in analyzing the vulnerabilities more easily.

Cons

  • Reporting work can be improved.

Return on Investment

  • I am a senior security engineer; I could not give you the numbers, but I can see the difference before Veracode and after Veracode in the business.

Alternatives Considered

SonarQube, Qualys VMDR and JFrog Security (Xray)

Other Software Used

SonarQube, Qualys VMDR, JFrog Security (Xray)

Good SaaS service for finding security vulnerabilities in code.

Use Cases and Deployment Scope

In my organization, Veracode is used as an enterprise mandate to scan any application or service built by the development teams before deploying it into higher or pre-production/testing environments. After the scans, the security team reviews the results to mitigate or fix the vulnerabilities found by Veracode static and dynamic scans, following the recommendations provided by the tool, such as upgrading a third-party library to a newer version through SCA.

Pros

  • It is good at recommending fixing issues with third-party dependencies used in application code with detailed version information and knowing which version fixes what.
  • It has a very nice interface for triaging flaws. One can sort the vulnerabilities found in code from Very Likely to be exploited to least likely to be exploited.
  • There is a collections feature that allows us to group together groups of application profiles belonging to the same suite of applications.

Cons

  • The Veracode CLI could be provided as a setup or installer file instead of the PowerShell command to install it from the script.
  • There should be a copy feature that takes comments from vulnerabilities found in one application profile and imports them into matching flaws of another application profile.
  • The automated module selection at the review step just after the upload should be better at identifying entry points and should select only custom-developed code modules instead of third-party ones (at least the common ones).

Return on Investment

  • It has a positive impact on easier PCI DSS compliance.
  • It boosts the security aspect of any application developed in the organization, so there are fewer chances of exploits, which equals less damage to business and reputation.
  • There is no need to set up in-house scanning systems, which saves the cost of maintaining that solution, so it is another positive impact.

Alternatives Considered

Sonatype Vulnerability Scanner