Excellent Code Security Scanning Cloud Service
December 29, 2022

Excellent Code Security Scanning Cloud Service

Mike Clarkson | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)

Overall Satisfaction with Veracode

This is a very thorough tool to statically scan your source code. It works very well for us, and it's always interesting to see how your code writing changes over time as you become more security focused. We are in the process of setting up dynamic scans, but for now we are doing static scans only. They take a little time to complete, but we are scanning our entire software suite so it's to be expected. We have found a number of issues, some of which are in legacy code which we are probably not going to fix as it is actively being replaced.

Pros

  • Static scans
  • User Interface
  • Results of scans with detailed descriptions of what the issue is and how to potentially fix it

Cons

  • The time to complete a static scan
  • A lot of developers just brush it off - but tickets are coming so they have to fix their issues!
  • It's turned me to be a more security-focused developer
I had one support case open with them about an issue I noticed, but it was nothing. The module list stated that a PDB file was missing, but the PDB file was generated and included in the zip file submitted. However, the PDB file it was complaining about was for a library we didn't have. The support technician was very helpful and gave me a couple of suggestions about how I can improve my submissions.
Currently, we use it in our development branch
It's turned me more security focused in my development. Once our other developers start getting tickets to fix the security flaws, I'm sure they'll start thinking that way too!
Sonar cube was quicker, but not as thorough. Both integrated into our CI/CD pipeline, however the integration for Veracode is more straight forward.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

I wasn't involved with the implementation phase

Would you buy Veracode again?

Yes

The ease of integration into our CI/CD pipeline (it only added a couple of minutes extra per build) followed by a weekly static scan of our entire code base which in turn generates results of all the severe items identified. Sometimes they are false positives as it's in libraries we don't control, but we pass on the findings back to the library maintainer(s). Often we have to modify our code slightly to mitigate/patch/fix the issue.

Comments

More Reviews of Veracode