Examples of the 101,000+ reviews on PeerSpot:

Software Development Engineer II at a tech vendor with 1,001-5,000 employees
Real User
Top 20
Jan 8, 2026
Monthly scans have provided baseline security but still miss critical vulnerabilities
Pros and Cons
  • "One benefit is that we have automated the scanning process."
  • "In my opinion, Veracode lacks significantly in most parts, including its UI, its reporting, ease of use, and the features that it provides."

What is our primary use case?

I have been using Veracode for the last two years, which is one of the security scans that is part of our organization and is mandatory for all products to be scanned by this tool.

We use Veracode for DAST scans, which involves dynamic scanning of our web application. Veracode only supports web application scanning for security vulnerabilities, and it performs black box testing on our application for security issues and cybersecurity testing methodology.

Our product is in the backup and recovery space and has a web interface for it. Since it is a relatively new product that we have, we perform Veracode scans every month to ensure that whatever we are developing is in compliance with Veracode standards. To identify any early vulnerabilities we introduce in our development process, we conduct monthly scans. Initially, I used to perform scans manually by logging into Veracode and following the step-by-step procedure to execute a scan, but now we have automated it somewhat. Although Veracode does not provide a tool for automating scans, we have found a workaround using Selenium to automate it ourselves. We are using Veracode to identify early security issues in our development.

What is most valuable?

One benefit is that we have automated the scanning process. There is a first layer of security where every month Veracode scans run and share a report on whether there are any high severity vulnerabilities in our application. This is beneficial as it provides a base-level security layer that helps us identify entry-level issues early on using Veracode. This tool is able to track basic issues.

Veracode seems to be a basic security testing tool because we have observed that Veracode was not able to find some actually severe vulnerabilities in our application. When we later conducted penetration testing with a dedicated pen testing team, we found many security issues that I feel should have already been identified through Veracode if it were doing its dynamic testing properly. These vulnerabilities were relatively simple for Veracode to find in our application, but they were not found by Veracode and instead were found by the other team. Even another product called ZAP, the ZAP tool from OWASP, which we have used, identified issues that Veracode could not identify.

Honestly speaking, Veracode is just our compliance scan that we have to do but don't want to do, as it is part of our compliance testing. Regarding any particular feature, I will say the Veracode UI is the only noteworthy aspect. It is not that easy to use, but if you spend some time, you will be okay with it, though it is not that good. I honestly do not feel its UI is comfortable or its reporting is clear because it is not really understandable what exact issue we have. They should make it simpler. In my opinion, Veracode lacks significantly in most parts, including its UI, its reporting, ease of use, and the features that it provides. I do not have any favorite feature and just use it for the sake of our compliance.

What needs improvement?

Veracode can improve to stand in this market. They do not have to do much; they just need to improve their UI experience and add more documentation within the application rather than just creating documentation pages on different websites. They need to ensure their web application guides whoever uses it. Since whoever uses Veracode must be a technical person, they just need to guide them to the actual points. They can also improve their security capabilities by adding more filters to identify what vulnerabilities their application has. They need to improve their scanning engine to scan for more critical defects. Also, the integration part can be enhanced by adding features to integrate with a CLI, such as introducing a CLI version or a Jenkins plugin. If such features exist, they should show it as a pop-up, signaling that they have a new feature. Currently, it feels Veracode from two years ago is still the same, so that is something Veracode needs to improve.

They can improve the security part. Some of the severe security issues were never caught by Veracode in the reports. In fact, I have never seen any high or critical severity issues pop up in my Veracode report. That is one thing they can improve on their scanning ability to catch high severity issues. Next is integration; Veracode does not provide any tools to integrate with Jenkins or CLI. I do not even know if there is any CLI for Veracode that I can use to automate in my pipeline. The last thing is the UI interface that they have, as it is a bit confusing. I remember we did not have the capability to handle authentications of our internal application. We had to write Selenium code using a Selenium IDE. To write a Selenium script for a Veracode scan, you have to download a Selenium IDE, record it, and then paste that file into Veracode. I can see that Selenium IDE is already decommissioned, so it is no longer used by anyone. Still, we have to use it because Veracode only supports that kind of file for Selenium to automate. They can add more ways to authenticate our application using normal JavaScript or Python or Shell script. I feel these are the four main points.

They can document it more by adding tooltips into the application that explain why a parameter is required and what other options are available. For the same example with the Selenium script, they can add a link to their documentation that explains what other kinds of scripts can be written for authentication. I feel they can also make the UI more intuitive so that whoever uses it can guide themselves, as whoever uses Veracode is already a technical person.

What do I think about the stability of the solution?

I have not seen any outages because it is on our private cloud. However, I have observed that it is not that reliable in terms of security because Veracode was not able to find some security threats in our application that existed since the product was developed. I feel it is less reliable, considering that Veracode has the responsibility to find common issues such as path traversal vulnerabilities or issues with broken authentication mechanisms. There were security issues I feel should have been caught by Veracode, but it does not instill the reliability I expect.

What do I think about the scalability of the solution?

I have never experienced its scalability. I have worked on a single product and performed scans for only one product, so I am not sure how it works at scale.

How are customer service and support?

I never got a chance to deal with customer support. Most of the issues I faced were resolved within our organization. I have never contacted them.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

In my previous company, I used SonarQube, which we implemented into our pipelines and was comparatively easy. However, in this company, they do not use SonarQube; they use Veracode. I did not switch solutions; I just switched companies, which is why I am now using Veracode.

Which other solutions did I evaluate?

If I had a chance to replace it, I would go with SonarQube or something else because it has more features.

What other advice do I have?

Veracode seems to be a basic security testing tool because we have observed that it was not able to find some actually severe vulnerabilities in our application. When we later conducted penetration testing with a dedicated pen testing team, we found many security issues that I feel should have already been identified through Veracode if it were doing its dynamic testing properly. These vulnerabilities were relatively simple for Veracode to find in our application, but they were not found by Veracode and instead were found by the other team. Even another product called ZAP, the ZAP tool from OWASP, which we have used, identified issues that Veracode could not identify.

Veracode is just our compliance scan that we have to do but do not want to do, as it is part of our compliance testing. Regarding any particular feature, I will say the Veracode UI is the only noteworthy aspect. It is not that easy to use, but if you spend some time, you will be okay with it, though it is not that good. I honestly do not feel its UI is comfortable or its reporting is clear because it is not really understandable what exact issue we have. They should make it simpler. In my opinion, Veracode lacks significantly in most parts, including its UI, its reporting, ease of use, and the features that it provides. I do not have any favorite feature and just use it for the sake of our compliance.

I do not feel Veracode has improved any efficiency in our project. It is just another release check that we have to perform. It did not add any improvement to our efficiency or security life cycle; it is just there. My overall review rating for this product is 6 out of 10.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jan 8, 2026
PrashantUppuluri - PeerSpot reviewer
Solution Architect at a tech services company with 51-200 employees
Real User
Top 20
Dec 25, 2025
Automated scanning has strengthened web application security and supports hybrid protection
Pros and Cons
  • "Invicti has done a commendable job with respect to ROI, and with respect to being a cost-effective solution and one of the market leaders as an effective solution for SAST and DAST, Invicti has performed very well."

What is our primary use case?

I have worked on a couple of products, specifically in web application security. I have worked on Invicti, and with respect to PAM, I have worked with BeyondTrust.

I have not worked specifically for AWS cloud environments. However, I did work with web application protection with respect to SAST and DAST offerings of Invicti. Additionally, there is one more product within Invicti's portfolio, which is the software composition analysis, SCA.

I have been working with Invicti for three years overall.

Basically, any web applications which work under the port number 8080 or the HTTPS links are web applications, and all of them can be protected from a dynamic or a static environment through Invicti.

I have worked on firewalls, threat intelligence, and multiple cybersecurity products.

What is most valuable?

A good scanning engine is what I appreciate about Invicti. When you want to find out the vulnerabilities within your web applications, Invicti has done a thorough job with respect to filtering out the vulnerabilities and identifying the risk factors with respect to the security modules within the solution.

Invicti does have a segment of the solution which works on the automated scanning engine. As long as the license is active, the scanners that work within the solution are pretty effective.

With respect to SAST and DAST, being a real-time scanning engine is one of the portfolios and one of the selling factors of the solution.

Invicti is known to be a solution that works within the hybrid environment, be it cloud, on-premises, or a mix and match across multiple marketplaces. It does a thorough job.

Most importantly, Invicti is a very good SAST and DAST solution that is very competitive in the market with respect to competitors. Invicti is a part of the Magic Quadrant with respect to Gartner's Magic Quadrant and has made a very good customer database and pipeline within the marketplace locally.

With respect to security impacts in terms of support, Invicti is pretty much supportive. With respect to use cases or the POCs I have run on the solution, we have identified a couple of vulnerabilities and Invicti was able to trace them, detect, and quarantine the attacks.

What needs improvement?

At this time, there is nothing that comes to mind. However, most of the products in the market are pretty much neck-to-neck competitors. Speaking about it, there are a couple of factors which they can work on by identifying features from one another.

Invicti does have a feature where it scans the source code of the applications before they hit the production environment, and that is where the software composition analysis comes into place.

For how long have I used the solution?

I have been working with Invicti for three years overall.

What do I think about the scalability of the solution?

Invicti is scalable, and you can integrate your web application firewall to the solution. I did not find any limitation.

How are customer service and support?

The tech support is decent enough. Moreover, the local support of the distributors and the partners cover up most of the work. However, at times, you would need tech support from the manufacturer or the vendor themselves. We just open up a ticket and they respond within 24 hours, depending on the severity of the case.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

I have not worked with the competition unfortunately. However, I have worked with Cyble.

How was the initial setup?

I did deploy Invicti on a couple of accounts. Mostly it needs a virtual setup. Depending on the license activation and configuration of a couple of policies at the customer's side, you do not have to do much. It is mostly a virtual deployment and very easy.

What about the implementation team?

Local distributors handled the implementation.

What was our ROI?

Invicti has done a commendable job with respect to ROI. We have had a couple of conversions of recurring business from multiple end users. With respect to being a cost-effective solution and one of the market leaders as an effective solution for SAST and DAST, Invicti has performed very well.

What's my experience with pricing, setup cost, and licensing?

The setup cost is pretty competitive. For example, if you want to talk about the SAST license, it comes to about $150 or sometimes less than $100, depending on the conversion or the number of licenses that the customer requests. It is pretty competitive to the market. Since it is affordable, a lot of SMBs prefer Invicti.

Which other solutions did I evaluate?

I did not find any difference in features, but the market reach of Qualys with respect to the enterprise segment is huge compared to Invicti. Invicti is pretty much prominent within the SMB marketplace. In terms of features, they are pretty much neck to neck.

What other advice do I have?

I would rate Invicti as a product and solution as an eight out of ten.

I would suggest starting off immediately because, as I mentioned, all the web applications that work under the port number 8080 and follow the HTTPS protocol can be protected. If they want security with respect to web applications, then Invicti is the answer. It is pretty easy to deploy and manage. It is not a very heavy solution to monitor or to manage by the IT teams, and it is pretty easy and scalable as well. I have assigned an overall rating of eight to this product.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Dec 25, 2025