IT Central Station is now PeerSpot: Here's why
Buyer's Guide
Software Composition Analysis (SCA)
July 2022
Get our free report covering Synopsys, Snyk, Sonatype, and other competitors of JFrog Xray. Updated: July 2022.
619,967 professionals have used our research since 2012.

Read reviews of JFrog Xray alternatives and competitors

Evan Gertis - PeerSpot reviewer
Penetration Tester at NetFoundry
Real User
Top 20
The scanning process helps to significantly improve our standards and best practices
Pros and Cons
  • "The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting.""
  • "The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way."

What is our primary use case?

We use software composition analysis and static code analysis. We use a software composition analysis component to identify third-party vulnerabilities in our software. And then we use the static composition analysis to analyze flaws within our application on the front-end and the back-end.

We also use Veracode for static composition and software composition analysis and static code analysis because we need a way to identify vulnerabilities and flaws in the application and relay that information to our developers.

The manual penetration testing is not really used as much.

Having a centralized view is probably one of the most important aspects of the platform. We need to have some way of looking at all the flaws and all the vulnerabilities in one centralized view. 

Having this has improved our visibility into application status. It's very important because it's the way that we communicate flaws to our developers. And without it, we'd be missing out on an opportunity to explain what seems to be fixed and what needs to be managed.

How has it helped my organization?

Veracode helps us to reduce security debt. We're finding that issues like cross-site scripting injection, injection, and those sorts of vulnerabilities are getting addressed more quickly. And we don't really have to worry about where those are, whether that's being fixed or not because we can see them in the platform and we can see the score increase every time those get fixed.

The solution's ability to help create secure software is very valuable. We're a zero-trust networking company so we want to have the ability to say that we're practicing security seriously. Having something like Veracode allows us to have confidence when we're speaking to people about our product that we can back up what we're doing with a certification, with a reputable platform, and say, "This is what we're using to scan an application. Here's the number of vulnerabilities that are on an application. And here's the risk that we're accepting."

Using Veracode SCA helped increase productivity for our security and development teams. Every week we do a vulnerability report and we look at the flaws that were reported by Veracode. Our process essentially goes by meeting with developers, looking at the report, finding out which flaws are the most important ones to fix first. After we've done that, we set up a sprint and we have developers work out two to three of those tickets until they're complete. We've done that now for about six months. We increased our application score from a pretty low level all the way up to Veracode Level Three, so above 90. We don't have any high severity or high vulnerabilities and we don't have any mediums and applications anymore. Following that process is extremely helpful. We also utilize the Veracode dashboards as well. We use the Veracode dashboard to monitor our progress in triaging flaws. Then we want to make sure that things are actually getting fixed. And then we can count those metrics by looking at those dashboards.

It has definitely improved our security posture and communication with developers. I think that now developers are taking our security seriously, whereas before it was something that was always important, but there was no real way of actually tracking what was getting done. Now that we have the tool that we can use to track what's getting done, we're making objectives and setting goals, and working towards this.

What is most valuable?

We use the screening process to help our security professionals and developers fix flaws in the code. It's probably the most utilized security tool that we have at our company.

Scanning with Veracode SCA reduces scan times by a few seconds. It also helps to increase our fixed-rate by 14%.

The scanning process helps to significantly improve our standards and best practices.

The mitigation recommendations provided by the scanning engine of Veracode are important for developers to understand. They need to know how to fix things. So just giving them a blank vulnerability and saying, "this is the issue," doesn't really help. They need something that tells them how to fix the flaw and where to fix the flaw.

Veracode helped us with certification and audit. We're working towards Veracode Level Four right now, we've achieved Veracode Level Three status, and we're looking forward to reaching the next certification level. The goal of that is to eventually have all of our third-party vulnerabilities and mitigate them so that we're in good standing and we don't have anything coming from a third-party library that could possibly compromise our application. Once we get to that fourth certification Veracode Level Four, that would be great.

What needs improvement?

The JIRA integration automation aspect of it could be improved significantly. We want to have a way to create tickets that are going to allow people to work through those flaws that we're finding. We don't want people to feel like they're missing out on something or that they're not following directions in the right way. And we have a process in place where there's a set of tickets and people can work on them. It just seems that people are more focused. They tend to pay attention to what they're doing and there's accountability. So having a more rigorous JIRA integration would be very helpful.

For how long have I used the solution?

I have been using Veracode for over a year. 

What do I think about the stability of the solution?

It's a very stable product, and I think that the team at Veracode is constantly putting in more effort into trying to make it into a better platform. They take feedback seriously. They constantly improve the platform. They are working towards adding features that developers are requesting. So it's always changing, there's always something new being added to it, which is very good.

What do I think about the scalability of the solution?

Large enterprises are probably following a very different practice from what we're following. I think that smaller organizations are going to have an easier time using something like Veracode because of the flexibility of the different API tools that they have available. An enterprise might have a more complicated time scaling it. The issue with that is that the enterprise is probably going to use a proxy and having to deal with the networking issues, it's going to become very difficult for that to scale. However, in a small company, those situations are mitigated pretty easily by getting two or three people together. So we move through those very fast, we're extremely agile. We're always forward moving. We're always rapidly developing. I think each company has its own specific way of handling scalability, it's always been easy just because we're a very collaborative team. We know how to work with each other and we're always receptive to each other's feedback. I can't really speak for other companies, but I can tell you that we find it pretty scalable. That's really just our culture though.

I run all of the administration and I direct people in what needs to be done. So, that's about it. In total, about seven people are really using it.

We are using it to its fullest extent. Even the manual penetration testing aspect of the platform is very useful. The manual penetration testing aspect of the platform is something that would be nice to incorporate because the cost is significantly less than other security companies. For example, InfoSec is about $3,000 more than Veracode, for any organization that wants an all-encompassing security platform. But what we get with Veracode is a platform that provides software composition analysis, static code analysis, Docker Container Scanning, manual penetration testing results, and dashboards that show the progress for moving through all of those issues. And that's probably the most important aspect of the platform.

Once they introduced the prebuilt dashboards that really reduced the amount of friction with upper management. Typically, my mentor said that almost all issues in any business organization come down to personal relationships and opinions, so when Veracode introduced those dashboards, it removed the ability for people to give opinions about what was being done and what wasn't being done.

We're driven by facts as people, so we can look at those metrics and say, "This is what's actually getting done." And there's no ambiguity. Then really that just removes all opinion from any sort of conversation.

How are customer service and support?

They monitor all of the conversations in the platform on the Veracode community. My rep is very responsive. He answers community questions. He votes up really important questions and the issues are getting answered quickly. That's the most important part because then the business, if we run into an issue on Monday and we spend two or three days trying to debug the issue, we haven't figured it out. You can go to a place and actually get an answer. Whereas some organizations try to use a tool that's custom made and they're going to run into an issue where it's intractable. It can't be solved. However, with Veracode, customer support has always been able to find some sort of solution. Anytime I've ever had a problem, it's always been resolved 100%. There's never been a time where it's gone unresolved. I can't say that about every tool.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used a combination of things. We use Sonar, Veracode, and JFrog Artifactory just give us a diverse picture of what vulnerabilities are in the application and how we can fix them. Veracode seems to always provide the best feedback. Other platforms really aren't at the same level, they provide reports and those reports are usually very static and they're not very informative. Whereas with Veracode, the platform is very interactive. You can tell that it was designed for users and Sonar is the same way. Sonar is very static. Even in Bitbucket, you can now scan your code with Snyk.

How was the initial setup?

The initial setup was pretty straightforward. The best way to handle it is to get the Java JAR file for the upload, use the terminal on any given laptop, like a Mac or a Linux, and create a small script that uploads a couple of JAR files up to the platform.

Once that's complete, once you have a proof of concept that works with just a couple of lines, then the next step is to move that into a pipeline. Preferably something like Jenkins. Jenkins allows people to run scripts. You can just run Dash straight in a pipeline. Once you have that setup, you pull all that down into the Jenkins pipeline.

Once that's done, you now have all of the binaries that need to be scanned, and you can set the pipeline to run a scan on a weekly cadence. If you want to take it a step further, you could actually move that into a build pipeline and really follow shift-left practices where you're moving the security aspect of the development cycle further up the pipeline. Flaws are being found before they go into production rather than after they're in production. So that would be my recommended approach for working through that problem.

I went through and I actually added container scanning now, so in Veracode at this point, we're running software composition analysis, static code analysis, and on top of that Docker container scanning. So it's a pretty big product. The thing that would be more helpful is better Jira automation since that aspect keeps track of what's getting done. Then essentially you have a full pipeline setup that automates the generation of tickets, scanning, and just takes care of itself. It's a self-service security tool.

The setup took around a week.

What was our ROI?

We have absolutely seen ROI. We have buy-in from upper management and developers. We have a lot of people who are very excited about what we're doing and we're working towards that.

We've personally seen a major decrease in vulnerabilities and we've seen an increase in awareness for security. So people actually have conversations about security now, and they're taking it seriously. It's no longer an issue that gets swept under the rug. I think a lot of smaller organizations would benefit from having a tool that showed them what is being done, as opposed to someone just saying this is what we're doing if they can see the results that really improve. So, once we added that, we saw a decrease in vulnerabilities, we decreased our third-party vulnerabilities from a pretty significant level and attended the three down to single digits, which is huge for any organization.

What's my experience with pricing, setup cost, and licensing?

The thing that I'll go back to is when one of my mentors said to me "Evan, security is a critical aspect of any organization. People don't always believe in it. And the best way to sell it is to explain what could go wrong." So when we compare what could go wrong, having a third-party vulnerability, like a graph library, such as the one that Equifax used, which led to a $3 million lawsuit, and their reputation was destroyed. When you compare that to paying $8,000 for an application, it's a no-brainer. Once the reputation of an organization has been tarnished, that's it. The whole thing is completely over. Really everyone loses faith and once people lose trust, it's almost impossible to get people to believe in a vision.

It's definitely worth it considering what could go wrong. The DevOps Mantra is to always be prepared for what could go wrong. Most things are going to go wrong.

Having a static cost gives people confidence. And once people start using it, if the price changes, then that's going to be dependent on how much they're getting out of it.

Which other solutions did I evaluate?

I definitely looked at other security platforms, but Veracode seems to have the most performance.

With Xray, essentially you upload your builds, once you've uploaded your build, you index it. And after you index it, it'll give you a security report. Now, the thing with that is you have to make a policy, you get a report, the report comes out as a PDF and the PDF doesn't really tell you how to fix it. It tells you the fixed version.

The first path of that really was just creating a pipeline that ran a curl request over to Artifactory to generate that PDF. And then on Monday mornings, that was automated. So management can go in, look at that PDF and say, "Oh, okay, these are the things that are happening in our application." Whereas Veracode, is fully automated, it runs the full scan and then creates the tickets. So that's the contrast. 

What other advice do I have?

My advice would be to start with meeting with people from Veracode. Once you meet with the team from Veracode, the best way to handle that is to start asking questions and identifying the things that would be of value so that an organization doesn't start out by paying too much money. Then you're moving away from that being too scared of what the outcome is. I think once they go in and they have a meeting with people and they can actually discuss what they want to do, that's the first step towards planning out how the platform will be used.

I would rate it a ten out of ten. 

Which deployment model are you using for this solution?

Private Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Finto Thomas - PeerSpot reviewer
Information Security Program Preparer / Architect at Alef Education
Real User
Top 20
Gives our teams visibility into copyright and security risks in our code
Pros and Cons
  • "The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?"
  • "Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences."

What is our primary use case?

We are in the education industry, but we are a developer-based company. We heavily use lots of public libraries. We use Sonatype Nexus Lifecycle mainly for protecting us from vulnerabilities and license copyright issues. We heavily depend on its database.

It's a hybrid. We have our on-premises instance for our internal security. With Sonatype itself, we use the cloud service, but we have a few modules on-premises, such as IQ Server and the report server. We have deployed those modules on AWS. As a company, we use cloud services 100 percent.

How has it helped my organization?

We have started rolling out to each of our feature teams and so far we have rolled it out to about 30 percent, but we can already see the benefit. It gives our teams easy visibility into the risk inside our code. "Risk" in this case can be copyright, more along the lines of compliance, and security itself, such as vulnerabilities.

From the legal and security perspectives, we have a huge concern about what we use in our product and our platform. Before using Sonatype we had a huge business risk. Since bringing in Sonatype, we have visibility for both the legal and security teams. It enables us to maintain the quality from the third-party libraries.

We follow the CI/CD methodology and Sonatype's impact is really huge because we are able to meet our continuous integration in the DevOps pipeline. The speed of that flow is noticeable. The impact is on both development and operations, together. The integration with the CI/CD pipeline is easy.

What is most valuable?

From the integration perspective, it is easy to use, out-of-the-box. The GUI is not complex.

I mainly use two modules, the report server and IQ Server. The value I get from IQ Server is that I get information on real business risks. Is something compliant, are we using the proper license?

With IQ Server we are currently running the default policy. We started deploying six months back and our main objectives were identifying any bad licenses in our library or product, and whether we are using any critically vulnerable assets. We have stuck with the default policies and they are giving us huge visibility and, as a result, we are putting a lot of effort into remediation.

In terms of the data quality and the database they have for open source, I'm impressed. For our requirements, the data we get seems to be updated well when it comes to license-type and vulnerabilities.

The solution also blocks undesirable open source components from entering our development lifecycle. We use it for controlling third-party libraries.

What needs improvement?

Nexus Lifecycle is multiple products. One drawback I've noticed is that there are some differences in the features between the products within Lifecycle. They need to maintain the same structure, but there are some slight differences.

Other than that, the tool is very user-friendly and gives the right reports to the right teams.

For how long have I used the solution?

We have been using Sonatype Nexus Lifecycle for about the last six months.

What do I think about the stability of the solution?

Until now, we haven't faced any challenges on the stability front. If there's a challenge, if something is down, we definitely get a direct alert. We are happy with the stability part. Both the software and the infrastructure are good.

What do I think about the scalability of the solution?

There are two aspects to the solution's scalability. The infrastructure scalability is the first part, and that is good. The second part is the developer and the licensing front. When we started the program, we had 60 developers but we now have double that number. There's flexibility on both the infra and the licensing. That is good, as of now.

How are customer service and technical support?

When it comes to cultural adoption, when we put something new in the DevOps pipeline, the positive side is that we have a dedicated professional support team and there is a dedicated person. I'm on the security side, I'm not a developer. So the challenge for me is that when I go to the developers, they have a different language. That support person is always there to support me and I'm very happy with that support and the way they handle us as a customer. I can go to the development team or the department and say that, "If we need any support, let me know." I know that dedicated support person will be there for us. That's very much appreciated. That model is actually helping me to push our development teams to get into this new integration. The support model, with a dedicated person, is very useful.

We have frequent meetings with the person who manages the team, and our dedicated support person from Sonatype. If there's a new update it's like we have permanent support. They help us to update.

I would rate their support at nine out of 10.

Which solution did I use previously and why did I switch?

We were using Sonatype open source, the repository server, for a long time, as a free edition and as a PoC. That's why we picked Sonatype Nexus Lifecycle. 

Before that, we were using a different solution for a period of time. We jumped to Sonatype from our previous solution because it had a limitation on the modules. If I go for a multiple module integration, there is additional cost, whereas with Sonatype, they bundle licenses. There's no limitation. I can go for any number of integrations. That's the reason we switched to Sonatype.

How was the initial setup?

The initial setup was triggered from a template in the cloud, so it was easily set up.

With this implementation, the challenge is awareness. We have 14 development teams, but when we started the program there were 10. The number of development teams continues to increase and they use different tools and techniques in the CI/CD. From my side, in security, the idea is to make them aware. This would be the same whether the product was Sonatype or something else. Making them aware has been a very big challenge for me, to onboard them and make the product effective.

So the initial, technical deployment is easy, but to make it effective, we have had to bring that awareness into focus and do repeated training.

The initial deployment took one or two days, taking into account the infrastructure requirements in AWS. But that's not the issue. We deployed the server, but if nobody's using it there's no value from it. The value comes from being able to integrate all the developers. The dedicated support person was very useful in helping me create that awareness and value from it.

We use a lot of tools in our CI/CD, so the initial month was more of a feasibility test and proof of concept which was validated with multiple scenarios. Then we started onboarding teams, one per month. We work with the Agile methodology in two-week sprints. Each team picked the integration per its own Agile sprint timeline, based on the product owner's priorities. Within the two-week sprint for a given team, we are able to do a full integration for that team. But within those two weeks, if you look at the real effort, it would be a maximum of about two days, including troubleshooting. We have covered 30 to 40 percent of our teams so far. Within the next three to four months we may be able to complete the process and cover 100 percent.

What was our ROI?

When I started with Sonatype six months back, I knew that I wanted to do 10 integrations. When I started integrating with a development team, and getting them more usability, I understood the reality was not 10, it was actually 100. When I ran with another vendor, even though I started with a small price, when I looked at the total cost of ownership or the return on investment, it was totally different. With Sonatype there is definitely a return on investment in the number of integrations and the personal support. In that sense, there has been a lot of value. 

In addition, the bundled licensing is a huge difference and provides flexibility. We are not limited by the number of integrations, like in other products. We have flexibility and scalability. For us, the return of investment or value is huge, when it comes to the licensing model.

What's my experience with pricing, setup cost, and licensing?

Cost is a drawback. It's somewhat costly.

Which other solutions did I evaluate?

As part of the procurement process in Alef, we have to do a minimum three-product evaluation. We evaluated Sonatype, a different solution, and there were two more in the pipeline. Based on that evaluation, technical and other, Sonatype came into the picture. 

The competing solution was actually cheaper, no doubt, but when we looked at the overall picture, the total cost of ownership after one year of integration, we understood it would be less with Sonatype, even though the initial price was less with the other products.

If you're going to be scaling and growing quickly, in a way you cannot predict, the Sonatype licensing model and feature set are definitely good.

What other advice do I have?

Look at the scenario of the total cost after one year, not the initial stage. When we looked into the initial stage costs, there were vendors that cost less. But when you come to the integrations and real scenarios, that bill goes up. We had to clearly evaluate, not only the initial moment, but one year or two years down the line and consider the total cost of ownership.

Also, be sure to properly utilize the engineer allocated to your site to help support the developers.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Software Composition Analysis (SCA)
July 2022
Get our free report covering Synopsys, Snyk, Sonatype, and other competitors of JFrog Xray. Updated: July 2022.
619,967 professionals have used our research since 2012.