What is our primary use case?
Manual Penetration Testing is a security tool for static code scanning. It's still in testing, so the client has it in their commercial cloud. As soon as it's federally approved, they'll move it to the government cloud. That's supposed to happen any day now. I think their government cloud is AWS. I believe they're looking at the dynamic piece as well.
What is most valuable?
I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far.
What needs improvement?
We're still trying to get things operationalized, piloted, and tested. I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you. For example, it would be nice if the solution used AI or machine learning to detect what your code was by doing. It could perform the review and decide how to package up the software. You could run it and wouldn't need as much developer involvement.
For how long have I used the solution?
We've had Veracode in place for about three or four months now.
What do I think about the stability of the solution?
I haven't heard anything negative about Veracode's performance, and we've had a hundred people test it at one time. We may get to a point where see some degradation, but we haven't yet.
What do I think about the scalability of the solution?
Manual Penetration Testing looks relatively scalable. We won't know those things until we get a critical mass of people testing all at the same time. We have around four teams that are scanning continuously, or on a fairly regular basis at this point. So.
How are customer service and support?
I'm happy with Veracode's support. We're getting the help we need. I meet with them weekly, and they answer our questions.
Which solution did I use previously and why did I switch?
We haven't worked with something like this before. This is the first time the organization has picked up this type of scanning solution.
How was the initial setup?
Setting up Manual Penetration Testing wasn't complex. None of these solutions are complicated. You get it, set it up, and run it. It has been deployed. They're already scanning, and more developers are being onboarded. We followed the implementation strategy provided by Veracode. One person is probably enough to onboard people and set them up. We need one person to concentrate on the strategy and ensure the systems are set up correctly.
What about the implementation team?
We deployed Manual Penetration Testing ourselves, but we have an arrangement with Veracode to provide the necessary professional services to support us. Consulting is part of the package they provide.
What was our ROI?
We used it to scan and detected a vulnerability, and they're trying to use it to identify how to fix the problem. That's the only example of an ROI we've got so far.
What's my experience with pricing, setup cost, and licensing?
I'm not familiar with the costs, but I believe it's around half a million. I'm not sure how it compares to the other solutions, but I assume they're all in the same ballpark. HCL might have been a little less expensive.
Which other solutions did I evaluate?
I think someone at my company was looking at SonarQube, but whoever did that didn't go forward with a commercial version. I don't know how it would've worked out, and I didn't look at it. There was a community version someone had for years, but it never got the traction. Then I looked at HCL, Synopsis, and Cast. Cast is deep but highly expensive. Those were the Cadillac solutions. We went with the SaaS because they did not have anything that was on-premThey wanted something that would be in the gov cloud that we fed ramped and low maintenance on our side.
What other advice do I have?
I rate Veracode Manual Penetration Testing nine out of 10 for support and ease of setup. If you're considering this solution, I suggest trying it out and taking the opportunity to learn and teach yourself. Take some classes or online training. I found the solution pretty straightforward, and I'm not terribly technical.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
