We utilize Veracode in three primary ways. The first is through Dynamic Scans, followed by Static Scans, and Software Composition Analysis Scans. I find this tool to be highly effective. We have various forms of support available. For instance, we can initiate our scans through the CI/CD pipeline or manually if needed. Additionally, we can create separate sandboxes for each of our code modules. Since development involves distinct code modules, each catering to different functionalities, we can conveniently set up corresponding sandboxes within Veracode. This allows us to scan any module whenever required, which is quite advantageous.
From a SAST perspective, Veracode can prevent vulnerable code from entering production by adhering to our manual checklist.
We haven't utilized the Software Bill of Materials; however, we have employed Software Composition Analysis. Whenever we scan a codebase, any third-party applications or libraries that have been incorporated into the code are automatically analyzed. Subsequently, a comprehensive report is generated. This report outlines the third-party libraries and applications that have been utilized in the codebase, along with their respective versions. Additionally, if any of these versions are found to have vulnerabilities, they are promptly detected.
Veracode is efficient. I have used various other tools such as DAST or SAST, and employing those tools usually takes between five and eight hours. In contrast, Veracode completes the task in two to three hours. For each scan, there is a consultation button available. Clicking on that button allows us to schedule a call with a Veracode support team member. During the call, they explain any issues, clarify why certain problems are false positives, and discuss the reasons behind issue detections. There's also a consolidation part and a support button, where we can raise tickets. I have found that their maximum response time to these tickets is within one day. Before starting the scan, Veracode offers a pre-scan functionality. This functionality performs connection and server checks in the pre-scan phase. It's similar to the SAST side of things for all the tools, where the code base is examined before initiating the SAST application to determine if it's sound. However, in Veracode's case, this is implemented in the DAST system. It checks whether the server is operational if the provided call scripts are correct, and if the provided login scripts are accurate. This pre-scan functionality doesn't run during the actual scan but rather at the very beginning to ensure that all prerequisites are met. Once everything is verified, then we can proceed to initiate the actual scan.
Using Veracode policy regulations, we can offer predefined rules. When setting up any application, we establish the application name and other necessary details. Following this, there is a section where we can input this information. Essentially, there exist predefined regulations which we can either directly utilize if they suit our needs, or adjust them based on the requirements of our project team. Therefore, we have a pre-existing set of rules and functionalities available.
We do have a dashboard in Veracode that offers visibility into the status of applications. There is a section where we can view the application names, and next to each name, there is a status report such as "The SAST has been completed" or "in progress," and the same goes for DAST.
After the scanning is completed, with other solutions from a DAST perspective, we would receive a report. If there are any false positives, we would have to identify them ourselves. However, with Veracode, one of their engineers or a support team member will verify the information, which helps to minimize the number of false positives.
Before using Veracode, we used to perform many tasks manually. We had a checklist for the SAST. We would go through each line of code, attempting to determine its compliance and level of security. Even with the DAST, we used to carry out this process manually. Completing the DAST scan took a considerable amount of time. For each module, we had to dedicate at least two to three days. However, since adopting Veracode, we can now not only perform this process for each module, but we can also initiate scans for all the modules simultaneously. As a result, we can obtain the results within a maximum of three to four hours. Time-saving for fixing flaws is one of the significant benefits that Veracode has provided us, helping reduce the time by almost 60 percent.
Regarding Software Composition Analysis, an exceptional feature is that during a SAST scan, SCA is seamlessly conducted in the background. Once we scan all modules and obtain SAST results, switching to the SCA section reveals the associated reports. This integrated approach eliminates the need for separate SAST and SCA scans, as is required by other tools.
The reporting feature is noteworthy. The reports are well-structured, providing comprehensive details for each vulnerability. Information about the vulnerability itself, its origin, the specific section of code it pertains to, and even the exact line of code involved are all included.
I've found that Veracode is not particularly suitable for Dynamic Application Security Testing. Unlike other tools equipped with their own crawlers, Veracode necessitates the use of a Selenium script for crawling. However, the tool's compatibility with all functions is limited, which can be frustrating. For instance, functions like upload, download, or those triggering new tabs are challenging to handle within the DAST section due to Selenium's inadequacies when used with Veracode.
In contrast to other tools where we can monitor requests and responses during a scan, Veracode lacks this capability. The scan initiates, and we must wait until completion to see the results. There's no opportunity to check if the right requests are being sent or if certain components are being excessively targeted. Once the scan starts, we're essentially locked in until it concludes, and only then can we access the results. Furthermore, even after the scan, we're only provided with a summary of scanned URLs and the number of requests made, without the specifics of the request or response contents.
I have been using Veracode for four months.
Veracode is stable, and we have not encountered any issues.
The cloud version of Veracode can scale according to the file size.
I have engaged in two different types of experiences with technical support. One involves the ticketing system, and the other involves consultation calls. The consultation calls revolved around static analysis. During these calls, we presented all the vulnerabilities we discovered. We conducted our analysis and demonstrated how Veracode identified certain vulnerabilities. However, we also explained instances where these were false positives due to specific reasons. During the call, they acknowledged these issues. They pointed out some of Veracode's limitations, highlighting that it solely scans the code and doesn't consider the framework side. This implies that they accept these limitations. Furthermore, they provided us with insights into how they plan to implement fixes in the future, which is quite beneficial.
Additionally, whenever we had inquiries or doubted Veracode's detection of false positives, they provided detailed explanations. They shared the specific Veracode setup and rules within the SAST side that led to the detection of certain vulnerabilities. They also explained that by incorporating certain mitigations at the code level, these vulnerabilities could be addressed.
Regarding the ticketing system, for minor issues or questions, we would raise a ticket. They consistently responded within a maximum of one day, providing us with the necessary information.
Before transitioning to Veracode, the client had been utilizing a free community version tool. However, the count of false positives was exceedingly high with that specific tool. This prompted the client to seek a solution that could deliver superior results with fewer false positives. As a result, the decision was made to switch to Veracode.
I would rate Veracode a seven out of ten because the DAST has room for improvement.
The maintenance is completed by the Veracode team because we are using the cloud version.
For individuals seeking exclusively SAST and SCA capabilities, rather than DAST, Veracode stands out as the most suitable tool. However, if someone intends to utilize Veracode solely for DAST, I believe they should explore alternative tools. The effectiveness of Veracode's DAST functionality is limited, and using other tools might yield better results. Additionally, Veracode provides comprehensive training resources through its portal, including a list of documents and video tutorials. These resources are readily accessible and offer adequate guidance for initiating the use of Veracode.