Muhammed Shabreen - PeerSpot reviewer
CTO at RIZEK
Real User
Top 20
Does good analysis and increases our security level, but needs to be improved from the usability and pricing perspective
Pros and Cons
  • "It is a good product for creating secure software. The static code analysis is pretty good and useful."
  • "From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front."

What is our primary use case?

We use it for code analysis to see if there are any vulnerabilities in the code. I'm heading a startup for this, and I have a development team of about 14 people. They upload the codebase to Veracode, run an analysis, and take the results. If there are any vulnerabilities, they fix them.

How has it helped my organization?

It reduces security vulnerabilities and increases our security level. It has been helpful in reducing our security debt.

Having a centralized view for our developers and security professionals is very important. If there is anything in the cloud or infrastructure, we need to know proactively. Otherwise, we wouldn't know when there is a security compromise. So, we have to be prepared so that if something happens, we know where to go and stop it. It is not always about fixing and making your code zero percent vulnerable. That doesn't happen generally, but you need to know the areas where something can go wrong. If those areas are your critical systems or critical data security parts, you can act accordingly and quickly.

The centralized view has improved the visibility into the status of our application code. This visibility is very important because we need to know the condition or status of our codebase.

Scanning with the solution has increased our fix rate, but I don't have the metrics. It has also helped to increase the productivity of our security and development teams.

What is most valuable?

It is a good product for creating secure software. The static code analysis is pretty good and useful. The mitigation recommendations provided by the scanning engine are also pretty good.

What needs improvement?

From the usability perspective, it is not up to date with the latest trends. It looks very old. Tools such as Datadog, New Relic, or infrastructure security tools, such as AWS Cloud, seem very user-friendly. They are completely web-based, and you can navigate through them pretty quickly, whereas Veracode is very rigid. It is like an old-school enterprise application. It does the job, but they need to invest a little more on the usability front.

From the pricing perspective, it is not very convenient for startup organizations. They should have options to onboard it for the startup ecosystem quickly and affordably.

There should also be strengthening of the developer community.


For how long have I used the solution?

I have been using this solution for almost a year.

What do I think about the stability of the solution?

I didn't find any errors. It is available and stable. I didn't have any issues with it.

What do I think about the scalability of the solution?

Its flexibility is very limited. It is a very rigid application. Currently, we have six users of this solution in our organization.

How are customer service and support?

I interacted with them once. They were very good. They were very friendly and supportive. I would rate them a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We didn't use a different solution previously. The company started just a year ago. 

What's my experience with pricing, setup cost, and licensing?

For enterprises, Veracode has done a fairly good job, but its pricing is not suitable for startups. The microservice distributed architecture for a startup is very small. I had to do a lot of discussions on the pricing initially. I previously worked in an enterprise organization where I used Veracode, and that's how I got to know about Veracode, but that was a big organization with more than a thousand employees. So, the cost is very different for them because the size of the application is different. Its pricing makes sense there, but when we try to onboard this solution for the startup ecosystem, pricing is not friendly. Because I knew the product and I knew its value, I onboarded it, but I don't think any other startup at our scale will onboard it. 

Its pricing should be based on the size of the application or organization. For a startup organization, they can provide credit-based pricing. They don't need to reduce the price. AWS, Google, and other vendors do the same where they don't reduce the price, but they give credits. I have been in the industry for 15 years, and I have seen that people don't like to change technologies for many reasons. For the first year or the first 18 months, customers can explore the product completely free. If the first year is free and you are onboarded, you would stay with it if it does the job. If the product is doing its job and adding security value, there is no reason to change it in the second year, and you are also ready to pay because, in the first year, you have tested that it is working fine. A company that has used it for the first year would definitely need it in the second year because they keep adding code to the codebase. Another option is that, like Cloudflare, they provide a very slashed rate. Cloudflare onboards everyone at a very cheap price, but when you start exploring the actual use cases, they start adding. 

What other advice do I have?

It is a good product, and you should consider it, but it can be elevated more for startup culture. It should be more pricing-friendly and user-friendly. There should also be strengthening of the developer community.

We are only doing code analysis with it. For manual penetration testing, we have to contact an entity.

It hasn't reduced our scan time. It also hasn't helped our organization with certification and audits. We're a small startup, and at this time, we don't have audits, etc. We might do that later. 

I would rate this product a six out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer1699062 - PeerSpot reviewer
Sales Engineer at a computer software company with 51-200 employees
Real User
Low false positive rate, good reports, and fair price
Pros and Cons
  • "It is scalable and quick to deploy into the site and the pipelines. The reports and analytics are good, and the false positive rate is low. It gives true results."
  • "There should be more APIs, especially in SCA, to get some results or automate some things."

What is our primary use case?

I helped customers to build and start the journey of SecOps with Veracode.

How has it helped my organization?

Veracode helps to know and prevent vulnerable code or applications from being deployed. We can scan, consume reports, and fix vulnerabilities before deploying an application.

It is very good for ensuring compliance with industry standards and regulations. We can have many dashboards and reports related to policy management.

Veracode provides visibility into application status at every phase of development. We can have many analytics dashboards and reports, and we can build a custom dashboard to have this visibility. This visibility is essential for DevSecOps processes. We need this visibility and information to have a strategic approach and mature our security.

Veracode has the lowest false positive rate in the market. Its results are accurate. In some cases, it is very difficult to see a false positive. We report it to the engineers, and they analyze it. If it is truly a false positive, the engineers will update the engine to provide better results at the next scan. The false positive rate of the static analysis has not affected the time we spend on tuning policies.

It has had a very good effect on our organization’s ability to fix flaws. We are developing a new feature, and Veracode will help to quickly fix any flaws.

It has helped our developers save time, but I do not have the metrics.

What is most valuable?

All features are valuable. I especially like SAST and ADO.

It is scalable and quick to deploy into the site and the pipelines. The reports and analytics are good, and the false positive rate is low. It gives true results.

What needs improvement?

There should be more APIs, especially in SCA, to get some results or automate some things.

For how long have I used the solution?

I have been using this solution for almost three years.

What do I think about the stability of the solution?

It is very stable.

What do I think about the scalability of the solution?

It is very scalable. I help other companies to deploy. Some of them are small, and some of them are big.

How are customer service and support?

Their support is good. I would rate them a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have not used any other solution previously. I have only worked with Veracode.

How was the initial setup?

It is a SaaS solution. Its initial setup is straightforward. I started with the most critical applications and automated the scanners inside the pipeline. After getting the results, I aligned the security policies. I prioritized the most critical vulnerabilities and assigned these reports to different groups and teams. I also integrated the other plugins into the IDE.

What about the implementation team?

I implemented it myself. I work with DevOps and security teams. In some cases, I also work with developers.

It does not require any maintenance. Because it is a SaaS solution, the maintenance is provided by them.

What was our ROI?

The ROI is in terms of time savings and mature security. When you deploy a solution like Veracode, you can have these quickly.

It reduces the cost of DevSecOps for the organization when you use it for more than one year.

What's my experience with pricing, setup cost, and licensing?

Its pricing is fair.

What other advice do I have?

It is essential and perfect for preventing vulnerable code from going into production. Nowadays, it is very important and sensible to have a solution like Veracode to know all the vulnerabilities and manage and prioritize the ones that are more critical and better for security posture.

I have not used the Software Bill of Materials (SBOM) feature much, but it is easy to create a report using the SBOM feature. It is important for the supply chain that your software uses.

I would rate Veracode a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer.
reviewer1293537 - PeerSpot reviewer
Senior Manager Cyber Security at a tech services company with 201-500 employees
Real User
Identifies false positives, prevents vulnerable code from being introduced into production, and provides static scanning
Pros and Cons
  • "Static Scanning is the most valuable feature of Veracode."
  • "Veracode can be improved in terms of software composition analysis and related vulnerabilities."

What is our primary use case?

We scan various types of software codes, such as codes or applications built in languages like C, Java, Python, PHP, and Ruby, among others. We assess the code quality using Veracode.

How has it helped my organization?

Veracode prevents 90 percent of vulnerable code from being introduced into production.

Previously, in our organization, we did not have a dedicated workflow or a tool for capturing code vulnerabilities. After the code passed the testing phase, it was directly implemented in production. However, since implementing Veracode and launching it, we have been able to identify vulnerabilities beforehand. As a result, our code now goes into production without any vulnerabilities. Only after ensuring this do we allow it to go live.

Veracode provides visibility into application status at every phase of development.

Based on our experience, Veracode quickly and effectively identifies false positives.

Our project teams understand the importance of conducting code scanning in addition to code development and Veracode testing. This ensures that any flow issues are addressed before proceeding to the next phase. It has become ingrained in their approach.

Veracode has helped our developers save time by assisting in fixing the vulnerabilities that could have had disastrous effects if they had gone into production.

Veracode has had a tremendous impact on our security posture, particularly in one region in Asia where Veracode is being used for security testing and vulnerability assessment. Now, other regions, including the US, have also recognized its value and started adopting Veracode.

What is most valuable?

Static Scanning is the most valuable feature of Veracode.

What needs improvement?

Veracode's policy reporting, which ensures compliance with industry standards and regulations, is valuable. It would also be helpful to have a specific example that we can relate to in order to better understand it. Currently, the information is scattered, so precision would greatly assist us.

Veracode can be improved in terms of software composition analysis and related vulnerabilities. For instance, when an application team provides us with their software code, we perform code scanning. During this process, we often encounter software composition analysis vulnerabilities that require the application team to upgrade their Java file from version X to version Y. We then communicate this to the application team, and they proceed with the upgrade. Once the upgrade is complete, we conduct a rescan. However, during the rescan, Veracode may identify compatibility issues with the upgraded version Y. This situation puts the application team in a difficult position, as they may be unable to accommodate this change within their project schedule. Therefore, this is an area where I believe Veracode could make improvements.

The technical consultation can be enhanced to effectively address the communication variations among different regions.

For how long have I used the solution?

I have been using Veracode for three years.

What do I think about the stability of the solution?

Veracode is 100 percent stable.

What do I think about the scalability of the solution?

Veracode can scale to meet our maximum requirements.

How are customer service and support?

There are cultural differences in the way we communicate with people from different countries. So, when a Japanese person is talking to an American, the rapid conversation provided by the American technical support person may not be easily understood by the Japanese individual. As a result, instead of having just one discussion or consultation with Veracode, we end up having three to four consultations.

How would you rate customer service and support?

Neutral

What other advice do I have?

I give Veracode a ten out of ten.

We are using Veracode in multiple locations and departments.

Veracode does not require any maintenance.

Veracode is an extremely user-friendly tool, operating through a web interface. Additionally, the support and guidance offered by the Veracode team are excellent. Considering all of these factors, I believe Veracode should be the choice for anyone.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2099616 - PeerSpot reviewer
Senior software engineer at a tech services company with 1,001-5,000 employees
Real User
Provides visibility concerning security issues, is scalable, and no maintenance is required
Pros and Cons
  • "The most valuable feature is the static scan that checks for security issues."
  • "The zip file scanning has room for improvement."

What is our primary use case?

We use the solution to scan for and identify vulnerabilities or security issues.

We use a SaaS deployment.

How has it helped my organization?

Before releases, we must ensure that all the security issues identified by Veracode are addressed. Occasionally, some false positives may be encountered, but these can be safely ignored. We are usually satisfied with the accuracy of the report as all the important security issues are identified and addressed allowing us to focus on our release sooner.

All the applications that are going to production in our large company are required to pass through Veracode, which provides us with a uniform standard that everyone must adhere to. This standard allows us to ensure the quality of our products before they go to market.

Veracode may not seem to immediately save our developers time, and it may even seem tedious at times. Ultimately, however, it can be extremely useful in identifying issues and vulnerabilities before they become larger problems, making it a valuable resource.

Veracode helped our security posture by checking security gaps in the production environment.

What is most valuable?

The most valuable feature is the static scan that checks for security issues. We use Veracode for this purpose; we also use the solution for our UI, but for the backend, we only use the static scan. I'm not sure what it is called, but it is one of two scans, the other one being dynamic. We only use the static scan to identify any security issues.

Veracode assists in the prevention of vulnerable code from reaching production by providing a comprehensive review of security risks and comprehensive reports with thorough descriptions of the vulnerabilities. This allows us to address any security gaps in the release. Based on the severity, we should determine the standards for release. We should not have any security issues with a severity of medium or higher before releasing.

Veracode provides us with ultimate visibility concerning security issues. Additionally, we use OWASP, which checks our dependencies to identify any potential weaknesses, but Veracode is the only tool we use to check our source code. With Veracode, we have the capability to recognize any security issues in our source code.

What needs improvement?

The false positives have room for improvement. Sometimes, we will get false positives, which we mark as mitigated. However, it can be annoying when they come up again in the next release. Every time a new person is doing the work, they may not be aware of the history of the issue. They must then check the false positive again and mark it as mitigated, and it may come up again in the future. False positives can be an irritating and time-consuming issue for developers to deal with. Investigating them can be a waste of time, as they have already been looked into. This can be frustrating for those involved. False positives waste our time and resources.

The zip file scanning has room for improvement. Sometimes when we upload the zip files for scanning, it can take a long time to get the report. This can take up to a day. Unfortunately, even after waiting a day, sometimes we find that nothing happened and we have to start the process over. This is both time-consuming and frustrating, as we feel the system has crashed.

The reports have room for improvement. I believe the reports are thorough but can become overwhelming with unnecessary information that may not be pertinent to the developer. I'd prefer to have customizable reports that allow us to select which elements we'd like to include.

I believe the usability of the UI needs to be improved. For example, when we navigate away from a page, it should remember our last location and take us back there instead of sending us to the homepage. Additionally, it should be easier to navigate between pages without having to refresh the page each time.

Veracode should provide potential customers with better training materials and resources to help them make a more informed decision before purchasing the product. This could include tutorials, demonstrations, more about how the product works, the user interface, the quality of Veracode's reports, and more. It is unclear if these resources are already available, but they should be made more visible if so.

For how long have I used the solution?

I have been using the solution for over one year.

What do I think about the stability of the solution?

The report is usually ready without any problems, but occasionally there may be a crash or other issue occurring in the background that prevents it from being ready. This happens about 10% of the time. The solution is primarily stable.

What do I think about the scalability of the solution?

I haven't experienced any scalability issues so far. This is likely because the job is always the same and the files we upload remain the same. We haven't had to change any parameters in the input, so scalability hasn't been a concern.

Which solution did I use previously and why did I switch?

We used CodeSonar to analyze various aspects of our source code, and we already utilize OWASP to assess the security risks of our dependencies.

What other advice do I have?

I give the solution an eight out of ten.

One of the applications we supported through Veracode is designed for use by travelers of an airline. The application handles everything from searching for availability to obtaining tickets.

The solution does not require any maintenance. I am logging into my organization's portal, from which I have a direct link to access Veracode. I do not need to do anything else, such as create content or install anything.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
David Jellison - PeerSpot reviewer
Senior Director, Quality Engineering at Everbridge
Real User
Easy issue tracking and high visibility
Pros and Cons
  • "Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed."
  • "I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity."

What is our primary use case?

Our primary use case for Veracode is SAST and SCA in our SDLC pipelines. We also use it for DAST on a periodic basis and time-based scans on our staging system. We use the training modules for certifying all our developers annually.

In addition, we use Veracode to scan within our build's pipeline. We do use Greenlight, which is their IDE solution for prevention of issues of vulnerabilities.

We are FedRAMP certified as a company, so we use this as part of our certification process for Veracode ISO 27001 and various other certifications we have.

How has it helped my organization?

There is a tight integration of Veracode with JIRA. We use JIRA for nearly all of our issue tracking.

This integration provides a way to link all of the vulnerabilities discovered to our backlogs and active scrum queues, so that there's high visibility within teams for any of the issues that are related to their teams.

What is most valuable?

I think the most valuable to us is the policy management, which enables us to create different kinds of policies for different kinds of applications. Veracode policy management also allows us to plan for, track against, and report on our compliance with those different policies.

What needs improvement?

I think the biggest room for improvement is around known or accepted vulnerabilities that, when we re-scan, we want those things to be recognized as already accepted, as an exception. Sometimes they show up as something new and we have to go back and re-accept that as an accepted exception in order to bring our numbers back into compliance. I think if they could improve the operations around accepted vulnerabilities, we would see improvements in our productivity.

I would also like to see more executive reporting. Having a good snapshot of how well we're tracking, where each of the teams that own the applications stands, how they're doing, and where their gaps are would be good. Currently, the reporting is geared towards tracking current vulnerabilities. Even though they have trending, the trending doesn't necessarily evaluate the teams and how well they're doing. I would also like it to be more oriented towards teams.

Overall, I would give Veracode a nine out of 10.

For how long have I used the solution?

The company's been using Veracode for five years. I've been using it for four years.

What do I think about the stability of the solution?

Veracode is stable in my opinion. We've had very little interruption that was unplanned.

What do I think about the scalability of the solution?

We have not run into an issue with scalability yet. Veracode was built based on application counts and not users, which is what a lot of the competitors do.

We have some 300 people using Veracode. Some are executives while others are engineers actively working in Veracode. 

How are customer service and support?

Veracode's technical support is great. They assigned us a TAM and once a week, we have a brief engagement with the TAM to verify that everything's going well. If we have any outstanding issues, they get serviced and addressed.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have used Veracode the entire time I have been with this organization. However, I know that they used Coverity and WhiteSource prior to switching to Veracode. The main reason my organization chose Veracode is its comprehensive dashboard. 

How was the initial setup?

Our deployment took a while so I would say the initial setup was moderately complicated. We gradually moved into the pattern we are in today and displaced some other vendors along the way. So it was a slow ramp for us because of our business needs.

We were up and running and operational within a couple of months. And then, over time, we broadened our footprint with Veracode.

What about the implementation team?

We deployed Veracode in-house. 

What was our ROI?

Our biggest return on investment is maintaining certifications that enable us to attract customers of larger scale and government-sensitive customers.

Going back to the cost structure, considering the way Veracode is priced and how it compares to third parties, I still put them at four out of five.

What's my experience with pricing, setup cost, and licensing?

Veracode recently introduced some pricing based on microservices. This model gives us a lot of flexibility in being able to add and remove microservices and scale them that way.

The pricing is solid. I think the current consolidated pricing that we have is pretty consistent every year.

What other advice do I have?

All of the Veracode applications operate as one platform. Most of the competitors out there separate their products from their reporting and configuration, so you don't get a single pane of glass. With Veracode, you get a single pane of glass and reporting that you can combine with the different scan types to look at compliance.

The advice I would give regarding this solution is this: Look at the policies, the dashboards, and integration with ALM applications like Veracode and JIRA. They have a tighter integration there than I see with most of the competitors.

I'm sure that the scan quality is consistent. Perhaps there are some applications that are a little better than others at detection. But we find that Veracode is very comparable to other solutions in the quality of catching vulnerabilities.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
EricOlson1 - PeerSpot reviewer
Application Security Program Manager at a tech services company with 5,001-10,000 employees
MSP
It integrates seamlessly with other CICD solutions
Pros and Cons
  • "I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far."
  • "I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you."

What is our primary use case?

Manual Penetration Testing is a security tool for static code scanning. It's still in testing, so the client has it in their commercial cloud. As soon as it's federally approved, they'll move it to the government cloud. That's supposed to happen any day now. I think their government cloud is AWS. I believe they're looking at the dynamic piece as well.

What is most valuable?

I don't have much experience with the solution yet. We're looking at integrating Manual Penetration Testing with JIRA and Bamboo and then building that into a CICD model, so the integration is the most valuable feature so far.

What needs improvement?

We're still trying to get things operationalized, piloted, and tested. I haven't heard about any problems so far. However, it would be great if Veracode automatically packaged stuff up for you. 

For example, it would be nice if the solution used AI or machine learning to detect what your code was doing. It could perform the review and decide how to package up the software. You could run it and wouldn't need as much developer involvement.

For how long have I used the solution?

We've had Veracode in place for about three or four months now.

What do I think about the stability of the solution?

I haven't heard anything negative about Veracode's performance, and we've had a hundred people test it at one time. We may get to a point where we see some degradation, but we haven't yet.

What do I think about the scalability of the solution?

Manual Penetration Testing looks relatively scalable. We won't know those things until we get a critical mass of people testing all at the same time. We have around four teams that are scanning continuously, or on a fairly regular basis at this point.

How are customer service and support?

I'm happy with Veracode's support. We're getting the help we need. I meet with them weekly, and they answer our questions.

Which solution did I use previously and why did I switch?

We haven't worked with something like this before. This is the first time the organization has picked up this type of scanning solution.

How was the initial setup?

Setting up Manual Penetration Testing wasn't complex. None of these solutions are complicated. You get it, set it up, and run it. It has been deployed. They're already scanning, and more developers are being onboarded. 

We followed the implementation strategy provided by Veracode. One person is probably enough to onboard people and set them up. We need one person to concentrate on the strategy and ensure the systems are set up correctly.

What about the implementation team?

We deployed Manual Penetration Testing ourselves, but we have an arrangement with Veracode to provide the necessary professional services to support us. Consulting is part of the package they provide.

What was our ROI?

We used it to scan and detected a vulnerability, and they're trying to use it to identify how to fix the problem. That's the only example of an ROI we've got so far. 

What's my experience with pricing, setup cost, and licensing?

I'm not familiar with the costs, but I believe it's around half a million. I'm not sure how it compares to the other solutions, but I assume they're all in the same ballpark. HCL might have been a little less expensive.

Which other solutions did I evaluate?

I think someone at my company was looking at SonarQube, but whoever did that didn't go forward with a commercial version. I don't know how it would've worked out, and I didn't look at it. There was a community version someone had for years, but it never got the traction. 

Then I looked at HCL, Synopsys, and Cast. Cast is deep but highly expensive. Those were the Cadillac solutions. We went with the SaaS because they did not have anything that was on-prem. They wanted something that would be in the gov cloud, that was FedRAMPed and low maintenance on our side.

What other advice do I have?

I rate Veracode Manual Penetration Testing nine out of 10 for support and ease of setup. If you're considering this solution, I suggest trying it out and taking the opportunity to learn and teach yourself. Take some classes or online training. I found the solution pretty straightforward, and I'm not terribly technical. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Development Manager at a computer software company with 1,001-5,000 employees
Real User
Significantly improves our productivity, helps us in complying with our security policy, and reports all necessary vulnerabilities
Pros and Cons
  • "Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us."
  • "The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it."

What is our primary use case?

At this moment in time, in my project, we are mostly using Static Analysis from Veracode. We automated it and added it as a step to our daily pipeline. We also tried using the pipeline plugin from Veracode that gives an immediate evaluation of your code. We're also using agent-based Software Composition Analysis. I have not exactly used it in my project, but I participated in investigating it and setting it up.

I know two flavors of doing Software Composition Analysis. The first one is a part of a daily static scan where you're uploading all your third-party libraries. The second one is by using agent-based, which gives more reporting capabilities but doesn't affect policy scans, etc. We use both of them.

We use Software Composition Analysis as a part of our daily build pipeline, so we use Jenkins Plugin from Veracode. Every night, we upload our sources to the Veracode platform. In the morning, we receive results of Static Code Analysis and Software Composition Analysis. 

How has it helped my organization?

We are able to receive results for vulnerabilities in other libraries. We can then react to it and fix our code and those dependencies.

We do have a policy in regards to security. As a part of that policy, we cannot have very high-end issues. Usually, when you change third-party libraries, you need to do some level of regression testing. Our release cycle is long, and it could be half a year between releases or sometimes even more. By using Software Composition Analysis, we're checking our sources on a regular basis, and if needed, we change our libraries in our code. So, we are checking and mitigating any vulnerabilities if they are not applicable to our solution.

We use static scanning. This is the main use of Veracode for us. We package our application every day and send it to Veracode. We receive static code analysis results and also the software composition analysis results every day because the first focus for us is on quality improvement. The security improvement is definitely static scanning. We do have a process for analyzing and mitigating results around this static scanning. So far, we have been able to comply with our internal policy. At this moment in time, we are at the stage of releasing our product, and according to our internal policy, certain important issues from 2017 had to be addressed and fixed.

Veracode gives the possibility to find different vulnerabilities and flaws in code, and it also makes things relatively easy because everything is automated. Implementing such a high-quality tool like Veracode immediately made us aware of a lot of issues, but the volume of issues that we had to address was really high. The support from top management made it easy to fix the issues that Veracode identified in the product that has a long history of more than 20 years. Without the support of higher management in organizing and defining a process of fixing those issues, it wouldn't have been possible to fix all those issues. We took the reports received from Veracode, planned our activities, reviewed everything, and started acting on it as a result. The new release that we have is according to our policy, which is an important thing for us.

It definitely helps in reducing the risk of a security breach, which is rather important for us for providing our customers with a secure product. Among our customers, there are a lot of big companies that take security seriously. So, for us, it is really important. The fact that we have executive sponsorship shows that security is very important for our management. This initiative started because we're treating security really seriously.

It is improving our productivity significantly. We just finished a big chunk of results processing, and we are still in the process of setting up our processes. When you're first doing that scan with Veracode, you receive a bunch of results and an overwhelming amount of flaws in your code. All those results need to be investigated. For some of them, it is sufficient to have mitigations, but some of them need to be fixed. We just finished those fixes, and there were a significant amount of security findings from Veracode.

What is most valuable?

Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us.

What needs improvement?

The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it.

For how long have I used the solution?

I believe it has been about two years because Software Composition Analysis is a part of the policy scan, and our journey with Veracode has been for about two years.

What do I think about the stability of the solution?

It is stable. I didn't feel that many problems with it. We did have a few glitches with the platform, but they were not that many. So, I can say that it is stable.

What do I think about the scalability of the solution?

I can't say anything about the scalability of this solution because we are not bothered about keeping its infrastructure up and running. We use Veracode Cloud, and we are not supporting or deploying it. It is just a service for us, and we consider it as a service. We submit the information and receive reports back from that solution.

In our project, every night, we are currently scanning our development branch and three versions of our releases. We have four applications, and I believe that from my team, at least 15 scans happen every night. We have a partnership with another company that provides a part of our functionality. They provide releases to us to embed in our solution. We also do the scanning for their part and inform them about the issues that we've found.

We will increase the number of scanned versions because with each and every release, during the support period, we're supporting versions of our product, and we're also fixing the security stuff. We will be increasing the volume of scans, but it will come to a logical point. When a version is no longer supported, we will definitely remove it from Veracode. So, all in all, at any moment in time, I foresee four or maybe five versions to support multiplied by four applications. There is also a development branch for each application, so there will be around 20-25 automated scans per night.

How are customer service and support?

I am very pleased with the Veracode support because so far, there were no issues where they were not able to help us. Sometimes, in our questions to Veracode, we ask about the deep aspects of functionality, and so far, we've received answers for all those questions, and they were mostly good. I would rate them a nine out of 10 just because I didn't like some of their answers. Because of our approach of having each version as a separate sandbox in Veracode, we had questions about the consistency of results between different sandboxes, but then we realized that these are peculiarities of the platform. It is nothing serious or special. It was mostly related to our expectations from those algorithms, but it actually works perfectly. I can give a 10 for Veracode's support, but then they will have no growth to improve.

How was the initial setup?

It was pretty straightforward. The problem that we had was mostly about our solution's architecture because the solution itself is big and heterogeneous. Some parts or regions are using the Java platform, and some parts are in the .NET code. The main problem was to correctly build our solution for Veracode. This was the only challenge. Veracode provided us with good functionality with their Jenkins Plugin that made it possible for us to automate our daily development. So, the main problem for us was mostly related to properly building our solution and using it in Veracode. It was pretty straightforward. There was nothing complex, but it needed some work from our side.

The strategy for Veracode implementation was pretty straightforward. From the very beginning, we stuck to the idea that it should be automated because all modern DevOps practices and approaches, such as Infrastructure as Code, are widely used in our company. So, from the very beginning, we decided that it should be coded, and it should be stored in source control and uploaded. Veracode became a part of our process of everyday deployment, and it was a part of our strategy to make it a part of our life and use it as much as we can.

The number of people involved depended on the stage. At the initial stage, when we were evaluating it, there were somewhere around six or seven people who were making the decision of buying Veracode and other stuff. We have different companies and products inside our organization, and each and every product team is responsible for implementing it. We were the pioneers in using the solution from Veracode, and later on, it spread out to other projects. Now, we're acquiring additional licenses and so on. We planned everything with the help of the developer team. We follow the agile approach in our development, so everything was planned. User stories were created, and we just acted on them.

Which other solutions did I evaluate?

I participated in the review of tools. We reviewed not only Veracode. There were also other candidates for our main tool for static scan and software composition analysis. So, I have been involved in all activities around Veracode from the very beginning. What I liked about Veracode is that it is not just one product. It is a big ecosystem. It even has integration with Visual Studio, etc. First of all, we took a look at the scope of scanning. We compared the results of scanning and the functionality. Veracode had really great reporting functionality. In the end, we came up with the conclusion that Veracode fits best to our needs, and I believe we were right.

What other advice do I have?

My advice would be to adopt Veracode to serve your processes. I believe that the processes inside the company shouldn't be changed significantly with the introduction of new tools. Definitely, for each and every new tool, you need to build some process around usage in terms of administration and control. Veracode has a relatively big ecosystem of tools, which is a big advantage, and my advice would be to check all those tools and see how they can fit into your process, and how they can improve them. There are a lot of options and a lot of tools provided by Veracode that can fit each and every process. Whether you are using a waterfall process or DevOps practices in your organization, with Veracode, you can add necessary steps to your process without making significant changes in the processes that you have.

We take security seriously, and Veracode is not the only thing that we have for security. We do manual penetration testing to security test our applications. We also have some dynamic scanning. We follow some practices while engineering and architecting our solutions. At each and every step, we are trying to cover our solution with the necessary security testing activities or security design principles. Veracode is a big part of our security, but it is not the only one. We are fixing all issues, especially those that are non-compliant with our policy.

We don't use any connections with Software Composition Analysis. It is a separate product in the ecosystem that makes it possible for you to deeply scan your third-party libraries. This is the only way we use it. 

In terms of Veracode SCA reducing our overall scan times, I believe that it is not applicable at this point. In the case of agent-based scanning, the situation that we recently had has shown that you cannot fully substitute Software Composition Analysis from a static scan with agent-based. That's because, in the end, documents that you provide together with the release are the policy scan results generated by static scan. You can reduce the amount of time for your scanning, but in the end, you need at least one scan where you will figure out all third-party states as a part of the policy scan report. You cannot use only agent-based Software Composition Analysis because they are two separate sources of information. We can use Software Composition Analysis and then somehow merge results from two sources in one document for it, which is inconvenient. We are having nightly builds for Veracode, and it doesn't matter to us whether it takes more than 30 minutes or less than 30 minutes. We haven't measured the time, but with the approach that we have set in our company, we can leave it for longer time periods, and after nightly build, everything is okay for us. So, Jenkins just does its job of uploading, and no one monitors it. We are just monitoring that the jobs are stable and results are available. Considering that we're doing it at night, it is not that important for us for how long it runs.

It hasn't exactly increased our fix rate because it is not about our code. It is about the third-party code. We definitely have to mitigate, and sometimes, we have to change libraries to a newer version, so it somehow affects our fix rate, but mostly, the static scan affects our fix rate because it shows flaws in our code. So, I don't see any significant improvement with Veracode Software Composition Analysis in terms of our fix rate. I don't see a direct relationship between Veracode Software Composition Analysis and our fix rate, whereas Static Analysis works and gives us the necessary results and plans for fixing and doing our next steps in security.

It has not yet helped our company with certification and audits. We haven't yet shared those green results with our customers, and we didn't have any certifications the last time.

I would rate Veracode Software Composition Analysis a nine out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Jagusztin Laszlo - PeerSpot reviewer
Lead Architect, Presales lead at Alerant Zrt.
Real User
Top 5
Excels when it comes to binary scanning and has helped us significantly increase development speed
Pros and Cons
  • "For use cases where our company buys a product without the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool."
  • "There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow... Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it."

What is our primary use case?

We are using it for two purposes. The first is to analyze the final binaries in our normal development cycle and the second is for auditing old software.

It's a SaaS solution.

How has it helped my organization?

Veracode is able to analyze the final software products. We compile the applications and it's an advantage for us because there are a lot of areas where we don't have the source code. In some companies, only internal development is taking place and they have the source code and everything else for the software. With those companies, there are other tools that we can use. But for use cases where our company buys a product without the source code, but only the final executables or the binaries, only Veracode is able to work on that type of tool. We are working in the financial sector for big banks and insurance companies. A lot of times, these types of companies don't have the source code for the applications, only the final applications. This is the biggest advantage of Veracode, that it's able to analyze these types of applications.

We use the scanning process to help our security professionals and developers fix flaws in the code and that helps speed up the development cycle. It helps to "shift-left" all of the security control to the earliest phase of the development cycle. It has sped up the development cycle significantly. An unexpected vulnerability can stop the development pipeline, at least for a little while, and we are able to avoid that.

It has also helped to increase our fix rate by almost 100 percent. In the past, if it turned out that we had vulnerabilities, we had no time to correct them. We went into production with them. Now, we are able to fix everything, 100 percent, in the development cycle.

In terms of best practices, we have the results from Veracode and then we have a Knowledge Base of the types of vulnerabilities and how they should be corrected by our developers.

Another benefit is that it has helped us with certification and audits. We have a lot of automated reports based on the scans and we can show them to the auditors. That has saved us a lot of money and work.

And Veracode SCA has helped to reduce the risk of a security breach because it finds vulnerabilities as early as possible. It has increased our security and development teams’ productivity because, with the automated scanning, we are able to scan much more than previously. It saves us at least one week per development cycle, if not more.

The recommendations from Veracode have improved our efforts in fixing potential vulnerabilities, and not just finding them. That's important for us because fixing is a very expensive process. If you can save time on that, it is a big help. And SCA’s automated, peer, and expert advice have definitely reduced remediation times, saving us at least a week per development cycle.

Overall, SCA has significantly lowered the risk of vulnerabilities. If we didn't identify them before production, and it turned out that there were vulnerabilities, there would be a big risk. We would have to go into production with them or stop the development pipeline. So it lowers the security risk significantly by doing early scanning. It has reduced our risk by at least 60 percent. It definitely helps create secure software. That is 100 percent important because we are working for financial companies.

What is most valuable?

It's good that it's cloud-based because we don't have to operate a new IT system for security scanning.

It provides a centralized view across all testing types, including SAST, DAST, SCA, and manual penetration testing. We now have a central place with overall visibility.

In addition, the mitigation recommendations provided by the scanning engine are good. They are not all perfect, but they are good and usable.

What needs improvement?

There is room for improvement in the speed of the system. Sometimes, the servers are very busy and slow. Also, because we are located in Europe, it would be a big help if they had a European or national service, because of the regulations, not only because of the speed.

Also, the integration with SonarQube is very weak, so we had to implement a custom solution to extend it.

For how long have I used the solution?

We have been using Veracode Software Composition Analysis for more than two years.

What do I think about the stability of the solution?

The stability is good. We haven't had any problems.

What do I think about the scalability of the solution?

The scalability issue is a good question because it's not too fast, but it's scalable because it's cloud-based.

We use it for 10 critical applications.

How are customer service and support?

Their technical support staff is skilled. We have been able to solve all of our problems with them. I wouldn't rate them a 10 because sometimes it's time-consuming to get the right guy to answer our questions. But we always get answers to our questions.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used SonarQube because the developers liked it. We also used Checkmarx. We switched to Veracode SCA because of the binary scanning ability. Neither Checkmarx nor SonarQube is able to do that.

How was the initial setup?

The initial setup was very easy. Because it's a cloud-based service, we were able to do it without the help of Veracode. We just read the recommendations and followed them. We had three guys involved, two developers and one security guy.

It took three months to implement. Our implementation strategy was to do a pilot and then everybody in the organization copied the reference implementation.

What was our ROI?

Our return on investment is due to saving a lot of development hours.

What's my experience with pricing, setup cost, and licensing?

It's too expensive for the European market. That is why, in a big bank with 400 applications, we are able to use it for only 10 of them. But the other solutions are also expensive, so it wasn't a differentiator.

The static cost model is not that important. Veracode works on a subscription model, so we have to pay for it every year. 

Which other solutions did I evaluate?

We chose Veracode's Software Composition Analysis after we evaluated more than 10 products. Among those we evaluated were Checkmarx, Fortify, and SonarQube. The primary differentiator was the binary scanning use case.

What other advice do I have?

Use Veracode for the special use case of binary scanning, because it is the best in this special use case.

Security Labs is very good as well. We are not using it day-to-day, but it's a good feature.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2025