We use Veracode for SAST and SCA. We are moving towards dynamic analysis as well. We use it now to scan our artifacts and reports, and very soon we are going to use the Veracode plugin for our IDE to have immediate results for security analysis purposes.
Before integrating Veracode, we were getting so many security vulnerabilities on higher branches. We integrated it to fix that. It prevents vulnerable code from going into production. We have fewer vulnerabilities and bugs.
We are getting the security vulnerability results on a day-to-day basis. Our pipeline is running every hour, and we are getting early feedback, giving us a shift-left approach. On a daily basis, we are able to rectify issues rather than find them in production or pre-production.
It provides visibility into application status at every phase of development. We have our initial feature branch, or low-level branch, and then we commit. The pipeline is running, so we will know about things immediately. This is quite valuable for us.
The SCA, agent-based analysis, is valuable. SAST and DAST take time, while this is quite fast. It gives the results very quickly. We have implemented it into our CI/CD pipeline.
Another aspect that is quite good is the policy reporting for ensuring compliance with industry standards and regulations. Initially, we were using freeware tools, but we are quite impressed with how Veracode gives the most detailed and latest vulnerability and security information.
I have been using Veracode for almost a year.
It's a stable solution. There are no problems. The stability is a seven or eight out of 10.
We connected with Veracode's support a couple of times, and we got a different answer each time.
Neutral
We used to use Snyk and other tools. The switch to Veracode was an enterprise-level discussion, and I was not involved.
It took some time to see the benefits, around six to eight months.
Although Veracode doesn't scan source code, only binary code, I'm not concerned because we can scan the source code with an SCR tool.
Veracode hasn't yet helped our developers save time. Their development time has increased because, initially, we were only taking the security and vulnerability issues on the higher branches. Now it is on lower branches as well, so the development time has increased. In the local branches, if a report indicates something has not passed, we are not allowing them to merge their code into higher branches.
We have it deployed in a multi-cloud and hybrid environment. We are using AWS, Azure, and VMware vSphere.
Overall, I would recommend Veracode. It is quite helpful.
We used Veracode for code scanning and source composition analysis.
Veracode can block vulnerable code from going into production.
The SBOM is a good option for companies that are asked about their SBOM.
The SBOM helps manage our risk.
Generating SBOM reports is not difficult, but setting up the necessary infrastructure for analysis takes time.
The policy reporting is incredibly robust.
Veracode provides visibility into application status in every phase of development.
The source composition analysis had very good reporting.
Veracode's long scan time for vulnerable code can hinder productivity. There is room for improvement in this area.
Veracode produced a lot of false positives.
Veracode's ability to fix flaws is less sophisticated than that of its competitors. For example, Veracode's static analysis scanning workflow for flaws is not as highly developed as Checkmarx's or Snyk's. Veracode would often provide incorrect sources and fail to identify the source of malicious user input coming to the team.
The process of bundling binaries or code for scanning could be improved.
I trialed Veracode for two weeks.
In our short trial period, we did experience some stability issues.
Veracode scales sufficiently.
I worked with Veracode's technical consultation staff and found the agent to be incredibly knowledgeable and sophisticated in their use of Veracode, as well as in vulnerable load patterns.
Positive
The deployment was complex.
Ten people were involved in the deployment.
We used the experience of engineers who had used Veracode in the past, as well as feedback from Veracode's engineers.
Veracode's pricing is competitive.
I believe Veracode would be willing to negotiate decent terms for organizations that are concerned about the pricing.
We also evaluated Checkmarx and Snyk, respectively. This puts them at a slight disadvantage in terms of identifying execution paths and their ability to comprehensively show how vulnerable code is executed in our solution.
I would rate Veracode six out of ten.
Once Veracode is fully configured, the maintenance should be relatively minimal.
Veracode's best advantages are detailed reporting for industries such as government work, or other industries that may require exceptionally detailed reports or secure security verifications. However, I would suggest that people look out for the accuracy of results and the usefulness of findings on a large scale. Additionally, Veracode has a difficult-to-navigate user interface.
We utilize Veracode to assist in establishing secure-by-design and development processes for our web applications, as well as transitioning from other systems to microservices.
Once Veracode is correctly tuned, its ability to prevent vulnerable code from entering production increases.
An SBOM is a list that can help us manage our risks by tailoring it with software competition analysis, scanning for vulnerabilities, and addressing third-party risks. As part of the supply chain, an SBOM provides a visual representation of the components present in our application, enabling us to take appropriate action.
Creating an SBOM is straightforward.
From a central perspective and a risk standpoint, the SBOM holds significant importance and must be integrated into our environment for the Software Development Life Cycle users.
Veracode has provided us with the opportunity to secure our applications. It enables us to identify risks and develop a strategy based on the results obtained from Veracode. These results are utilized to target developer training policies that we have created for pipeline and policy scanning. Additionally, Veracode provides us with guidance on resource allocation for teams. Overall, Veracode has proven to be highly useful. We obtained data from Veracode starting from day one of usage and witness its complete value within the initial six months of utilization.
Veracode's policy reporting for ensuring compliance with industry standards and regulations is commendable. They dedicate ample time to conduct thorough research and executing internal campaigns. Instead of hastily releasing new features and language support, they meticulously perform six to nine-month testing to ensure proper formatting and functionality.
I give Veracode's false positive rate an eight out of ten.
A seasoned developer with the appropriate mindset understands the necessity of fine-tuning regarding false positives, as this can impact novice developers.
Veracode's low false positive rate in static analysis has had a positive impact on the time we spend fine-tuning policies.
Veracode greatly influences our organization's ability to address flaws. Resource allocation, strategy, and trading have had a significant impact, particularly when considering the redirection of traffic. Starting from the point of deviation becomes crucial in this context. Without comprehending the potential flaws that may arise within our environment, we cannot determine the appropriate direction to mitigate and reduce them over time.
Veracode assists our developers in saving time when used correctly. It took us approximately one year to align all the developers' mindsets, but once we achieved this, our team matured, and tasks became easier.
Veracode has been beneficial for our organization's security posture.
Veracode has reduced the cost of our DevSecOps by helping us decrease development time, remediation efforts, and the expenses associated with fixing flaws at a later stage.
Veracode Fix is a new feature that functions similarly to auto-remediation for low or medium flaw codes. Essentially, it serves as a means to demonstrate to developers how to create secure coding modules and solutions. I am excited about it because I believe it will accelerate development time.
The language version support could be improved. For instance, I recall a situation where there was a slight delay in supporting the application for a specific job because there were concerns regarding the vulnerabilities present in the new languages.
Veracode combines container scanning and software composition analysis into a single package. This has always been an issue because people want the freedom to choose one or the other. However, we are almost compelled to purchase both components together.
I would like to request the inclusion of incremental scanning in a future release. By scanning only the portions of code where changes were made instead of the entire code, we can significantly reduce the scanning time.
I would like to see what Veracode plans to do regarding endpoint protection, PAN testing, DAST, RAST, and similar areas. I haven't seen any developments in these aspects yet. Products like Contrast are more advanced in this regard. So, as teams become more mature, what steps can we take to adopt the mindset and processes required for such advancements?
I have been using Veracode for over four years.
Veracode has experienced occasional downtimes, but for the most part, it has remained stable.
Veracode is capable of scaling to accommodate the needs of large organizations.
The technical support is excellent. They have application security experts. If we have an issue within the platform, we can reach out to either a Success Manager or a technical representative, and they usually respond within twenty-four hours. Additionally, as a developer or end users, we can schedule consultations and speak to someone who understands a specific language, which is really helpful.
Positive
Aside from the standard licensing fees, we also have to pay for a competent Success Manager. We initially received a favorable deal in the first year, presumably to secure our business, but we have since observed a gradual annual increase in costs.
I would definitely recommend having a Success Manager in the first year. Once the teams become more mature, companies like Synopsys, Veracode, Checkmarx, and others are large enough to offer competitive deals if they are interested in our business. For small businesses, using open source tools would be worth considering. With Veracode, we pay for the research they have conducted and have gained a deep understanding of various flaws. Their risk rating aligns well with our requirements, which is beneficial. We rely on this tool and find it fantastic from a data perspective. The data provided has greatly assisted us in our strategic decision-making.
I have tested all of the solutions. I have tested Synopsys, Veracode, and Checkmarx. Checkmarx is a truly excellent product. The only drawback was that their dashboard was subpar, resulting in poor data quality.
I would rate Veracode a seven out of ten. Although it doesn't fulfill all our requirements, I am still impressed with it and find the solution appealing.
Veracode has excelled in SAST, DAST, and IAST, but conducting scans, secret scanning, and IAC are new areas for them.
Veracode alone cannot solve our issues or problems. We need to have an agile mindset and ensure that security is embedded and maintained. We need to educate developers to be able to use these tools effectively and incorporate them into their everyday processes.
Veracode can be hosted within Europe or at our local location if needed. However, I believe they offer various instances. Personally, I prefer the SaaS solution over on-prem, mainly because unless we have specific data privacy requirements, using the SaaS solution is more convenient. Opting for on-prem would require additional resources, such as setting it up and engaging with Veracode support, which can be a more complex process.
Veracode handles the maintenance. All we need to do is set up the files for pipeline scans. Our engineering teams can handle that. In terms of policies, we should review them annually. Credentials will naturally expire on an annual basis, so they need to be reviewed as well. If we want to pursue additional tasks like GitHub integrations, then the setup process is required.
I recommend evaluating the top four solutions listed in the Gartner report or any other reliable source of information. Test them thoroughly and ensure that the vendor truly understands the organization's environment before making a commitment.
It is crucial for individuals to comprehend and establish a workflow environment before they commence providing tools, and I believe there is indeed a wealth of information pertaining to data dashboards. Although it may require time, we can collaborate with Veracode to construct it. Overall, it is beneficial. It is truly excellent.
We use Veracode to find any vulnerabilities and for risk management.
There are multiple ways to use Veracode. We can use Veracode directly in our ID environment, and we can use it in the UI environment in our platform. We can integrate it with GitHub or GitLab. We can also install SourceClear as an agent.
It helps to reduce the application risk rate. It checks for any vulnerabilities or CVE IDs against its database. If any vulnerabilities are present, it gives suggestions, remediations, and fixes. They have recently started with Veracode Fix, so the auto-fix capability is there for your code.
Previously, it was very difficult to find vulnerabilities and scan threats. It is a primary need to maintain the security of our code. Veracode is a good option. It provides all kinds of features for developers.
Veracode checks for vulnerabilities in the static code, third-party libraries, and infrastructure. If there are any vulnerabilities in your static code, it will provide them. It can also auto-fix them with Veracode Fix. For Web APIs, there is a solution called DAST Essentials. It came out recently, but it is a very good solution.
It has been a year since I have been using Veracode, and it has been very helpful. It gave me the vulnerabilities present in my code, such as SQL injection, and the fixes for them. It gives good suggestions to improve the score of our code base. It gives a lot of things.
I started using Veracode Fix about one month back. It can automatically fix whatever vulnerabilities are present in the code. In GitHub, it shows the line numbers that it has fixed. It also provides a reason to fix them. It also gives a report based on your policies. If any high-severity vulnerability was there, it tells you how it was fixed. Everything is given in detail in the reports. It is very good.
Veracode's policy reporting is good for ensuring compliance with industry standards and regulations. I would rate it an eight out of ten for that.
Veracode provides visibility into application status at every phase of development, but the option of infrastructure and deployment security is not there in Veracode. They have probably started working on that.
We use third-party libraries, and it suggests using only the safest versions. It gives suggestions on vulnerabilities that are present and how to fix them. It is very good. It makes our code secure.
Veracode saves 10% to 20% time of developers.
I like its integration with GitHub. I like using it from GitHub. I can use the GitHub URL and find out the vulnerabilities. It maps everything for you. It gives suggestions and remediations.
They should provide infrastructure management. They have not included any infrastructure security. Kubernetes images are also not there.
Their scanning engine is sometimes a little bit slow. They can improve the scan time.
I have been using Veracode for more than one year.
It is stable. I would rate it an 8 out of 10 for stability.
It is scalable. We have 5 projects. In every team, 2-3 people are using Veracode. We have a dashboard, and through that dashboard, we log in to our account. We are also using a GitHub wrapper.
We have a sprint of 2 weeks, so every 2 weeks, we deploy code. We have a team of 10 people, and at a time, at least 5 people are involved in the deployment.
They have an Application Security Consultation team. Veracode support is also there. We can email them for any issues, and we can also connect with the ACS team through a Zoom meeting.
Their documentation is also very good. In the case of any issues, we follow the documentation.
Neutral
I have previously worked with SonarQube. The decision to switch to Veracode was taken by our management.
Veracode is better than SonarQube. In SonarQube, you need to give individual code, and then it fetches the details. With Veracode, you can get details about your entire application. Veracode Fix is also there to auto-fix the code. For web applications also, so many things are there with Veracode.
It is a very good product. Veracode Fix is also there. It gives very good solutions about the code and its reusability and fixes. It has been there for the last 17 years. Without such a solution, it is very difficult to find vulnerabilities and manage fixes.
I would recommend using Veracode. It has good features. It scans your source code and your third-party libraries. There are a lot of new products in the market, but Veracode is good.
Overall, I would rate Veracode an 8 out of 10.
We are quite new to security systems. We have not adopted Veracode at the enterprise level. We are using the GitHub Advanced Security system. We were looking for static code analysis or software configuration analysis tools in the market. That is when we explored Veracode.
We want to centralize our security systems so that any repository that developers are using or creating in our organization follows the same set of standards. We want to have all the security checks and all the static code analysis done at the same level and with one client.
We have had challenges with security because developers come from different organizations and different backgrounds. They have different ways of coding. Based on their experience, they write the code, but there is a very high chance of having vulnerabilities in their code. The PR reviews used to take a lot of time for the reviewer. By implementing such a solution at the enterprise level, we assume that we will save a lot of time for developers and code reviewers because everything will be done by the tool. It will impact us a lot.
Veracode is quite good. It checks the security vulnerabilities in our packages. It discovers them very nicely, but it is not a tool for improving code quality. It does not provide very good static code analysis.
Veracode's policy reporting is fine for ensuring compliance with industry standards and regulations.
Veracode provides visibility into application status at every phase of development.
Veracode saves our developers' time. They are not doing manual PR reviews. It has saved about 20% of the time because we are still in the adoption phase.
We have a lot of confidential data of clients. We do not want our application to be exposed outside. We have configured a code quality gate, so before production itself, it blocks the PR deployment and allows it once all the security checks are passed.
Veracode is one of the tools that helps to verify external dependencies. Veracode helps a lot there.
One thing that I like about Veracode is that it is quite a good tool for dynamic application testing. It is a little bit better than DeepSource and SonarQube in terms of software composition analysis and dynamic application testing.
When I was looking into it, my initial impression was that it has a good UI as compared to other competitors.
A negative issue I found is that it has a subscription-based model.
If Veracode can provide static analysis in terms of how we can improve the code quality, it will be quite a good feature.
I have been using Veracode for 2 years.
It is quite stable.
We have not deployed it on our on-premise system, so it is quite scalable. There are no issues with that. I would rate it a 6 out of 10 for scalability.
We have not used their support extensively, but when we were choosing Veracode, I felt that they have a very good support system. The support they provided was good.
Neutral
I also work with SonarQube. I did not switch from SonarQube to Veracode. We are using a combination of both because SonarQube provides good code quality, but Veracode does not. Veracode provides very good dynamic application testing and software configuration analysis, but SonarQube does not. A combination of both is meeting our needs.
Configuring SonarQube at the cloud level based on our requirements is quite challenging. The support is based on the community. It is not something we consider as an enterprise-level tool, whereas this is not the case with Veracode. These things are better in Veracode.
I was not involved in its deployment. I am in the quality team. The DevSecOps team takes care of its deployment. That team has 8 to 10 people.
It does not require any maintenance. Everything is done automatically by the vendor.
Everything was done in-house.
It is too early for that, but Veracode will save us development effort and time. That will be the return on investment for us in the future. We will be able to measure its overall cost-effectiveness by comparing what we are paying for the service and how much developer time it is saving.
We are still considering it at the enterprise level. It has a subscription-based model. We find its price a little high based on the features it provides. In addition to the standard licensing costs, there are no additional costs.
To someone who is looking at Veracode but is concerned about the price, I would recommend exploring it themselves. They might not need the same features that we need. They might be looking at some other aspects of security. I would recommend exploring it and doing a price evaluation based on their needs.
We also explored DeepSource for some time, but we did not go for it. The functionality that DeepSource provides is somewhere between Veracode and SonarQube. Veracode was a little bit better, and that is why we went for Veracode.
We do not use the free access to Veracode's Application Security Consulting team, but we are planning to use it. We have not yet used the Veracode Fix feature that produces AI-generated fixes. It is a new feature.
The fact that Veracode does not scan source code, only binary code, does not concern us. We are using multiple tools. Veracode is one of them.
Overall, I would rate Veracode a 7 out of 10. We are still adopting Veracode. We have not gone through all the features that Veracode provides. Its rating would probably increase after a few months of use. I would recommend Veracode to others.
I used Veracode in my previous company. My role was to assist the team in identifying the vulnerabilities in the reports. I identified those and diverted them. The software team was responsible for taking appropriate actions to fix those.
We used Veracode in our environment to have account verifications or transaction confirmations. Apart from that, we had event registration as well as membership confirmation.
Veracode provides visibility into application status at every phase of development. My role was to analyze the vulnerabilities and pass them on to the software team. The severity of a risk was provided by us, and the software team was responsible for mitigating that. It helped us a lot in mitigating the vulnerabilities. We were able to proactively react to anything malicious.
It helped with early vulnerability detection and automated security testing. These were two things for which I usually used to use Veracode.
The static analysis and the dynamic testing methodologies for security vulnerabilities helped us in our development process. It allowed our developers to address issues before they became complex or expensive to fix. That was one of the things that helped us a lot.
Veracode helped us with the Log4j vulnerability. At that time, we relied completely on Veracode.
Veracode helped our developers save time. Proactively fixing the vulnerabilities saved a lot of time. It saved 50% to 60% of the time. Fixing them after the sprint is over takes more resources and time and also costs us. Veracode saved time as well as the cost.
Veracode helped us with the shift-left security strategy, but we did not rely much on Veracode for that because we already had something for that. Veracode was good enough overall.
The scanning is most valuable. The scans given by Veracode are one of the key features that I like.
The integration with DevOps pipelines is seamless.
The scans were sometimes not accurate in version 2022. There were some false positives in the vulnerability reports. We used to get false positives, and we were responsible for checking all of the alerts and determining whether they were true positives or false positives. They might have already improved it. If they have not, they can look into how to mitigate false positives.
I have used Veracode for almost two years.
It is stable.
It is scalable. The agents were deployed on about 2,000 machines. For administration, we had a SOC team. It was filler work for them, but we had a team of 13 people.
Dennis from Veracode helped us right from the deployment. If there was any critical task, he used to help us with that. We hardly had to reach out to their support for any issues.
I have used different solutions. I have used Darktrace. I have used CrowdStrike and Carbon Black. In my current company, I am using CrowdStrike.
When I was using Veracode, each agent needed to be deployed on each machine. I do not know what they are using now. CrowdStrike is a single platform with a single agent. You can deploy it on all the machines. That is one of the advantages. Moreover, I have become used to the GUI of CrowdStrike over the last year or so. I am more comfortable with CrowdStrike, but it depends on person to person. I would rate Veracode an eight and CrowdStrike a nine out of ten. I am a bit biased toward CrowdStrike because I am currently using it in my organization. I am not using Veracode here.
I was involved in its deployment. It was super easy. The support that was provided by them was fabulous.
There was a delay from our end. It took us almost 90 days to deploy it, which included approvals and other things.
We had a consultant from Veracode. His name was Dennis. We were satisfied with his job.
I used it for two years in my last organization, and we saved a lot of costs. It was not related to the product; it was related to the risks that we used to get. On the technology side, it surely saved a lot.
They keep on working on their product. They keep on upgrading that. The threat landscape keeps on evolving, and there are new threats every day. The Veracode team helped us in mitigating and remediating them and guiding us with those particular threats. I would surely recommend Veracode. I even tried to recommend it over here, but I am not one responsible person for that decision over here.
They have recently introduced a feature called "Veracode Fix" that produces AI-generated fixes. I read about it somewhere. It does vulnerability identification and prioritization and some behavioral analysis. It does dynamic analysis of any malware or any abnormal or malicious behavior. It is evolving. One more thing that I read was pattern recognition. The AI algorithm that has been provided recognizes patterns. It can assist in recognizing patterns and trends in security data.
It has policy reporting for ensuring compliance with industry standards and regulations, but we did not use that.
To those who want to use Veracode or any similar solution, I would advise being aware of their environment and security posture and seeing where it fits into their security posture. If they proactively work on the alerts provided by Veracode, they will surely save a lot of money, time, and resources. I would suggest working proactively on the alerts given by Veracode.
Overall, I would rate Veracode an eight out of ten.
We utilize Veracode in three primary ways. The first is through Dynamic Scans, followed by Static Scans, and Software Composition Analysis Scans. I find this tool to be highly effective. We have various forms of support available. For instance, we can initiate our scans through the CI/CD pipeline or manually if needed. Additionally, we can create separate sandboxes for each of our code modules. Since development involves distinct code modules, each catering to different functionalities, we can conveniently set up corresponding sandboxes within Veracode. This allows us to scan any module whenever required, which is quite advantageous.
From a SAST perspective, Veracode can prevent vulnerable code from entering production by adhering to our manual checklist.
We haven't utilized the Software Bill of Materials; however, we have employed Software Composition Analysis. Whenever we scan a codebase, any third-party applications or libraries that have been incorporated into the code are automatically analyzed. Subsequently, a comprehensive report is generated. This report outlines the third-party libraries and applications that have been utilized in the codebase, along with their respective versions. Additionally, if any of these versions are found to have vulnerabilities, they are promptly detected.
Veracode is efficient. I have used various other tools such as DAST or SAST, and employing those tools usually takes between five and eight hours. In contrast, Veracode completes the task in two to three hours. For each scan, there is a consultation button available. Clicking on that button allows us to schedule a call with a Veracode support team member. During the call, they explain any issues, clarify why certain problems are false positives, and discuss the reasons behind issue detections. There's also a consolidation part and a support button, where we can raise tickets. I have found that their maximum response time to these tickets is within one day. Before starting the scan, Veracode offers a pre-scan functionality. This functionality performs connection and server checks in the pre-scan phase. It's similar to the SAST side of things for all the tools, where the code base is examined before initiating the SAST application to determine if it's sound. However, in Veracode's case, this is implemented in the DAST system. It checks whether the server is operational if the provided call scripts are correct, and if the provided login scripts are accurate. This pre-scan functionality doesn't run during the actual scan but rather at the very beginning to ensure that all prerequisites are met. Once everything is verified, then we can proceed to initiate the actual scan.
Using Veracode policy regulations, we can offer predefined rules. When setting up any application, we establish the application name and other necessary details. Following this, there is a section where we can input this information. Essentially, there exist predefined regulations which we can either directly utilize if they suit our needs, or adjust them based on the requirements of our project team. Therefore, we have a pre-existing set of rules and functionalities available.
We do have a dashboard in Veracode that offers visibility into the status of applications. There is a section where we can view the application names, and next to each name, there is a status report such as "The SAST has been completed" or "in progress," and the same goes for DAST.
After the scanning is completed, with other solutions from a DAST perspective, we would receive a report. If there are any false positives, we would have to identify them ourselves. However, with Veracode, one of their engineers or a support team member will verify the information, which helps to minimize the number of false positives.
Before using Veracode, we used to perform many tasks manually. We had a checklist for the SAST. We would go through each line of code, attempting to determine its compliance and level of security. Even with the DAST, we used to carry out this process manually. Completing the DAST scan took a considerable amount of time. For each module, we had to dedicate at least two to three days. However, since adopting Veracode, we can now not only perform this process for each module, but we can also initiate scans for all the modules simultaneously. As a result, we can obtain the results within a maximum of three to four hours. Time-saving for fixing flaws is one of the significant benefits that Veracode has provided us, helping reduce the time by almost 60 percent.
Regarding Software Composition Analysis, an exceptional feature is that during a SAST scan, SCA is seamlessly conducted in the background. Once we scan all modules and obtain SAST results, switching to the SCA section reveals the associated reports. This integrated approach eliminates the need for separate SAST and SCA scans, as is required by other tools.
The reporting feature is noteworthy. The reports are well-structured, providing comprehensive details for each vulnerability. Information about the vulnerability itself, its origin, the specific section of code it pertains to, and even the exact line of code involved are all included.
I've found that Veracode is not particularly suitable for Dynamic Application Security Testing. Unlike other tools equipped with their own crawlers, Veracode necessitates the use of a Selenium script for crawling. However, the tool's compatibility with all functions is limited, which can be frustrating. For instance, functions like upload, download, or those triggering new tabs are challenging to handle within the DAST section due to Selenium's inadequacies when used with Veracode.
In contrast to other tools where we can monitor requests and responses during a scan, Veracode lacks this capability. The scan initiates, and we must wait until completion to see the results. There's no opportunity to check if the right requests are being sent or if certain components are being excessively targeted. Once the scan starts, we're essentially locked in until it concludes, and only then can we access the results. Furthermore, even after the scan, we're only provided with a summary of scanned URLs and the number of requests made, without the specifics of the request or response contents.
I have been using Veracode for four months.
Veracode is stable, and we have not encountered any issues.
The cloud version of Veracode can scale according to the file size.
I have engaged in two different types of experiences with technical support. One involves the ticketing system, and the other involves consultation calls. The consultation calls revolved around static analysis. During these calls, we presented all the vulnerabilities we discovered. We conducted our analysis and demonstrated how Veracode identified certain vulnerabilities. However, we also explained instances where these were false positives due to specific reasons. During the call, they acknowledged these issues. They pointed out some of Veracode's limitations, highlighting that it solely scans the code and doesn't consider the framework side. This implies that they accept these limitations. Furthermore, they provided us with insights into how they plan to implement fixes in the future, which is quite beneficial.
Additionally, whenever we had inquiries or doubted Veracode's detection of false positives, they provided detailed explanations. They shared the specific Veracode setup and rules within the SAST side that led to the detection of certain vulnerabilities. They also explained that by incorporating certain mitigations at the code level, these vulnerabilities could be addressed.
Regarding the ticketing system, for minor issues or questions, we would raise a ticket. They consistently responded within a maximum of one day, providing us with the necessary information.
Positive
Before transitioning to Veracode, the client had been utilizing a free community version tool. However, the count of false positives was exceedingly high with that specific tool. This prompted the client to seek a solution that could deliver superior results with fewer false positives. As a result, the decision was made to switch to Veracode.
I would rate Veracode a seven out of ten because the DAST has room for improvement.
The maintenance is completed by the Veracode team because we are using the cloud version.
For individuals seeking exclusively SAST and SCA capabilities, rather than DAST, Veracode stands out as the most suitable tool. However, if someone intends to utilize Veracode solely for DAST, I believe they should explore alternative tools. The effectiveness of Veracode's DAST functionality is limited, and using other tools might yield better results. Additionally, Veracode provides comprehensive training resources through its portal, including a list of documents and video tutorials. These resources are readily accessible and offer adequate guidance for initiating the use of Veracode.
My company is a financial and technical enterprise with involvement in healthcare as well. We use Veracode for scanning, utilizing both SAST and DAST approaches. The purpose of static testing is to assess our code for vulnerabilities before deployment. After completing this step and addressing any identified issues, we run dynamic application security testing on the applications we've created to ensure there are no vulnerabilities introduced after the build. These could be issues that arise during the execution of the code, rather than being inherent to the code itself.
Additionally, we are currently considering or in the process of transitioning to Veracode for a specific function known as Software Composition Analysis, which is among the services they offer.
In terms of my use cases, I oversee approximately 200 development teams managing around three to four hundred projects. About 30 percent of these projects are connected to Veracode. Moreover, I manage a user base of over 700 individuals, and many of our build pipelines include immediate SAST scanning during the building process.
We currently use Vericode Cloud, specifically the public cloud. At the moment, I am in the process of deploying two Veracode ISM management servers from their platform. These servers will be responsible for scanning our internal applications that are not exposed to the external world. One significant aspect is that our company decided to transition to the cloud approximately three years ago. Initially, we had 27 data centers scattered worldwide, but now we have reduced that number to five. By the end of this year, we plan to further decrease it to three, and eventually, we will likely have only one or two data centers in the future. However, there are certain things that we cannot migrate to the cloud.
Veracode's ability to prevent vulnerable code from being deployed into production is excellent. It is considered one of the best scanning tools available. We have conducted several comparisons between Veracode and other products in the market, and Veracode consistently ranks first among those we have tested.
With Veracode, the amount of vulnerable code that gets through is almost negligible. When we run a scan, we don't expect to find any significant vulnerabilities because the SAST usually catches almost everything.
Veracode's policy reporting for ensuring compliance with industry standards and regulations is excellent. It is applicable to us as a multinational company with PCI and HIPAA requirements, and we also engage in government projects. Consequently, we are obliged to adhere to any relevant regulations, which is why we have implemented numerous policies that automatically alert us when any action might potentially violate the established guidelines.
Although Veracode can offer visibility into the application's status at every phase of development, we do not rely on manual penetration testing because we have our own testing team. Instead, we use SAST from the moment our developers start typing the code until the deployment phase.
The visibility has significantly expedited our DevSecOps process. Now that we've integrated Veracode and included it in our build pipelines, we can provide feedback on potential issues and vulnerabilities in their code much more quickly. Our team appreciates and is delighted with this improvement because, previously, we had to wait until the builds were completed, then run DAST and subsequently present them with ten pages of issues, which would take them ten to fifteen days to address. By adopting a left-shifting approach, we've moved the bar further to the left, reaching a point where we can hardly get closer than we are now while they are actively coding. The only way to provide them with even faster information about potential vulnerabilities in their code would be to offer feedback as they type and when they push the code to the main build. Unfortunately, as of now, there are no tools available that can accomplish this.
Veracode has been a great benefit because it allows developers to log in to their code and examine the specific vulnerabilities they were informed about. Typically, there is a description of why and how the vulnerability occurred, along with guidance on how to resolve it. Veracode significantly aids our organization in fixing flaws.
Veracode helps our developers save time. While I cannot provide a precise estimate of the actual time saved, I can explain that the more we shift the SAST to the left, meaning running it as soon as the developers enter their code, the more time we can save. This is because when developers have the code fresh in their minds, they have a better understanding of what they wrote and how to fix any vulnerabilities based on the provided descriptions. On the contrary, if we shift the SAST further to the right when the code is already completed and possibly being reviewed by a different developer, it will take more time for them to understand the original code and the vulnerability's context. Thus, the original developer could have fixed the vulnerability in a shorter period of time. Additionally, considering the learning curve for new developers down the line, it becomes even more crucial to have the original developer fix the vulnerability promptly. If we only run DAST without SAST, we might end up with a long list of ten thousand potential vulnerabilities, which would require weeks of work just to address them all sequentially from the start.
Veracode has had a significant impact on our organization's security posture. When I first arrived, we were only connected to about three different teams. Originally, we only had seven or eight teams. Now, we have almost two hundred teams. One of the most significant changes is that even with those seven or eight teams, only two or so were using Veracode. However, we gradually added more teams as they came on board. Subsequently, there was a major organizational change, and Teams were divided into smaller, more compact, and agile units, which is the new trend in the industry. As a result, the teams are now much smaller, more diverse, and more agile. We are now connected to 70 percent of the two hundred teams. We have expanded considerably, but there is still more to achieve. The efficiencies have improved significantly, and the developers are satisfied with this progress. This shift is excellent for security because we were usually known as the "no people," but now we are transforming into the "yes" and "let me help you with that" people.
Veracode has reduced the cost of our DevSecOps, just from the 25 percent time-saving. The most expensive factor is not computers or technology, but rather, it's people. If I were to add together all of the salaries of the individuals and compare the amount of time saved to the total salary cost, I could cover the expenses for my infrastructure twice over a year.
The most valuable feature is the SAST capability and its integration into the Veracode pipelines.
From what we have seen of Veracode's SCA offering, it is just average. The SBOM is adequate, but it's essentially the same as what everyone else is doing. In terms of SCA, they are about average compared to other systems. Therefore, I would like to see some improvements.
SAST, DAST, and SCA in a single pane of glass would be a good upgrade to Veracode.
We are a Jira and Confluence shop and I would like to have a really good integration with those tools.
We have a ticketing system that not too many companies have ever heard of. In fact, I had never heard of it before coming here. Instead of using a well-known industry standard like ServiceNow, we use a ticketing system called Cherwell, which also has an open API. Having an API for the ticketing system would be really beneficial.
I would prefer if Veracode offered more options for licensing, such as a pipeline or project license instead of a user license. Currently, I have around seven hundred users, but I manage fewer projects. Therefore, I believe it would be more beneficial and efficient for me if Veracode could adopt a project-based pricing model. In reality, I have multiple teams working on various projects simultaneously. Pricing based on the number of projects I have up and running would be more suitable for my needs compared to the number of developers working on a particular project.
One thing that I would like to be able to do is to receive a daily summary of the emails I currently receive. With numerous ongoing projects, constant scanning occurs, resulting in a high volume of emails about what is being processed. I believe it would be helpful if Veracode could create a daily summary of these emails. This way, I can easily track the number of actual emails I receive without having to go through each one individually. As of now, I already have 65 emails from Veracode, specifically regarding the processes that ran today.
I have been using Veracode for three years.
I have almost never seen any downtime with Veracode.
The scalability is excellent because we utilize Veracode on their cloud infrastructure, and we handle dozens of projects daily.
I've never had a problem that didn't get solved, or at the very least, get immediate feedback. So, I would say their technical support is very good.
Positive
I previously utilized a solution provided by IBM in my previous organization, but later we transitioned to a company named WhiteHat Security. The reason for this switch was that when we conducted a scan using the IBM solution, it returned a result of ten thousand vulnerabilities. It was my responsibility to review the vulnerability report and clear out any false positives. However, this task was extremely time-consuming, taking nearly forty hours to complete. The reason behind the prolonged effort was the spidering scan performed by the IBM solution, which continually traversed different pages through various links, leading to repetitive errors that required matching and deduplication. Out of the ten thousand vulnerabilities, approximately a thousand were legitimate, and the scanning capability was limited to DAST. To address these challenges, we migrated to WhiteHat Security. With WhiteHat's scanning process, the number of vulnerabilities was reduced significantly to around six or seven hundred. Their approach outperformed my manual efforts in identifying duplicates and further eliminated non-duplicate vulnerabilities that were caused by the same piece of code.
When I joined my current company they were already using Veracode.
The initial setup was straightforward. We connected to the Veracode cloud, so essentially, we are operating on their public cloud. Whenever we run any process, we send our code to them. They execute it, and we receive feedback from the execution.
I have not been involved in the initial deployment of Veracode, but I have been involved in deploying the pipelines, creating and building out the ISMs, and also administering users. Recently, we moved and integrated it with our single sign-on. Since we're using Okta, we performed the integrations, and now everyone connects through Okta.
We utilized a value-added reseller, and they provided integrators themselves. Additionally, we have direct connections with Veracode. So, my understanding is that we likely received assistance from both the value-added reseller's team and Veracode.
We have monthly calls with Veracode. I work directly with engineers and have access to their email addresses and telephone numbers. This way, whenever there's a problem or an issue, I can easily reach out to someone. Additionally, I receive almost daily emails regarding recent developments and occurrences.
We have seen a return on investment. We have two hundred teams, and approximately 70 percent of them are integrated with Veracode, running pipeline scans on about 50 percent of those. The remaining teams conduct manual SAST scans instead of using pipeline scans. We have likely saved 25 percent or more of the time it takes developers to go from a startup project to the final build and deployment, just by addressing vulnerabilities.
We pay based on the number of developers working on a particular project.
Our organization evaluated four or five different solutions before selecting Veracode. The issue with the others was that they only offered either SAST or DAST, but not both, whereas Veracode provides both.
I would rate Veracode an eight out of ten. Veracode needs to improve its SCA capabilities to become a market leader rather than a market follower. Another noteworthy area they are starting to focus on is container security. I assume they will compete with Laceworks and other companies in that domain, which makes it worth keeping an eye on.
Veracode's software build of materials feature is integrated into the software composition analysis, which we are currently exploring for utilization. However, at this time, we are using a third-party product for that purpose.
Veracode's false positive rate is very low based on what we have found. However, there are instances where it becomes confused, identifying one type of vulnerability when it is actually a different type that appears similar. Nevertheless, we always conduct verifications before approving a list of vulnerabilities for the developers to address. We thoroughly go through and verify at least most of the different types to ensure their validity. My team verifies the false positives, so the developers almost never see them. Because we don't encounter many false positives, we don't spend a lot of time fine-tuning policies. We'll make some minor adjustments, and it should mostly resolve the issue until we encounter a different type of false positive. Then, we'll have to address it separately.
One of the other things that I have observed recently is a tool called Veracode Fix. We have not examined it yet, but it's worth considering. Normally, we avoid implementing too many automated fixes because sometimes they end up causing even more issues, particularly when dealing with legacy code while transitioning to Veracode. Allowing automation could potentially lead to the application being permanently shut down, especially in cases like Software Composition Analysis and Software Bill of Materials where we may need to upgrade to a different or less vulnerable, open source piece of code. If we upgrade without ensuring compatibility with our existing setup, it could break numerous things. Hence, we previously attempted to use automated fixes, but the outcome was negative, and we have decided never to repeat that mistake. Therefore, it's something we plan to explore, but we need to ascertain if there have been any changes in that type of setup.
For someone who wants to use Veracode but is concerned about the cost, the amount of time saved, especially on the SAST side of things, makes it worthwhile.
We are a multi-cloud organization primarily using AWS, with 25 percent of our infrastructure on Azure and a smaller portion on Google Cloud. We are currently using Google services only because we are a Google shop rather than a Microsoft Office shop. As a result, all of our emails are managed through Google, and we rely on Google Docs and other related tools.
There are four architects and a group of DevSecOps professionals who work directly with the development and operations teams. They form the security component of the organization and are responsible for operating Veracode on a daily basis. Their primary role is to assist the developers in integrating Veracode into their workflows, setting up pipelines, and collaborating with them when vulnerabilities are identified. They are available to help the developers understand why they received a vulnerability and guide them on how to address and eliminate it.
The only maintenance we will have to deal with is related to the ISM servers. These ISM servers are actually controlled by our company. There is an on-prem link to the Veracode cloud. When they conduct their scan, they access the server, which acts as a jump box. This enables them to scan our internal applications that do not have direct access to the outside world.
Veracode is a good Dynamic Application Security Testing tool, but it excels as an outstanding Static Application Security Testing solution for organizations that prioritize serious security measures.
