We have now switched to another solution but our use case was SAST.
Veracode was crucial to our shift-left security strategy, as we implemented it into our transformation projects. We defined internal strategies to use Veracode in the earlier stages of application development. Each sprint received application code, and we consistently scanned it using Veracode, reducing many security flaws early in development. This proactive approach helped developers to address any remaining flaws. Additionally, we defined a Jira workflow specifically for SAST bugs to track and manage security issues effectively.
Veracode helped with policy compliance. We have proposed Veracode for SAST to our stakeholder in the banking plarform. They have specific security policies that the code needs to accommodate. We have two sets of policies defined: one is the default policy in Veracode, and the other is provided by stakeholders from the chief security team, who have imported policies relevant to the banking platform. The default policy is not sufficient to ensure the code is secure, so stakeholders provided more security policies relevant to their domain and the platform.
Our actual application code was a CAT-A application, meaning it had to pass SAST and DAST testing for deployment into production. This was a mandatory check from our perspective to get the code deployed into production. We have internal strategies to implement Veracode in different phases of our application deployment. Before going into production, we do SAST testing in lower environments and then one round of testing in higher environments based on bug-fixing code. We are cautious about deploying directly into production after completing security testing in Veracode because we continually receive bug-fixing code from different applications. So, we defined our strategy this way.
Veracode provided visibility into application status at every phase of development, including static analysis, dynamic analysis, composition, and penetration.
Most of the fixes relate to password encryption or some kind of SQL injections. If there are any security flaws verified against the policies defined by our stakeholders, as well as Veracode's, and if they pose a potential risk of breaches, Veracode provides excellent recommendations for fixing those security flaws. This detail helps us address the issues efficiently, as it specifies where fixes need to be applied and the implications of ignoring them. The options for developers to provide false positive comments or justification through Jira tickets if a fix cannot be implemented for a particular release are also very useful. These features in Veracode significantly aid developers in addressing security flaws in the code.
Because scanning takes a long time for uploading any kind of large application code, I would estimate we saved around 30% to 40%. After implementing our strategy for SAST within our platform, we started doing SAST scanning in Veracode for every sprint. This frequency is crucial because, without Veracode, it could be very difficult to implement such a strategy in the earliest stages of application development.
Veracode had a positive impact on our security posture.