Veracode Is A Best Of Breed Code Analysis Tool
May 09, 2024

Anonymous | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Modules Used

  • Software Composition Analysis (SCA)
  • Dynamic Analysis (DAST)
  • Static Analysis (SAST)

Overall Satisfaction with Veracode

In my organization, Veracode is used to address application security issues during the application development life cycle throughout the organization. Developers use Veracode to address security coding flaws, and application security engineers use it to address running applications' security issues. Veracode is a very good static, dynamic and software composition code analysis tool. It is easy to manage and supports the most commonly used development languages. It integrates well with a number of code repository systems such as Azure DevOps and GitHub.
  • I like the support given by Veracode; they are very responsive and they help you get things done.
  • Veracode has well-documented steps for administering the platform and managing integrations for code scanning.
  • Veracode is easy to use and the integration with code repositories is seamless.
  • It would be good if Veracode could find a way to improve how long it takes to complete a scan job. The scan time is usually long compared to other tools in the market.
  • Veracode should find a way to give administrators the ability to add other administrators to the platform.
  • Veracode should invest in developing more reports that demonstrate trends of flaws vs. remediations.
  • One positive impact to our business over the period of about one year was that the number of flaws being discovered went down significantly.
  • The time spent on doing peer code reviews went down. Peers that did the reviews had more time to spend on tasks other than doing peer code reviews.
  • Over time the more seasoned developers were more proficient with writing code, and I think that was a direct result of the implementation of Veracode.
There are cases where diversifying is very effective. However, consolidating to one vendor typically means you have fewer consoles to manage and usually reduces administration management costs. This reduces the fatigue that comes with switching from one management console to another and typing in multiple credentials. One benefit of diversifying is that it allows you to get best-in-class solutions. Therefore, when choosing a solution you have to make sure the solution fulfills your use case requirements.
Reporting and analytics is a use case that is very important for us. We use it to drive metrics and measure how effective the tool is in helping us to reduce security flaws before they make it into production. We use the reporting feature to see new flaws as well as remediated ones. We use the reporting feature to trend progress over time as well. We report on users per application and to get an executive report of the overall picture of the application security program from a Veracode perspective.
We use Veracode at various stages of the application development process. Some developers use Veracode inline while developing code. They use the Veracode plugin called Greenlight, which provides feedback while you write code. We also use Veracode when code is being released to development environments, and flaws must be remediated before releasing to QA or Production.
Veracode has helped with the discovery of more flaws than we were getting when we only did peer reviews.
Veracode is slower with scan results; however, the flaws discovered and sites crawled are almost the same. Rapid7 InsightAppSec only does dynamic scans. Veracode did find more links on a site crawl. Rapid7 InsightAppSec has more out-of-the-box reports than Veracode. Both integrations with DevOps tools were straightforward.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

Yes

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

Veracode is good at identifying flaws that do not adhere to the OWASP Top 10 security controls. Therefore, a junior developer could produce code and flaws will be caught. There is also the software composition analysis that provides a view into third-party dependencies. Veracode may not be suited to cases where you need to have your scan results in a short amount of time.