Perforce P4 (formerly Helix Core) is the company's version control and peer code review solution. Perforce offers add-on products for code review for free, and Git support products.
N/A
Veracode
Score 9.2 out of 10
Mid-Size Companies (51-1,000 employees)
Veracode provides advanced application security solutions, trusted by enterprises to develop and maintain secure software. Its platform identifies exploitable risks, speeds up vulnerability remediation, and reduces security debt at scale using a proprietary AI-assisted remediation engine.
Veracode is more thorough and provides a wider variety of tools than the competition. Support is prompt and very eager to make sure we get the help we need as quickly as possible. If Support can't resolve it right away, they will make sure we are connected to one of their …
While Perforce Helix is the best version control software out there, it can also be used to track your documentation, training videos and materials, and requirements. If you have strict compliance requirements, it can be used to ensure that those requirements are satisfied. Perforce Helix is incredibly flexible and can meet the needs of individual users as well as companies with thousands of users.
Veracode is well suited for development applications that can be made more secure right from the beginning. There is an excellent extension in Visual Studio that scans code from the IDE. However, it is less appropriate or incompatible with scanning SOAP or WSDL APIs. It supports only REST APIs.
The branching mechanisms in Perforce allow for an enormous codebase to be duplicated into release versions weekly with little impact upon things such as the speed of queries against the version control.
Action triggers permit such things as automated builds of software versions, dynamic messaging when issues are identified either within or prior to a build process, and much more.
Locking provides the ability to prevent modifications of stable, tested versions in order to ensure validity when they are released.
Veracode performs Static Application Security Testing (SAST) very well by finding flaws in the code using entry points so that it tests for everything a user can interact with in the application. This approach is very helpful for avoiding a lot of false positives early on.
Veracode performs SCA automatically on every SAST scan, so that we don't have to manually scan the application again for SCA scans.
Veracode integrates very well with the ticketing tools, so that it becomes very easy to track every finding and its status within our ticketing tool.
Perforce tends to feel backwards in how it approaches certain tasks, like branching and integrating - even once you figure out how it wants you to perform these tasks, you will likely forget when it comes around to the next time you need to do them again.
Perforce has a higher price tag, comparatively.
Perforce make some tasks very easy, and yet other tasks very difficult - it doesn't always seem to have found its target user's proficiency.
We are fully committed to our use of Perforce. It works well within our organization and our desire to share our code base with our customers. Their support staff are responsive, inquisitive, and eager to improve their software. I feel like we have a direct line to their design/feature team as they often solicit our feedback.
At this time, and we just renewed a month ago, I dont see any products out there overall that can offer what Veracode does. Yes, its not cheap by any means, but for the money its the best application security scanning tool out there.
With Perforce Helix, you can use it via the command line, via P4V, or any of the other APIs included with the product. It is extremely easy for new users to get up and running. Users of Perforce Helix only have to pull in the files of interest to them. Also, Perforce is very easy to script and integrate into your CI/CD pipeline. Streams allows you to have pinpoint control of your workflow, and P4Search is the absolute best--I wish Perforce (the company) would talk more about this. It is absolutely fabulous!
- Almost no setup required and easy to configure - Very easy to use, intuitive UI with integrated analytics and learning portals. - Seamless to review the results, triage them, generate reports. - Security progression of the product/application is tracked via successive scans. - Privileges/Roles nicely fine grained and tightly controlled to let teams "view" only their products.
In our large environment, Perforce is rarely "down". We have regular maintenance windows and from time to time Perforce can feel a little slow, but its always available. Tech support has always worked with our engineers and IT department to make sure that any real performance or stability issues are addressed quickly.
I had two representatives from Perforce contact me after downloading it but never responded when I had questions. I also had a difficult time finding good training material for getting started. There is a lot of available support material when running into issues, though, because of how many large companies use it.
Overall, Veracode support is helpful, community support is great, and documentation is available for self-service. Our Customer Success Manager is very helpful and reaches out regularly to see if we need assistance. We have not utilized many of the other resources offered by Veracode, however, in the future we would like to leverage secure coding training for our Development teams.
This rating is related to setting up an environment from an existing Perforce repository. Initial setup of Perforce as the repository for the company was done by a separate team long prior to my inception.
We use it as a SAS service, so really just getting our teams to mold the use of Veracode into their SDLC has been a process of years in the making. It comes down to what your teams are ready and willing to accept and change. Management is key in getting their groups on board with using it regularly. If it doesnt have management backing, your security teams have little to no influence in getting this process off the ground fully.
Git is great, I love Git. But it's not great for dealing with binary assets, even when using Git LFS. Locking is not as simple as on perforce. Git presents some problems on using for non-tech people it can get overwhelming and tech people have to come by and help.
Veracode is slower with scan results however the flaws discovered and sites crawled are almost the same. Rapid7 InsightAppSec only does dynamic scans. Veracode did find more links on a site crawl. Rapid7 InsightAppSec has more out of the box reports than Veracode. Both integration to DevOps tools were striaghtforward.
Veracode's platform has had a very positive impact on our security posture, paving the path towards having coverage monitored automatically on hundreds of internal applications throughout the development lifecycle.
Veracode's platform has also had a very positive impact on improving the security knowledge of our development team, providing meaningful feedback as well as training options to reduce mitigation time and help to prevent flaws before they are created.
