Veracode

It used in DevOps to identify security flaw before going to production. Common and hidden areas of software can be ignored if it’s too wide, so the report and triage flaws help security teams to understand where to improve. Furthermore, MPT an great to provide details and vulnerabilities that from DAST doesn’t arise.

Veracode is well suited for small software companies, as well as organizations supporting multiple products. A well-defined and orchestrated build process will be a huge help when setting up a build upload integration with Veracode. Once scans are running smoothly, and assuming you have an integration with your ticketing system, you will rarely have to sign into Veracode's interface.

Help raise the level of awareness throughout the organization on the importance of proper security measures for software development. Allows you to establish a campaign that touts your organizations concern and action towards continual technology threats. Working the Vericode tools into an automated build cycle allows continual focus on the security vulnerabilities within your applications. We are hoping Vericode adapts to large scale applications that allow us to auto scan our application that has over 3 million lines of code.

It is easily customizable to suit company security policies. The software has simple coding tools that enables our team to identify errors before completion of any given project. The security intelligence that has been provided over the time has saved the company the cost of security drawbacks. The customer support team is ever available when reached for any solution.

Having detailed reports generated by Veracode that highlights code vulnerabilities as well as security issues with third party libraries are features that are important in our industry. It is well suited for providing software teams all of the outstanding issues they may exist so that time is saved in not having to do all of that research ourselves.

Veracode is suited for organizations [that] give their customer both security and privacy. Veracode will dive deep into the code and points out the flaws which are dangerous to both the organization and the customer using it. I prefer not using Veracode if You don't have the time to revisit your module and resolve the issue because it may take time from the developer's perspective (This is a hypothetical scenario).

The ease of integration into our CI/CD pipeline (it only added a couple of minutes extra per build) followed by a weekly static scan of our entire code base which in turn generates results of all the severe items identified. Sometimes they are false positives as it's in libraries we don't control, but we pass on the findings back to the library maintainer(s). Often we have to modify our code slightly to mitigate/patch/fix the issue.

I will say it is a nine because the aggregated score of all the modules in an application is not shown anywhere in the Veracode. Otherwise, it's good for the easiness and stability of the application that a developer and an organization are keen to see in a penetration application, respectively.

Well suites: - to uncover security weaknesses - to get security awareness - to get information about the specific flaws.

I think that Veracode is a good basic code scan in order to ensure code security. It is super easy to integrate into CI-CD processes and offers good protection against common code vulnerabilities. It is less appropriate to consider it as the ONLY security consideration for your application.

It is useful for maintaining security compliance.
The manual penetration test is very useful to have in addition to the flaw identification algorithm.

Due to the lengthy amount of time it takes to scan, it's not useful for testing every commit.
The Visual Studio extension to not make it easy for developers in day-to-day programming

Veracode is useful across the spectrum of development teams' AppSec maturity, size of the development community, and varied skill sets to address application security. Veracode excels in bringing together threat management teams and development teams with a single view into all application vulnerabilities and their treatment.

It's an excellent security application platform, with different integrations that can fit in the SDLC, as the SAAS solution works perfect to quick starts and the integrations are fast and easy to execute, can be implemented in a modular way starting just with training in secure code or can be robust to integrate into all the develop environment

Veracode is a good choice for static analysis of code. If the code refers to any customized dependency, then Veracode does not consider the external dependency unless it is bundled along with the main archive while running the scan - it could be automated so that the dependencies mentioned in pom / gradle file are considered by default without us having to upload it manually.

I would say that Veracode is well-suited for any software development it supports. I use it with both Java and .Net based applications and find it works well for both. Veracode cannot provide detailed information if PDB files are not sent with the .Net compiled code.

Best Case Scenario:
1. Review your source code and security patching on the code.
2. Run real time test and penetration testing with dynamic data
3. Instill confidence with the customers

Not so well

1. timeout on the app is annoying
2. UI is not so great

Veracode Platform often identifies the same vulnerability over and over, even though that issue is mitigated. For example, we use typescript, which resolves to a very large javascript file. Since typescript combines multiple files into one monolithic file, the vulnerabilities can move line numbers by hundreds or more. This means that the same issue appears over and over and must be triaged and mitigated again.

Overall, Veracode is one of the best, if not the best, products for application security out in the market. It is a great platform for keeping track of flaws and being able to report on them. Their support services and program management services are excellent, as they hire really good persons to handle these areas. There is still room for improvement in their analytics area.

Well suited for complex applications in mainstream technologies and/or a requirement for frequent scanning. Less well suited to older or more specialized technologies.

I think Veracode would fit into to most organizations application security programs, but if you already are lacking build automation and pipelines you won't be able to harness that portion which is where I see Veracode shining. Doing scans manually would work, but you would be missing out.

Use of this platform allows us to better control vulnerabilities and demonstrate to clients that we take our security posture seriously. Of course this, though important, is only one aspect of ensuring our code is as secure as possible. The feature set of the tool is quite mature and serves our needs quite well for the most part.

If you are a smaller company or run less than 500 apps with a very vertical ownership structure, Veracode can be a great tool. Its fairly consistent, fairly mature nature means that it's much less likely to break your existing integrations. Where they struggle is when you are a big enough org where you need to rely on automation and integration support. I have yet to have a single developer that didn't get off a project attempting to integrate with it that didn't look mentally defeated. Their language integrations are not maintained, forcing devs to the web interface, which doesn't always have what you need, meaning you might have to restart and go back to the XML interface rather than their rest interface because they never finished converting to the rest interface. Their API can docs can be at times out of date, but on the whole, are mostly fine. Interfacing with support will also be unavoidable because of limitations around soft deletes and admins have left my team unable to manage the account more times than I am sure support appreciates having to fix.

We use Veracode to perform a static scan of our application after we build it. As per the scan result, we upgrade the security and coding standards of our application. Until we meet the standards as per the Veracode scan, our application code will not be approved. By using Veracode we can learn many new things about software development and coding standards. We can use those in the near future to maintain industry standards.

Veracode is a very good platform for security remediation tools. This is having less cost as compared to other User-friendly User interfaces and is easy to access. Easy to interact if you are having queries related to scanning results. Suggestions for security remediation are very understandable like the cleansing function Veracode helps to remediate flaws without breaking any functionality of the application (code reusability is more )

Veracode is ideally suited for environments where a large amount of code is being released by several agile teams. Code rework and problems in production can be greatly reduced by using this tool. It may also be utilized to incorporate some compliance-specific criteria, which can really serve as a tailgate to prevent the deployment of non-compliant code in production.