Veracode

Overview

What is Veracode?

Veracode is an application security platform that performs five types of analysis: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Recent Reviews

Best in Security

10 out of 10
March 03, 2024
Incentivized
It's being used across whole organization, multiple engineering teams are using it for third-party libraries scan i.e. software …

Veracode to the Rescue!

10 out of 10
February 27, 2024
Veracode DAST is used on app applications in the portfolio. SAST/SCA scans and DAST scans are run monthly for all Critical application in …

Awards

Products that are considered exceptional by their customers based on a variety of criteria win TrustRadius awards.

Video Reviews

Veracode Review: Provides Helpful Support When Troubleshooting Security Needs

Pricing

Pricing: N/A (unavailable)


Entry-level set up fee?

  • No setup fee

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Alternatives Pricing

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

What is Indusface WAS?

Indusface Web Application Scanner provides an application security audit to detect a range of high-risk vulnerabilities, malware, and critical CVEs.


Product Details

What is Veracode?

The Veracode platform is a software security solution that aims to be pervasive but not invasive, embedded into the environments that developers work in, with recommended fixes and in-context learning. Security teams can use Veracode to manage policy, gain a comprehensive view of an organization's security posture through analytics and reporting, mitigate risks, and produce the evidence necessary to meet regulatory requirements.

It is presented as an always-on, continuous orchestration of secure development that gives organizations the confidence that the software being built is secure and meets compliance requirements.

Veracode Features

  • Supported: Continuous Scanning to reduce risks at every phase of development - Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Testing throughout the SDLC.
  • Supported: Developer Experience - Finds and fixes flaws in line, with security integrated into where developers work, automated remediation guidance, and in-context learning.
  • Supported: Comprehensive Platform Experience - Streamlined governance, risk and compliance processes through flexible policy management, unified reporting and analytics, and peer benchmarking to mitigate risks fast and deliver a successful DevSecOps program.
  • Supported: Market Expansion - Meets data residency needs in the EU with a cloud-native instance built in Frankfurt, Germany on AWS.
  • Supported: Contextual Platform Data - Fine-tuned with nearly two decades of scanning and customer learning. Predicts future vulnerabilities with self-healing capabilities by applying machine learning and artificial intelligence to the data.
  • Supported: Cloud-native SaaS Architecture - Provides elastic scalability, high performance, and lower costs with a cloud-native SaaS architecture.

Veracode Screenshots

  • Screenshot of the Veracode Platform Homepage
  • Screenshot of Static Analysis Scans
  • Screenshot of Findings Status and History Dashboard
  • Screenshot of the Veracode Platform

Veracode Videos

Veracode Static Analysis Demo
Veracode Software Composition Analysis Demo
Veracode Dynamic Analysis Demo


Veracode Technical Details

Deployment Types: Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Unspecified
Mobile Application: No
Supported Countries: North America, EMEA, APAC, LATAM
Supported Languages: Java, .NET, PHP, Android, iOS, JavaScript, Python

Frequently Asked Questions

Checkmarx, Snyk, and SonarQube are common alternatives for Veracode.

Reviewers rate Support Rating highest, with a score of 8.

The most common users of Veracode are from Enterprises (1,001+ employees).

Veracode Customer Size Distribution

Consumers: 0%
Small Businesses (1-50 employees): 18%
Mid-Size Companies (51-500 employees): 65%
Enterprises (more than 500 employees): 17%


Reviews and Ratings

(197)

Reviews

(1-25 of 127)
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Within our organization it is clear that when a codebase is available, and in a language that Veracode supports, the use of Veracode (with a particular focus on the static scanning platform) is a great suggestion. The depth of information it can provide with respect to security flaws is valuable, with very little setup required from the developers. When a codebase is unavailable, say in the instance of third-party applications for which you are creating extensions or some form of module, then static code scanning is not an option, but even then dynamic scanning (DAST) may prove to be helpful, though potentially less so.
Score 7 out of 10
Vetted Review
Verified User
Incentivized
Veracode is excellent when you need good reporting/auditability to satisfy regulatory requirements. It works well for very large organizations and guides even entry-level developers through the process of how to set it up and start resolving flaws.

It's probably not as good for smaller companies, where CI/CD is a top priority, or where cost is a concern.
Score 7 out of 10
Vetted Review
Verified User
Incentivized
Overall, we are generally satisfied with the product. It gives very accurate information about vulnerabilities in our code using static analysis.
It has good performance for Java static analysis. However, for C++ it is very slow.
As well, the Software Composition Analysis for C++ code is not yet a finished product. It cannot recognize libraries built from source code using the default build method from third-party vendors. That is the case even for libraries that have been in use for a number of years.
March 03, 2024

Best in Security

Score 10 out of 10
Vetted Review
Verified User
Incentivized
It's more suited to software composition analysis for third-party library scans (SCA) and static application security testing (SAST). Currently being utilised by us and security labs, we are using these labs for tournaments for developers to learn about secure coding, even for learning purposes. It's helpful in the IDE stage - Greenlight, where developers can find issues/vulnerabilities during coding (shift left).
Teresa Kosinski | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Veracode is great for deep scans of your codebase, as well as performing deep scans against your online application. I have been using it for several years, and it has consistently gotten more and more thorough while vastly improving performance. Make sure, though, that your language is supported. Veracode supports several, but it doesn't support everything.
February 27, 2024

Veracode SAST review

Score 8 out of 10
Vetted Review
Verified User
Incentivized
Well suited:
SAST is well suited to the analysis of individual commits in non-compiled languages.
New vulnerabilities are added as comments in the pull request. We generate daily compliance analyses by running nightly tasks.
This provides a daily report to the security team and the managers on SAST and SCA.
Flaw mitigation involves every developer in the investigation and proposal.
This helps the owners by reducing their workload and sharing knowledge across squads.

Less appropriate:
Cpp analysis on each commit is not appropriate for our modules, as it takes too long to get results (Caused by unsupported Conan dependency manager).
For public repositories, generated baseline files need to be saved securely to avoid sharing.
February 27, 2024

Veracode to the Rescue!

Score 10 out of 10
Vetted Review
Verified User
Veracode is useful across the spectrum of development teams' AppSec maturity, size of the development community, and varied skill sets to address application security. Veracode excels in bringing together threat management teams and development teams with a single view into all application vulnerabilities and their treatment.
Krishna Bala | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We wanted a secure scan method for static, dynamic and also manual PEN testing. We wanted to make sure that we could "shift left" with our development and have security scans done at the beginning of the development process. Not at the end when it is already in the field and more difficult to update. Veracode allows us to do all this in our CI/CD pipeline early and also in the development IDE (static scans).
Score 10 out of 10
Vetted Review
Verified User
Incentivized
This application is exceptionally suited for regular compliance checks/scans. Being able to 'set it and forget it' is critical to allowing continuous scanning. However, DAST Scans do not appear to allow true continuous scanning as you have to re-create scanning rules once annually (Likely due to contract terms).
Score 8 out of 10
Vetted Review
Verified User
Incentivized
It is used in DevOps to identify security flaws before going to production. Common and hidden areas of software can be ignored if it's too wide, so the report and triaged flaws help security teams to understand where to improve. Furthermore, MPT is great at providing details and vulnerabilities that do not arise from DAST.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Veracode is well suited for small software companies, as well as organizations supporting multiple products. A well-defined and orchestrated build process will be a huge help when setting up a build upload integration with Veracode. Once scans are running smoothly, and assuming you have an integration with your ticketing system, you will rarely have to sign into Veracode's interface.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Helps raise the level of awareness throughout the organization on the importance of proper security measures for software development. Allows you to establish a campaign that touts your organization's concern and action towards continual technology threats. Working the Veracode tools into an automated build cycle allows continual focus on the security vulnerabilities within your applications. We are hoping Veracode adapts to large-scale applications that allow us to auto-scan our application that has over 3 million lines of code.
Christine Canassa | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
It is easily customizable to suit company security policies. The software has simple coding tools that enable our team to identify errors before completion of any given project. The security intelligence that has been provided over time has saved the company the cost of security drawbacks. The customer support team is always available when reached for any solution.
Score 8 out of 10
Vetted Review
Verified User
Having detailed reports generated by Veracode that highlight code vulnerabilities as well as security issues with third-party libraries are features that are important in our industry. It is well suited for providing software teams all of the outstanding issues that may exist so that time is saved in not having to do all of that research ourselves.
January 10, 2023

Veracode For your Code

Score 10 out of 10
Vetted Review
Verified User
Incentivized
Veracode is suited for organizations [that] give their customer both security and privacy. Veracode will dive deep into the code and points out the flaws which are dangerous to both the organization and the customer using it. I prefer not using Veracode if You don't have the time to revisit your module and resolve the issue because it may take time from the developer's perspective (This is a hypothetical scenario).
Mike Clarkson | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
The ease of integration into our CI/CD pipeline (it only added a couple of minutes extra per build) followed by a weekly static scan of our entire code base which in turn generates results of all the severe items identified. Sometimes they are false positives as it's in libraries we don't control, but we pass on the findings back to the library maintainer(s). Often we have to modify our code slightly to mitigate/patch/fix the issue.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
I will say it is a nine because the aggregated score of all the modules in an application is not shown anywhere in Veracode. Otherwise, it's good for the easiness and stability of the application that a developer and an organization are keen to see in a penetration application, respectively.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
I think that Veracode is a good basic code scan in order to ensure code security. It is super easy to integrate into CI-CD processes and offers good protection against common code vulnerabilities. It is less appropriate to consider it as the ONLY security consideration for your application.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
It is useful for maintaining security compliance.
The manual penetration test is very useful to have in addition to the flaw identification algorithm.

Due to the lengthy amount of time it takes to scan, it's not useful for testing every commit.
The Visual Studio extension does not make it easy for developers in day-to-day programming.
Score 9 out of 10
Vetted Review
Reseller
Incentivized
It's an excellent security application platform, with different integrations that can fit in the SDLC. The SaaS solution works perfectly for quick starts, and the integrations are fast and easy to execute. It can be implemented in a modular way, starting just with training in secure code, or it can be robust enough to integrate into the whole development environment.
Score 7 out of 10
Vetted Review
Verified User
Incentivized
Veracode is a good choice for static analysis of code. If the code refers to any customized dependency, then Veracode does not consider the external dependency unless it is bundled along with the main archive while running the scan - it could be automated so that the dependencies mentioned in pom / gradle file are considered by default without us having to upload it manually.
Douglas Perreault | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
I would say that Veracode is well-suited for any software development it supports. I use it with both Java and .Net based applications and find it works well for both. Veracode cannot provide detailed information if PDB files are not sent with the .Net compiled code.