TrustRadius

Veracode

Overview

What is Veracode?

Veracode is an application security platform that performs five types of analysis: static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Veracode offers on-demand expertise and aims to help companies fix security defects.

Recent Reviews

Best in Security

10 out of 10
March 03, 2024
Incentivized
It's being used across the whole organization; multiple engineering teams are using it for third-party library scans, i.e. software …

Veracode to the Rescue!

10 out of 10
February 27, 2024
Veracode DAST is used on app applications in the portfolio. SAST/SCA scans and DAST scans are run monthly for all Critical application in …

Video Reviews

Veracode Review: Provides Helpful Support When Troubleshooting Security Needs (02:38)

Pricing

Unavailable (N/A)

Entry-level set up fee?

  • No setup fee

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Alternatives Pricing

What is SonarQube?

SonarQube is a code quality and vulnerability solution for development teams that integrates with CI/CD pipelines to ensure the software you produce is secure, reliable, and maintainable.

What is Indusface WAS?

Indusface Web Application Scanner provides an application security audit to detect a range of high-risk Vulnerabilities, Malware, and Critical CVEs.


Product Details

What is Veracode?

The Veracode platform is a software security solution that aims to be pervasive but not invasive, embedded into the environments that developers work in, with recommended fixes and in-context learning. Security teams can use Veracode to manage policy, gain a comprehensive view of an organization's security posture through analytics and reporting, mitigate risks, and produce the evidence necessary to meet regulatory requirements.

It is presented as an always-on, continuous orchestration of secure development that gives organizations the confidence that the software being built is secure and meets compliance requirements.

Veracode Features

  • Supported: Continuous Scanning to reduce risks at every phase of development - Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Test throughout SDLC.
  • Supported: Developer Experience - Finds and fixes flaws in line with security integration into where developers work, automated remediation guidance, and in-context learning.
  • Supported: Comprehensive Platform Experience - Streamlined governance, risk and compliance processes through flexible policy management, unified reporting and analytics, and peer benchmarking to mitigate risks fast and deliver a successful DevSecOps program.
  • Supported: Market Expansion - To meet data residency needs in the EU with a cloud-native instance built in Frankfurt, Germany on AWS.
  • Supported: Contextual Platform Data - Fine-tuned with nearly 2 decades of scanning and customer learning. Predicts future vulnerabilities with self-healing capabilities by applying machine learning and artificial intelligence to the data.
  • Supported: Cloud-native SaaS Architecture - Provides elastic scalability, high performance, and lower costs with cloud-native SaaS architecture.

Veracode Screenshots

Screenshots: The Veracode Platform Homepage; Static Analysis Scans; Findings Status and History Dashboard; The Veracode Platform

Veracode Videos

Veracode Static Analysis Demo
Veracode Software Composition Analysis Demo
Veracode Dynamic Analysis Demo

Veracode Technical Details

Deployment Types: Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Unspecified
Mobile Application: No
Supported Countries: North America, EMEA, APAC, LATAM
Supported Languages: Java, .NET, PHP, Android, iOS, JavaScript, Python

Frequently Asked Questions

Checkmarx, Snyk, and SonarQube are common alternatives for Veracode.

Reviewers rate Support Rating highest, with a score of 8.

The most common users of Veracode are from Enterprises (1,001+ employees).

Veracode Customer Size Distribution

Consumers: 0%
Small Businesses (1-50 employees): 18%
Mid-Size Companies (51-500 employees): 65%
Enterprises (more than 500 employees): 17%

Reviews and Ratings (197)

Reviews (1-22 of 22)

Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode in all stages of development, from the time a project is envisioned and first created to the maintenance life stage of an application. Through automation and integration with our development tooling we can continue to perform scans through this entire lifecycle, and continue to monitor the application after it has been released.
Veracode has had a very positive impact on our development process, both through detecting and helping to mitigate flaws if they are written, as well as promoting a continuous improvement in the knowledge of our developers to prevent flaws from being created in the first place.
Score 7 out of 10
Vetted Review
Verified User
Incentivized
We are using Veracode Static Analysis during the development and UAT phases. By the UAT stage we make sure that all vulnerabilities (excluding the cases where the client cannot move to a newer version, e.g. a client still on Java 8) are resolved.
Veracode is the essential tool/product that my organization uses to produce secure software. We take the security of our product very seriously and we rely on Veracode to find potential vulnerabilities in our code. If found, we do not spare resources to eliminate the vulnerabilities.
March 03, 2024

Best in Security

Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode at almost all stages of the SSDLC: in the planning and development stage to assess security considerations and requirements, which helps in establishing security architecture and controls; in the coding stage to perform static analysis while code is being written; in the build stage, during CI and CD pipelines, to identify vulnerabilities; and finally in the post-deployment stage, to monitor emerging new threats or vulnerabilities.
It has been immensely helpful by proactively identifying and addressing vulnerabilities throughout the lifecycle.
Teresa Kosinski | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Ideally, Veracode is used throughout the software development lifecycle. It helps to establish a baseline and, if possible, eliminate any found issues prior to any piece of software being released.

For established applications, it is also useful. Even if an app has been flawless, new issues may arise if someone discovers a new way to exploit the current software. It is very important to keep up.
It has been very useful in helping to ensure applications are as secure as possible.
February 27, 2024

Veracode SAST review

Score 8 out of 10
Vetted Review
Verified User
Incentivized
We have integrated Veracode into all our pipelines.
Each time a commit is pushed to a pull-request, an analysis is triggered and returns the quality gate status, as well as a commentary detailing the discoveries (pipeline scans).

When a PR is merged on a stable branch, a new compliance analysis is triggered.
This time, the results are available in the interface (sandbox / policy scans).

We do not impose the use of scans in the code editor on developers, but the solution is available in VSC, for example (greenlight scans).
Our security development process hasn't changed much.
It's the results that have changed, and the distribution of the workload among the tech leads.

Tech leads have more time, because the analysis is shared between team members.
This also helps to discuss and share knowledge on specific parts of the code and best practices.

Regarding the results, they are more relevant and there are fewer false positives than with other solutions we've tested.
February 27, 2024

Veracode to the Rescue!

Score 10 out of 10
Vetted Review
Verified User
From the beginning of coding through post-deployment, Veracode works seamlessly.
So far, Veracode is being built in to become a natural part of the process. People are encouraged to begin using Veracode from the first set of code with IDE-based scans, to sandbox scans, and finally to gated or policy scans.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use the product to scan both staging and production environments to ensure issues found in a lower environment aren't promoted to production machines.
No change in the impact to our security program as we obtained the software to consolidate other tools used by our organization.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
I use Veracode in all parts of the software development lifecycle to ensure the software being built is secure and meets compliance requirements. The part that is now also important for CI/CD is security testing on pull requests, but that requires the right balance between time consumption and detail in the results.
We established several processes for managing the security flaws arising from Veracode security testing. Every type, from SAST, DAST and SCA, has a different queue to process and implement the solution as fast as possible, with a dedicated team that can also specialize in the field.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We run Veracode scans against our latest code base, in some cases with every build, in others at least quarterly. It's safe to say we use Veracode across our entire application development process. We're working to automate more of our products to upload builds for scanning on a more consistent and frequent basis.
We are made aware of vulnerabilities in our products as soon as they are detected, and are able to resolve them much quicker than we were previously. Veracode also notifies you if/when the severity of a vulnerability has changed from the initial finding so we can raise priority accordingly.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
As stated earlier in this survey, we have incorporated Veracode to be part of our TeamCity automated build and deploy process. We perform scans on our software during our build cycles and then review the results to accept or reject the latest check-in of code changes. We then have our build cycle email the developers responsible for the vulnerability that was found.
When we performed our initial scans with the toolset it was an eye opening experience for us. Third party libraries had been ignored for years and the results had us scurrying to find alternatives and upgrades for fixes of these findings. This renewed focus on security had us also pursuing other areas that we could add security improvements within our applications like adding MFA abilities.
Christine Canassa | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
The security policies that are developed by this team have positive impact on overall production growth. The customer support team ensures that we meet the set standards for the secure operation environment. The vendor team provides reliable assessment in each development stage to rectify where there are hitches and give effective directions for better performance.
Score 8 out of 10
Vetted Review
Verified User
We use Veracode during the Validation and Verification process of the product. We included the static scanning in our build pipelines so that every time a project is built, the scan is run allowing us to see issues right away.
It allowed us to resolve certain gaps that we were not aware of and allowed us to address those issues before release to production.
January 10, 2023

Veracode For your Code

Score 10 out of 10
Vetted Review
Verified User
Incentivized
Veracode can be used in any stage of the application. Unit scanning can be done with any particular piece of code. Extensions of Veracode can be found in famous IDEs like Visual Studio Code.
Finding the flaws even before deploying the code definitely benefits the organization.
Mike Clarkson | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Currently, we use it in our development branch.
It's turned me more security focused in my development. Once our other developers start getting tickets to fix the security flaws, I'm sure they'll start thinking that way too!
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Veracode can be used at any stage of the application, either from the unit phase or the integrated phase. Extensions of Veracode are available in different IDEs, such as Visual Studio Code. You can also zip the entire code folder and upload it to Veracode to get the combined score of the application.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
I use it for the dev stage so that we can be sure that the security weaknesses are not present in the above stages, like UAT and PROD.
I pay more attention to the security aspect - I understand potential weaknesses earlier than in the past.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use Veracode continuously during our implementation process. Therefore we have it integrated into our CI/CD pipeline. Whenever we publish new code, it is a security gate in our Pull Request policy that the Veracode scan runs on success. Therefore it is super easy when the security department needs a current scan; we can just publish a Sandbox scan and are good to go!
Yes indeed, as new packages being used are directly scanned before they are committed to our code base.
Score 9 out of 10
Vetted Review
Reseller
Incentivized
Our clients use Veracode in each phase of the SDLC, integrating the IDE Scan to analyze the code from the first steps of development and executing static and dynamic analysis in the pipeline, including the analysis of third-party libraries. The integrations are with different systems like GitHub, Bitbucket, and Azure DevOps.
Using Veracode in the first steps of development helps to reduce the possible flaws that could be introduced in the early stages. This is complemented by the security labs that enable the developers to create secure code; also, the Sandbox capability allows the developers to evaluate the code against the security standard. All this helps to deliver secure applications.