Veracode - A non-binary review for the binary scanner
November 18, 2020

Śrinivāsa Rao Kuruba | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Developer Training
  • eLearning

Overall Satisfaction with Veracode

Veracode was used in our organisation by a few business units for Static Analysis Security Testing (SAST). It helps in finding software vulnerabilities in the code by scanning the binary derived objects of the source code written by developers, thus addressing the security aspects of the products the organisation is shipping to its customers.

Any aspect concerning the vulnerabilities of a software product is non-trivial and would be very costly if reported by the customers. Veracode helps find these beforehand, if the code (binaries) is scanned before being integrated into the product. With its wide variety of integrations, Veracode scanning can happen at any stage of the DevOps CI pipeline, thereby facilitating the "shift left" mentality of finding defects/vulnerabilities in [the] code as early as possible in the software development life cycle.
  • Binary scanning. Veracode static analysis is based on binaries derived from source code, which is more accurate than pure source code scanning. This accuracy translates to fewer false positives in the defects reported, thereby saving developers' time and letting them tackle the real issues.
  • Veracode being a SaaS platform reduces the IT burden on your organisation. No servers to worry about, no performance concerns, no storage expansion to plan ahead and no capacity/elasticity challenges to take care of on all the infra (compute, storage, networking).
  • The Veracode platform is very quick to configure and very easy to use. It takes just a few minutes to set up an application profile and start scanning. It is particularly easy to use for modern programming languages like Java, as Java binaries are optimal for scanning.
  • Learning - Veracode's eLearning portal is very good and has all the relevant training on various aspects of security and again is seamlessly available in the same platform/tenant where the teams scan.
  • Security Consultation - Very easy to get help within the platform itself for a security consultation which is invaluable for the first few scans. Veracode is probably one of the very few SAST solutions which has such easy provision to get security consultation.
  • There is an initial overhead in generating the binary artefacts for scanning. The binaries need to be built with debug symbols for Veracode to be able to trace a defect back to the file and line number. This is relatively easy for modern programming languages (e.g. Java) with the latest build tools (e.g. Maven/Gradle) but can be quite challenging for languages which are platform specific (C/C++) and have dated build systems (e.g. make).
  • Entry point selection. After the binaries are uploaded for scanning, the Veracode platform analyses them (pre-scan) and provides a list of 'modules' to be selected for scanning. Only the entry points of program execution need to be selected here, based on the application architecture. The 3rd party modules on which your code depends need to be uploaded but not selected as entry points for execution. This typically needs some fine-tuning, and teams take some iterations to optimise it. It needs the product architect's input, which teams generally do not understand, as they treat scanning in general as a DevSecOps responsibility, with the developers/architects pitching in only after scanning. For Veracode, their input is needed during the scanning itself, for the first few scans at least.
  • This is both a pro and a con. Veracode does not give any option to customise the scanning rules or tweak what it is scanning for. This makes for a much simpler setup but also gives no scope for creating an application-specific scanning profile. For instance, if I do not want Veracode to look for SQL injection for whatever reason, or if I want Veracode to only look for OWASP Top 10 vulnerabilities, I cannot configure that.
  • Long scan times, specifically for C/C++ based product/app scans. Some of the scans for enterprise-scale products in C/C++ used to take many hours, and at times a couple of days. There have been improvements in this during the course of our 3 years of usage, but in general, scans take a long time to complete.
  • Veracode was one of the few scanning tools adopted by almost every team in the couple of Business Units where it was recommended. In a way, it is the only scanning tool with complete adoption.
  • Veracode reports detailing vulnerabilities and the accompanying documentation/learning sections helped developers understand the security aspects of coding, driving a culture of not just writing working code, but [doing] it securely.
  • Veracode Analytics Dashboards helped the leadership have a bird's eye view of the security score/compliance of all the products in their Business Units.
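The debug-symbols point in the list above (binaries must carry debug information for a finding to map back to a file and line) is something worth checking in the pipeline before an upload is attempted. The following is an added example and is not code from the review or from Veracode: it inspects ELF section headers for a `.debug_info` section (what `readelf -S` would list) and a Java class file's constant pool for the `SourceFile` and `LineNumberTable` names that javac writes unless built with `-g:none`. Treating those two signals as "has debug symbols" is an assumption of this example, and the ELF and class-file inputs are constructed inline so it runs offline.

```python
"""Pre-upload check for the debug information a binary scanner needs to map
findings to file and line. Added example; the per-platform signals used here
(.debug_info for ELF, SourceFile/LineNumberTable for class files) are an
assumption about what "debug symbols" means, not a scanner's stated rule."""
import struct


def elf_section_names(data: bytes) -> list:
    """Return section names from a little-endian ELF64 image (minimal parser)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:  # EI_CLASS must be ELFCLASS64, EI_DATA little-endian
        raise ValueError("this example only handles little-endian ELF64")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    # Elf64_Shdr fields: name, type, flags, addr, offset, size, link, info, addralign, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    str_off, str_size = shdrs[e_shstrndx][4], shdrs[e_shstrndx][5]
    strtab = data[str_off:str_off + str_size]
    names = []
    for sh in shdrs:
        end = strtab.index(b"\x00", sh[0])
        names.append(strtab[sh[0]:end].decode("ascii"))
    return names


def elf_has_debug_info(data: bytes) -> bool:
    """True when the object carries DWARF debug info (a .debug_info section)."""
    return ".debug_info" in elf_section_names(data)


# Byte size of each fixed-length constant pool entry by tag (JVMS 4.4); tag 1 (Utf8) is variable.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_utf8_constants(data: bytes) -> list:
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)  # constant_pool_count
    pos, index, out = 10, 1, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            out.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _CP_FIXED:
            pos += _CP_FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return out


def class_has_line_numbers(data: bytes) -> bool:
    """True when the class still carries its source-file and line-number attributes."""
    names = set(class_utf8_constants(data))
    return "SourceFile" in names and "LineNumberTable" in names


def build_elf(section_names):
    """Construct a minimal ELF64 image holding only a section header table (test input)."""
    names = ["", *section_names, ".shstrtab"]
    strtab, name_offsets = b"", []
    for n in names:
        name_offsets.append(len(strtab))
        strtab += n.encode("ascii") + b"\x00"
    shstrndx, strtab_off = len(names) - 1, 64
    shoff = strtab_off + len(strtab)
    shdrs = b""
    for i, _ in enumerate(names):
        sh_type = 0 if i == 0 else 3 if i == shstrndx else 1  # SHT_NULL / SHT_STRTAB / SHT_PROGBITS
        off = strtab_off if i == shstrndx else 0
        size = len(strtab) if i == shstrndx else 0
        shdrs += struct.pack("<IIQQQQIIQQ", name_offsets[i], sh_type, 0, 0, off, size, 0, 0, 1, 0)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(names), shstrndx)
    return ehdr + strtab + shdrs


def build_class(utf8_constants):
    """Construct a class file header plus constant pool, enough for the checks above (test input)."""
    pool, count = b"", 1
    for s in utf8_constants:
        raw = s.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(raw)) + raw
        count += 1
    pool += b"\x05" + struct.pack(">Q", 0)  # one CONSTANT_Long, to exercise the two-slot rule
    count += 2
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, count) + pool


if __name__ == "__main__":
    print("ELF with -g:", elf_has_debug_info(build_elf([".text", ".debug_info", ".debug_line"])))
    print("ELF stripped:", elf_has_debug_info(build_elf([".text", ".data"])))
    print("class default -g:", class_has_line_numbers(build_class(["Foo", "Code", "SourceFile", "LineNumberTable"])))
    print("class -g:none:", class_has_line_numbers(build_class(["Foo", "Code"])))
```

In a real pipeline you would walk the build output and fail the job when a C/C++ object lacks `.debug_info` (typically a missing `-g` in `CFLAGS`) or a class file was compiled with `-g:none`; the class-file check is a heuristic, since a string literal named `LineNumberTable` would also satisfy it, but it is cheap enough to run on every artefact before the upload step.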
Earlier in our organisation, Fortify was used (formerly from HP but now owned by Micro Focus). The general consensus was that there was too much noise (false positives), taking a lot of time to find and then fix the real issues.

SonarQube is also used in our organisation, but not as widely as Veracode was used, due to the former's more generic scope on quality rather than the laser-sharp focus Veracode has on vulnerabilities.

Owing to the overall company's directive and cost objectives, Coverity eventually succeeded Veracode as the recommended SAST application, but the choice was not on purely technical grounds.
- Almost no setup required and easy to configure
- Very easy to use, intuitive UI with integrated analytics and learning portals.
- Seamless to review the results, triage them, generate reports.
- Security progression of the product/application is tracked via successive scans.
- Privileges/roles are nicely fine-grained and tightly controlled to let teams "view" only their products.
- Easy to create support cases, right from the platform itself instead of visiting any other website or customer support portal.
- Privilege to create the cases granted to all users of the platform by default instead of restricting to only the Admins.
- Responses/updates to the case very promptly given. Escalation channels available via the customer success managers.
- Delegation of the user-generated cases to the platform admins of the organisation very quickly done, the scope permitting.
- Security consultation, a form of support unique to Veracode, can be availed of very easily post-scan.

Do you think Veracode delivers good value for the price?

Not sure

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

Yes

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

No

Well Suited
  • Well suited for modern programming languages
  • Super good for organisations which do not have a big IT budget to spend on infrastructure
  • Veracode Security consultation is invaluable for teams/Business Units which do not have a dedicated security team
  • Together these make it ideal for a startup to quickly benefit from Veracode's lean setup to get going on security scanning
Less Appropriate
  • For scanning large legacy applications/software (huge code base, multiple platforms to build, platform specific languages used)

Using Veracode

Pros
  • Like to use
  • Relatively simple
  • Easy to use
  • Technical support not required
  • Well integrated
  • Consistent
  • Quick to learn
  • Convenient
  • Feel confident using
  • Familiar
Cons
  • None
  • Easy to upload and scan without much setup/configuration
  • Easy to integrate with CI Orchestrators like Jenkins and IDEs like Eclipse/IntelliJ
  • Elegant and integrated platform for scanning, viewing results, triaging vulnerabilities, generating reports/dashboards and learning. The complete SAST workflow
  • Entry point selection after the pre-scan
  • Identifying the warnings/errors in the modules after pre-scan
  • Exporting defects/vulnerabilities while triaging them (you need to go to the analytics section for flaw export)