Veracode offers peace of mind with its comprehensive security scanning
May 17, 2021
Score 8 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
- Dynamic Analysis (DAST)
Overall Satisfaction with Veracode
Veracode is used by our department to ensure that our web applications are secure and that we are employing up-to-date security standards in our development. Veracode addresses not only our public facing website but also our coding practices.
- Website scanning
- Coding security standards
- Library security
- The Veracode website user interface is not intuitive and is difficult to navigate. New users will find that links will often have them going around in circles until they are lost.
- The dynamic scanning does not allow for minimizing scans on repetitive forms. This could be provided with regular expression matching for links to sections of the tested web site to reduce the amount of repeat scans of the same form.
- Software composition analysis does not handle applications with more than one framework well (e.g., a .NET Core 3.x framework with a Vue front end). These have to be scanned individually and not analyzed in one run.
- Reports are compartmentalized, offering values in one section that aren't available in another section, so that users cannot combine the separated values and use them in one report.
- Software code analysis
- Vulnerability database
- Software composition analysis
- Dynamic analysis scanning of TLS ciphers with security evaluation remarks
- Static code analysis
- Improves coding practices and prevents coding errors that create security problems from escaping the development cycle
- Makes sure that our public-facing web applications are secured with up-to-date findings
- Helps in identifying licensing issues and security in our embedded libraries
- Qualys Web Application Scanning (WAS)
The Qualys Web Application Scanning (WAS) product that we've used is similar to the Veracode Dynamic Application (DA) scanning tool. Overall, the Veracode DA scanning offers a better interface and an easier-to-read analysis report, which identifies and gives links into specific error findings on the CWE and OWASP sites. The added benefit of Veracode is that these findings are coupled with Static Application Scans (an evaluation of the code) to provide a more complete picture than Qualys provided. I'm not aware of any tool that Qualys has that offers a benefit similar to Veracode's combined static and dynamic scanning.
Do you think Veracode delivers good value for the price?
Not sure
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Veracode go as expected?
Yes
Would you buy Veracode again?
Yes