Why Veracode Can Save You... Money, Time, Security
February 21, 2022
Why Veracode Can Save You... Money, Time, Security
Score 10 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
- Dynamic Analysis (DAST)
Overall Satisfaction with Veracode
We use Veracode and its numerous integrations to great success. We have left Shifted out Information Vulnerability management processes all the way to the Repo, where integrations check on the current builds and submit them to Scans each time the build pipeline executes. We have some of our Dev Team Leads with Greenlight, using their IDE to directly scan some of the code their team is working on. From there those sandboxes are analyzed and when a final build is announced for production readiness we escalate that sandbox into the full scan. During the full scan of the application, we applied the policies that we have set up and allow the build to pass only if the application falls within our policy guidelines... Without Veracode running we would be just like any other company... Vulnerable...
- Intergrations
- Policy enforcement
- Build pipeline access
- Build a ticket management screen into the platform
- Easier integrations to SSO/SAML
- A different method of having API users, they should be either integrated into the team (an API key as part of the team) or at least separate from the regular user area.
- Pipeline integration
- Policy management
- Policy enforcement
- Developers are now realizing that security is there to help them, not just the people saying NO.
- When setting up Veracode integrations we found that Devs really like their IDEs and Repos. It's like a personal choice. However, as a company, it was unwieldy without devoting people to Veracode integrations to have so many so we had to slime the available IDEs to 3 and Repos to 3, just to be able to set up and maintain the integrations.
- Veracode is paying for itself (though through a different cost category). Our Development costs are going down and releases are getting quicker and more agile.
While things are different, Whitehat SAST was something I had run at a previous company. I was working with them as they were in their infancy and deployment was difficult and integration was being developed as I deployed. Compared to Veracode, WhiteSource at that time was an immature product. Though that was several years ago now.
Do you think Veracode delivers good value for the price?
Yes
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Veracode go as expected?
Yes
Would you buy Veracode again?
Yes
Using Veracode
150 - We have 5 distinct Business units from Gas Cards, Executive Expense cards, Healthcare/insurance, and Travel management. So a rather diverse set of groups. We have several Dev groups within each business unit and they all access Veracode to run their own scans (via Pipeline Scans, and Greenlight access). Their Dev Leads access Veracode itself to pull reporting, The pipeline scans integrate and feedback directly to the tools they are using and in Repos reporting issues.
7 - We have 7 People on the Security Architecture Team, with a sub-group of 4 devoted to Application Vulnerability management. The overall group manages the tools, with the subgroup working directly in the app, working with Devs to get their applications into Veracode and explaining any of the vulnerabilities found and suggesting how to fix the found vulnerabilities.
- Reducing dev backlog
- Reducing cost
- Increasing security throughout the organization's many portals (well over 700 application portals)
- By left shifting security, we have a better handle on being secure faster in the process.
- By working with the devs we are able to help them close vulnerabilities much faster than before.
- With build pipeline integrations devs know very quickly when there is an issue and con correct it in minutes rather than waiting till a final build and then going back to fix it.
- Expanding access
- Connecting to more repos and pipelines as we are not fully deployed and more dev groups/applications are being created all the time...