Veracode to the Rescue!
Updated February 27, 2024

Anonymous | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Dynamic Analysis (DAST)

Overall Satisfaction with Veracode

Veracode DAST is used on app applications in the portfolio. SAST/SCA scans and DAST scans are run monthly for all Critical applications in the portfolio. In total there are around 120 applications in scope for the program.
  • Customer support that won't permit any failures anywhere along the line.
  • Regular updates to the platform that supports rapid changes in technology and development practices
  • Sets the standard for how AppSec scanners should work
  • Sometimes finding the right person to help takes a little time
  • Pricing of SAST/SCA scans may scare off some potential customers until they understand that it's worth it.
  • Faster scan times make it easier for developers to address exposed vulns
  • Simplified reporting removes the need for external data and reporting mechanisms
As long as two products are not doing identical work, it makes sense to diversify to make sure we're using best-in-class tools and processes.
Very important! They're used daily to check on progress and stay on top of new defects as they pop up. It's also useful for identifying application functions that are repeatedly generating defect reports so we can hone in to the defective code, fix it, and clear out potentially hundreds of reported CWEs in one fell swoop.
From the beginning of coding through post-deployment Veracode works seamlessly
So far, Veracode is being built-in to become a natural part of the process. People are encouraged to begin using Veracode from the first set of code with IDE-based scans to sandbox scans and finally to gated or policy scans.
Veracode stands out as the best of breed for all types of AppSec scanners.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

Yes

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

Veracode is useful across the spectrum of development teams' AppSec maturity, size of the development community, and varied skill sets to address application security. Veracode excels in bringing together threat management teams and development teams with a single view into all application vulnerabilities and their treatment.

Using Veracode

All developers use Veracode at their desktops, along with Azure pipeline scans and sandbox scans. Greenlight is used in the IDE for development. Other users are the AppSec Team in the CISO's office for oversight and management of the platform, and the compliance teams who pull data directly from the Veracode API.
5 - We have a dedicated team of 3 people in India who work directly with the development team in Indonesia and 2 people in the US who support the installation and manage site users.
  • Rapid remediation of High and Very High severity defects
  • Open Source library security and currency
  • Recurring use of DAST on all Web and API-based apps.
  • Showcasing results from AppSec processes
  • Training on basic concepts, like CWEs and Mitigation processing
  • We're hopeful that Veracode Fix works as advertised!
  • Develop a repository of best practices for remediating defects
  • Custom cleansers
It's become a required element for all things AppSec in custom coded applications across the enterprise.

Evaluating Veracode and Competitors

Yes - It replaced two products - Tenable DAST scanning and Checkmarx CXSuite. Those products were poorly managed and coverage was too limited for them to be useful as a security scanner.
  • Scalability
  • Ease of Use
  • Other
Veracode's reputation was the driving factor. Knowing how powerful and instantly useful Veracode can be drove our easy decision to procure it!
I would short-cut it and go with the vendor I know would serve us best and Veracode made that choice simple!

Veracode Support

Veracode bends over backwards to make sure that customers are successful in ALL aspects of application security - from lifecycle-related activities to individual application scan activities. When developers have questions, the Veracode Community likely has the answers!

Using Veracode

It takes a bit of time to get developers up to speed on setups, triage, working with defects, etc. Developers who have a background in scanners and computer science can more rapidly understand concepts like taint analysis, and that makes it simpler for them to gain the best uses from the product(s). Since all scanning is tied to an application, it's easy to find everything one needs to know about the app's security and lifecycle in one place.
Pros
  • Like to use
  • Relatively simple
  • Easy to use
  • Consistent
  • Quick to learn
  • Convenient
  • Feel confident using

Cons
  • Lots to learn

  • Mitigation processing
  • Custom cleansers
  • Veracode Learning could use some help from educators