Elevating Security Through Automation and Integration
August 30, 2023
Score 10 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
- Dynamic Analysis (DAST)
Overall Satisfaction with Veracode
We use Veracode for Static and Dynamic scans and Software Composition Analysis (SCA) across multiple products. The Jenkins automation is a lifesaver for Static scans and SCA since it gets us out of the business of uploading builds manually. We're also utilizing the Jira integration to manage vulnerabilities, from creating new tickets to resolving and closing them when a vulnerability is no longer present. Dynamic scanning can take some tweaking to get running smoothly; however, once things are dialed in, it's another scan that can be scheduled to run automatically. Arguably the most powerful tool, Software Composition Analysis, runs along with our Static scans and gives us insight into vulnerabilities in third-party libraries, newer versions available where a vulnerability is resolved, as well as their licenses.
In all, Veracode is a critical tool that helps us remain compliant with our various annual third-party audits.
Pros
- Automation
- Software Composition Analysis
- Integrations
Cons
- More insight into errors that may be causing an issue when configuring an integration, e.g. Veracode's Jira integration.
- Static Analysis can sometimes get 'stuck' when using the Jenkins integration. Days, sometimes weeks can go by before we notice. Have to delete the 'stuck' scan and re-upload.
- Manual Pen Test account management/reminders. I would expect the vendor to reach out and schedule the pen test annually, maybe send a notification/reminder when the date starts getting close, things like that. From my experience it was on me to initiate our MPT.
- Reduces risk
- Helps us remain compliant
- Reduce security debt
We run Veracode scans against our latest code base, in some cases with every build, in others at least quarterly. It's safe to say we use Veracode across our entire application development process. We're working to automate more of our products to upload builds for scanning on a more consistent and frequent basis.
We are made aware of vulnerabilities in our products as soon as they are detected, and are able to resolve them much quicker than we were previously. Veracode also notifies you if/when the severity of a vulnerability has changed from the initial finding so we can raise priority accordingly.
Do you think Veracode delivers good value for the price?
Yes
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
Yes
Did implementation of Veracode go as expected?
Yes
Would you buy Veracode again?
Yes