What I think about Veracode.
July 22, 2024

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Dynamic Analysis (DAST)
  • Penetration Testing

Overall Satisfaction with Veracode

We have a system that needs to be safe and secure as it contains a lot of confidential information. We use Veracode to do Dynamic, Static Code and Software Composition Analysis scans. Veracode has helped us identify and fix various security and coding issues which we expect will make our system safer and more secure.

Pros

  • It can identify OWASP issues.
  • It provides help on how to fix issues.
  • Their support helps with any problems that may arise.

Cons

  • Navigating around the system, especially when going back, sometimes takes multiple clicks as it just keeps reloading the same page.
  • While we haven't tried the new packaging tools, the way we do packaging and uploading code for static code analysis has been laborious.
  • Setting up the login process for Dynamic Code Analysis is not easy, as we need to modify script files.
  • Positive Impact: Veracode is a well-known and recognized name in the field, so having our system scanned by Veracode gives our customers a higher level of trust and confidence in it.
  • Negative Impact: Since there are newer updates to approaches and code in .NET, Veracode does not seem to keep up with these changes, causing many false positives.
  • Negative Impact: While we are able to scan our Web and API, we are not able to scan our Apps (built with Xamarin).
We prefer to consolidate to a single vendor. Hence, it would be great if Veracode could provide solutions for all our needs. While they have the ability to scan our Web and API solutions, they do not have an ability to scan our App solution, which is built with Xamarin.
The reporting and analytics features of a solution are very important to us, as we need to share our results with our customers and potential customers / prospects. We provide these results as documents that can be downloaded from our website, which we currently only do yearly because of all the work involved.
We run static and software composition scans on our code during our QA cycle to ensure any issues are resolved before we promote the code to Staging and then Production. Developers use the tools that integrate with Visual Studio to get static code scans on the work they do. We also run a weekly dynamic scan of our Production and QA environments to ensure coverage from all aspects.
It has definitely improved the security of our development process, making it more of a consideration rather than an afterthought, because initially, when it was just an afterthought, we found a lot of issues to resolve. Now, being more proactive on security, there seem to be fewer issues that arise.
Veracode seems to provide better support and good scan coverage. Veracode also provides multiple scan types like Dynamic, Static Code, and Software Composition, where others may only offer 1 or 2. I might be missing it, but some others like Sentinel provide scheduled monthly, preconfigured custom reports that make it easier to provide customer updates.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

No

Did Veracode live up to sales and marketing promises?

Yes

Did implementation of Veracode go as expected?

No

Would you buy Veracode again?

Yes

There are a lot of different things to configure to get everything up and running. It would be great if there was a wizard that helps step through all the different parts, based on what has been purchased. Once set up, the scans and reports are usually good.

Also, the emails when scans have completed should include some highlights of the results, such as whether any new issues were discovered that need to be focused on. Otherwise, it requires constant reviewing.