Detailed Analysis: Impact and Efficiency of Veracode on Cybersecurity Posture of an Organization
August 12, 2024

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Dynamic Analysis (DAST)
  • Developer Training
  • Reporting
  • Analytics
  • Dashboards
  • Compliance

Overall Satisfaction with Veracode

We use Veracode for performing Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) scans for all of our products. These scans help us find and address security vulnerabilities early in the Secure Development Life Cycle (SDLC) of every product. We have also automated the SAST, DAST and SCA scans by adding the Veracode scan step in our CI/CD pipelines.

Pros

  • Veracode performs Static Application Security Testing (SAST) very well by finding flaws in the code using entry points so that it tests for everything a user can interact with in the application. This approach is very helpful for avoiding a lot of false positives early on.
  • Veracode performs SCA automatically on every SAST scan, so that we don't have to manually scan the application again for SCA scans.
  • Veracode integrates very well with the ticketing tools, so that it becomes very easy to track every finding and its status within our ticketing tool.

Cons

  • Veracode sometimes marks some findings as fixed and then in subsequent scans, it reopens the finding. All of this happens even when there is no change in the source code.
  • Triaging SCA and License risk findings in the Veracode UI is very difficult when you compare it with the SAST findings. I think the "Triage Findings" UI should be the same for all types of findings for a better user experience.
  • Veracode's integration with ticketing tools is unidirectional, meaning it only syncs the status from Veracode to the ticketing tool and not the other way around. If the integration were bidirectional, triaging findings would be very convenient.

  • Positive: Scanning all our applications on Veracode provides us with an overview of the cyber security posture of the organization as a whole.
  • Positive: Performing SAST, SCA and DAST scanning for all the applications at the early stages of the SDLC helps us identify and mitigate security vulnerabilities early, reducing the risk of data breaches and cyber-attacks.
  • Negative: Sometimes the Veracode SAST scanner closes and reopens some findings, leading to reliability issues with the scanner itself.
We prefer using solutions from a single vendor if all the solutions provided are above average compared with all its competitors in the market. By using all the solutions from a single vendor, we can consolidate all the different findings onto a single pane of glass, which provides better visibility into the overall security posture of the organization as a whole.

Reporting and analytics features are crucial components of any security tool, as these provide visibility into the security posture of an organization's environment. Analytics like Compliance, Trend Analysis, Risk Management, Performance Metrics, Scan Activity and Peer Benchmarking highlight how well the organization's AppSec and Dev teams are performing.

We use all the Analytics and Reporting features of Veracode as they provide all the details that we need to secure our applications and to provide the necessary data to upper management.

We use Veracode Greenlight IDE from the very early stages, when the dev starts to write the code. Once the code is written and ready to be built, we have added Veracode scanning as a post-build step of the CI/CD pipeline. And even after the application is built and deployed, we use Veracode to scan it frequently in order to find any deployment-related security findings using the DAST scanner.

Veracode has helped a lot in securing our development process, as the Veracode Greenlight IDE helps us find security vulnerabilities at very early stages, and fixing any finding at this stage greatly reduces the cost, manual effort and the risks associated with it.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

Veracode is a very powerful tool for performing Static Application Security Testing (SAST) and Software Composition Analysis (SCA) for any application. It gives very few false positives from the get-go, so there is less work for the AppSec team in filtering out the false positives.

However, it is not very good at performing Dynamic Application Security Testing (DAST). So, it's not a one-stop scanning tool that fulfills all the needs.