My experience with Veracode
Overall Satisfaction with Veracode
* We run static scans on a regular basis (integrated in our continuous integration) on all our major branches.
* We review the Software Composition Analysis and the "Triage flaws" section on a regular basis (minimum every week).
* We run a dynamic scan before each major version release.
* Our goal is to fix all the Very high/high/medium vulnerabilities this year. We'll then look at the minor ones.
Pros
- Report generation
- Flaws description and remediation strategy
- Consultation requests
Cons
- Scan results stability: from one scan to another, additional flaws appear even though the code did not change.
- Entry points selection: hard to be sure the selection is optimal; it should be automated or hidden.
- Branches management: we currently use sandboxes to scan different branches of our software. Would be good to have real branches management.
- Adoption by developers: they are more aware of security aspects.
- Allows us to see where we are in terms of applicative security
- We're able to deliver clear security reports to our clients
Of course, it would be better to use different solutions to assess our security, but it would be more software to manage. So, I prefer to consolidate to one vendor. We don't have the resources to manage multiple tools.
Reporting: this is essential for us as we need to send reports to our clients so that they know the security level of our application.
Analytics: I haven't spent enough time so far to assess the analytics provided by Veracode. Currently we extract metrics using the Veracode API and we generate our own KPIs based on them. But this is on our side; we shall try using Veracode analytics.
* in the IDE, during dev.
* once code is pushed, in the CI.
* before delivery to generate reports.
Developers are more aware of applicative security concerns.
Veracode is integrated in our CI, but we lack the possibility to break the CI on new security flaws because we cannot use Veracode pipeline scans (timeout limit, artifact size limit...). This is for us the biggest showstopper with Veracode today.
- JFrog Security (Xray), Coverity Static Analysis (SAST) and CheckMark 1095
Mainly for reporting: Veracode reports are really comprehensive
Do you think Veracode delivers good value for the price?
Not sure
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
Yes
Did implementation of Veracode go as expected?
No
Would you buy Veracode again?
Yes
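The two workflow points raised in the review, computing KPIs from exported scan results and breaking the CI only on new flaws, can be done outside the vendor's pipeline scan once the scan results are available as data. The script below is an added example, not code from the review or from Veracode, and it does not use Veracode's real API schema: the findings format (a list of records with CWE, severity, file, function and line) and both result sets are constructed inline so it runs offline. It matches flaws across scans by (CWE, file, function) rather than by line number, which is one way to keep a flaw that merely shifted lines from being counted as "new", and it fails the build only when a new flaw reaches the chosen severity.

```python
"""Gate a CI build on *new* static-analysis flaws and derive simple KPIs.

Added example, not part of the review above and not Veracode's own code or
API schema. The findings format is an assumption: a list of dicts with the
fields a SAST tool typically exports (CWE, severity, file, function, line).
Both result sets are constructed inline so this runs offline; in practice
they would come from the scanner's export or API.
"""
from collections import Counter

# Severity scale as named in the review (Very high / high / medium / ...).
SEVERITY_RANK = {"very high": 5, "high": 4, "medium": 3, "low": 2,
                 "very low": 1, "informational": 0}

# Constructed sample: previous scan (baseline) of the same branch.
PREVIOUS_SCAN = [
    {"cwe": 89, "severity": "very high", "file": "db/query.py", "function": "find_user", "line": 42},
    {"cwe": 79, "severity": "high", "file": "web/render.py", "function": "show_profile", "line": 17},
    {"cwe": 330, "severity": "medium", "file": "auth/token.py", "function": "new_token", "line": 8},
]

# Constructed sample: current scan. The SQL injection was fixed, the XSS moved
# by a few lines (unrelated edits above it), and a new high-severity
# path-traversal flaw appeared.
CURRENT_SCAN = [
    {"cwe": 79, "severity": "high", "file": "web/render.py", "function": "show_profile", "line": 21},
    {"cwe": 330, "severity": "medium", "file": "auth/token.py", "function": "new_token", "line": 8},
    {"cwe": 22, "severity": "high", "file": "files/download.py", "function": "serve", "line": 55},
]


def flaw_key(flaw):
    """Identity used to match flaws across scans.

    Line numbers are deliberately excluded: they shift whenever code above
    the flaw changes, which would make an unchanged flaw look new.
    """
    return (flaw["cwe"], flaw["file"], flaw["function"])


def diff_scans(previous, current):
    """Return (new_flaws, fixed_flaws, unchanged_flaws) matched by flaw_key."""
    prev = {flaw_key(f): f for f in previous}
    curr = {flaw_key(f): f for f in current}
    new = [curr[k] for k in curr.keys() - prev.keys()]
    fixed = [prev[k] for k in prev.keys() - curr.keys()]
    unchanged = [curr[k] for k in curr.keys() & prev.keys()]
    return new, fixed, unchanged


def kpis(current):
    """Open-flaw counts per severity, plus the medium-and-above backlog."""
    by_sev = Counter(f["severity"] for f in current)
    backlog = sum(n for sev, n in by_sev.items()
                  if SEVERITY_RANK[sev] >= SEVERITY_RANK["medium"])
    return {"by_severity": dict(by_sev), "medium_and_above": backlog,
            "total": len(current)}


def should_break_build(new_flaws, min_severity="high"):
    """Fail the pipeline only for *new* flaws at or above min_severity.

    Pre-existing flaws stay in the tracked backlog instead of blocking every
    build; a gate that is red from day one gets ignored.
    """
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK[f["severity"]] >= threshold for f in new_flaws)


def main():
    new, fixed, unchanged = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print(f"new: {len(new)}, fixed: {len(fixed)}, unchanged: {len(unchanged)}")
    print("KPIs:", kpis(CURRENT_SCAN))
    if should_break_build(new):
        print("FAIL: new flaws at or above 'high' severity")
        raise SystemExit(1)
    print("PASS")


if __name__ == "__main__":
    main()
```

With the constructed data the gate fails the build because of the new CWE-22 flaw, while the XSS that only changed line number is reported as unchanged rather than new. Matching on more stable attributes than the line number is a cheap way to reduce the "flaws appear without a code change" noise described in the Cons, though it will still miss flaws that move between functions.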