Good SaaS service for finding security vulnerabilities in code.
September 25, 2024

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Dynamic Analysis (DAST)

Overall Satisfaction with Veracode

In my organization, Veracode is used as an enterprise mandate to scan any application or service built by the development teams before deploying it into higher or pre-production/testing environments. After the scans, the security team reviews the results to mitigate or fix the vulnerabilities found by Veracode static and dynamic scans, following the recommendations provided by the tool, such as upgrading a third-party library to a newer version flagged through SCA.

Pros

  • It is good at recommending fixes for issues with third-party dependencies used in application code, with detailed version information and knowledge of which version fixes what.
  • It has a very nice interface for triaging flaws. One can sort the vulnerabilities found in code from "very likely to be exploited" to "least likely to be exploited".
  • There is a collections feature that allows us to group application profiles belonging to the same suite of applications.

Cons

  • The Veracode CLI could be provided as a setup or installer file instead of a PowerShell command that installs it from a script.
  • There should be a copy feature that takes comments from vulnerabilities found in one application profile and imports them into the matching flaws of another application profile.
  • The automated module selection at the review step just after the upload should be better at identifying entry points and should select only custom-developed code modules instead of third-party ones (at least the common ones).

Return on Investment

  • It has a positive impact on easier PCI DSS compliance.
  • It boosts the security of any application developed in the organization, so there are fewer chances of exploits, which equals less damage to business and reputation.
  • There is no need to set up in-house scanning systems, which saves the cost of maintaining that solution, so that is another positive impact.
We are moving towards one vendor now, as it provides better management through a unified solution and helps with cost savings compared to multiple vendors. However, enterprise-wide, this will take time to implement, as a few teams are already using another platform for their needs, and the security team is trying to consolidate those.

Reporting is crucial for interpreting the results by the development teams directly working on the output of the scan results. The analysis helps project management and security teams identify potential bottlenecks and timelines to commit to leadership for the delivery of the developed applications, considering their security aspects.

Right now, my team is using it at the testing phase after development, while in parallel we are trying to introduce Veracode at earlier stages of development to make the process a bit more seamless. It is also used before production deployment to ensure nothing goes into production that doesn't pass the organization's security policies.

It has been very helpful in reporting risky libraries and third-party dependencies. These can be easily replaced with newer versions without affecting much of the application's functionality, making the development process more trustworthy in terms of security.

Sonatype only identifies and scans third-party dependencies and not custom-developed code, at least that is what it was doing back in 2018 when I used its services. Interface-wise, too, Veracode looks much cleaner and easier to navigate than Sonatype. Support and consultation, with how-to guides and documents, make Veracode easier to use.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

I wasn't involved with the implementation phase

Would you buy Veracode again?

Yes

Veracode is well suited for applications in development, which can be made more secure right from the beginning. There is an excellent extension for Visual Studio that scans code from the IDE. However, it is less appropriate for, or incompatible with, scanning SOAP or WSDL APIs. It supports only REST APIs.
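The review describes the SCA behaviour it finds most useful: a pinned third-party dependency is matched against known advisories and the tool says which newer version fixes the issue. The following is an added illustration of that matching logic, not Veracode's code and not part of the review; the advisory table, the advisory IDs (EX-...), the package names and the requirements file are all constructed sample data.

```python
"""Toy software-composition-analysis (SCA) check.

Added illustration, not Veracode's code.  It flags a pinned dependency whose
version falls inside a vulnerable range and recommends the lowest version that
is clear of every advisory for that package.  All advisories and the sample
requirements below are constructed; the EX-... identifiers are hypothetical.
"""
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    vulnerable_from: str   # first affected version (inclusive)
    fixed_in: str          # first version containing the fix (exclusive upper bound)
    advisory_id: str


# Constructed sample advisories (hypothetical IDs, not real CVEs).
# Note the overlapping ranges for example-http: 2.1.0 fixes the first issue
# but is itself inside the range of the second one.
ADVISORIES = [
    Advisory("example-http", "1.0.0", "2.1.0", "EX-2023-007"),
    Advisory("example-http", "2.0.0", "2.3.1", "EX-2024-001"),
    Advisory("example-yaml", "0.0.0", "5.4.0", "EX-2022-003"),
]

# Constructed requirements.txt-style input.
SAMPLE_REQUIREMENTS = """
# constructed sample pins
example-http==1.5.0
example-yaml==5.4.0
example-json==3.0.0
"""


def parse_requirements(text: str) -> dict:
    """Parse 'name==version' lines; comments and blank lines are skipped.

    Unpinned entries are rejected: without an exact version there is nothing
    to compare against an advisory range.
    """
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency, cannot assess: {line}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_vulnerable(version: str, adv: Advisory) -> bool:
    """True when vulnerable_from <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.vulnerable_from) <= v < parse_version(adv.fixed_in)


def recommend_upgrades(pins: dict, advisories=ADVISORIES) -> dict:
    """For each vulnerable pin, return the lowest version clear of every advisory.

    The naive answer is the highest fixed_in among the advisories that hit the
    current version, but that target must be re-checked: it may sit inside the
    range of another advisory for the same package, so keep stepping up until
    no advisory matches.  Each step strictly raises the target, so this ends.
    """
    report = {}
    for name, version in pins.items():
        same_pkg = [a for a in advisories if a.package == name]
        hits = [a for a in same_pkg if is_vulnerable(version, a)]
        if not hits:
            continue
        target = max((a.fixed_in for a in hits), key=parse_version)
        while True:
            still = [a for a in same_pkg if is_vulnerable(target, a)]
            if not still:
                break
            target = max((a.fixed_in for a in still), key=parse_version)
        report[name] = {
            "current": version,
            "upgrade_to": target,
            "advisories": sorted(a.advisory_id for a in hits),
        }
    return report


if __name__ == "__main__":
    for pkg, info in recommend_upgrades(parse_requirements(SAMPLE_REQUIREMENTS)).items():
        print(f"{pkg}: {info['current']} -> {info['upgrade_to']} ({', '.join(info['advisories'])})")
```

Running it on the constructed sample reports only example-http, recommending 2.3.1 rather than 2.1.0 because the first fixed version is itself covered by the later advisory; example-yaml at exactly 5.4.0 is not flagged because the upper bound is exclusive. Real SCA tools also handle pre-release tags, version ranges rather than exact pins, and transitive dependencies, none of which this sketch attempts.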
