Try our new research platform with insights from 80,000+ expert users
FranckGafsou - PeerSpot reviewer
Security Architect Lead at a comms service provider with 10,001+ employees
Real User
Stable solution for managing vulnerabilities and risks, but some features need to be redesigned to make them more user-friendly
Pros and Cons
  • "Stable and scalable, with good reporting features. Helps in detecting and managing vulnerabilities and risks."
  • "Some features could be improved in terms of user-friendliness."

What is our primary use case?

We use this solution because we have an important portfolio of applications, and before moving those applications to the production environment, we use the static features to scan the code: either for static analysis or for SCA (Software Composition Analysis) to find any vulnerability in our open source libraries.

How has it helped my organization?

When I started my job, this solution was already deployed, so I cannot compare it to how our company was prior to its deployment, but Veracode Static Analysis is a very good tool for static analysis and SCA. It not the only one in the market, but I would recommend it.

What is most valuable?

There are several features which I found most valuable in Veracode Static Analysis. First, it has a user-friendly interface, so it is easy to use.

I also found its reporting features interesting because they give you visibility on the vulnerabilities and the associated risks.

The feature of scanning open source dependencies for vulnerabilities is also very interesting. You have a dependency graph which shows you how your libraries are embedded within your code, so you can also see what kind of dependencies you have from one library to another. This means if you need to upgrade to a free vulnerability version, you can assess the impact on other libraries as well.

There is also a feature that enables you to build your own dashboard. For example, if you want to query the database that is supporting the platform, you can build your own dashboard with some indicators regarding the vulnerabilities, your portfolio, or you can look for a specific type of library or a specific type of risk, and that's interesting when you want to have visibility on your key item. I use this feature often.

What needs improvement?

This solution has a clear interface, but there are times when you go to the menu of a scan, you have to open another page for the project, or if you need to link, you also have to link your scan to a specific project. Some people find it difficult to understand those different screens and menus.

When you want to retrieve specific information about the projects that are linked to your scan, it's not easy. Those pages need to be redesigned.

I also don't understand Veracode workspaces. Other people also find that feature difficult to understand.

Those are the features that Veracode needs to redesign.

Buyer's Guide
Veracode
November 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.

For how long have I used the solution?

I've been using Veracode Static Analysis for more than one year.

What do I think about the stability of the solution?

This product is stable. We only encountered a bug which affected the results, but it was just once in a year, so this solution is stable.

What do I think about the scalability of the solution?

I was not involved in any scalability issues or concerns with Veracode Static Analysis. The scalability requirements for this solution would be easily met because it's a SaaS application, so it's supposed to be very scalable for customer needs. I would not expect much trouble regarding its scalability.

How are customer service and support?

Technical support for this solution is good. Whenever we face an issue, we schedule a consultation with them. We had the opportunity to have a slot four or five days after scheduling. Their SLA is good, but sometimes I would expect a more proactive support, or support with more availability. If we are facing an urgent issue, waiting four or five days is long. I would expect a more proactive support, but when we talk to them, in general, they provided the answers we expected.

I'm rating their support a seven out of ten.

Which solution did I use previously and why did I switch?

Prior to Veracode Static Analysis, the company was using the Black Duck solution. The reason for switching could be to have a SaaS-based solution, though I am unsure if Black Duck was an on-premises or a SAAS-based solution.

Veracode has a good recommendation and good scoring, so it was the opportunity to move to a more powerful solution with DAST, SAS, and SCA capabilities.

Since this solution also has DAST capabilities, with the midterm or long-term projects, it was expected to unify all those capabilities within one platform. It's more of a strategic reason why the company switched to Veracode Static Analysis.

Which other solutions did I evaluate?

We evaluated AppScan from HCL.

What other advice do I have?

Veracode Static Analysis isn't deployed on-premises. It's a SaaS offering.

We are using Veracode Static Analysis for static analysis and SCA, and there is also a need for the DAST module for dynamic scanning. We are considering running a POC for this solution, but I don't have any other updates for the time being. I know its DAST features would also be useful.

We are currently using HCL AppScan for SAST, and because we are not very satisfied with that product, we are considering using Veracode Static Analysis for DAST.

A lot of people are using Veracode Static Analysis in our company, approximately 300 or 400 people: development team leaders, developers, and people who are very tech-savvy and using all their time to develop applications and new programs.

I don't have pricing insight for this solution. I was not involved in the project before this was deployed. I just read in forums that the price for Veracode Static Analysis is high, but I cannot provide any specific insight.

What I can tell others who are looking into implementing Veracode Static Analysis is that it is a platform that provides good features. Its reporting capabilities are interesting, and overall the platform gives high quality results. You can manage your vulnerabilities and your risks quite easily, and define your own mitigation strategies within the platform.

I'm rating this solution a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1526550 - PeerSpot reviewer
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Real User
Fabulous support, good user management, good scalability, and good security
Pros and Cons
  • "It is a cloud-based platform, so every organization or every security team in the organization is concerned about uploading their code because ultimately the code is intellectual property. The most useful thing about Veracode is that if you want to upload the code, they accept only byte code. They do not accept the plain source code as an input. The code is converted into binary code, and it is uploaded to Veracode. So, it is quite secure. It also has the automation feature where you can integrate security during the initial stages of your software development life cycle. It is pretty much easy with Veracode. Veracode provides integration with multiple tools and platforms, such as Visual Studio, Java, and Eclipse. Developers can integrate with those tools by using Jenkins. The security consultation or the support that they provide is also really good. Its user management is also good. You can restrict the users for a particular application so that only certain developers will be able to see the code that has been scanned. Their reporting model is really good. For each customer, they provide a program manager. Every quarter, they have their reviews about how much it has scanned. They also ensure that the tool has been used efficiently."
  • "There are few languages that take time for scanning. It covers the majority of languages from C to Scala, but it doesn't support certain languages and the newer versions of certain languages. For example, it doesn't support SAP and new JavaScript frameworks such as Node.js and React JS. They can include support for these. If you go to their website, you can see the list of languages that are currently supported. The false-positive rates are also something they can work on."

What is our primary use case?

In my previous organization, we used to use Veracode throughout all verticals. It is a cloud-based platform, and you need to upload the code for static analysis. The code has to be uploaded as per the compilation guide provided by Veracode. So, for different languages, you have to combine the code as per the instructions in the guide.

We used to own and manage the platform. We also used to manage the users. If there was a particular project team that needed to use Veracode to do their code scan, they used to approach us. We used to create the user accounts for them so that user accounts were limited to just the code. We also used to guide and train them on how to upload the code on Veracode, how to combine the code, and how to initiate the scan. After the scan is completed, we used to tell them and guide them about how to treat the vulnerabilities in that code, how to fix and mitigate them, and what's the next process. Apart from that, we used to create a project team to build their CI/CD pipeline, where we used to create DevSecOps automation.

What is most valuable?

It is a cloud-based platform, so every organization or every security team in the organization is concerned about uploading their code because ultimately the code is intellectual property. The most useful thing about Veracode is that if you want to upload the code, they accept only byte code. They do not accept the plain source code as an input. The code is converted into binary code, and it is uploaded to Veracode. So, it is quite secure. It also has the automation feature where you can integrate security during the initial stages of your software development life cycle.

Veracode provides integration with multiple tools and platforms, such as Visual Studio, Java, and Eclipse. Developers can integrate with those tools by using Jenkins. The security consultation or the support that they provide is also really good.

Its user management is also good. You can restrict the users for a particular application so that only certain developers will be able to see the code that has been scanned. 

Their reporting model is really good. For each customer, they provide a program manager. Every quarter, they have their reviews about how much it has scanned. They also ensure that the tool has been used efficiently. 

What needs improvement?

There are few languages that take time for scanning. It covers the majority of languages from C to Scala, but it doesn't support certain languages and the newer versions of certain languages. For example, it doesn't support SAP and new JavaScript frameworks such as Node.js and React JS. They can include support for these. If you go to their website, you can see the list of languages that are currently supported.

The false-positive rates are also something they can work on.

For how long have I used the solution?

I have been using Veracode for the last four years.

What do I think about the stability of the solution?

From my perspective, it is really good. It is one of the best SaaS solutions that I have come across. Veracode is also a leader in Gartner Quadrant.

What do I think about the scalability of the solution?

It is pretty good in terms of scalability. There are many users of this solution. There are also many customers of Veracode. We had around 1,000 plus users.

How are customer service and technical support?

The support that Veracode provides is really fabulous. They are very responsive. They provide you with a thorough analysis. If you have any questions or doubts, they help to clear them in a very simple manner.

Which solution did I use previously and why did I switch?

I've used Checkmarx and HPE Fortify. Now, I am using Micro Focus. As compared to Veracode, Checkmarx takes input as plain text. It takes the code as it is and does not compile the code. This is the main difference between Checkmarx and Veracode. Checkmarx also has an on-prem solution, but Veracode does not have an on-prem solution. 

There is also a major difference in the cost and licensing model. Veracode's license model is quite complex. Comparatively, Checkmarx's license model is straightforward. You can upload any amount of code. For example, it could be 1 Gig or 2 Gig. They charge based on the number of applications, but Veracode's licensing model is pretty different. They charge based on the amount of code that has been analyzed.

How was the initial setup?

It is pretty much straightforward. It is a cloud-based solution. So, creating a user in Veracode is pretty much easy. It involves just a few clicks. Uploading the code is also pretty much easy. It is user-friendly and developer-friendly.

What about the implementation team?

When I used to maintain this for 1,000 developers, two or three people were enough to maintain it.

What's my experience with pricing, setup cost, and licensing?

Veracode is costly. They have different license models for different customers. What we had was based on the amount of code that has been analyzed. The license that we had was capped to a certain amount, for example, 5 Gig. There would be an extra charge for anything above 5 Gig.

What other advice do I have?

Veracode is well-suited for modern programming languages. Veracode is not for scanning large legacy applications with a huge codebase. It also doesn't support some unique languages such as SAP. This could be a challenge for certain people. 

More organizations are taking the left shift approach for application security and trying to integrate security early into their software development life cycle. Veracode is good for such automation.

I would rate Veracode Static Analysis a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Veracode
November 2024
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.
Senior Director, Quality Engineering at a tech services company with 1,001-5,000 employees
Real User
Good scan performance and visualization facilitates compliance and improves code quality
Pros and Cons
  • "The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities."
  • "Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues."

What is our primary use case?

We introduced SCA scanning to satisfy customer-requested open-source library scans as part of a contractional agreement. This led to expanding SCA scanning across our other applications to compliment SAST/DAST application scanning.

We knew we had a technical debt from not updating open-source libraries for years, and were not aware of the vulnerabilities in these libraries at the time. SCA scanning is now a first-class scan component of our current practices and included in our external security audits going forward.

How has it helped my organization?

Veracode SCA enables awareness of open-source library vulnerabilities and versions to upgrade and eliminate these problems. It links to SWE flaws and provides guidance on remediation.

The nature of discovering a vulnerability included in many places of the application code base makes initial findings look overwhelming. However, we found more the 80% of the time, simply updating the build project configuration to include new versions, rebuild, and rescan, resolved the vulnerability finding.

The remaining ~20% of findings required refactoring for deprecated methods or a shift in usage model to update to a newer version.

What is most valuable?

Multiple "Policy" profiles can be created to apply differently to different classifications of applications that include grace periods per severity. I find this a great way to manage team expectations and regulatory compliance on a per-scan and time-period cycle, leading to self-service compliance remediation.

The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities.

The Vulnerable Methods feature helps with sorting through those vulnerabilities that matter to my application codebase.

What needs improvement?

Three areas that we continue to struggle with are

  1. Identifying and flagging false positives that reappear in other locations, where a rule that can catch other occurrences such that we don't have to repeat the override each time would help in productivity, and 
  2. Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues,
  3. Add enterprise aggregate reporting, showing teams grouped in business units with trends per team and at the group level that can be sent by email as a digest with drill-in back to the dashboard.

For how long have I used the solution?

We have been using SCA for one and a half years and SAST/DAST for two and a half years.

What do I think about the stability of the solution?

Scanning is reasonably consistent and reliable. Occasionally, a scan will fail or get stuck with a defect in the scanner or some unsupported implementation requiring escalation to Veracode to fix or work-around. 

What do I think about the scalability of the solution?

Platform scan performance has improved over the years. Refrain from putting too much in your application package for scanning such that you keep a reasonably short scan time.

Veracode needs a more standard microservice pricing strategy such that optimizing SaaS solutions into microservices from monolith applications is not penalized. 

How are customer service and technical support?

Technical support was difficult at times due to off-shore support that seemed to be reading from a script and not really understanding our issue. The time delays in response with the off-shore team and language concerns made resolving issues painful at times.

As we grew, we were assigned a local Security Program Manager as a point person for all escalations and that made all the difference. Our escalations are now taken seriously, with a consultation of the issue and swift resolution if warranted.

Which solution did I use previously and why did I switch?

We previously use WhiteSource open-source scanning and switched to Veracode for consolidation of scanning tools with one vendor dashboard.

How was the initial setup?

The initial setup for manual scan uploads is straightforward. Pipeline uploads can take some effort to get to work right. Setting up policy rules and charts for results is reasonably easy.

What about the implementation team?

We implemented it through an in-house team. This a Quality Engineering Shared Service team with a part-time custodian that performs other roles, as well. We found the need to have a designated custodian per application scrum team to assure scans capability, and the scan frequency for that team is maintained, escalating any issue to the shared service team and/or Veracode directly, and for shepherding vulnerabilities through the backlog routinely.

What was our ROI?

We feel that security scanning is a necessary cost of doing business, especially with FedRAMP and other prescriptive certifications. The effort we put into scanning keeps our applications healthier with higher quality confidence.

When our scan pipelines work as intended, there is little human capital cost. If there are problems with the scan pipelines and/or scan results then this can become time-consuming to address.

What's my experience with pricing, setup cost, and licensing?

The Veracode price model is based on application profiles, which is how you package your components for scanning. Veracode recently included SCA pricing and support pricing as a factor of the SAST scan count cost. When using microservices, you may need to negotiate pricing based on actual application counts where microservices are usually a portion of an application.

Which other solutions did I evaluate?

Synopsis and Checkmarx were explored for SAST/DAST scanning in 2017, prior to the use of SCA.

What other advice do I have?

Veracode has evolved to be a good partner, overall, in working through our learning needs and problem escalations. There are layers of training and consultation available, as well as recurring support engagements if the enterprise scanning needs warrant it.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer1360617 - PeerSpot reviewer
Sr. Security Architect at a financial services firm with 10,001+ employees
Real User
Gave us much higher quality dynamic scanning with very few false positives and a robust static scanning solution
Pros and Cons
  • "Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
  • "One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."

What is our primary use case?

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

How has it helped my organization?

Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.  

Our Veracode license includes a "people component" that allows developers to request an in-person session to be scheduled to review a defect. This has helped our application security personnel pool to free up time for other pursuits. I'm not sure if this is included in all licenses or is an add-on.

What is most valuable?

Being cloud-based is a huge plus. All of our scans are always using up-to-date scan signatures and rules, and there is nothing for us to maintain.  Veracode has been spot-on with notifying about planned downtimes for maintenance and upgrades.  In my years of using the product, unplanned downtimes have been minimal (in fact I can't remember one.)

The API integration that allows integration with other tools, such as defect trackers and automated build tools, is also a benefit. We also like the integrated, available "in-person" support sessions to review and ask questions on discovered defects.

What needs improvement?

We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen.  This ended up being relatively minor.  

One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive. 

Separately, I find the results console somewhat confusing.  When you are running multiple scan types for the same application, I've sometimes found it difficult to sort out where issues came from when I need that information.

For how long have I used the solution?

We have been using Veracode for over four years.

What do I think about the stability of the solution?

Our solution is highly stable with minimal downtimes.  (In fact I don't recall the last time there was an unplanned Veracode cloud outage that impacted us.)  We previously had occasional issues with the scan appliance model, but the relatively recent switch to the ISM model has been much more stable.

What do I think about the scalability of the solution?

Given that is is cloud based, coupled with their newer app-based internal scan model, we are pleased with the scalability and have not experienced any issues with scale.

How are customer service and technical support?

As mentioned in prior comments, Veracode is simply put our best vendor in terms of relationship, value-add, and customer service/technical support. We get responsive answers from support, and their support resources clearly understand the product, and issues are resolved quickly.

Which solution did I use previously and why did I switch?

Yes. We used a legacy, heavyweight dynamic scanning product. It would produce hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune. We also didn't have a static scanning product. Moving to Veracode gave us much higher quality dynamic scanning with very few false positives (in part due to their model of human-assisted tuning, provided by them) and a robust static scanning solution.

How was the initial setup?

The setup was easy and straight forward. We had some issues with API calls from our build automation tools, but this was related to networking issues in reaching the Veracode servers on the Internet, not the Veracode product itself.

What about the implementation team?

We implemented with all in-house resources.

What was our ROI?

We achieve greatly improved security, earlier detection of security defects in the lifecycle, and as well as neatly meeting compliance requirements.

What's my experience with pricing, setup cost, and licensing?

For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.

Which other solutions did I evaluate?

Checkmarx and SonarQube.

What other advice do I have?

Of all the tools vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Sr Director at a non-profit with 51-200 employees
Real User
Stable with good technical support and a moderately easy implementation process
Pros and Cons
  • "The solution is stable. we've never had any issues surrounding its stability."
  • "The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified."

What is our primary use case?

The primary use case was scanning a single-digit number of applications. We scanned them about twice a year and that's about it. It was just to get the results. We used the results to gauge our security health.

What is most valuable?

The feature that was most valuable to us was the ability to point locally in a quorum.

What needs improvement?

The cost of the solution is a little bit expensive. Expensive in the sense that there was a hundred percent increase in cost from last year to this year, which is certainly not justified. 

The solution needs to be more flexible. It needs to work with clients more effectively. 

Right now, the licensing model is based on the number of applications as opposed to being flexible and based on the number of developers or based on some other parameters. This constrains our company in terms of defining what an application is and doing the scans. We have an application with multiple deposit rates, but Veracode has a hard time recognizing the different components sitting in different depositories as one application. 

The solution is pretty similar to others. There wasn't anything that was so startlingly different it would make us want to stay.

For how long have I used the solution?

I had been using the solution for a while, but I am currently in the process of moving off of it.

What do I think about the stability of the solution?

The solution is stable. we've never had any issues surrounding its stability.

What do I think about the scalability of the solution?

There's nothing to scale. Asking if the solution is scalable or not isn't applicable in this case. It's not an active load balancer. It's just a static scan. If it was dynamic, there may be a question around scalability, but it is not.

How are customer service and technical support?

Technical support team is quite good. However, if we're talking in terms of how Veracode recognizes clients and deals with them, I'd rate them as bad.

Which solution did I use previously and why did I switch?

We did not previously use a different solution. We've only used Veracode.

How was the initial setup?

The initial setup has a moderate level of difficulty. It's neither simple or complex.

What about the implementation team?

We handled the implementation ourselves.

What's my experience with pricing, setup cost, and licensing?

The solution recently doubled in price over the past year, which is why I've decided to move away from it. The price jump doesn't make sense. It's not like there was a sudden influx in new features or advancements.

Without getting too specific, I'd say the average yearly cost is around $50,000. The costs include licensing and maintenance support.

What other advice do I have?

I handle software composition analysis. Currently, I'm moving away from Veracode.

I don't know which version of the solution I am using currently. It's not quite the most up-to-date version.

If a company is looking for a long-term partner, and not just a transactional solution, I'd suggest a different company.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Development Manager at a computer software company with 1,001-5,000 employees
Real User
Significantly improves our productivity, helps us in complying with our security policy, and reports all necessary vulnerabilities
Pros and Cons
  • "Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us."
  • "The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it."

What is our primary use case?

At this moment in time, in my project, we are mostly using Static Analysis from Veracode. We automated it and added it as a step to our daily pipeline. We also tried using the pipeline plugin from Veracode that gives an immediate evaluation of your code. We're also using agent-based Software Composition Analysis. I have not exactly used it in my project, but I participated in investigating it and setting it up.

I know two flavors of doing Software Composition Analysis. The first one is a part of a daily static scan where you're uploading all your third-party libraries. The second one is by using agent-based, which gives more reporting capabilities but not doesn't affect policy scans, etc. We use both of them.

We use Software Composition Analysis as a part of our daily build pipeline, so we use Jenkins Plugin from Veracode. Every night, we upload our sources to the Veracode platform. In the morning, we receive results of Static Code Analysis and Software Composition Analysis. 

How has it helped my organization?

We are able to receive results for vulnerabilities in other libraries. We can then react to it and fix our code and those dependencies.

We do have a policy in regards to security. As a part of that policy, we cannot have very high-end issues. Usually, when you change third-party libraries, you need to do some level of regression testing. Our release cycle is long, and it could be half a year between releases or sometimes even more. By using Software Composition Analysis, we're checking our sources on a regular basis, and if needed, we change our libraries in our code, So, we are checking and mitigating any vulnerabilities if they are not applicable to our solution.

We use static scanning. This is the main use of Veracode for us. We package our application every day and send it to Veracode. We receive static code analysis results and also the software composition analysis results every day because the first focus for us is on quality improvement. The security improvement is definitely static scanning. We do have a process for analyzing and mitigating results around this static scanning. So far, we have been able to comply with our internal policy. At this moment in time, we are at the stage of releasing our product, and according to our internal policy, certain important issues from 2017 had to be addressed and fixed.

Veracode gives the possibility to find different vulnerabilities and flaws in code, and it also makes things relatively easy because everything is automated. Implementing such a high-quality tool like Veracode, immediately made us aware of a lot of issues, but the volume of issues that we had to address was really high. The support from top management made it easy to fix the issues that Veracode identified in the product that has a long history of more than 20 years. Without the support of higher management in organizing and defining a process of fixing those issues, it wouldn't have been possible to fix all those issues. We took the reports received from Veracode, planned our activities, reviewed everything, and started acting on it as a result. The new release that we have is according to our policy, which is an important thing for us.

It definitely helps in reducing the risk of a security breach, which is rather important for us for providing our customers with a secure product. Among our customers, there are a lot of big companies that take security seriously. So, for us, it is really important. The fact that we have executive sponsorship shows that security is very important for our management. This initiative started because we're treating security really seriously.

It is improving our productivity significantly. We just finished a big chunk of results processing, and we are still in the process of setting up our processes. When you're first doing that scan with Veracode, you receive a bunch of results and an overwhelming amount of flaws in your code. All those results need to be investigated. For some of them, it is sufficient to have mitigations, but some of them need to be fixed. We just finished those fixes, and there were a significant amount of security findings from Veracode.

What is most valuable?

Considering that in my project, we are mostly using Software Composition Analysis as a part of Static Code Analysis, for me, the main part is reporting and highlighting necessary vulnerabilities. Veracode platform has a rather good database of different vulnerabilities in different libraries and different sources. So, finding vulnerabilities in third-party libraries is the main feature of Software Composition Analysis that we use. It is the most important feature for us.

What needs improvement?

The results of agent-based software composition analysis are not connected to policy scanning. So, for me, the only thing that Veracode can improve in Software Composition Analysis is to connect it with the policy scan because, at present, it is a bit inconvenient for those in our organization who use agent-based Software Composition Analysis. In the end, they need to make a static scan with all those libraries in order to receive that report. If Veracode implemented a connection between agent-based static scan and static scanning itself, it would be great because it would lead to fewer operations in order to prepare release documentation and release reporting from Veracode. We recently had a conversation with Veracode about it.

For how long have I used the solution?

I believe it has been about two years because Software Composition Analysis is a part of the policy scan, and our journey with Veracode has been for about two years.

What do I think about the stability of the solution?

It is stable. I didn't feel that many problems with it. We did have a few glitches with the platform, but they were not that many. So, I can say that it is stable.

What do I think about the scalability of the solution?

I can't say anything about the scalability of this solution because we are not bothered about keeping its infrastructure up and running. We use Veracode Cloud, and we are not supporting or deploying it. It is just a service for us, and we consider it as a service. We submit the information and receive reports back from that solution.

In our project, every night, we are currently scanning our development branch and three versions of our releases. We have four applications, and I believe that from my team, at least 15 scans happen every night. We have a partnership with another company that provides a part of our functionality. They provide releases to us to embed in our solution. We also do the scanning for their part and inform them about the issues that we've found.

We will increase the number of scanned versions because with each and every release, during the support period, we're supporting versions of our product, and we're also fixing the security stuff. We will be increasing the volume of scans, but it will come to a logical point. When a version is no longer supported, we will definitely remove it from Veracode. So, all in all, at any moment in time, I foresee four or maybe five versions to support multiplied by four applications. There is also a development branch for each application, so there will be around 20-25 automated scans per night.

How are customer service and support?

I am very pleased with the Veracode support because so far, there were no issues where they were not able to help us. Sometimes, in our questions to Veracode, we ask about the deep aspects of functionality, and so far, we've received answers for all those questions, and they were mostly good. I would rate them a nine out of 10 just because I didn't like some of their answers. Because of our approach of having each version as a separate sandbox in Veracode, we had questions about the consistency of results between different sandboxes, but then we realized that these are peculiarities of the platform. It is nothing serious or special. It was mostly related to our expectations from those algorithms, but it actually works perfectly. I can give a 10 for Veracode's support, but then they will have no growth to improve.

How was the initial setup?

It was pretty straightforward. The problem that we had was mostly about our solution's architecture because the solution itself is big and heterogeneous. Some parts or regions are using the Java platform, and some parts are in the .NET code. The main problem was to correctly build our solution for Veracode. This was the only challenge. Veracode provided us with good functionality with their Jenkins Plugin that made it possible for us to automate our daily development. So, the main problem for us was mostly related to properly building our solution and using it in Veracode. It was pretty straightforward. There was nothing complex, but it needed some work from our side.

The strategy for Veracode implementation was pretty straightforward. From the very beginning, we stuck to the idea that it should be automated because all modern DevOps practices and approaches, such as Infrastructure as a Code, are widely used in our company. So, from the very beginning, we decided that it should be coded, and it should be stored in source control and uploaded. Veracode became a part of our process of everyday deployment, and it was a part of our strategy to make it a part of our life and use it as much as we can.

The number of people involved depended on the stage. At the initial stage, when we were evaluating it, there were somewhere around six or seven people who were making the decision of buying Veracode and other stuff. We have different companies and products inside our organization, and each and every product team is responsible for implementing it. We were the pioneers in using the solution from Veracode, and later on, it spread out to other projects. Now, we're acquiring additional licenses and so on. We planned everything with the help of the developer team. We follow the agile approach in our development, so everything was planned. User stories were created, and we just acted on them.

Which other solutions did I evaluate?

I participated in the review of tools. We reviewed not only Veracode. There were also other candidates for our main tool for static scan and software composition analysis. So, I have been involved in all activities around Veracode from the very beginning. What I liked about Veracode is that it is not just one product. It is a big ecosystem. It even has integration with Visual Studio, etc. First of all, we took a look at the scope of scanning. We compared the results of scanning and the functionality. Veracode had really great reporting functionality. In the end, we came up with the conclusion that Veracode fits best to our needs, and I believe we were right.

What other advice do I have?

My advice would be to adopt Veracode to serve your processes. I believe that the processes inside the company shouldn't be changed significantly with the introduction of new tools. Definitely, for each and every new tool, you need to build some process around usage in terms of administration and control. Veracode has a relatively big ecosystem of tools, which is a big advantage, and my advice would be to check all those tools and see how they can fit into your process, and how they can improve them. There are a lot of options and a lot of tools provided by Veracode that can fit each and every process. Whether you are using a waterfall process or DevOps practices in your organization, with Veracode, you can add necessary steps to your process without making significant changes in the processes that you have.

We take security seriously, and Veracode is not the only thing that we have for security. We do manual penetration testing to security test our applications. We also have some dynamic scanning. We follow some practices while engineering and architecting our solutions. At each and every step, we are trying to cover our solution with the necessary security testing activities or security design principles. Veracode is a big part of our security, but it is not the only one. We are fixing all issues, especially those that are non-compliant with our policy.

We don't use any connections with Software Composition Analysis. It is a separate product in the ecosystem that makes it possible for you to deeply scan your third-party libraries. This is the only way we use it. 

In terms of Veracode SCA reducing our overall scan times, I believe that it is not applicable at this point. In the case of agent-based scanning, the situation that we recently had has shown that you cannot fully substitute Software Composition Analysis from a static scan with agent-based. That's because, in the end, documents that you provide together with the release are the policy scan results generated by static scan. You can reduce the amount of time for your scanning, but in the end, you need at least one scan where you will figure out all third-party states as a part of the policy scan report. You cannot use only agent-based Software Composition Analysis because they are two separate sources of information. We can use Software Composition Analysis and then somehow merge results from two sources in one document for it, which is inconvenient. We are having nightly builds for Veracode, and it doesn't matter to us whether it takes more than 30 minutes or less than 30 minutes. We haven't measured the time, but with the approach that we have set in our company, we can leave it for longer time periods, and after nightly build, everything is okay for us. So, Jenkins just does its job of uploading, and no one monitors it. We are just monitoring that the jobs are stable and results are available. Considering that we're doing it at night, it is not that important for us for how long it runs.

It hasn't exactly increased our fix rate because it is not about our code. It is about the third-party code. We definitely have to mitigate, and sometimes, we have to change libraries to a newer version, so it somehow affects our fix rate, but mostly, the static scan affects our fix rate because it shows flaws in our code. So, I don't see any significant improvement with Veracode Software Composition Analysis in terms of our fix rate. I don't see a direct relationship between Veracode Software Composition Analysis and our fix rate, whereas Static Analysis works and gives us the necessary results and plans for fixing and doing our next steps in security.

It has not yet helped our company with certification and audits. We haven't yet shared those green results with our customers, and we didn't have any certifications the last time.

I would rate Veracode Software Composition Analysis a nine out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Principle Consultant at a tech services company with 11-50 employees
Consultant
Provides extensive guidance for writing secure code and pointing to vulnerable open source libraries
Pros and Cons
  • "Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code."
  • "Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of the false positive, it would be highly desirable if the false positive don't show up again on the UI, instead still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided."

What is our primary use case?

Software Composition Analysis (SCA) is used to detect vulnerabilities in open source libraries, which are used by our customers for their own product. 

We are a consulting company who provides consulting services to clients. We don't buy the software for our own internal use. However, we advise customers about which solutions will fit their environment.

Most of our clients use SCA for cloud applications. 

How has it helped my organization?

For application security, the SCA product from Veracode is a good solution. It has a good balance. Altogether, the balance between the outcome of the tool, the speed of the tool, and its cost make it a good choice. 

One of the reasons why we recommend Veracode because it is very important in that SAST and SCA tools, independently from the vendor, should work seamlessly within the build pipeline. Veracode does a good job in this respect.

In this day and age, all software is developed using a large amount of open source libraries. It is kind of unavoidable. Any product application has a lot of embedded libraries. In our experience, many times customers don't realize that it is not just a code that can be vulnerable, but also an open source library that they may take for granted. In many ways, this has been a learning experience for the customers to understand that there are other components to open source libraries, and that SCA is an invaluable tool to address those issues.

What is most valuable?

SCA provides guidance for fixing vulnerabilities. It provides extensive guidance for both writing secure code and pointing to vulnerable open source libraries are being used.

From the time it takes for the solution to detect a vulnerability, both in the source code and the open source library, it is efficient. 

Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code. 

The Static Analysis Pipeline Scan is faster than the traditional scan that Veracode has. All Veracode products are fast. I have no complaints. On average, a piece of code for a customer takes 15 to 20 minutes to build versus the Static Analysis Pipeline Scan of Veracode that takes three or four minutes. So, that is 20 to 30 percent of the total time, which is fairly fast.

What needs improvement?

Most of our time is spent configuring the SAST and SCA tools. I would consider that one of the weak points of the product. Otherwise, once the product is set up on the computer, it is fairly fast.

Like many tools, Veracode has a good number of false positives. However, there are no tools at this point in the market that they can understand the scope of an application. For example, if I have an application with only internal APIs and no UI, Veracode can detect that. It might detect that the HTML bodies of the requests are not sanitized, so it would then be prone to cross-site injections and SQL injections. But, in reality, that is a false positive. It will be almost impossible for a tool to understand the scope unless we start using machine learning and AI. So, it's inevitable at this point that there are false positives. Obviously, that doesn't make the developers happy, but I don't think there is another way around this, but it is not just because of Veracode. It's just the nature of the problem, which cannot be solved with current technologies. 

Once we explain to the developers why there are false positives, they understand. In Veracode, embedded features (where there are false positives) can be flagged as such. So, next time that they run the same scan, the same "vulnerability" will be still flagged as a false positive. Therefore, it's not that bad from that point of view.

Veracode has a few shortcomings in terms of how they handle certain components of the UI. For example, in the case of the false positive, it would be highly desirable if the false positive don't show up again on the UI, instead still showing up for any subsequent scan as a false positive. There is a little bit of cluttering that could be avoided. However, that is not necessarily a shortcoming of the product. I think it's more of a shortcoming of the UI. It's just the way it's visualized. However, going forward, I personally don't want to see any more vulnerabilities that I already flagged as a false positive.

It does take some time to understand the way the product works and be able to configure it properly. Veracode is aware of that. Because the SCA tools are actually a company that they acquired, SourceClear, the SCA tool and SAST tool are not completely integrated at this point. You are still dealing with two separate products, which can cause some headaches. I did have a conversation with the Veracode development team not too long ago where I voiced my concerns. They acknowledged that they're working on this and are aware of it. Developers have limited amounts of time dedicated to learning how to use a tool. So, they need quite a bit of help, especially when we're talking about this type of integration between the SAST and SCA. I would really like to see better integration between the SAST and SCA.

For how long have I used the solution?

I have been using it for almost a year.

What do I think about the stability of the solution?

It is stable. One of the selling points is that it is a cloud solution. The maintenance is more about integrating Veracode into the pipeline. There is a first-time effort, then you can pretty much reproduce the same pipeline code for all the development teams. At that point, once everything runs in the pipeline, I think the maintenance is minimal.

What do I think about the scalability of the solution?

We have deployed the solution to FinTech or technology medium-sized companies with more than 100 employees.

How are customer service and technical support?

Their technical support is less than stellar. They have essentially two tiers: the technical support and the consulting support. With the consulting support, you have the opportunity to talk to people who have intimate knowledge of the product, but this usually takes a bit of effort so customers still like to go through the initial technical support that is less than stellar. We rarely get an answer from the technical support. They seem a lot more like they are the first line of defense or help. But, in reality, they are not very helpful. Until we get to the second level, we can't accomplish anything. This is another complaint that I have brought up to Veracode.

Which solution did I use previously and why did I switch?

One of the reasons why we decided on Veracode is because they have an integrated solution of SAST and SCA within the same platform. Instead of relying upon two different, separate products, the attraction of using a Veracode was that we could use one platform to cover SAST and SCA. 

How was the initial setup?

The SAST tool is pretty straightforward; there is very little complexity. The pipeline works very well. The SCA tool is more complex to set up, and it doesn't integrate very well with the SAST tool. At the end of the day, you have essentially two separate products with two separate setups. Also, you have two different reports because the report integration is not quite there. However, I'm hopeful that they are going to fix that soon. They acquired SourceClear less than two years ago, so they are still going through growing pains of integrating these two products.

The setting up of the pipeline is fairly straightforward. It works a lot of the main languages, like Java, Python, etc. We have deployed it across several development teams. Once we create a pipeline and hand the code to the developers, they have been able to make a little adjustment here or there, then it worked.

What about the implementation team?

For both SCA and SAST tools, including documentation, providing the code, writing the code for the pipeline, and giving some training to the developers, a deployment can take us close to two weeks. 

Deploying automated process tools, like Veracode, Qualys, and Checkmarx, does take more effort than uploading the code manually each time.

What was our ROI?

As long as developers use the tool and Veracode consistently, that can reduce the cost of penetration testing.

What's my experience with pricing, setup cost, and licensing?

Checkmarx is a very good solution and probably a better solution than Veracode, but it costs four times as much as Veracode. You need an entire team to maintain Checkmarx. You also need on-premise servers. So, it is a solution more for an enterprise customer. If you have a small- to medium-sized company, Checkmarx is very hard to use, because it takes so many resources. From this point of view, I would certainly recommend for now, Veracode for small- to medium-sized businesses. 

Compared to other similar products, the licensing and pricing are definitely competitive. If you see Checkmarx as the market leader, then we are talking about Veracode being a fraction of the cost. You also have to consider your hidden costs: you need a team to maintain it, a server, and resources. From that point of view, Veracode is great because the cost is really a fraction of many competitors. 

Veracode provides a very good balance between a working solution and cost.

Which other solutions did I evaluate?

There are other products in the market. However, some of those products are extremely expensive or require a larger team to support them. Often, they have to be installed on-prem. Veracode is a bit more appealing for our organizations who don't have larger AppSec teams or where budget is a constraint. In this respect, SCA is a good solution.

We have been using Checkmarx for years, but mainly for their on-prem solution. They do have an offering in the cloud, but we haven't done any side-by-side tests in respect to speed. We did do a side-by-side comparison between Veracode and Checkmarx two or three years ago from a technical ability standpoint. At that time, Checkmarx came in a bit ahead of Veracode.

Checkmarx is more complex to set up because it is on-prem with multiple servers as well as there are a lot of things going up. If you have a larger budget and team, look into Checkmarx because it is a market leader. However, when it comes to a price, I would choose Veracode for a smaller company, not a large enterprise. 

Another consideration for Checkmarx, as an on-prem solution, is that you are pretty much ascertained that your code doesn't leave your company. With companies like Veracode, even if they are saying that you only upload the binary code, that's not quite true. The binary code can be reverse-engineered and the source code can be essentially reconstructed. For example, Veracode would not be suitable for a government agency or a government consultancy. 

For DAST, our customers like to use Qualys Web Application Scanning. There are very few players out there that can test APIs, but Qualys is one of them. 

Another promising solution that allows for testing APIs is Wallarm. We have done a couple of PoCs with them.

We tested Black Duck a few years ago, but they only had a SCA solution. They didn't have a SAST solution. I think they do now have a SAST solution because they acquired another company, Fujita.

What other advice do I have?

I don't think that Veracode has helped developers with security training, but it helps developers have a reality check on the code that they write and their open source library. That is the best value that developers can get from the product. 

Veracode products can be run as part of the development pipeline. That is also valuable.

It integrates with tools like GitHub or Jenkins. At a high level, it does integrate with most of the pipeline of tools. It would be a showstopper if the incorporation of security was not in the developer workflows. We are past a time when developers or software engineers run a SCA or DAST scan on the code, then hand it off to the development team. What works instead is to inject a security tool in a development pipeline, which is why it is absolutely paramount and important that tools, like Veracode, be a part of the build pipeline.

We limited the user to SAST and SCA. We haven't used any of the penetration testing, especially for the DAST solution that they have. For that, they are behind the curve, meaning that there are other products in the market that are being established. In my opinion, they don't have a viable product for DAST, because I believe they are not even testing APIs. So, it's not mature enough. We also have never used their pen testing because that is one of the services that we provide.

At this point, Veracode is one of the best solutions available, though it's not perfect by any means, but you have to work with whatever you have.

I will give the solution a seven (out of 10). When they integrate the SCA and SAST portions more tightly together, I could probably bump it up to an eight. Also, if they make improvements to the UI and the support, they can get a better rating. However, at this point, I would still pick Veracode for a company who doesn't have a million dollar plus budget.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user831864 - PeerSpot reviewer
Application & Product Security Manager at a insurance company with 1,001-5,000 employees
Real User
Allows us to integrate with it through automated processes, but needs better APIs
Pros and Cons
  • "Also, our customers benefited from the added security assurance of our applications, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester."
  • "Static analysis scanning engine is a key feature."
  • "It needs better APIs, reporting that I can easily query through the APIs and, preferably, a license model that I can predict."

What is our primary use case?

Static analysis.

How has it helped my organization?

It has allowed us to integrate with it through automated processes, which saves us a lot of time and effort.

Also, our customers benefited from the added application security assurance of our software, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester.

What is most valuable?

Static analysis scanning engine, because we need to do static analysis; that’s why we bought the product.

What needs improvement?

  • Better APIs
  • Reporting that I can easily query through the APIs
  • Preferably, a license model that I can predict

It would save us time when integrating with the APIs. Difficult APIs are annoying to work with and we have to trial/error our way through the integrations. The more straightforward and friendly they are, the less we have to trial/error.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues with stability.

What do I think about the scalability of the solution?

Aside from the licensing, no issues with scalability.

How are customer service and technical support?

Good.

Which solution did I use previously and why did I switch?

IBM Security App Scan. In looking at Veracode vs IBM Security App Scan, I switched because of the CI/CD offerings of Veracode.

How was the initial setup?

The APIs are a bit nonsensical, but otherwise straightforward.

What was our ROI?

It has not really resulted in any cost savings related to code fixes.

What's my experience with pricing, setup cost, and licensing?

The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune.

Which other solutions did I evaluate?

IBM, Coverity.

What other advice do I have?

Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that.

The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides.

In terms of advice to others looking into implementing this project, I would say don’t use the UI, and do what you can to have license conversations up front.

It depends on the use case and budget, but I would recommend CA Veracode to colleagues.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2024
Buyer's Guide
Download our free Veracode Report and get advice and tips from experienced pros sharing their opinions.