We use Veracode for static code analysis of our applications in two main ways: reactively and proactively. For the reactive approach, we run automatic scans nightly after developers merge changes from feature branches into the release branch. Proactively, we use the Veracode Greenlight plugin, which checks for vulnerabilities when developers try to commit code, even on feature branches, only allowing commits after passing these checks.
Director Enterprise Architecture at Exeter Finance Corp.
Real User
Top 10
2024-06-17T13:22:00Z
Jun 17, 2024
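The nightly merge scan and the commit-time gate described in the review above both come down to the same mechanical step: read the scanner's results and decide whether the build passes. The following is an added example, not code from the review, from Veracode or from the reviewer's company. It is a Python gate over a Veracode Pipeline Scan style JSON results file; the field names it reads (a top-level "findings" list with "severity", "cwe_id", "issue_type" and "files"."source_file") are an assumption based on that CLI's JSON output and should be checked against a real results.json, and the findings and exception list below are constructed sample data.

```python
"""Gate a build on a SAST results file, as a Veracode Pipeline Scan job would.

Added example: not code from the review, from Veracode or from the reviewer's
company. The JSON layout (a top-level "findings" list whose items carry
"severity", "cwe_id", "issue_type" and "files"."source_file") is ASSUMED to
mirror the Pipeline Scan CLI's JSON output; verify the field names against a
real results.json before relying on this.
"""
import json
import sys

# Veracode's 0-5 severity scale as it appears in scan results.
SEVERITY_NAMES = {5: "Very High", 4: "High", 3: "Medium",
                  2: "Low", 1: "Very Low", 0: "Informational"}

# Constructed sample results for a Java build (not real scan output).
SAMPLE_RESULTS = json.dumps({"findings": [
    {"issue_id": 1001, "severity": 5, "cwe_id": "89",
     "issue_type": "SQL Injection",
     "files": {"source_file": {"file": "com/example/dao/UserDao.java", "line": 42}}},
    {"issue_id": 1002, "severity": 3, "cwe_id": "117",
     "issue_type": "Improper Output Neutralization for Logs",
     "files": {"source_file": {"file": "com/example/web/LoginServlet.java", "line": 88}}},
    {"issue_id": 1003, "severity": 4, "cwe_id": "327",
     "issue_type": "Use of a Broken or Risky Cryptographic Algorithm",
     "files": {"source_file": {"file": "com/example/util/Hash.java", "line": 17}}},
]})

# Constructed list of findings the security team has formally accepted.
# Keyed by (file, line, CWE) rather than issue_id so that an accepted finding
# which moves to another line, or changes flaw class, is raised again.
SAMPLE_EXCEPTIONS = {("com/example/util/Hash.java", 17, "327")}


def finding_key(finding):
    src = finding["files"]["source_file"]
    return (src["file"], int(src["line"]), str(finding["cwe_id"]))


def evaluate(results_json, exceptions, fail_on_severity=4):
    """Split findings into blocking / excepted / below-threshold buckets.

    Returns (should_fail, blocking, excepted, below). The build fails when any
    finding at or above fail_on_severity is not covered by an exception.
    """
    findings = json.loads(results_json)["findings"]
    blocking, excepted, below = [], [], []
    for f in findings:
        if finding_key(f) in exceptions:
            excepted.append(f)
        elif int(f["severity"]) >= fail_on_severity:
            blocking.append(f)
        else:
            below.append(f)
    return bool(blocking), blocking, excepted, below


def describe(finding):
    src = finding["files"]["source_file"]
    return "%s CWE-%s %s at %s:%s" % (
        SEVERITY_NAMES.get(int(finding["severity"]), "?"),
        finding["cwe_id"], finding["issue_type"], src["file"], src["line"])


def main(argv):
    # Usage: python gate.py results.json [exceptions.json]
    # exceptions.json is assumed to hold a list of [file, line, cwe_id] triples.
    with open(argv[1]) as fh:
        results = fh.read()
    exceptions = set()
    if len(argv) > 2:
        with open(argv[2]) as fh:
            exceptions = {(f, int(l), str(c)) for f, l, c in json.load(fh)}
    should_fail, blocking, excepted, below = evaluate(results, exceptions)
    for f in blocking:
        print("BLOCK   " + describe(f))
    for f in excepted:
        print("EXCEPT  " + describe(f))
    for f in below:
        print("INFO    " + describe(f))
    return 1 if should_fail else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with the scanner's results file as the first argument; a non-zero exit code is what makes the CI job, or a pre-commit hook wrapping it, refuse the change. The threshold defaults to High and above, so Medium findings are reported but do not block; raising or lowering it per repository is a policy decision, and the exception list is what keeps an accepted risk from failing every subsequent scan.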
Static scanning is one component of Veracode. That feature we use heavily to scan all the custom code we write weekly. We use another component called software composition analysis to scan all of our open-source packages. These are the two primary use cases that we have for Veracode. It flags any security flaws or bad practices. Veracode has its own database for many vulnerabilities identified on the SCA side. They use a tool called SourceClear, which validates vulnerabilities in any of these packages. The scanner itself is pretty good at identifying some of the flaws in either the code or the open-source packages.
We use the solution for identifying bugs before deployment in the software-side cycle process. It can be integrated with our CI/CD pipeline, and it can be used with multiple integrations in our Visual Studio Code editor. That's the main use case.
My company produces one of the most secure fabrics that you can find. Veracode is integrated into our development cycle through Jira. We do a full static analysis with Veracode and use Burp Suite to review the findings. The most common attack vector we find in Java code is SQL injection. When SQL injection shows up, you send a screenshot and a report to your executive team. They see the screenshot and say, "Oh, there's SQL injection here." This has now become a top priority. We're going to pause all these redundant features that we're making here and ensure our code is secure with no SQL injection vulnerabilities. Veracode finds everything, and the security engineers do the penetration test using the results. You provide a report showing where the issue is, and developers can fix it. We also use Veracode to train security engineers and teach them how to file reports.
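The review above names SQL injection as the flaw the scanner reports most often in its Java code. What that finding looks like, and what the fix a developer is handed looks like, is shown in the added example below. It is not code from the review or from the reviewer's company; it uses Python with an in-memory SQLite database rather than Java so that it runs stand-alone, and the users table and credentials in it are constructed. Storing plaintext passwords is kept only to keep the demo short and is itself something a scanner would flag.

```python
"""SQL injection (CWE-89): string-built query beside its parameterized fix.

Added example, not code from the review or from the reviewer's company. The
flaw is shown in Python against in-memory SQLite so it runs stand-alone; the
table layout and credentials are constructed sample data.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct-horse", "admin"),
                      ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """The pattern a SAST scanner reports: untrusted input concatenated into
    the SQL text, so the input can change the statement's structure."""
    query = ("SELECT role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterized query: the driver passes the values separately from the
    SQL text, so a quote or comment sequence in the input stays data."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# A closing quote followed by a SQL line comment: in the vulnerable query
# everything after it, including the password check, is commented out.
PAYLOAD = "alice' --"


def demo():
    """Run both logins with the payload and a wrong password, plus a valid
    login through the fixed path, and return the roles each one granted."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, PAYLOAD, "wrong-password"),
        "fixed_bypass": login_fixed(conn, PAYLOAD, "wrong-password"),
        "fixed_valid": login_fixed(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path grants the admin role without the password because the payload turns the rest of the WHERE clause into a comment; the fixed path treats the same payload as a literal username that matches nothing, while still authenticating a real user. The scanner's report points at the concatenation line; the fix is the parameterized call, not input filtering.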
We use Veracode for static application security testing, dynamic testing, and software composition analysis. My company's engineering team has about 50 people who use Veracode across multiple product lines.
Cyber Security Consultant at a computer software company with 51-200 employees
Consultant
Top 20
2024-01-05T10:06:00Z
Jan 5, 2024
I used Veracode in my previous company. My role was to assist the team in identifying the vulnerabilities in the reports. I identified those and diverted them. The software team was responsible for taking appropriate actions to fix those. We used Veracode in our environment to have account verifications or transaction confirmations. Apart from that, we had event registration as well as membership confirmation.
Our company does app development. The primary use case for this product lies in ensuring the security and integrity of the apps we craft. Through Veracode, we implement robust security measures conducting comprehensive code analysis and vulnerability assessments. This allows us to detect and address potential security loopholes and safeguard our applications against cyber attacks or unauthorized access. Veracode is fortifying the reliability and stability of our apps by identifying and rectifying any code issues, irregularities, or inefficiencies. Its integration streamlines our development workflow, enabling us to deliver high-quality, resilient applications that meet the strengths and demands of our clients.
We use Veracode for SAST and SCA. We are moving towards dynamic analysis as well. We use it now to scan our artifacts and reports, and very soon we are going to use the Veracode plugin for our IDE to have immediate results for security analysis purposes.
Senior Web Developer at an insurance company with 1,001-5,000 employees
Real User
Top 10
2023-10-06T15:15:00Z
Oct 6, 2023
We use Veracode to scan our websites at the beginning of the development process. When we are ready to launch a new application on the website, we upload it to Veracode for scanning. Veracode finds any vulnerabilities in the code and returns the results to us. We must then resolve all of the vulnerabilities and mitigate any risks before we can publish the application. We have also set up recurring scans, so that any time we release a new version of the same application, Veracode will automatically scan it again to ensure that we have not missed any vulnerabilities. We have been using Veracode for six or seven of our websites.
Manager at a financial services firm with 1,001-5,000 employees
Real User
Top 10
2023-10-05T19:27:00Z
Oct 5, 2023
We were looking into compliance. I'm a consultant, and we're looking at it from the perspective of using Veracode to ensure that the organization we were consulting for was meeting its compliance expectations.
Junior Developer Intern at an insurance company with 10,001+ employees
Real User
Top 20
2023-10-04T17:32:00Z
Oct 4, 2023
My use case for Veracode is for a front-end application, specifically an agent compensation calculation engine. That application is deployed through an EAR file, and then Veracode scans the EAR file and gives me the scan report to help me change and improve the file for future deployments.
Veracode helps us identify bugs and flaws in our code while operating it. We use the solution's static analysis feature to analyze code before running applications, and dynamic analysis that scans the app while it's running. We typically run Veracode at the end of the development phase when we are ready to launch our software. We also scan for vulnerabilities after the software goes into production. It's the final phase of our development cycle.
We use Veracode mainly for identifying any vulnerabilities in the software. We do a lot of development, and before we deploy any product to our client environment, we want to make sure there are no vulnerabilities in the code and also follow best practices. We run scans to identify the criticality of these bugs and vulnerabilities, and we try to mitigate them. If it's not possible, we get an exception. At least we are aware of the vulnerabilities in our code, making sure our code is secure and not exposed to any threats like hacking.
Senior engineer at a financial services firm with 5,001-10,000 employees
Real User
Top 10
2023-09-04T09:26:00Z
Sep 4, 2023
My company uses Veracode Static Analysis for scanning purposes and static analysis. I am a DevOps engineer configuring automation for multiple teams in our company using Veracode Static Analysis. Our company uses the product to identify vulnerabilities in third-party libraries that our teams use internally to secure our products before moving the product outside of our company. The aforementioned features of the solution are used mostly in our company. Most of the teams within my organization use Veracode's static analysis part. My company did not procure the license for Veracode Dynamic Analysis.
I have helped other companies implement Veracode Static Analysis in their IT environment. In our company, we need to scan many .NET applications using Veracode, and we could scan our software since it is a SaaS solution, after which we process the reports to improve the product.
VP of Product at a healthcare company with 51-200 employees
Real User
Top 10
2022-12-29T07:03:58Z
Dec 29, 2022
We use Veracode Static Analysis in the IDE for our engineers to be able to catch security issues while they're coding. Additionally, we use it for the Veracode verified program to show that we're scanning and compliant, and we get the third-party seal of approval. It's a scanning security, static analysis code scanning software.
We're using Veracode Static Analysis for scanning security vulnerabilities. Once the image is built in the container, we send it to Veracode Static Analysis for static analysis assessment, and the tool scans it. The tool then provides us with information on vulnerabilities in our code and the third parties, then provides recommendations on how to solve vulnerabilities, and that's helpful.
I'm working on security reviews for our in-house products. We are trying to solve problems. The use case for Veracode is to discover flaws in design before our application reaches end customers. We are using Veracode as one of the tools to ensure that our products are following secure design guidelines.
We use this solution because we have an important portfolio of applications, and before moving those applications to the production environment, we use the static features to scan the code: either for static analysis or for SCA (Software Composition Analysis) to find any vulnerability in our open source libraries.
Lead Security Architect at a comms service provider with 1,001-5,000 employees
Real User
2021-03-09T04:29:32Z
Mar 9, 2021
In my previous organization, we used to use Veracode throughout all verticals. It is a cloud-based platform, and you need to upload the code for static analysis. The code has to be uploaded as per the compilation guide provided by Veracode. So, for different languages, you have to compile the code as per the instructions in the guide. We used to own and manage the platform. We also used to manage the users. If there was a particular project team that needed to use Veracode to do their code scan, they used to approach us. We used to create the user accounts for them so that user accounts were limited to just the code. We also used to guide and train them on how to upload the code on Veracode, how to compile the code, and how to initiate the scan. After the scan is completed, we used to tell them and guide them about how to treat the vulnerabilities in that code, how to fix and mitigate them, and what's the next process. Apart from that, we used to create a project team to build their CI/CD pipeline, where we used to create DevSecOps automation.
Veracode is a leading provider of application security solutions, offering tools to identify, mitigate, and prevent vulnerabilities across the software development lifecycle. Its cloud-based platform integrates security into DevOps workflows, helping organizations ensure that their code remains secure and compliant with industry standards.
Veracode supports multiple application security testing types, including static analysis (SAST), dynamic analysis (DAST), software composition analysis...
We use Veracode to find any vulnerabilities and for risk management.
We use Veracode mainly for legacy software audits.
We use Veracode to scan the applications.
We use Veracode to identify vulnerabilities in code to ensure the security and integration of the apps.
We use Veracode to scan server applications, and we also use it for SCA functionality and to scan pipelines of our other projects.
We used Veracode for code scanning and source composition analysis.
We use it to scan third-party libraries to check for vulnerabilities.
For every application we develop, we want both static and dynamic security scans done before deploying them.
I use Veracode for static and dynamic analysis.