Overview
Veracode Continuous Software Security Platform seamlessly embeds application security into the software development lifecycle (SDLC). The platform streamlines workflows by bringing together development and security teams to provide a broad understanding of risk, remediation guidance, and progress at every stage of the development process.
The Veracode Continuous Software Security Platform enables users to define and manage security policy, gain a comprehensive view of software security across their application portfolio, and leverage rich analytics to make informed plans, communicate metrics, comply with policy, and meet regulatory requirements. Powered by almost two decades of data, the platform enables organizations to detect, predict, manage, and, ultimately, mitigate their security risk. These intelligent capabilities empower companies to deliver secure code at the speed and scale expected in today's world.
Veracode Static Analysis: Secure Software as you write it
You need a holistic, scalable way to reduce security risk, align teams, and enable developers. Veracode Static Analysis provides fast, automated feedback to your developers in the IDE and CI/CD pipeline, conducts a full Policy Scan before deployment, and gives clear guidance on how to find, prioritize, and fix issues fast and accurately, with a <1.1% false positive rate.
Veracode Dynamic Analysis: Secure Software in the Runtime Environment
According to the 2020 Verizon Data Breach Investigations Report, web applications were the source of 43% of breaches, more than double that in 2019.
Veracode Dynamic Analysis scans runtime applications, providing the scale necessary to audit hundreds of target applications simultaneously, including APIs (Application Programming Interface). Used in conjunction with Static and Software Composition Analysis, Veracode Dynamic Analysis complements a shift-left approach to application security by verifying in production that vulnerabilities were addressed or mitigated before application release.
Veracode Software Composition Analysis: Secure the Software Supply Chain
With third-party components, including open-source libraries, making up as much as 80% of an application's codebase, it is critical to scan those libraries for vulnerabilities to reduce the introduction of risk into your apps. The recent log4j vulnerability only served to emphasize the importance of scanning and securing open-source libraries.
Veracode Software Composition Analysis (SCA) identifies risks from open-source libraries early so you can reduce unplanned work, covering both security and license risk. SCA helps Engineering keep roadmaps on track, Security achieve regulatory compliance (SBOM), and the Business make smart decisions.
Veracode SCA protects your applications from open-source risk by identifying known vulnerabilities in open-source libraries used by your applications. In addition to providing a list of vulnerabilities when your application is scanned, Veracode SCA can also alert you when new vulnerabilities are discovered after your application has been scanned or when existing known vulnerabilities have had their severity level upgraded. Integrated with CI (Continuous Integration) systems, you can fail your build based on vulnerabilities discovered as well as any components that your security team has blocked. As part of the Veracode Platform, Veracode SCA provides a unified experience to display all your security testing results in one place.
Security Labs: Enable developers
Data from the 12th edition of Veracode's State of Software Security shows that developers who complete at least one training course from Veracode Security Labs fix security flaws over 35% faster than those who have not. With security absent from most Computer Science programs, it is critical to give your development team a leg up both on the competition and on bad actors.
Veracode Security Labs shifts software security knowledge left, giving you hands-on training to confidently tackle modern threats by exploiting and patching real code, and applying developer principles to deliver secure code on time.
Highlights
- Veracode platform unites dev & security teams; from integrated development environment, code repository, CLI, to dev pipeline. Developers address security findings with inline automated remediation advice & in-context learning, reducing time to fix.
- Provides a flexible and powerful interface to define, manage, and apply policy. Rich reporting and insights gained from two decades of scanning provide an understanding of application security posture, enhance communication, meet GRC requirements, and mitigate risks.
- Cloud-native SaaS architecture: the platform provides elastic scalability, high performance, and lower costs to customers.
Pricing
| Dimension | Description | Cost/12 months |
|---|---|---|
| Veracode Security Labs | Veracode Security Labs provides secure code training via live apps. | $750.00 |
Vendor refund policy
No refunds expressed or implied.
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
Veracode Documentation: https://docs.veracode.com/
Application Security Knowledge Base: https://www.veracode.com/security
Veracode Developer Quick Start Guide: https://docs.veracode.com/r/r_supported_table
Veracode Technical Support: https://www.veracode.com/resources/customers/technical-support
Veracode's Support line can be reached by dialing 877-837-2203. All Veracode customers can also engage Veracode's Support team by either creating a case in our Community (the support case option can be found in the Login drop-down menu) via the Veracode Platform or by sending an email to support@veracode.com.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Customer reviews
Uses advanced dependency insights to identify risks and uncover hidden assets
What is our primary use case?
My main use case for Veracode involves SAST scanning and SCA scanning of applications. In my workflow, I specifically use Veracode for SAST and SCA scanning by generating binaries of our many applications and uploading them onto Veracode, which then provides the scans. Additionally, I have integration with our Bamboo pipeline that generates these binaries and runs the scans.
What is most valuable?
In my opinion, SCA is more powerful than SAST in Veracode, as it has a very good interface showing all the SCA dependencies and the possible fixes, along with a very good sitemap feature and superior DAST capabilities.
Regarding the features, I would say the reporting is very good compared to its peer tools, such as Fortify or Semgrep, although the integrations are not as strong due to the limited API features. Usability of the web UI is very good.
Veracode has positively impacted my organization by helping secure our critical applications, and it has impacted very well. The sitemap feature allowed us to find some shadow IT, which is a significant benefit.
What needs improvement?
Veracode can be improved with more integrations, more automations, enhanced API features, and more advanced analytics. While its usability is very good, some features such as report generation could be much more intuitive.
Speed of scans should be improved, with the metrics regarding the speed of scan provided accurately, as it starts off with a higher estimate and then goes up. The right estimate should be given.
For how long have I used the solution?
I have been working in my current field for 10 years.
What do I think about the stability of the solution?
Veracode is very stable.
What do I think about the scalability of the solution?
Scalability of Veracode is very good.
How are customer service and support?
Customer support for Veracode is good.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I previously used HP Fortify; we switched to Veracode because it is a newer tool.
What was our ROI?
I think there is no direct metric regarding return on investment, unless considering the impact on our defensive posture. It helped more than any measurable metric relating to fewer employees or money saved.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing is that it is very good.
Which other solutions did I evaluate?
Before choosing Veracode, we evaluated Snyk and HCL AppScan among other options.
What other advice do I have?
Finding shadow IT has impacted my team and organization by alerting the relevant teams who then took action to ensure that there is no shadow IT anymore in that region of applications.
My advice for others looking into using Veracode is to look at your applications and evaluate Veracode's capabilities beforehand. If it can handle your applications and if it is a good fit, then I recommend going for Veracode.
I chose a rating of eight because I did not give a higher score due to some limitations and issues, such as the automations and integrations I previously mentioned, but I did not give a lower score because it is not a bad platform and is fairly mature.
Has improved our remediation efforts and reduced manual vulnerability management
What is most valuable?
The best features Veracode offers in my experience include product discovery, specifically library discoveries as well as remediation timelines, pull requests, and others. I also explored sandboxes.
The Remediation Timelines feature helps us in our workflow by ensuring we abide by certain compliance regulations, and it helped us prioritize high or critical vulnerabilities beforehand so that we pass the compliance checks.
For Library Discovery with Veracode, it was effective in terms of finding transitive dependencies, which allowed us to identify what libraries we need to update and recognize both direct and indirect vulnerabilities.
Veracode has positively impacted our organization by giving us a good chance to focus on development as we don't need to focus as much on compliance-related matters after we have ensured this level of security on the security posture management for our application. Veracode helped us focus on development by reducing our manual work, and the suggestions for fixes were valuable.
What needs improvement?
Veracode could be improved in terms of the UI platform as it could be more seamless, and if they allow different sessions in different browsers at the same time or in different tabs that would help tremendously. I feel Veracode doesn't need any additional improvements beyond what we have discussed.
For how long have I used the solution?
I have used Veracode for about two years in my previous organization.
What do I think about the stability of the solution?
Veracode is stable for me with no issues with uptime or reliability that I have experienced.
What do I think about the scalability of the solution?
Veracode handles growth and increased usage effectively.
How are customer service and support?
The customer support with Veracode is good, as I have interacted with their support team. I would rate the customer support of Veracode an eight on a scale of one to ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before using Veracode, we used SonarQube.
What was our ROI?
We did see a return on investment with Veracode, as we segregated our remediation efforts, which reduced our time to delivery as well as the number of engineers needed to help us in delivering a secure solution.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing for Veracode is that it is fairly moderate.
Which other solutions did I evaluate?
We did not evaluate other options before choosing Veracode; we directly moved to Veracode.
What other advice do I have?
I would advise others looking into using Veracode to go for code scanning as well as library scans, and I would recommend adopting it. I would rate this review an eight out of ten.
Integrates security into the development process and improves team collaboration
What is our primary use case?
My main task involved integrating a security tool into a cloud platform. Once the integration was complete, we ran the pipeline. After completion, the overall metadata was fed into the security tool. The tool then scanned the data from the cloud platform and transferred it to the Veracode platform. Once Veracode processed the information, it scanned the overall metadata to identify vulnerabilities based on OWASP or application security top ten rules. The tool categorized the vulnerabilities as critical, high, or medium based on these rules. This was the workflow we implemented in the industry.
How has it helped my organization?
Veracode helps organizations develop software by reducing the risk of security vulnerabilities through developer enablement and applications focused on governance. You can utilize different levels of processes to achieve better performance or a more scalable service. Since I started working with it in 2022, I’ve found it to be cost-effective as well. Overall, Veracode is a user-friendly security tool.
It includes features such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA). During the development phase, we can identify vulnerabilities in the application. This process occurs in the staging environment during development. When we're ready to go to production, we conduct a final check. Essentially, this tool helps identify vulnerabilities during the code development stage, including both high-level vulnerabilities and those related to open-source software composition. We utilize specific methodologies for this purpose. Additionally, it offers a feature that allows us to set up policies based on client requirements. This means we can customize the tool to meet the specific needs of our clients, ensuring that they receive the appropriate level of security in their applications.
Veracode is user-friendly as well. Compared to other tools, their scans take 15 minutes or under. If you have a large scale of libraries or data, it might take longer, but based on my personal experience, the scan usually runs within fifteen minutes.
For my case study using the Veracode tool, I worked on an internal project following industry standards. We used Veracode to improve our security posture and speed up the time to market by streamlining the development process. This enhanced collaboration between developers, operations, and security teams. The automated scanning process helped identify and fix vulnerabilities earlier in the development process. We maintained compliance with regulatory requirements, avoided fines, and built customer trust by integrating security into the development process.
When we conduct this scan, we receive data on a list of vulnerabilities. This information improved our communication and increased transparency, which leads to better reports about the efforts being put in. This results in a more effective and efficient collaboration process, making it user-friendly for all involved. When considering costs, if we resort to manual processes, it can be time-consuming. Therefore, we utilize automated scans to identify and fix security issues. This allows us to address vulnerabilities early in the development process, as we discussed previously. This applies both to our in-house code and third-party libraries, using Software Composition Analysis (SCA) agent-based scans. In the future, we will also implement SCA agent-based scans as a separate feature within Veracode, which can help organizations avoid the expensive and time-consuming consequences of security issues. Furthermore, we have seen an increase in compliance, helping to maintain adherence to regulatory requirements and industry standards, thereby avoiding fines and reputational damage associated with noncompliance.
Additionally, by integrating security into the development process, we enhance customer trust in our organization and its products.
What is most valuable?
Veracode is a modular cloud-based solution for application security with features such as SAST, DAST, SCA, IAST, and pen testing. It helps organizations reduce the risk of a security breach through analysis, developer enablement, and AppSec governance. The tool integrates into cloud platforms to scan metadata, identify vulnerabilities based on OWASP Top 10 rules, and set up policies according to client requirements. It's also time-efficient, scalable, cost-friendly, and enhances customer trust.
What needs improvement?
I have been using Veracode for four years and have found some areas that need improvement. When we implement a policy, it can be very difficult to locate. Running SAST and DAST simultaneously can be challenging. The initial deployment was not easy, and the internal training was quite difficult. However, after using it for about a month, it became more user-friendly.
For how long have I used the solution?
I have been using Veracode since 2022.
What do I think about the scalability of the solution?
Veracode is time-efficient compared to other tools, taking nearly 15 minutes for standard scans. When dealing with large-scale libraries or data, it may require more time. Veracode's price is lower and the solution is more scalable.
How are customer service and support?
The technical support team provides immediate responses. We can resolve multiple issues during the calls. They provide good technical support, and I would rate their support as seven out of ten.
In response to our inquiry, they provide an update within 24 hours. They share detailed information via email, including screenshots or further clarification about the issue. If we are experiencing a significant backlog in processing technical issues, we arrange a call with our senior technical team. They will provide guidance and help resolve the issue during the call.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
For quality and SAST-based purposes, we can use SonarQube and ShiftLeft. ShiftLeft only provides SAST and SCA based scans. For DAST, we work with Acunetix or Burp Suite. We compared ShiftLeft, Veracode, and GitHub Advanced Security. While Veracode has five features, ShiftLeft provides SAST and SCA, and GitHub only handles secret scanning. Veracode was ultimately the best choice.
How was the initial setup?
The initial deployment wasn't easy. During the internal training, I found it quite challenging. However, after about fifteen to twenty days of use, or nearly a month, it became user-friendly.
What about the implementation team?
As for the deployment team, we had specific client requirements. They had multiple applications, which meant we needed more than one person. Initially, we started with two people, and then one intern joined us later on. In total, we had three members working on approximately 120 applications.
What's my experience with pricing, setup cost, and licensing?
When considering pricing, Veracode stands out due to its lower cost per service and more scalable options. It offers nearly five security testing features within its own service, making it a competitive choice compared to other tools. Overall, Veracode's pricing is lower and more scalable than many alternatives in the market.
What other advice do I have?
I would rate Veracode as eight out of ten.
Automated monthly code scans increase security awareness and prompt quick remediation
What is our primary use case?
My usual use case for Veracode involves integrating automatic scans for each of our pipelines, which starts every month automatically without my intervention. I review the results, and if there are any changes, such as new issues, flaws, or outdated components, I address this task with our developers.
How has it helped my organization?
Veracode has improved my organization's ability to fix flaws because before Veracode, we did not even know about issues from the security side. Application security is relatively new in our company. The fact that we started to remediate these issues is a good step towards security, which has positively impacted us.
Veracode's ability to prevent vulnerable code from going into production is excellent. I implemented it as a pipeline into our CI/CD, and if there are vulnerabilities above our level, such as high or very high severities, the pipeline will not build. Developers can contact security personnel if they need clarification.
Veracode has helped developers save approximately 15%-20% of time. Our security posture has improved as expected.
What is most valuable?
We do not have many Veracode features yet. We are going to discuss expanding the subscription next year. Currently, Static Analysis is really good at scanning our code for vulnerabilities. Software Composition Analysis is also required for the upcoming rights from the EU Cyber Resilience Act, which is quite useful, and I am using them both. Both features are really important for us since we're using only Veracode.
What needs improvement?
The areas of Veracode that I would want to see improved or enhanced in the future are primarily related to user interface experience. I noticed they have started working on it as the main page has a new design, but other pages appear somewhat old and not intuitive. The interface needs to be more user-friendly, but otherwise, everything is acceptable.
For how long have I used the solution?
I have been working with Veracode for approximately a year and a half.
What do I think about the stability of the solution?
Every time I wanted to work with Veracode, it worked, so there are no downsides. It was available every time.
What do I think about the scalability of the solution?
Regarding scalability, Veracode is really good for our needs. You need many subscriptions because you need to include every developer who produces code. Implementing these features into our normal CI/CD was good, so I can say that scalability is really good.
How are customer service and support?
I have communicated with the technical support of Veracode a couple of times, and this was a really great experience because these professionals know their material. They understood us immediately and helped us with our problems within half an hour. It was incredible. I would rate them a ten out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did not use a different solution before Veracode. Veracode is our first solution.
I did not work directly with competing solutions similar to Veracode, but I attended several meetings with different companies to explore similar tools. They did not provide anything better than Veracode, and since I had already implemented Veracode in our CI/CD, there was no need to change the solution. I only saw Checkmarx as a competing solution. Though I did not try it myself, from what they showed me, it appeared quite similar but was not better than Veracode.
How was the initial setup?
Without the documentation, the deployment and initial setup is complex. I tell my developers who are interested in Veracode that with this documentation, everything is possible because it is really thorough and helpful. At first, it was somewhat complicated, but with the documentation and time, it became a really good experience. After that, it became very easy and quick.
What was our ROI?
Since the Cyber Resilience Act is in motion, we need to provide static analysis and dynamic analysis, which we do not have right now. We must do it, and Veracode is a great tool for this purpose. We cannot sell our products without complying with this act, so Veracode is helping us achieve this.
Which other solutions did I evaluate?
When I joined the company, I was given Veracode. The decisions were made before I joined the organization. They had just bought it and needed a specialist for this, and I was the specialist.
What other advice do I have?
I am working with the latest version of the features. Since starting with Veracode, I would rate the benefits as six or seven out of ten. It could be better if we had more high severity issues, but fortunately, we do not. It is a good sign that developers who are not in cybersecurity understand its value.
Regarding the solution's policy reporting for ensuring compliance with industry standards and regulations, I am using standard policies. I rated it five out of ten because we have not used it properly yet.
Veracode provides visibility into application status at development phases. We tried IDE scans for the developer stage of products, but it was not fully compatible with our IDE. It works in CI/CD as mentioned.
We do not currently have the Veracode Fix feature that produces AI-generated fixes. The fact that Veracode does not scan source code, only binary code, does not concern us as we have other tools for that purpose.
I would rate Veracode an eight out of ten.
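The build gate that both the vendor's SCA section and the last review describe (fail the pipeline when any finding at or above a severity threshold is present or a blocked component is in use, and raise an alert when a vulnerability is newly reported or its severity is upgraded after an earlier scan) is shown below as an added example. It is not Veracode's code, API or report format and not the reviewer's pipeline: the findings and component records, the function names, the severity scale and the sample data are constructed assumptions chosen to illustrate the policy logic.

```python
"""Added example: a CI policy gate over application scan results.

The record layout below is an assumption for illustration, not Veracode's
report format. A real pipeline would load the tool's exported results and
feed them to evaluate_policy() and diff_findings() in the same way.
"""
import sys

# Ordered severity scale (assumed; adjust to the scanner's own levels).
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "very high": 4}

# Constructed sample data: the current scan of one application.
FINDINGS = [
    {"id": "F-1", "severity": "very high", "title": "SQL injection in report export", "mitigated": False},
    {"id": "F-2", "severity": "medium", "title": "Verbose error page", "mitigated": False},
    {"id": "F-3", "severity": "high", "title": "XXE in upload parser", "mitigated": True},
]
COMPONENTS = [
    {"name": "example-logging-lib", "version": "1.2.0"},
    {"name": "example-legacy-parser", "version": "0.9.1"},
]
# Components the security team has blocked (constructed names).
BLOCKED = frozenset({"example-legacy-parser"})

# Constructed sample data: the same application's previous scan.
PREVIOUS_FINDINGS = [
    {"id": "F-2", "severity": "low"},
    {"id": "F-3", "severity": "high"},
]


def evaluate_policy(findings, components, *, fail_at="high", blocked=frozenset(), allow_mitigated=True):
    """Return (passed, reasons). The build fails on any unmitigated finding at or
    above `fail_at`, and on any component whose name is in `blocked`."""
    threshold = SEVERITY_RANK[fail_at]
    reasons = []
    for f in findings:
        if allow_mitigated and f.get("mitigated"):
            continue  # an accepted mitigation does not block the build
        if SEVERITY_RANK[f["severity"]] >= threshold:
            reasons.append(f"{f['severity']} finding {f['id']}: {f['title']}")
    for c in components:
        if c["name"] in blocked:
            reasons.append(f"blocked component {c['name']}@{c['version']}")
    return (not reasons, reasons)


def diff_findings(previous, current):
    """Compare two scans of the same application and report what needs an alert:
    finding ids that are new, and ids whose severity was raised."""
    prev = {f["id"]: f["severity"] for f in previous}
    new_ids, upgraded = [], []
    for f in current:
        old = prev.get(f["id"])
        if old is None:
            new_ids.append(f["id"])
        elif SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[old]:
            upgraded.append((f["id"], old, f["severity"]))
    return {"new": new_ids, "upgraded": upgraded}


def gate_exit_code(findings, components, **policy):
    """Exit status for a pipeline step: 0 to continue, 1 to stop the build."""
    passed, reasons = evaluate_policy(findings, components, **policy)
    for r in reasons:
        print(f"POLICY VIOLATION: {r}")
    return 0 if passed else 1


if __name__ == "__main__":
    changes = diff_findings(PREVIOUS_FINDINGS, FINDINGS)
    print(f"new findings since last scan: {changes['new']}, upgraded: {changes['upgraded']}")
    sys.exit(gate_exit_code(FINDINGS, COMPONENTS, fail_at="high", blocked=BLOCKED))
```

With the sample data the gate stops the build for two reasons (the unmitigated very-high finding and the blocked parser component) while the mitigated XXE finding and the medium finding are allowed through, and the scan-to-scan diff reports F-1 as new and F-2 as upgraded from low to medium. Treating a mitigated finding as non-blocking is a policy choice; set allow_mitigated=False where the organization requires mitigations to be re-approved per release.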
