Prevents vulnerable code, offers valuable recommendations, and frequent updates
What is our primary use case?
Our primary objective when using Veracode was to ensure the security of website development and other application developments we were working on. We aimed to prevent any security breaches and also closely monitor any potential vulnerabilities that could arise from code deployment. Fortunately, we were successful in identifying and addressing these vulnerabilities.
Although the responses were somewhat mixed, we managed to go two years without a single security breach, which was a significant achievement. In addition to monitoring security breaches, we utilized Veracode for continuous monitoring. The difference lies in the fact that once the code is deployed and access to the server is initiated, there is a high possibility of connecting to a different server or encountering interference from unauthorized individuals. This continuous monitoring allows us to observe each step of the server, including the IP addresses and protocols, and ensure their proper functioning. Veracode facilitated us in carrying out this monitoring effectively.
How has it helped my organization?
Veracode's ability to prevent vulnerable code from entering production is remarkable. We were once alerted that there was a possibility of a breach occurring. Despite spending hours pondering the issue, we were unable to determine how that possibility existed. After discussing with the support team, we eventually learned the cause. Therefore, in terms of detecting vulnerabilities, it was excellent. However, the problem arose from the fact that it was not well-customized for our organization. Consequently, there were multiple instances where flags were raised for our IP address or email, which we knew were not vulnerabilities. In such cases, we had to address them accordingly.
Veracode's reporting feature provides comprehensive insights into the security status of our code or application. These reports generated by Veracode offer visibility into vulnerabilities and different severity levels of threats that may be present. They also recommend remediation steps to address these issues without extensive code modifications. I find this reporting feature valuable. Additionally, Veracode regularly releases updates, sometimes multiple times a day, ensuring that we are consistently up to date. Although this requires my engineers to work extensively on integrating AWS services with our platform, it is one of the standout features of Veracode due to the recommendations and frequent updates it provides.
Veracode's policy reporting for ensuring compliance with industry standards and regulations is on the mark. Everything was proceeding as it should, with adherence to the established procedures, protocols, and reporting mechanisms by both the organization and the support team. At no point did we feel that the industry standards were compromised.
Veracode provides visibility into the application's status at every phase of development. Primarily, we were only conducting two types of tests. One was continuous integration, which keeps track of the entire application's deployment process. It detects any defects and ensures a smooth deployment. The other test we used to perform at certain times was manual integration. We would delve deeper and test additional aspects because we wanted to ensure with utmost precision that there were no vulnerabilities when deploying the application. Hence, we also had to manually utilize this program before deploying or pushing it to the code.
When conducting the cost-benefit analysis for Veracode after six months, we discovered that there were actually only two significant security breach possibilities. With the assistance of the solution, we were able to detect and resolve these breaches. The most significant advantage provided by the solution was the assurance that no breaches were occurring outside of the office. Any potential risks were either determined to be false alarms or promptly addressed. Therefore, the only actual breaches we encountered during the six-month period were two. However, we also gained a sense of security, which I consider to be a worthwhile trade-off for the cost.
Speaking specifically about the security department of our company, there was a notable reduction in costs after the introduction of Veracode. However, when considering the broader scope of all the development departments, we not only had to invest more time in each project but also had to hire additional resources. Consequently, when taking into account all the departments collectively, the overall expenses increased. However, focusing solely on the security development department, there was a substantial decrease in costs, approximately $7,000 per month.
What is most valuable?
The recommendations and frequent updates are the most valuable features of Veracode.
What needs improvement?
The false positive rates were quite high in our case. Prior to seeking a solution, we had already engaged in discussions with their support team, who also confirmed this issue. We had read a few reviews, which indicated the presence of false positives. However, in our specific situation, the number of false positives was substantial. There were instances when we logged in during the morning and encountered 30 or 40 raised flags. Resolving them sometimes occupied a significant portion of our day, often extending into the first half. Thus, in certain projects we undertook, the occurrence of false positives was considerably elevated. Despite being aware of this, we acknowledged that a majority of these flags were likely false. Nonetheless, due to the matter of security, we had to address them, resulting in a significant allocation of our time.
The false positive rate of the static analysis has impacted the time we spend on fine-tuning policies. We have had to allocate a considerable portion of the software team's time to address the significant number of false positives, resulting in substantial time investment. Additionally, some of our projects with clients have been delayed due to this issue. One particular project experienced a delay of approximately 25 days, with false positive cases accounting for an estimated 60 to 75 percent of the delay. The cost of the false positive rate is causing a slight disruption in the development process. Therefore, I believe this is the major area that needs improvement.
We initially deployed on the AWS cloud because AWS also offers us additional security benefits and most of our other solutions were already on AWS. However, I think Veracode could develop a self-contained cloud system, allowing them to deploy the solution on their own system. This would be beneficial for us as they could provide the data privacy we require. It would be great because each new update on the security process necessitates a slight change in the program.
The reporting features could be subcategorized if the bugs are categorized and subcategorized according to our requirements rather than the understanding of the security system. This would be beneficial because whenever we need to integrate or resolve a bug, it is crucial for us to identify the vulnerable parts of our code. This process requires additional time and effort. Moreover, it is often challenging for us to comprehend the specific changes the system expects from us.
For how long have I used the solution?
I have been using Veracode for two years.
What do I think about the stability of the solution?
The stability of Veracode, in my opinion, was not very reliable considering the need to consider false positive readings. We had to invest a significant amount of time rectifying or addressing those inaccurate queries, which made it a less-than-ideal solution.
What do I think about the scalability of the solution?
I believe the solution is scalable. I remember a time when we were working with four clients in total. Even though our agreement with Veracode was not to exceed three projects, we were able to manage that, and everything went smoothly. They were even able to implement registration. This probably occurred due to significant delays in one of our projects. I was able to onboard the next client, which means we were working with four clients at that time.
How are customer service and support?
The technical support team is knowledgeable. In the initial stages, when our team lacked the technical capability to perform manual configurations on our own, they assisted us with that. Overall, the experience was satisfactory. Nothing extraordinary, but it was good.
How would you rate customer service and support?
How was the initial setup?
The initial setup was fairly straightforward, although it did take us some time. Our team lacked the necessary technical capabilities since it was a new endeavor. Before Veracode, our company didn't have any other security measures in place. Since it was a new concept, our employees also had a technical knowledge gap, which required some time for learning. However, the deployment process, on the whole, wasn't overly technical. It was done in two or three stages. The first stage involved initial queue meetings to understand the configurations we were using for deploying the code. The subsequent meetings focused on understanding the features we desired, how they would be implemented, and accessed, and their frequencies. Following that, the tech team took over and handled the deployment for us.
Six engineers were involved in the deployment, although the entire working team comprised twenty-two people.
What about the implementation team?
The implementation was completed in-house.
What was our ROI?
It is quite challenging to calculate ROI. However, I can confidently state that over the course of two years, we did not experience a single security breach. Furthermore, we ensured that our solutions were free from any vulnerabilities when delivering them to our clients. As a result, we established a positive reputation with our clients, as evidenced by the certification from Veracode, confirming the absence of vulnerabilities in our overall feature or code deployment. In summary, we maintained a flawless record of zero security breaches. Despite the difficulty in conducting a cost-benefit analysis, it remains an essential task.
What's my experience with pricing, setup cost, and licensing?
I believe the price is fair according to market standards. However, if we are anticipating a growth phase in the enterprise, it might be a bit costly for us. On the other hand, if we are currently making profits and aiming to stabilize ourselves while improving our solutions and working with our existing team, it suited us well during that period. We were focused on developing the final product, refining protocols, and enhancing overall product development processes for our brands. Therefore, I believe it was a good fit for us. However, organizations that are in a growth phase may want to consider other options, even if it means compromising slightly on the security aspect.
Which other solutions did I evaluate?
We previously evaluated other solutions. One of the primary reasons for choosing Veracode was the ability to configure it at a deeper level, which was not possible with the other solutions. Another advantage was that the other solutions did not offer a six-month trial period, unlike Veracode. We initially had a trial for six months, which was later extended to one and a half years. Therefore, pricing became the third factor. However, even at the end of the two-year subscription, we were unable to conduct a thorough cost-benefit analysis. This seems to be a common situation in the industry. Without experiencing a breach, it is difficult to assess the cost-effectiveness of a solution.
What other advice do I have?
I give Veracode a nine out of ten. I believe that, in general, Veracode is a good product. False positives and these types of issues can be found in almost every security product out there. The best part was Veracode's technical team. They were proficient in their knowledge and there was never a moment of misunderstanding between our team and theirs. Overall, Veracode ensured that we did not encounter any ransomware or security breaches at any point in time.
Our DevSecOps team was involved in two stages of the entire process. The first stage was during the initial design phase of the specific application build. We had to determine when and where we wanted to manually interpret using the tool, as well as identify potential security breaches that required close monitoring. This was the initial step. Following that, our team proceeded with development, which typically progressed smoothly in collaboration with the client for a period of two to three weeks. As we approached the deployment phase, we would once again discuss with their team to determine specific points where DevSecOps would manually deploy the solution for testing purposes. Afterward, we would assess the solution from our end.
The false positive rate did not have a negative effect on the confidence of our development team. It was made very clear to us by Veracode's support team, as well as through other reviews and conversations with clients, that there would be a possibility of false positives being raised. We had to go through them because we cannot afford to miss out on any potential security breach.
I don't believe Veracode has helped us save time. Overall, if we consider the larger context, saving time was not a direct expectation communicated by Veracode. Their expectation was solely to prevent any security breaches. Regarding time-saving, I don't think Veracode has provided any assistance in that aspect.
At the end of the day, we were essentially thinking of transitioning to a new solution, primarily due to the high number of false positives we were receiving from Veracode, we conducted a cost-and-benefit analysis specifically for Veracode. We discovered that, overall, it prevented our solution from being breached for more than six clients. Considering our annual client turnover rate is approximately twelve to thirteen, Veracode played a significant role in addressing a substantial portion of our challenges.
I recommend negotiating with Veracode for a free trial period. We frequently engage in negotiations to secure a six-month trial. A trial will assist in comprehending the intricacies. While there are benefits, it is important to note that the time required for each project will naturally increase. It is crucial to understand how Veracode operates and determine if it aligns with the company's needs. However, regarding pricing, I am confident that Veracode delivers as requested.
Veracode functions solely within the development department, but within the department itself, we have a division based on the two types of clients we deal with. One type is primarily focused on development, while the other is focused on procuring or conducting quantitative analysis for the markets.
For general everyday maintenance, only two people are involved. However, for monthly maintenance, approximately six people from our end are involved, and I am unsure of the number of people from Veracode's end.
I would advise speaking with other clients like us who have already used Veracode. Prior to that, however, we need to understand what kind of security breaches are possible in our solution and determine how much of our money and time we want to allocate to addressing them. We should assess the importance of these breaches to us. Once we have this understanding, we can discuss with other clients how the overall process went and how much time it actually takes. The final step would be to directly contact their team and negotiate for a longer trial period. The best decision we made was to initiate a six-month trial with Veracode and then transition to full-time usage.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
A must-have tool for your security arsenal.
What do you like best about the product?
Over the years, Veracode has made the tools much faster and more thorough. Their Support group is very good, too. It's great to be able to schedule a consultation, and most of their consultants have been fantastic.
What do you dislike about the product?
On the static scan, sometimes a flaw is detected during one scan, not detected during the next, and subsequently detected on a third. The inconsistency makes it hard to track. Also, they do not make it easy to mitigate flaws other than those for a static scan.
What problems is the product solving and how is that benefiting you?
The platform helps identify any security flaws you have in your code. Also keeps developers on their toes with regard to making sure they don't introduce any *new* flaws.
Recommendations to others considering the product:
I've been very pleased with the Veracode Application Security Platform. It's very easy to use, it's quick, and their support if very good. I highly recommend checking it out.
