What is our primary use case?
Our use cases are for both dynamic and static scanning of web applications. The application is cloud-based in a major cloud provider. We schedule scans at regular intervals that support various compliance efforts within the enterprise. The application has a modern design with a responsive UI that adapts to the display of the device being used. Veracode seems to have little trouble scanning our application. Overall, we are happy with the service that Veracode provides us although the cost does seem quite high in my opinion.
How has it helped my organization?
Our developers are more security-aware and are writing better code. The e-learning option allows our developers to dig deeper into security issues, such as sanitizing input, carefully configuring logging output, and other typical sources of vulnerabilities. We have a better understanding of the proper configuration of web servers and web proxies as well. The Atlassian integration has helped manage our compliance paperwork in a more automated way also. Overall, we are happy with the service that Veracode provides to us.
What is most valuable?
The Atlassian integration is the most valuable aspect of this solution. Many other security platforms don't seem to have this feature or want an exorbitant amount of money to get it. Automated integrations such as these make compliance much easier to track and maintain. Additionally, the integrations help with agile processes such as DevOps. We are able to schedule things like scan submissions to Veracode, which aids in automatic, regular scanning of our web application. Veracode also allows for customizing your corporate policy for things such as remediation deadlines.
What needs improvement?
Developers frequently complain to me about the user interface and the difficulty in navigating the web site. I too have had some very frustrating moments trying to find things. I do not find the dashboards all that helpful though they are pretty and there seem to be plenty of them. I am running out of critiques to say about Veracode but it seems I must use 500 characters regardless of what I need to say. It seems like an arbitrary requirement. I'm still not at 500 yet. Can I say that this requirement should be cut in half?
For how long have I used the solution?
We have been using Veracode for a little over two years.
What do I think about the stability of the solution?
Rock solid. I don't think we've ever had issues being able to access the system. Whenever we have needed to log in and look at something in our results, we have always been able to do so. The only stability issues we have had are with the dynamic scan authenticating into our web app. Sometimes, for no understandable reason, it will stop authenticating. However, this has only happened a couple of times.
What do I think about the scalability of the solution?
Scalability seems fine. We have not noticed any issues.
How are customer service and technical support?
Service and support are always helpful and knowledgeable. Turnover seems to be an issue. We are frequently being assigned new staff to our account. So far, though, the level of service has been great.
Which solution did I use previously and why did I switch?
We tried to do it manually ourselves with Burp Suite Pro, but it was too cumbersome and had no integrations with Atlassian.
How was the initial setup?
Straightforward and web-based.
What about the implementation team?
We configured it ourselves, with some assistance setting our policy configuration as I recall. Veracode staff are knowledgeable and always helpful.
What was our ROI?
Difficult to quantify. What's the cost if you ignore security?
What's my experience with pricing, setup cost, and licensing?
It's expensive. Know that going in. Your organization, your programmers, and your product will be better for it though.
Which other solutions did I evaluate?
I spoke with Checkmarx as well. At the time, Veracode seemed to be cheaper.
Which deployment model are you using for this solution?