What is our primary use case?
We used it for initial discovery and analysis and for reviewing the product. We were doing a trial. We had uploaded code on the Veracode server for analysis.
We used the cloud service or the cloud website where you could interact and identify the artifacts that you wanted to be reviewed, analyzed, and reported on. There was a plugin that we used with some of our IDs. It probably was Greenlight.
How has it helped my organization?
It pointed out some areas to be improved that we were not aware of. That was very helpful because if you don't know that there is a problem, you can't fix it.
What is most valuable?
The analysis of the vulnerabilities and the results are the most valuable features.
What needs improvement?
It can have more APIs and capabilities to handle other things well. We were doing a trial for it. There were two things that I looked at: one was uploading some Java-related content and the other was uploading database SQL files and having the review done on the quarterback.
The Java portion of it worked fine, and it was pretty seamless, but the database portion was not. We uploaded some files to use for vulnerabilities, and the tell-all portion of it was pretty easy. We uploaded a war file and Java files, and we got the reports back on these. They were pretty clear to understand. We did the same thing for the database portion for the most part. However, the content wasn't getting uploaded in a predictable fashion, and it was slow and hard to get done. We had to do it over and over. After it indicated that the content was uploaded, there were no results. There were zero search findings. It was possibly a user error, something that we didn't do correctly, but they had acknowledged that it was something they were currently enhancing. This is something that could be made easier if they haven't already done that. I don't know how many releases they've had in that timeframe. I haven't looked at it since then. It was a trial period.
What do I think about the stability of the solution?
It seemed fairly stable other than the database portion where the SQL files didn't seem to get uploaded.
What do I think about the scalability of the solution?
I didn't think there would be any concerns. We didn't exercise that. We didn't, in other words, try to upload gazillion artifacts and files. We just uploaded a few just to see how they handle it. It seemed fairly robust.
There were about ten Java and database developers who were using this solution. We were all collectively reviewing it and getting feedback on it.
How are customer service and technical support?
We didn't use their technical support.
Which solution did I use previously and why did I switch?
There was no other solution.
How was the initial setup?
I wasn't that involved in the setup. I was basically a reviewer after it was all done.
What about the implementation team?
I don't think there was any in-house work. I think it was just all on their server. We didn't have any equipment or any software per se other than just downloading a plugin or IDE, which essentially did the same sort of code analysis.
What's my experience with pricing, setup cost, and licensing?
Its cost for what we needed it for was too high. It wasn't too high for other companies and it was competitively priced, but for us, it just didn't fit. We did plan to use it and increase the usage. In the end, it may have been abandoned because of the cost, but I'm not a hundred percent sure. So, even though we had planned on using it more and more, because of the cost and the business conditions of things, we didn't have the opportunity to really use it more.
Which other solutions did I evaluate?
There were a few other solutions we had looked at, but they didn't seem to be as robust. They also didn't have good reviews. That's why we chose this solution.
What other advice do I have?
It is a robust software service for security analysis. It seemed to be pretty full-featured. We didn't exercise every single thing. Just a few of the features didn't seem to be up to snuff for our needs.
I would rate Veracode Manual Penetration Testing an eight out of ten.