What is our primary use case?
Veracode is a cornerstone of our Development Security Operations Program, particularly scanning automation and remediation tracking.
We've been able to monitor the release cycle and verify that our Security Standards are met by setting policy and ensuring scans are taking place. If a scan fails to meet our standard, the build breaks and the flaws are remediated before releasing to Stage and ultimately Production, where the potential impact is much more costly.
We have discovered opportunities to make our code even better thanks to Veracode!
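As an added illustration of the policy gate described above: the script below is example code written for this page, not Veracode's own tooling, and the findings report it reads is a constructed, hypothetical JSON shape rather than a real scan export. It applies a policy (block any open finding at or above a chosen severity, tolerate lower severities only for a grace period, ignore mitigated findings) and exits non-zero so the CI job breaks the build.

```python
"""
Minimal CI policy gate over a static-scan findings report.

Added example: the report format is a constructed, hypothetical JSON
document, not Veracode's export format or API. A real pipeline would map
the scanner's export into this shape first.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Constructed sample report (hypothetical format, not a real scan export).
SAMPLE_REPORT = json.dumps({
    "app": "payments-api",
    "scan_date": "2020-03-02",
    "findings": [
        {"id": 1, "cwe": 89,  "severity": "Very High", "first_seen": "2020-03-02", "mitigated": False},
        {"id": 2, "cwe": 79,  "severity": "Medium",    "first_seen": "2019-12-01", "mitigated": False},
        {"id": 3, "cwe": 327, "severity": "High",      "first_seen": "2020-02-20", "mitigated": True},
        {"id": 4, "cwe": 200, "severity": "Low",       "first_seen": "2020-01-15", "mitigated": False},
    ],
})

# Assumed policy: the thresholds are illustrative, not a vendor default.
POLICY = {
    # Any open finding at or above this severity fails the build immediately.
    "block_at_or_above": "High",
    # Lower-severity findings are tolerated for this many days, then fail.
    "grace_days": {"Medium": 30, "Low": 90},
}


def evaluate(report_json, policy, today):
    """Return a list of (finding_id, severity, reason) tuples that violate policy."""
    report = json.loads(report_json)
    violations = []
    for f in report["findings"]:
        if f["mitigated"]:
            continue  # accepted/mitigated findings do not count against the build
        rank = SEVERITY_RANK[f["severity"]]
        if rank >= SEVERITY_RANK[policy["block_at_or_above"]]:
            violations.append((f["id"], f["severity"], "blocking severity"))
            continue
        grace = policy["grace_days"].get(f["severity"])
        if grace is None:
            continue  # severity below anything the policy tracks
        age = (today - date.fromisoformat(f["first_seen"])).days
        if age > grace:
            violations.append((f["id"], f["severity"], f"open {age} days > {grace}-day grace"))
    return violations


def failing_ids(report_json, policy, today_iso):
    """Convenience wrapper: just the IDs of findings that would break the build."""
    return [v[0] for v in evaluate(report_json, policy, date.fromisoformat(today_iso))]


def main():
    violations = evaluate(SAMPLE_REPORT, POLICY, date(2020, 3, 2))
    for fid, sev, why in violations:
        print(f"FAIL finding {fid} [{sev}]: {why}")
    if violations:
        print("Policy not met: breaking the build")
        sys.exit(1)  # non-zero exit is what stops the pipeline stage
    print("Policy met")


if __name__ == "__main__":
    main()
```

Run as a pipeline step after the scan completes; the non-zero exit code is what stops promotion to Stage. The grace-period rule is there so that a newly lowered threshold does not fail every existing build on day one, while a blocking severity always fails regardless of age.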
How has it helped my organization?
Veracode has improved our Application Security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level.
Integrations into our developers' IDE (Greenlight) and the DevOps pipeline SAST / SourceClear integrations have particularly improved our time to market and confidence.
In many ways, Veracode has increased productivity, helped build and improve security and development departmental relationships, and enabled developers to consider and care about application security.
What is most valuable?
Greenlight - Developers can test their code before they commit. They are able to privately scan their code and correct any mistakes before it is committed into the build and scanned with the other components.
SAST - During a build process, we have integrated the Veracode Static Scanning (SAST) component which provides an excellent first glance at the code moving through environments.
SCA / SourceClear - Veracode SCA / SourceClear has given us excellent visibility into potential vulnerabilities found in third-party components, packages, frameworks, and libraries.
What needs improvement?
Improve Mobile Application Dynamic Scanning (DAST) for .ipa and .apk files. Right now I have to jailbreak an iPhone and root an Android to intercept and fuzz requests with a Burp Suite proxy.
That is a very time-consuming process and there are lots of dependencies. It would be very helpful if we could upload an .ipa or .apk into a Veracode simulator, provide credentials, and run a dynamic scan accordingly. Fuzzing functionality on API resources, HTTP methods, and parameters would also be very useful in testing our Web and API Application Firewalls, response pages, and other WAAF actions.
For how long have I used the solution?
I have been using Veracode for about two years now.
What do I think about the stability of the solution?
It seems to be very stable, no problems thus far.
What do I think about the scalability of the solution?
It has lots of growth potential, lots of room for improvement.
How are customer service and technical support?
Which solution did I use previously and why did I switch?
We previously used Burp Suite, OWASP Zed Attack Proxy, Python / PowerShell / Batch scripts, and the Retire.JS, Vulners, and Wappalyzer browser plugins.
How was the initial setup?
The initial setup was very straightforward, and integrations were up and running in a matter of days after purchase.
What about the implementation team?
Implementation was in-house (deployment and automation engineers, and myself).
What was our ROI?
Unknown - productivity and time are measurable, possibly as much as 20%. Improvement in cross departmental relations is priceless!
Which other solutions did I evaluate?
We also evaluated WhiteHat Security.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?