What is our primary use case?
We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.
How has it helped my organization?
Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.
Our Veracode license includes a "people component" that allows developers to request an in-person session to be scheduled to review a defect. This has helped our application security personnel pool to free up time for other pursuits. I'm not sure if this is included in all licenses or is an add-on.
What is most valuable?
Being cloud-based is a huge plus. All of our scans are always using up-to-date scan signatures and rules, and there is nothing for us to maintain. Veracode has been spot-on with notifying about planned downtimes for maintenance and upgrades. In my years of using the product, unplanned downtimes have been minimal (in fact I can't remember one.)
The API integration that allows integration with other tools, such as defect trackers and automated build tools, is also a benefit. We also like the integrated, available "in-person" support sessions to review and ask questions on discovered defects.
What needs improvement?
We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen. This ended up being relatively minor.
One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive.
Separately, I find the results console somewhat confusing. When you are running multiple scan types for the same application, I've sometimes found it difficult to sort out where issues came from when I need that information.
For how long have I used the solution?
We have been using Veracode for over four years.
What do I think about the stability of the solution?
Our solution is highly stable with minimal downtimes. (In fact I don't recall the last time there was an unplanned Veracode cloud outage that impacted us.) We previously had occasional issues with the scan appliance model, but the relatively recent switch to the ISM model has been much more stable.
What do I think about the scalability of the solution?
Given that is is cloud based, coupled with their newer app-based internal scan model, we are pleased with the scalability and have not experienced any issues with scale.
How are customer service and technical support?
As mentioned in prior comments, Veracode is simply put our best vendor in terms of relationship, value-add, and customer service/technical support. We get responsive answers from support, and their support resources clearly understand the product, and issues are resolved quickly.
Which solution did I use previously and why did I switch?
Yes. We used a legacy, heavyweight dynamic scanning product. It would produce hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune. We also didn't have a static scanning product. Moving to Veracode gave us much higher quality dynamic scanning with very few false positives (in part due to their model of human-assisted tuning, provided by them) and a robust static scanning solution.
How was the initial setup?
The setup was easy and straight forward. We had some issues with API calls from our build automation tools, but this was related to networking issues in reaching the Veracode servers on the Internet, not the Veracode product itself.
What about the implementation team?
We implemented with all in-house resources.
What was our ROI?
We achieve greatly improved security, earlier detection of security defects in the lifecycle, and as well as neatly meeting compliance requirements.
What's my experience with pricing, setup cost, and licensing?
For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.
Which other solutions did I evaluate?
What other advice do I have?
Of all the tools vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness.
Which deployment model are you using for this solution?