What is our primary use case?
We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, wherein we are using our CI/CD server as Bamboo, Jenkins, and GitLab CI/CD.
We have teams for both our cloud pipeline and on-prem pipeline, and both teams use this solution. We are using Veracode to constantly run the internal application source code and ensure the code's security hygiene.
How has it helped my organization?
Before, the pentesting was happening at later part of the SDLC. Now, we have been getting early feedback about insights from Veracode, including traction around the application security aspects. Developers keep coming to us and asking the questions. Vericode has built a bridge between the development and security teams, which is something really helpful in an organization.
Veracode has helped us build security training in our clients' organizations.
The solution’s policy reporting for ensuring compliance with industry standards and regulations is very helpful. We use Veracode to scan for vulnerabilities. This help us comply with regulatory standards for the European region. While the policy scanning takes time, it is very good from a compliance point of view.
What is most valuable?
There are quite a few features that are very reliable, like the newly launched Veracode Pipelines Scan, which is pretty awesome. It supports the synchronous pipeline pretty well. We been using it out of the Jira plugin, and that is fantastic.
We are using the Veracode APIs to build the Splunk dashboards, which is something very nice, as we are able to showcase the application security hygiene to our stakeholders and leadership.
We have been using Veracode Greenlight for the IDE scanning.
Veracode has good documentation, integrations, and tools, so it has been a very good solution.
Veracode is pretty good about providing recommendations, remedies, and guidelines on issues that are occurring.
It is an excellent solution. It finds a good number of the securities used, providing good coverage across the languages that we require at our client site.
We have been using the solution’s Static Analysis Pipeline Scan, which is excellent. When we started, it took more time because we were doing asynchronous scans. However, in the last six months, Veracode has come with the Pipeline Scan, which supports synchronous scans. It has been helping us out a lot. Now, we don't worry when the pentesting report comes in. By using Veracode, the code is secure, and there are no issues that will stop the release later on in the SDLC.
The speed of the Pipeline Scan is very nice. It takes less than 10 minutes. This is very good, because our policy scans used to take hours.
Veracode is good in terms of giving feedback.
What needs improvement?
We would like to see fewer false positives.
Sometimes, I get feedback from a developer saying, "They are scanning a Python code, but getting feedback around Java code." While the remediation and guidelines are there, improvement is still required, e.g., you won't get the exact guidelines, but you can get some sort of a high-level insights.
Veracode has a little bit of noise. Sometimes you will get a lot of issues, which you just need to triage. While the solution is excellent, it does come with a little bit of noise.
For how long have I used the solution?
We have been using the solution for a year and a half.
What do I think about the stability of the solution?
The stability is good, except every month it needs maintenance. So far, we haven't had an outage during UK working hours, e.g., where we are unable access the platform. There were some issues out-of-the-box, but now it's pretty much fine.
What do I think about the scalability of the solution?
More than 100 people are using the Veracode solution in our organization. Mostly, the guys who use Veracode are developers, QA engineers, product owners, Scrum Masters, and some data scientists.
We have a three-person team of security guys who maintain the entire service. The security guys have automation skills and can write the code. We are one squad in a company out of 21 squads. We are a security who helps other development teams with Veracode as part of their DevSecOps.
We have adapted Veracode across three line of our client's business. In the future, we may expand Veracode into more lines of business.
How are customer service and technical support?
The technical support sometimes takes 48 hours to get back to us. Some of the support staff are not that great. There is no extra support on Slack channel nor is there a chat. Instead, we just have to wait for an email. They gave us a mobile number, which sometimes doesn't work. Then, if it does, it takes time. The technical support is something that needs to be improved.
Veracode's application security team is very helpful. If we are not getting the answers that we need, this team will come and assist us. For example, we had a call with their application security team who helped us determine best practices. They are good and very professional.
Their account team is helpful and knowledgeable.
We use the solution’s support for cloud-native applications, like AWS Lambda. We have a cloud pipeline, where some of our microservices functions are getting developed there. Less than five of our squad use this service.
Which solution did I use previously and why did I switch?
Because of my consulting background, I have used other solutions prior to the use of Veracode. However, Veracode was the first solution implemented of its type. Before Veracode, developers didn't know how they could develop secure software. After Veracode was implemented, developers knew when they wrote code that they could scan it in their IDEs. Also, while pushing a deployment, they can get feedback from the Pipeline Scan.
How was the initial setup?
The initial setup is straightforward. It took us three months to deploy the entire solution across all the squad at our site via Pipeline Scan as well as have the squads adopt it. If you are familiar with security, you can be up and running with the solution in a week's time.
Our implementation strategy was to give the Greenlight ID plugin to all the developers and enable the microservices. Then, we wanted to let the non-human account use the new unlimited account and all the source code. This has helped us in last year and a half, as we have over 150 microservices being scanned by the Veracode platform.
What about the implementation team?
Customer support was amazing during the evaluation phase.
What was our ROI?
The ROI seems good so far. The client is happy with what they invested in Veracode. Having our developers now think about security is also helping us out.
The solution has reduced the cost of AppSec a little bit for our organization through the automation of pentesting.
We have seen a 30 percent reduction in pentesting. Using Veracode, we can do faster releases.
What's my experience with pricing, setup cost, and licensing?
Veracode's price is high. I would like them to better optimize their pricing.
Which other solutions did I evaluate?
Veracode's price is a little higher than other tools. However, they are the market leader.
Micro Focus Fortify doesn't have good APIs. Instead, they are relying on CLI. Whereas, Veracode is more API and DevSecOps friendly. Veracode's scanning time is better than Fortify's.
What other advice do I have?
It is an excellent solution. I would recommend adopting it. If you come from a security background, Veracode is an easy solution. If you don't come from a security background, the adoption of Veracode will take a bit of time.
Veracode has been integrated with our IDEs. It has been also integrated with our DevOps CI/CD server, which is Bamboo, Jenkins, or GitLab CI/CD. It is all pretty neat and clean.
I would rate this solution as a nine out of 10.