Veracode Review

Has helped build developer security skills and made them more aware of things they should look for

What is our primary use case?

We use it to scan our biggest applications, our bread and butter. We've got a lot of developers using it in our organization, and we've got quite a few applications using it as well.

How has it helped my organization?

The solution has helped with developer security training and has helped build developer security skills. It has definitely opened their eyes and made them more aware of things they should look for. I try to get my developers to go to the Veracode seminars if there are new things to learn or if Veracode has made an improvement or they're going to announce something new. They have participated in those quite often, a few every month.

What is most valuable?

One of the features they have is Software Composition Analysis. When organizations use third-party, open source libraries with their application development, because they're open source they quite often have a lot of bugs. There are always patches coming out for those open source applications. You really have to stay on your toes and keep up with any third-party libraries that might be integrated into your application. Veracode's Software Composition Analysis scans those libraries and we find that very valuable.

We like their Dynamic Analysis as well. They changed the engine of the Dynamic Analysis and it does a better job. It scans better.

We use the solution’s Static Analysis Pipeline Scan. It's really good for assessing security flaws in the pipeline. Sometimes my developers have a hard time understanding the results, but those are only certain, known developers in my organization. I typically direct them to support, especially if I cannot answer the question, because I have full confidence in that process. 

The speed of the static scan is good. Our bread and butter application, which is our largest application, is bulky, and it's taking four hours. That's our baseline to compare the Static Analysis Pipeline and its efficiency. If that's only taking four hours, I have no doubt about our other applications and the solution's static analysis efficiency.

The solution’s policy reporting for ensuring compliance with industry standards and regulations is really good as well. We're a state agency and we always look to be NIST compliant. We're always looking at the OWASP and CWE-IDs, and Veracode does a really good job there. I've used it often in trying to get my point across to the developers, telling them how bad a vulnerability might be or how vulnerable the application is, based on a vulnerability we may be finding. 

What needs improvement?

If Veracode was more diversified, as far as the number of platforms and the number of applications it could do in our favor, we would be using it even more. But there are a number of platforms it doesn't support. For example, I know they support C+, .NET, and Java, but there are certain platforms they don't support and that was disappointing.

They have a pretty unique process to get guidance. It's not like you send them an email. You could do that, but if you want to set up a consultation call, you have to go to the website and give them a certain amount of detail so that they can study the problem and the detail and be ready to meet with you. It's not as simple as doing an email. You have to go to their website and you have to click on the "consultation" button and pick a time to talk with an engineer. Sometimes an engineer is not available for quite a while. You have to wait at least a couple of days before you can meet. Having to wait for two days is not that efficient. You should be able to set it up within 24 hours.

And regarding announcements from Veracode, I've tried to get them to let my developers know directly, and I'm not sure if that's happening. I want to tell Veracode to make sure that happens. I don't want them to send an announcement to me and then I have to disseminate that information to my developers. I want it to go directly to them. They've got the developers' names and emails in their database so those announcements should go directly to them.

For how long have I used the solution?

I believe the company got Veracode at the end of 2012. However, my association with Veracode has only been since about the end of 2014. So we had it for a couple of years before I got my hands on it and then I gradually started to use it and implement it to the point where it's at right now. Early 2016 is when I began administering it. I do other tasks, so it's not my full-time job. Veracode is just one of many hats that I wear. Nobody else administers it with me in our company.

How are customer service and technical support?

Veracode support is really good. I get a lot of help from them. I've been on a few calls with my developers and they're very competent engineers. If they don't have the answers, they'll get back to you.

What was our ROI?

I feel that management would not approve it if we were not getting our money's worth out of it. We have definitely seen ROI from Veracode.

Going forward, though, what may bring that into question is our transition to the cloud. We're not getting any benefit from those applications in the cloud. I think that should be addressed sooner rather than later.  We're moving to the cloud more, and for our applications in the cloud we usually only go with FedRAMP-certified cloud vendors. So we're not actually even scanning those applications in the cloud with Veracode. Not all our applications are there, but close to 30 percent of them are there now.

And they have to address not being compatible with certain platforms that we use. That has to be addressed because the ROI question may be coming up sooner rather than later.

What's my experience with pricing, setup cost, and licensing?

The solution is very pricey.

What other advice do I have?

The product is very good, very reliable, and they've made a lot of improvements to the dashboards and the reports. They've made the product easy to use. There used to be a lot of things that you had to search for and maneuver to dig deep down for them, but you don't have to do that anymore. Many of the things are now at your fingertips, including performance reports. Those things are easy to get to. 

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
More Veracode reviews from users
...who work at a Financial Services Firm
...who compared it with Micro Focus Fortify on Demand
Add a Comment