What is our primary use case?
We focus on these two use cases:
- Our first use case is for Static Analysis (SAST). The purpose of it is to scan our code for any vulnerabilities and security breaches. Then, we get some other reports from the tool, pointing us to the problematic line of code, showing us what is the vulnerability, and giving us suggestions on how to fix or mitigate them.
- The second use case is for the Software Composition Analysis (SCA) tool, which is scanning our open sources and third-party libraries that we consumed. They scan and check on the internal database (or whatever depository tool it is using), then they return back a report saying our open sources, the versions, and what are the exposures of using those versions. For any vulnerability, it suggests the minimum upgrades to do in order to move to another more secure version.
How has it helped my organization?
Veracode provides guidance for fixing vulnerabilities. It enables developers to write secure code from the start by pointing them to the problematic line of code, and saying, "This function/method has security vulnerabilities," then suggests alternatives to fix it. Then, we adopt their suggestions of the tool. By implementing it in the right way, we can fix the issue. For example, if the tool has found a method where it copied one piece of memory into another piece of memory in the code. The tool points to problematic methods with the vulnerability and provides ways to code it more securely. By adopting their suggestions, we are fixing this vulnerability.
Once you run the tool and realize that it is not secure to use a certain method or function, then you fix it. Next time that you want to add new code, you don't want to repeat that mistake. So, you're already adopting the original suggestion, then writing more security code.
If we continued to scan and fix issues, which is an ongoing battle because every day as there are new vulnerabilities, we are on the safe side.
What is most valuable?
It is faster to adopt and use because it's a SaaS software. As a service tool, we didn't have to deal with any installation emails. We also didn't have to download packages, upgrade, or maintain their on-prem machine, which is usually the case for on-prem solutions. This is a critical point that we needed to consider when adopting the right tool. So, SaaS was a deal breaker for us.
I don't have any complaints about the policy reporting for ensuring compliance with industry standards and regulations. It is good and a mandatory part of our process.
What needs improvement?
We tried to create an automatic scanning process for Veracode and integrate it into our billing process, but it was easier to adopt it to repositories based on GIT. Until now, our source control repository was Azure DevOps Server (Microsoft TFS) to managing our resources. This was not something that they supported. It took us some sessions together before we successfully implemented it.
For how long have I used the solution?
How are customer service and technical support?
The technical support was good. Even with the time zones changes, they took the examples that we provided about how our call works and investigated them. When they didn't get an answer initially, they contacted someone else to assist. Overall, our experience was good.
The turnaround time and response times are good. We always got a response, even if they said, "It will take a while, as we are still investigating." One day after always, we always got a response, even if it was, "We need time to investigate."
I would differentiate between the initial response time for our needs and the resolution time for the issue. The representative themselves respond pretty quickly to our needs. We exchange phone calls with them or email, and they responded quickly. Some of the issues that we experienced were due to our specific code languages and packages that didn't work smoothly with the tool. For those, the representative had to approach the Veracode R&D team. It took more time to involve R&D, but we eventually got a resolution from them after a few days.
How was the initial setup?
To get into the solution, it took some tries to understand the structure of our repository and the code that we were using to write dependencies, etc. So, it took a bit of time, but then in the end, the solution was easy to connect.
It took about a month until we completed integration of Veracode tools into our own systems. Eventually, the tools needs to scan our code that resides on our machines in our on-prem environment. The integration of Veracode on the cloud with the on-prem repository and our processes took time. We worked with the Israeli representative of Veracode to help us. However, it was about a month overall until we stabilize it.
What about the implementation team?
An Israeli sales representative for Veracode came to our office and worked very closely with us. They escorted us through the process of doing the PoC, examining the results and tools, and how to use them. We found it straightforward. There were some hiccups and some problems in the beginning, but not something significant in the general overview. It was easy and fast to adopt.
What was our ROI?
Our customers demand that we provide secure software. Veracode is giving us the mandate of claiming that our code is more secure because we are using an external third-party, neutral tool to examine our code and expose vulnerabilities. By fixing them, Veracode takes some of the responsibility, which is kind of a diploma that we can wave when we are negotiating with our customers.
Which other solutions did I evaluate?
We compared it with other tools as part of our proof of concept to adopt the right tool. Eventually, we selected Veracode because the tool provided us the easiest, fastest solution for our two use cases.
When we did the PoC to compare it with other tools, before we decided to adopt Veracode, one of the benefits that we saw is its reports are more focused on real issues. Other scanning tools that we tried, they produced much bigger reports with hundreds of vulnerabilities. That is too many vulnerabilities, so you cannot manage them nor decide where to focus. Using Veracode helps us focus where we need to.
We have used a Checkmarx tool, which is a competitor of Veracode. We have also examined Micro Focus Fortify and some other monitoring tools, which gave us a partial solution, had only static code analysis, or had only the open sources for composition part. We wanted one tool which does everything; we found Veracode all-encompassing.
What other advice do I have?
The solution is efficient when creating secure software. Though, it depends on how you adopt the tool and how frequently you're running it. As long as you keep it as part of your routine and frequently run the tool, you will catch vulnerabilities closer to real-time. Eventually, you will improve the security of your software.
We haven't seen a lot of false positives. However, the tool points us to vulnerabilities to fix, which because of our behavior or software, we don't necessarily need to fix because we have other protections.
We are not using it for cloud software. Our solution is only on-prem.
I would rate this solution as an eight out of 10.
Which version of this solution are you currently using?