It has allowed us to integrate with it through automated processes, which saves us a lot of time and effort.
Also, our customers benefited from the added application security assurance of our software, as they’ve been able to identify OWASP top-10 application vulnerabilities without a manual tester.
Static analysis scanning engine, because we need to do static analysis; that’s why we bought the product.
It would save us time when integrating with the APIs. Difficult APIs are annoying to work with and we have to trial/error our way through the integrations. The more straightforward and friendly they are, the less we have to trial/error.
No issues with stability.
Aside from the licensing, no issues with scalability.
The APIs are a bit nonsensical, but otherwise straightforward.
It has not really resulted in any cost savings related to code fixes.
The worst part about the product is that it does not scale at all. Also, microservices apps will cost you a fortune.
Regarding measures taken to integrate Veracode into our existing software development lifecycle, we have 100% API integration. We use the Jenkins plugin as a last resort, but we are moving away from that.
The AppSec best practices and guidance to our security and development teams are manifested in the static analysis it provides.
In terms of advice to others looking into implementing this project, I would say don’t use the UI, and do what you can to have license conversations up front.
It depends on the use case and budget, but I would recommend CA Veracode to colleagues.