Application security management.
We've been able to provide reports to our clients that show applications are either flaw-free, or in the process of being remediated, and give them timely status updates on how those flaw remediations are going.
Our customers have benefited by being able to have a little bit more assurance from us, from a trusted authority, that our code is properly flaw-free and remediated.
The most important features, I would say, are the scanning abilities and the remediation abilities within the product. Scanning because, obviously, we want to make sure that our application code is flaw-free. And the remediation tools are helpful to the developers to help them track and manage their flaws.
Reporting. Some of the reporting features of Veracode do need improvement. They do not have the most robust access to data. That would be a bit more beneficial to a lot of our clients as well as our actual in-house staff. I've been talking to our program management at Veracode about that, and that is actually on their radar to have that improved, I think actually this year.
That would probably be the biggest area, access to more granular data that we could pull and use on a regular basis. Better dashboards. That kind of information.
It's stable, absolutely. They do regular maintenance schedules. Aside from that, I can't really think of a time where it has not been a stable product or unavailable.
No issues with scalability.
We engage their support teams quite often actually. Part of our licensing package is a good number of hours per month for our development teams to work with their support teams at Veracode, to help solve remediation issues, troubleshoot some of the flaws that they encounter or can't understand. Their support teams have been able to work with our development teams very well.
We were not using a previous vendor prior to this. We've used other vendors like Nessus for pen testing. We still use those. Veracode was just more of an addition.
The setup has been more of a phase-in approach, and it's been gradual. It's been kind of a "trial-by-fire" setup with a lot of our development teams because most of our development teams aren't used to doing this. So, it's been a trial, I guess more so on our side, to get the adoption going on. It's just part of training our team to actually know there's something they need to do on a regular basis.
Regarding any cost savings relating to code fixes since we implemented Veracode in our development process, I can't say I have that information off the top of my head.
Just do your research. Make sure you're getting the best price on this. It can be expensive to do this, so I would just make sure that you're getting the proper number of licenses. Do your analysis. Make sure you know exactly what it is you need, going in. Then just see if it can work. Try and make sure you get the best price possible.
I was not part of the evaluation team on this, unfortunately. I believe the other options were evaluated as well, but I don't have access to that information.
In terms of Veracode providing AppSec (application security best practices) and guidance to our teams, they've been able to adapt their scanning and remediation in their SDLC, which is something we did not have really before. It's been a little bit of "not the best honeymoon" so far, doing this with our developers, but they've started coming along here in the past year and a half.
The advice I'd give is look around, make sure it's the right fit for you. Make sure that the tools they offer are a good fit for your organization. And make sure this is something that you really feel would be good for your company. If you aren't currently doing this kind of analysis on your code, I would take a strong look at whether this is something that you really should be doing. It's a different world out there right now.
I would recommend Veracode very highly, especially since the program management staff that I work with from Veracode are some of the best people that I've worked with in this industry.