It has caught lots of flaws that could have been exploited, like SQL injection flaws. It has also improved developer engagement with information security.
In terms of application security best practices and guidance to our teams, their engineering staff is really excellent. They provide our developers with suggestions and they take those to heart. They've learned from the recommended remediation strategies provided by the Veracode security engineers. That makes all of their future code better.
As for our customers, it lowers the risk for people visiting our site.
Catching coding flaws before they go live.
Regarding integrating Veracode into our software development lifecycle, we started out with it being used only as a web interface, and now developers are starting to use it right in their IDE on the desktop.
It's a pretty dynamic product. It's changing all the time and improving.
The scanning is a little slow, but other than that it's fine. It's usually when the binaries get up into the multi-hundred-megabyte size.
We haven't encountered any scalability issues with Veracode so far.
They're awesome. Their timeliness is acceptable, but their expertise is phenomenal.
Veracode is the first professional solution I've used. It was in place when I got to the company.
We just use it as a cloud service for third-party developers.
In terms of cost savings relating to code fixes since implementing Veracode in our development process, I can't really give hard numbers.
I'm not the pricing guy.
Licensing is pretty flexible. It's a little bit weird: it's by the size of the binary, which is a strange way to license a product. So far they've been pretty flexible about it.
I recommend it all the time.
It's an important aspect of a complete security program. Not necessarily this product, but source code, fraud detection.
I'd give it an eight out of 10 because it's pretty straightforward, but you still have to mostly wrap it with organizational policies that encourage its use. It's not a product - and I don't think it's really a product category - that sells itself to the end-user. They see benefits, but they do have to be convinced to use it.