Veracode Review

The scans have helped us make our code more secure, but mitigation can take a long time


What is our primary use case?

To certify that we have valid code, and that the developers are working with valid structures and writing good code.

How has it helped my organization?

The coding standards in our development group have improved. When we scan our code - at the end of a build cycle we'll go through and scan our code - from those scans we've learned the patterns and techniques to make our code more secure. An example would be SQL injection. We have mitigated all the SQL injection in our applications.

That is now part of our software development life cycle, to do a static scan before we release to our client base. We mitigate what we have to.

I'm not aware of any cost savings relating to code fixes since implementing Veracode in our development process.

In terms of Veracode providing application security best practices and guidance to our development teams, once we scan the software and we have to go through a mitigation process, we make sure we implement that in the base standards. Once we mitigate a problem, we implement it back into the base to make sure the developers who are still developing code are not going to have the same issues that we just mitigated.

For our customers, they know that we go through another level of application security with our application, one our competitors don't use. They know our code meets a standard and that we implement the standard and the structures. The fact that we have mitigated gives them a little bit of peace of mind that our code is valid, and that it's not going to hurt their infrastructure.

What is most valuable?

We just use the static scan; it's all we've gotten into as of now. We're happy with that, it seems to work very well for us.

What needs improvement?

Going through the mitigation is probably the hardest thing to do and that's still an ongoing process. If there is a code issue to mitigate, it sometimes takes a little bit longer than what you would think. It might not be anything that they're doing. It's just that their engine is changing and our code is changing, so we have two things moving. We get a good score one time, scan it again on a new release, and the score drops because the engine is picking up more things. I don't know if they could do anything about that. It's just one of those things you might just have to live with.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

No issues with stability.

What do I think about the scalability of the solution?

No issues with scalability, we're good there.

How is customer service and technical support?

They're very good. Anything that we've brought up to them, they've responded to us very quickly.

Which solutions did we use previously?

We used the built-in solution inside of Microsoft Visual Studio, and we switched because Veracode had more cohesive scanning abilities and found a lot more issues with our code when we first scanned it.

How was the initial setup?

It was pretty straightforward.

What's my experience with pricing, setup cost, and licensing?

We get good value out of what we have right now.

Which other solutions did I evaluate?

We had a couple of products that we looked at, but went with Veracode.

What other advice do I have?

I am highly likely to recommend Veracode to colleagues.

Make sure, once you scan and find issues with your code, that the developers know how to remediate those issues so they don't go through them again.

It's going to take some time to get through your first set of scans and mitigations. To fix your code is not straightforward. But once you do that and implement it back through your whole development cycle, they identify the issues and it's very easy to fix them, once you know and have gone through it once.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
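The review above names SQL injection as the class of finding the static scans surfaced and the team then mitigated and folded back into its coding standards. As an added example (not the reviewer's code and not Veracode's), the block below shows the pattern a static scanner flags, string concatenation of user input into a query, next to the parameterized form that mitigates it. It uses a constructed in-memory SQLite table; the `users` schema, the rows and the function names are assumptions made for the example.

```python
"""Added example: the SQL injection pattern a static scan flags, and its fix.

Everything here is constructed for illustration: an in-memory SQLite
database with a made-up users table. It is not code from the reviewer's
organization or from Veracode.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small constructed user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' form a static scanner reports as SQL injection (CWE-89):
    the caller's input is spliced into the SQL text, so a quote character in
    the input changes the structure of the query itself."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The mitigated form: the value is bound as a parameter and is never
    parsed as SQL, so the same input only ever matches a literal name."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> tuple:
    """Run both forms against a fresh database and return (vulnerable_rows,
    parameterized_rows) so the difference can be checked directly."""
    conn = make_db()
    try:
        return find_user_vulnerable(conn, name), find_user_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves identically in both forms.
    print(compare("alice"))
    # An input containing a quote breaks out of the literal in the
    # concatenated form and matches every row; the bound form matches none.
    print(compare("x' OR '1'='1"))
```

The second call is the check a developer can keep as a regression test after a scan finding is fixed: the concatenated query returns every row for an input that merely contains a quote, while the parameterized query returns nothing, which is the behaviour the review describes wanting baked into the base standards so the same finding does not recur.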