Dynamic and static code analysis.
Dynamic and static code analysis.
It has given us insight into the actual flaws that are out there, and the speed at which they're getting mitigated. Now, we're starting to see quantitative metrics to show the overall risk with code vulnerabilities. It has been very helpful in that it has exposed an area that we weren't digging into as much as we should have, before.
The developers' awareness of the security weaknesses within their code has also improved. They aren't just mitigating these issues, they are realizing these are, in fact, issues that have to be dealt with.
We are just starting to integrate Veracode into our software development lifecycle. We are reaching out to a few of our developers to begin project Greenlight. Specifically, right now what we're doing is integrating the static code analysis scans into our change approval. If you want to put a new piece of code live, you have to have a clean Veracode scan, whether it be through mitigation approval or through actually resolving issues. We've integrated it as part of our CAB process, and we're going to take that a step further and integrate it into the actual IDE for the developers.
In terms of security best practices and guidance to our dev teams, Veracode has been fantastic. The one thing we really liked about Veracode when we got it - and I think some other providers are doing it now - was the consultation calls; that our developers are able to schedule them on their own, instead of going to a "gatekeeper." They upload their code, they have questions, they schedule it, they speak with someone on the other side who is an expert, they can speak developer-to-developers. That is really good stuff.
Regarding our customers, I don't know if they have benefited per se, other than getting better, more secure applications. I don't know that our customers are necessarily looking for the most secure application, but it is something that I'm sure is on their mind, and they want to know that we're doing it. I would call it a tangential or unseen benefit. It is probably not in the top-10 things that they're looking for when they use one of our apps or our website. They are just assuming that a company such as ours is going to make sure that we have the appropriate security controls in place. So the way they benefit is that, hopefully, we're meeting that expectation, but I don't know that our customers are specifically looking for that as a decisive factor for using our websites or apps.
The reporting and mitigation features which allow our people to work on their own.
The only areas that I'm concerned with are some of the newer code libraries, things that we're starting to see people dabble with. They move quickly enough to get them into the Analysis Engine, so I wouldn't even say it is a complaint. It is probably the only thing I worry about: Occasionally hitting something that is built in some other obscure development model, where we either can't scan it or can't scan it very well.
I would also like to see some improvement in the speed. That is really the only complaint, but in all reality we have a massive Java application that needs to be scanned. Our developers are saying, "It takes 72 hours to scan it." That is probably the nature of the beast, and I'm actually pretty accepting of that timeframe, but since it's a complaint that I get, faster is always better. I don't necessarily think that the speed is bad as it is, just that faster would be better.
I don't think that we are even beginning to push the envelope of what the system is capable of. We haven't had any problems. I'd say we are probably on the lower end of usage, not only the number of scans but regarding the number of applications. I haven't seen any issues, but I also wouldn't expect to hit issues, given where we are.
The support team itself, or security program manager and a few others, have been fantastic. Most of the time, they're willing to move and work faster than we are actually capable of. They have been spot on in helping us get this thing rolling.
They are fantastic. They get the highest rating.
We used HP WebInspect, which is now under the Fortify umbrella. HP WebInspect was just terrible. Had we used the on-demand cloud piece - which is why I perhaps have to pull my comment back - maybe we would have had a different experience. But we had a WebInspect instance on a single server that was inside of our own data center. It was very, very kludgy, very slow, didn't work very well. We were hitting the required specs for it but we'd have a dynamic website scan, which should not have taken very long, taking a week. It not only should have been very close to the scanning engine, but had its own dedicated route for pieces that live in the cloud. It was bad, and it was slow, and their reporting was terrible. There was no real support for it. It was just very bad.
It was very easy. The cloud instance got turned on, we had a support rep dedicated to us to help us get up and running. It couldn't have been easier.
I can't think of any cost savings related to code fixes since implementing Veracode. We are mostly focused on using it for application security, which is a hard thing to quantify unless you have a major breach.
I think the pricing is in line with the rest of the tools. I think you get what you pay for. It is certainly not inexpensive, but the value proposition is there. There are certainly cheaper tools, but I don't think we'd be getting the support that we get with those, and that is what separates this product from the others.
Regarding licensing, pay very close attention to what applications you're going to need to do dynamic scanning for, versus static. Right now, the way the licensing is set up, if you don't have any static elements for a website, you can certainly avoid some costs by doing more dynamic licenses. You need to pay very close attention to that, because if you find out later that you have static code elements - like Java scripts, etc. - that you want to have scanned statically, having the two licenses bundled together will actually save you money.
You really need to understand how your application is going to be delivered and not think of it just as, "This is a website and this is a mobile app," or "This is a website and this is a fat client." Often, with new frameworks, you have websites - especially with Java specifically, which is not even a new framework - running Java, but you also have things running in a local Java sandbox on the machine, or on a Java virtual machine. You really want to understand how that application is being delivered to the end-user, and not just think of it as applications on a box and websites.
My advice is what I mentioned in the pricing/licensing section above, you really need to understand what it is you are looking to do.
Also, take into account a data sensitivity for the applications. It's not "one policy fits all." I really like that Veracode allows me to set up specific policies that I can apply to applications. Understand which are your critical apps that deal with critical, very sensitive data, and then apply a more rigorous scan model to them, versus internal applications that perhaps don't deal with as much PII, with as much sensitive information, and aren't available to the outside world. Those might have a lower risk footprint. Understand that, so when your developers go in there you are not treating every single thing like it is a public-facing, client-data-gathering, credit-card-processing web app. That way your developers can prioritize what they need to work on, so that you are delivering the right metrics to your leadership.
You really need to understand that strategy going in, because the tool is not going to help you determine that. The tool is only going to help you scan.
The only reason I don't rate it a nine or a 10 out of 10 is because we haven't hit those scalability roadblocks yet. I know we might have some challenges in the future, but I would say eight out of 10 is an incredibly good score for a product like this. If you were just asking me about the support and the people behind it, I would rate that a nine or a 10. If you bundle it all together it's an eight.
I recommend CA Veracode to colleagues all the time.