Veracode Review

Does software composition analysis, discovering open source software weaknesses


What is our primary use case?

C++ financial application acting as a hub for my academic accounting system.

The application, which my institution partially owns, was analyzed right after the code had been compiled. This seldom happens with academic software.

It does software composition analysis, discovering open source software weaknesses.

How has it helped my organization?

I can have quick results by just uploading compiled components. It gives me an idea about the most important vulnerabilities and fast remediation tips.

What is most valuable?

  • Dynamic analysis of on-premises applications using the Veracode proxy module.
  • Static analysis of applications whose ownership I share with third parties.

What needs improvement?

  • Management of false positives
  • Agile best practices: Violation detection.
  • Support for more programming languages, like SQL.
  • Support for more frameworks for Java: .NET, Python, PHP, C, and C++.

For how long have I used the solution?

Still implementing.

What do I think about the stability of the solution?

It never crashes, as far as I know.

What do I think about the scalability of the solution?

Since it is a SaaS solution, the performance is fine.

How is customer service and technical support?

CA still has some difficulties integrating the Veracode team in their support services.

Which solutions did we use previously?

I used SonarQube. It lacks real enterprise-wide security detection. I continue to use Fortify and AppScan while I am using Veracode.

How was the initial setup?

Setup is really simple, just use Jenkins, JIRA, Visual Studio, and Eclipse connectors for on-premise. The rest is online.

What about the implementation team?

Since we are based in the UK, the original Veracode Team (not CA) was helping us directly during the setup, then trained us.

What was our ROI?

Given the following:

  • Effectiveness of automatic detection of defects, taking into account bad fixes.
  • Effort to find and correct a defect during automatic detection.
  • Effort to find and correct a defect during post release.
  • Effectiveness of testing.

ROI expressed as project savings is 2.4% of the project cost.

What's my experience with pricing, setup cost, and licensing?

Costs are reasonable. No special infrastructure is required and the license model is good.

Which other solutions did I evaluate?

I evaluated Kiuwan, Coverity, and Klocwork.

What other advice do I have?

I wish Veracode support had more SDLC integration tools.

Disclosure: I am a real user, and this review is based on my own experience and opinions.