We use it for static checking.
We use it for static checking.
We are a state agency, we're not a private-sector company. What we're able to do is take our main web-based application, which is not only for internal use but which the citizens of Ohio also use, and we can run this application, and others as well, through Veracode to ensure that we've done our job, our due diligence.
We print out a report, we see the rating of the vulnerabilities that have been found: "critical" and "high", "moderate" and "low." We've been able to go from having critical vulnerabilities to where we're now into the more moderate range. We've shown improvement through the years. We can provide that information to our superiors, and to people who come in and audit us, to show that we've made progress on scanning.
When we find a vulnerability, we do pass it on to our developers and they've been able to go in and adjust the code so that the vulnerability is no longer there. The goal, of course, is that these findings will help them as they develop new code so that these vulnerabilities are not a part of the next application. We run a follow-up scan to make sure the vulnerability has been cleared.
The benefit, at this point, has been more internal than for our customers. Obviously we don't want them to have a problem so that they could then, theoretically, actually see the benefit. We try to be proactive.
I attended a meeting of one of the security organizations I am associated with. At the meeting were security professionals from several major retail companies. The topic of discussion happened to be application development security. When the question was asked concerning what tools are being used, many of these major retail companies said they are using Veracode. However, they were quick to comment that the product is too expensive and that there are too many false positives which take too much time to remediate.
The stability is very good. They haven't had too many updates or upgrades. They did a major upgrade several years ago but it came out just fine. It has been a really good product.
I'd call us a "mid-range" agency, so it's not like we have a ton of applications that we're changing and updating. It's good for us, but I can't really answer how scalable it is because we're not really big.
I don't believe that the team has had any problem going on to the website, downloading the static code, or running scans. They do it quite often without any issue and are able to read the report and rectify whatever vulnerability has been discovered. There has not been a problem walking through those steps. It's been pretty straightforward. And if our team has any problems, we've got access to someone that we can schedule a call with to work out the issues.
We haven't had to call tech support too often, but when we have had to call them, support has been good in terms of resolution time.
I was involved, on a cursory level, with the setup. Our implementation strategy was to focus on our main web-based application. The way that they developed the application here was under one static set of code, so we could scan this code and, in essence, be able to check the vulnerability of most of the applications from the different business in our agency.
We did not use an integrator or a third-party. We did it with the help of Veracode.
We are a state agency, so we're not for profit. I tell everybody we don't make money, we spend money. To frame it in the context of the public sector, I think we are giving our citizens peace of mind. When they come in to write a permit, and we send them to a service that collects payment, that jumping-off point is secure and safe. It would be more in those terms, rather than the bottom line.
In the public sector, return on investment is not a term that is easily understood because we do not invest. But total cost of ownership is something that we can put our arms around. When we think about potential data breaches, Veracode has certainly helped us. When you think about the cost of the product and that I have one person, not ten people, running this tool, the total cost of ownership is low. I have no devices or servers, I didn't have to do any of that here onsite. It's all in the cloud. The total cost of ownership, given the services they provide, is very low, in my opinion.
We're always looking to save the taxpayers' money. I used to tell my vendors, sharpen those pencils and make the tip laser-sharp. When it can be, I want it to be less expensive, but you get what you pay for too. Vendors need to be fair and I think Veracode has been fair.
We use their SaaS solution and it's just an annual subscription.
The state of Ohio decided to bring AppScan in and that's an IBM tool. IBM became a major vendor in the state of Ohio. But what happened is that AppScan does not offer static code vulnerability checking; dynamic is something they do offer, but it's not as complete and comprehensive as a static scan is. Even the state has gone away from AppScan, but we were looking at it, we were starting to get set up for it. But evidently, other agencies haven't found it to be as useful. So we're not going that direction, we're staying with Veracode.
There would have been cost savings associated with going with AppScan but we decided, because the state was not going that way, that we were not going that way either.
I would absolutely recommend Veracode. I've suggested to one of the larger agencies that they implement the solution and that they come to see what we've experienced and how we use the tool.
I really like Veracode. That is one of the reasons that we brought them onboard ten years ago. Of course, they were new back then. The different aspects of the offerings that Veracode provides to their customers are somewhat unique and, right now, I couldn't ask another thing from them.
We have approximately 30 Java developers and four or five testers. There are also project managers using it. We have one person who manages running of the scans and that person might have one or two other people to help.
We haven't really been utilizing it to its full potential. We probably utilize it once or twice per quarter. We are planning to increase the capacity that we've purchased. However, we're getting ready to elect a new governor in Ohio. With that election, things will change, according to his or her desires. Right now, we're in a holding pattern waiting for November to come and go.
In terms of integrating the solution into our existing software development lifecycle, because we started so long ago - before the software development lifecycle was fully implemented - we were doing Veracode testing just because it was a good idea. Then we actually developed a lifecycle. We got into scrums and it just naturally worked its way in, so when we actually hired a testing group, Veracode was already a part of the process.