Veracode Review

A well supported and valuable tool that was part of our DevSecOps process


What is our primary use case?

I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.

How has it helped my organization?

We were embracing Veracode as a process in our DevSecOps, although I have not personally used this solution for the past eight months.

What needs improvement?

This is not a very elaborate application. I think that the suggestions are between thirty-five and eighty percent accurate, with most cases being about seventy-five percent. Some of them are references where you have to go and determine whether they are direct threats, or not.

At the point in time when we were using this solution, we had older coders and the way Veracode tests for vulnerabilities may have been affected by the code style. I found that there were far too many warnings and some false positives. Of course, this comes with every product, and there are multiple tools that are used.

Ideally, I would like better reporting that gives me a more concise and accurate description of what my pain points are, and how to get to them.

What do I think about the stability of the solution?

In the context of a dev or UIT environment, I'll say that it is fairly stable. However, I would not be able to give ratings for stability in a production environment because I have no experience with it.

How are customer service and technical support?

Technical support was good and I was very happy with them.

We did not have that many issues to start with. They conducted training, and there was an architect that was working directly with me to answer everything. He was fairly knowledgeable. In the beginning, when we wanted to understand the product, he gave us great pointers. He provided very nice documentation that we followed and we were able to establish with the infrastructure team.

If you previously used a different solution, which one did you use and why did you switch?

I have used multiple tools similar to Veracode that integrate with the IDE.

How was the initial setup?

The initial setup was straightforward. What I recall is that it was not really difficult and we had optimal support. They also provided us with documentation to help set up integration with tools such as Jenkins.

What other advice do I have?

When it comes to DevSecOps, in the industry it is still under adoption. With the advent of the cloud and code being there, or on other public platforms, many people have embraced it or are in the process doing so. 

My advice for anybody interested in implementing this solution is to be really careful when choosing your tools. Be very proactive and up-front on the requirements of your systems, because no tool is perfect. You need to find the best fit for each particular use case. I would do a thorough analysis.

As a solution architect, I do small POCs and run initiatives on products to find out various aspects. For example, the technical feasibility of the product is an important aspect. Other important ones are usability, testing, and implementation. Normally, I select at least three products and do a comparative analysis based on the POC. After this, I recommend a particular solution.

I would recommend Veracode. There are plusses and minuses to this solution, but given the chance to use it again I would definitely do so. Every product has its own flaws, but for my use case, it did fit very well.

I would rate this solution an eight and a half out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Keep your software secure

Application security starts with secure code. Find out more about the benefits of using Veracode to keep your software secure throughout the development lifecycle.

Add a Comment
Guest
Sign Up with Email