What is our primary use case?
We introduced SCA scanning to satisfy customer-requested open-source library scans as part of a contractional agreement. This led to expanding SCA scanning across our other applications to compliment SAST/DAST application scanning.
We knew we had a technical debt from not updating open-source libraries for years, and were not aware of the vulnerabilities in these libraries at the time. SCA scanning is now a first-class scan component of our current practices and included in our external security audits going forward.
How has it helped my organization?
Veracode SCA enables awareness of open-source library vulnerabilities and versions to upgrade and eliminate these problems. It links to SWE flaws and provides guidance on remediation.
The nature of discovering a vulnerability included in many places of the application code base makes initial findings look overwhelming. However, we found more the 80% of the time, simply updating the build project configuration to include new versions, rebuild, and rescan, resolved the vulnerability finding.
The remaining ~20% of findings required refactoring for deprecated methods or a shift in usage model to update to a newer version.
What is most valuable?
Multiple "Policy" profiles can be created to apply differently to different classifications of applications that include grace periods per severity. I find this a great way to manage team expectations and regulatory compliance on a per-scan and time-period cycle, leading to self-service compliance remediation.
The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities.
The Vulnerable Methods feature helps with sorting through those vulnerabilities that matter to my application codebase.
What needs improvement?
Three areas that we continue to struggle with are
- Identifying and flagging false positives that reappear in other locations, where a rule that can catch other occurrences such that we don't have to repeat the override each time would help in productivity, and
- Improving sorting through findings reports to filter by only what is critically relevant will help developers focus on issues,
- Add enterprise aggregate reporting, showing teams grouped in business units with trends per team and at the group level that can be sent by email as a digest with drill-in back to the dashboard.
For how long have I used the solution?
We have been using SCA for one and a half years and SAST/DAST for two and a half years.
What do I think about the stability of the solution?
Scanning is reasonably consistent and reliable. Occasionally, a scan will fail or get stuck with a defect in the scanner or some unsupported implementation requiring escalation to Veracode to fix or work-around.
What do I think about the scalability of the solution?
Platform scan performance has improved over the years. Refrain from putting too much in your application package for scanning such that you keep a reasonably short scan time.
Veracode needs a more standard microservice pricing strategy such that optimizing SaaS solutions into microservices from monolith applications is not penalized.
How are customer service and technical support?
Technical support was difficult at times due to off-shore support that seemed to be reading from a script and not really understanding our issue. The time delays in response with the off-shore team and language concerns made resolving issues painful at times.
As we grew, we were assigned a local Security Program Manager as a point person for all escalations and that made all the difference. Our escalations are now taken seriously, with a consultation of the issue and swift resolution if warranted.
Which solution did I use previously and why did I switch?
We previously use WhiteSource open-source scanning and switched to Veracode for consolidation of scanning tools with one vendor dashboard.
How was the initial setup?
The initial setup for manual scan uploads is straightforward. Pipeline uploads can take some effort to get to work right. Setting up policy rules and charts for results is reasonably easy.
What about the implementation team?
We implemented it through an in-house team. This a Quality Engineering Shared Service team with a part-time custodian that performs other roles, as well. We found the need to have a designated custodian per application scrum team to assure scans capability, and the scan frequency for that team is maintained, escalating any issue to the shared service team and/or Veracode directly, and for shepherding vulnerabilities through the backlog routinely.
What was our ROI?
We feel that security scanning is a necessary cost of doing business, especially with FedRAMP and other prescriptive certifications. The effort we put into scanning keeps our applications healthier with higher quality confidence.
When our scan pipelines work as intended, there is little human capital cost. If there are problems with the scan pipelines and/or scan results then this can become time-consuming to address.
What's my experience with pricing, setup cost, and licensing?
The Veracode price model is based on application profiles, which is how you package your components for scanning. Veracode recently included SCA pricing and support pricing as a factor of the SAST scan count cost. When using microservices, you may need to negotiate pricing based on actual application counts where microservices are usually a portion of an application.
Which other solutions did I evaluate?
Synopsis and Checkmarx were explored for SAST/DAST scanning in 2017, prior to the use of SCA.
What other advice do I have?
Veracode has evolved to be a good partner, overall, in working through our learning needs and problem escalations. There are layers of training and consultation available, as well as recurring support engagements if the enterprise scanning needs warrant it.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)