What is our primary use case?
In India, we have a digital development center. I'm from the security team. There are teams who develop all the applications for security features and coding security analysis. We use the Veracode Static Analysis for all projects and applications within our organization.
How has it helped my organization?
All the top vulnerabilities are detected. This makes sure all our applications are up-to-date on market threats, which are occurring. It gives a good workaround process for the developers to secure their code and ensure all our applications are secure. Up-to-date vulnerabilities are detected. It detects the vulnerabilities in the market on time. We keep running the scan over regular intervals, which ensures that we are secure.
Veracode has helped with developer security training and building developer security skills. I had never used Veracode previously. The training portals really helped teach me how to run the scan, know the Veracode processes, what processes should be followed, and what Veracode is all about. The training has really helped everyone.
Veracode covers most policy scans of most of the top vulnerabilities, like mobile. It pretty much covers all the policies per our compliance guidelines.
We give the developer a specific SLA period to fix each severity part of the vulnerabilities. So, they have a certain time limit to fix it. They are very comfortable in receiving these threats and working on fixing them.
We are very much confident in the SCA scanning mechanism. If things are going fine, we can push it into production. On scale from one to five, I can give it a four and a half.
What is most valuable?
There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode.
SCA enables developers to write secure code from the start. During the development process, we run the scan. If any threats or vulnerabilities occur, we make sure to fix them, then rerun the scan. Then, we move to production. We have all the applications of our organization on Veracode using CI for our pipeline.
We use the Static Analysis Pipeline Scan, and it provides a good benefit for our developers. Previously, we didn't have any of these kinds of tools within the organization. We were using a code quality tool, but Veracode also gives us code quality. It also detects the vulnerabilities within the application, which makes sure the quality of the application is treated well. Therefore, I can give it a rating of four and a half out of five.
What needs improvement?
The scanning could be improved, because some scans take a bit of time.
Many developers have commented on the packaging. It is quite different compared to other tools, so the packaging of codes could be changed. They should make it more uniform.
On the reporting, there should be an option like sending reports to groups or task ID.
For how long have I used the solution?
We have been using Veracode for one year within our organization.
What do I think about the stability of the solution?
The stability is good; there is nothing unstable about it.
What do I think about the scalability of the solution?
SCA scales well.
Most of the users are developers, about 90 percent. 100 to 150 employees are using Veracode as of now.
We have more than 30 applications. Some use it on a daily basis, then others use it on a biweekly or monthly basis.
We do have plans to increase usage. All our developers across our organization, across the globe, will start implementing Veracode within all their platforms or applications that they are developing very soon.
How are customer service and technical support?
We receive guidance for fixing vulnerabilities in case something is new to us, or we are stuck from there. We can very easily get consultation through calls and emails, which gets things easily clarified. That means we get things done quickly.
Which solution did I use previously and why did I switch?
We were using SonarQube previously, but just as a code quality tool.
How was the initial setup?
The initial setup was somewhere between straightforward and complex. I am not a developer, so I would not know how to package these codes and send them in for a scan. What I prefer is if there could be some mechanism where if I am a layman, then I just need to run a scan of the application. After that, there should be some option where I can get the project details. Instead of doing the packaging or some changes in the uploading part, this change would really help anybody who had to run the scan.
We have multiple applications developed at our organization, but it didn't take much time to deploy the solution to each. If a new application comes into picture in our organization, we provide access, so they can start running the scan in one or two days.
What was our ROI?
SCA reduced the cost of AppSec for our organization, because of things like stability.
Which other solutions did I evaluate?
It scans quickly versus other tools, like Qualys, Burp Suite, SonarQube, and Nexus.
What other advice do I have?
I can be confident about more of our applications in production. We can be more confident against many kinds of external threats. The lesson learnt is about being proactive, which is a good thing in security.
Veracode integrates with our developer tool 95 percent of the time. It is supported very well because developers get to know why the security features are really important in any organization or application along with what they develop. They get to know the market standards of what the security threats are and how to fix them, making sure the coding or the applications are secure enough to move to production. However, with MuleSoft, it does not support most of the API parts.
We use cloud-based applications and take support from the community.
At the moment, we are only using SCA and Static Analysis, which we have been very satisfied with. However, we are not using their DAST or pen testing.
In our organization, we concentrate on high-end and medium alerts, but we really don't bother much with false positives.
I would rate this solution as a nine (out of 10).
Which version of this solution are you currently using?