What is our primary use case?
The primary use case for us was looking for web applications that might have vulnerabilities that could be compromised. Specifically, I was managing a team and we had built a lot of applications as well as having purchased applications from vendors. We were working with a security team to go through and scan those applications for vulnerability using Software Composition Analysis. We were trying to avoid situations where somebody could do something that they should not be able to do like get at data.
How has it helped my organization?
The product helped improve our organization by helping us to identify potential problems in applications and fix them before they were used in a way that they should not be. In essence, it helped enhance our security. I think another thing is that it did is it did kind of helped us with the general education level of staff working on the projects. Developers or technical stakeholders specifically were presented with the opportunity to understand things that maybe they did not before.
We were not doing the training piece of the process when we were onboarding the product, but just adopting the platform definitely increased their awareness and knowledge about potential issues in development and application vulnerabilities.
What is most valuable?
One of the best things about the solution is that I think it is kind of easy to get started using it. The pain of adoption is low. Once you got the code scanned, there is a lot of information that you have to plan time to go through and work with other teams to get things resolved or disposition.
I think that it was easy to get started, but there was also definitely a learning curve in terms of people needing to understand what the reports meant and what to do about the information that they were getting.
What needs improvement?
There is a concept called false positives where things might come up as a potential issue but they really are not. In our case specifically, we might get a false positive when a potential vulnerability is discovered through Veracode analysis, but the way that the application is built makes it so what appears to be a vulnerability is not really an issue. Stated a different way, even though there might be something that prevents that particular event from ever happening, the product does not correctly detect the safeguards or the impossibility of the issue arising.
When a false positive gets reported by the Composition Analysis, it results in more work for you to do than you should have to. There is a lot of information to go through and so some of it is due to those false positives. You either have to do work to eliminate the false positives being identified, or you have to look at the alert and determine that it is harmless.
As far as what might be added in future releases, more artificial intelligence capabilities would be desirable. I do not know if they have it now. Maybe one example could be to make more focused suggestions or give more information in the reports to locate the cause of the issues. It should be something that improves results over time so that people do not have to do as much work to understand the details.
For how long have I used the solution?
I have been using Veracode Software Composition Analysis for probably around three years.
What do I think about the stability of the solution?
I would say it is definitely stable. There were no problems with the platform itself. It has been reliable. We never had issues where we needed to call support.
What do I think about the scalability of the solution?
I think the opportunities for scalability are good because we did not come upon issues that caused us to wonder about its limitations. We have not really pressed to find scalability problems. So my impression is that scalability is good. We did not experience issues due to bottlenecks or anything like that.
Our group of users contained a mix of roles. It was developers, project managers, testers, information security analysts, and engineers. It was probably a total of around 30 to 40 people.
For deployment and maintenance, there were really just like a couple of people. There was not a full-time dedicated need for it.
How are customer service and technical support?
There were times when we had to deal with support when we ran scans and we were reviewing results. There were times when we needed to either open a ticket or talk to somebody who had some expertise in a specific area. That process was timely and they were responsive. So that was good.
Veracode actually has a separate subscription that you can participate in that is something like a learning management catalog. I think that the training piece of support has definitely improved over the course of when we used it.
Which solution did I use previously and why did I switch?
We did have a different product, but it was a little bit for a different purpose. We were using a different product but complemented the Veracode product.
How was the initial setup?
The initial setup was pretty straight forward. That is part of it being an easy solution to get started with.
The deployment started smaller in employing the product to analyze a subset of our applications. It initially was being employed to look at the vendor applications that we had. I would probably say that initial period was about three to six months. That effort was focused on one group and did not really include all of the technical people and developers.
Once we saw what it could do, it got adopted and we rolled it out to more people. So we kind of employed it in stages. The first part, which was essentially a test period, was three to six months. Then pushing it out for broader adoption in the next part was another three to six months.
What about the implementation team?
We did not use integrators. We did have the training and we did have professional services in the form of customer support from Veracode.
What's my experience with pricing, setup cost, and licensing?
I do not remember the licensing costs off hand. I would probably estimate it to be between 50,000 to 75,000 in our case.
What other advice do I have?
The advice that I would have for people who are new to the product would be to start with a proof of concept. This will help you to see how the product works with your process and people.
The biggest lesson I have learned from using this solution is that it definitely increased my education on how to prevent application vulnerabilities earlier on and how not to repeat them. It also helped me as a manager to better understand how to guide and coach people.
On a scale from one to ten where one the worst and ten is the best, I would rate this product probably as a seven, if I am going back in time. I thought that there was room for improvement, but at the same time, it did what we needed it to do. We got what we expected. So I thought it was good, but I also think there were some additional manual steps or work involved that we should not have needed to do. That is really why I do not rate it with a higher number.
Which deployment model are you using for this solution?