Veracode Primary Use Case
Software Architect at Alfresco Software
The use case is that we have quite a few projects on GitHub. As we are a consulting company, some of these projects are open source and others are enterprise and private. We do security investigation for these projects. We scan the repository for both the static analysis—to find things that might be dangerous—and we use the Software Composition Analysis as well. We get notifications when we are using some open source library that has a known vulnerability and we have to upgrade it. We can plan accordingly.
We are using the software as a service.
We have three use cases. We have the dynamic scans that we use to scan the production, public-facing URLs. We also use the static scan where we work with the Dev team and scan the code base for the web application and the mobile application on both iOS and Android. Our third use case is manual penetration tests, which my team manages. We do annual manual penetration tests.
It's deployed to our platform infrastructure, which is in a public cloud.
Head Of Information Security at a media company with 51-200 employees
We use Veracode for static analysis of source code as well as some dynamic analysis.
Veracode has both static application security testing as well as dynamic application security testing, also called Dynamic Analysis. Our primary use case was on the static analysis side, not on the dynamic, because we have an automated tool in the dynamic analysis scope. So our primary use was static analysis security testing.
Principal for the Application Security Program and Access Control at an engineering company with 10,001+ employees
Our primary use case of this solution is for static and dynamic analysis along with the source gear for the third-party dependency (not IDM).
We were looking into actually moving towards IDM, but that's the extent of my knowledge. They are licensed as two separate products. They're part of the same platform, but they are licensed separately.
We have Veracode, Veracode Developer Training, Veracode Software Composition Analysis, and SourceClear. SourceClear and SCA are pretty much the same. They just support different languages. Veracode as a whole, the top option, is the one that includes everything.
We use Veracode primarily for three purposes:
- Static Analysis, which is integrated into our CI/CD pipeline, using APIs.
- Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL.
- Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.
We use both the static and the dynamic scanning. What we do is run the code through the scanner once we make any modifications. And periodically, we also run the dynamic to connect several applications. We use Veracode to check for specific vulnerabilities such as cross-site scripting. When we are checking for those vulnerabilities, we take a portion of code that is going to be generated and we run the scanner.
Security Architect at a financial services firm with 1,001-5,000 employees
We use it to scan our web applications before we publish them to see if there are any security vulnerabilities. We use it for static analysis and dynamic analysis.
DevSecOps Consultant at a comms service provider with 10,001+ employees
We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, wherein we are using our CI/CD server as Bamboo, Jenkins, and GitLab CI/CD.
We have teams for both our cloud pipeline and on-prem pipeline, and both teams use this solution. We are using Veracode to constantly run the internal application source code and ensure the code's security hygiene.
R&D Director at a computer software company with 201-500 employees
We focus on these two use cases:
- Our first use case is for Static Analysis (SAST). The purpose of it is to scan our code for any vulnerabilities and security breaches. Then, we get some other reports from the tool, pointing us to the problematic line of code, showing us what the vulnerability is, and giving us suggestions on how to fix or mitigate them.
- The second use case is for the Software Composition Analysis (SCA) tool, which is scanning our open sources and third-party libraries that we consume. They scan and check on the internal database (or whatever depository tool it is using), then they return a report saying our open sources, the versions, and what the exposures of using those versions are. For any vulnerability, it suggests the minimum upgrades to do in order to move to another more secure version.
IT Cybersecurity Analyst at an educational organization with 11-50 employees
We use it to scan our biggest applications, our bread and butter. We've got a lot of developers using it in our organization, and we've got quite a few applications using it as well.
We use the Static Analysis, Dynamic Analysis, and SCA, the software composition analysis.
We're required to make sure we have no high or very high security issues in our code. Veracode is a code reviewer to prevent hacking and other bad things from happening.
We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.
I have used this solution in multiple projects for vulnerability testing and finding security leaks within the code.
We used it for performing security checks. We have many Java applications and Android applications. Essentially it was used for checking the security validations for compliance purposes.
Veracode is a cornerstone of our Development Security Operations Program, particularly scanning automation and remediation tracking.
We've been able to monitor the release cycle and verify our Security Standards are met by setting policy and ensuring scans are taking place. If a scan fails to meet our standard the build breaks and the flaws are remediated before releasing to Stage and ultimately Production - where the potential impact is much more costly.
We have discovered opportunities to make our code even better thanks to Veracode!
Founder & CEO at a healthcare company with 1-10 employees
We use this solution for Digital Health.
Managing Principal Consultant at a tech vendor with 11-50 employees
Our primary use case for this solution is application security.
This was intended to scan all of our custom development efforts to ensure a certain level of (secure) code quality. Right now the scope of that effort is limited to web-exposed systems, but with maturity, we hope to increase that scope.
Our primary use cases are for comprehensive security assessment using static analysis, dynamic analysis, source code composition, and manual penetration tests. We also use it for security training for developers.