Veracode Software Composition Analysis Valuable Features

Principal Consultant at a tech services company with 11-50 employees

SCA provides guidance for fixing vulnerabilities. It provides extensive guidance both for writing secure code and for pointing out vulnerable open source libraries that are being used.

From the time it takes for the solution to detect a vulnerability, both in the source code and the open source library, it is efficient. 

Within SCA, there is an extremely valuable feature called vulnerable methods. It is able to determine within a vulnerable library which methods are vulnerable. That is very valuable, because in the vast majority of cases where a library is vulnerable, none of the vulnerable methods are actually used by the code. So, if we want to prioritize the way open source libraries are updated when a library is found vulnerable, then we want to prioritize the libraries which have vulnerable methods used within the code. 

The Static Analysis Pipeline Scan is faster than the traditional scan that Veracode has. All Veracode products are fast. I have no complaints. On average, a piece of code for a customer takes 15 to 20 minutes to build versus the Static Analysis Pipeline Scan of Veracode that takes three or four minutes. So, that is 20 to 30 percent of the total time, which is fairly fast.

View full review »
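The "vulnerable methods" prioritization described in the review above, as an added illustration (not Veracode's implementation): a constructed advisory table names the vulnerable methods of three hypothetical libraries, and a small AST walk over constructed application code separates the libraries whose vulnerable methods are actually called from those that are merely imported.

```python
import ast

# Constructed "SCA database": library -> methods an advisory marks as vulnerable.
# Library and method names are hypothetical, not real advisories.
VULNERABLE_METHODS = {
    "yamltool": {"unsafe_load"},
    "imglib": {"parse_exif"},
    "netutil": {"fetch"},
}

# Constructed application source: imports all three libraries but only reaches
# a vulnerable method in one of them.
APP_SOURCE = '''
import yamltool
import imglib
from netutil import fetch_safe

def load_config(path):
    with open(path) as f:
        return yamltool.unsafe_load(f.read())

def thumbnail(data):
    return imglib.resize(data, 64)

def ping(url):
    return fetch_safe(url)
'''

def analyze(source):
    """Return (imported libraries, {(library, method)} called) for a module."""
    tree = ast.parse(source)
    aliases, imported = {}, set()      # local name -> (library, symbol or None)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = (a.name, None)
                imported.add(a.name)
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = (node.module, a.name)
                imported.add(node.module)
    calls = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in aliases:
            calls.add((aliases[f.value.id][0], f.attr))       # lib.method(...)
        elif isinstance(f, ast.Name) and f.id in aliases and aliases[f.id][1]:
            calls.add(aliases[f.id])                           # from lib import method
    return imported, calls

def prioritize(source, db=VULNERABLE_METHODS):
    """Vulnerable libraries whose vulnerable methods are reached (fix first) vs. not."""
    imported, calls = analyze(source)
    reached = {lib for lib, m in calls if m in db.get(lib, ())}
    unreached = {lib for lib in imported if lib in db} - reached
    return sorted(reached), sorted(unreached)
```

Only `yamltool` lands in the fix-first bucket; `imglib` and `netutil` are vulnerable libraries whose flagged methods the code never calls.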
Enterprise Architect, VP at a financial services firm with 501-1,000 employees

One of the best things about the solution is that I think it is kind of easy to get started using it. The pain of adoption is low. Once you have the code scanned, there is a lot of information that you have to plan time to go through and work with other teams to get things resolved or dispositioned.

I think that it was easy to get started, but there was also definitely a learning curve in terms of people needing to understand what the reports meant and what to do about the information that they were getting.  

View full review »
Nagaraj Sheshachalam
Lead Cyber Security Engineer at Ecolab Inc.

There have been a lot of benefits gained from Veracode. Compared to other tools, Veracode has good flexibility with an easy way to run a scan. We get in-depth details on how to fix things and go through the process. They provide good process documents, community, and consultation for any issues that occur during the use of Veracode.

SCA enables developers to write secure code from the start. During the development process, we run the scan. If any threats or vulnerabilities occur, we make sure to fix them, then rerun the scan. Then, we move to production. We have all the applications of our organization on Veracode using CI for our pipeline.

We use the Static Analysis Pipeline Scan, and it provides a good benefit for our developers. Previously, we didn't have any of these kinds of tools within the organization. We were using a code quality tool, but Veracode also gives us code quality. It also detects the vulnerabilities within the application, which makes sure the quality of the application is treated well. Therefore, I can give it a rating of four and a half out of five.

View full review »
Learn what your peers think about Veracode Software Composition Analysis. Get advice and tips from experienced pros sharing their opinions. Updated: April 2021.
502,499 professionals have used our research since 2012.
Senior Director, Quality Engineering at a tech services company with 1,001-5,000 employees

Multiple "Policy" profiles can be created to apply differently to different classifications of applications that include grace periods per severity. I find this a great way to manage team expectations and regulatory compliance on a per-scan and time-period cycle, leading to self-service compliance remediation.

The dependency graph visualization provides the ability to see nested dependencies within libraries for pinpointing vulnerabilities.

The Vulnerable Methods feature helps with sorting through those vulnerabilities that matter to my application codebase.

View full review »
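The per-classification policy profiles with grace periods per severity mentioned in the review above, as an added illustration (not Veracode's policy engine): constructed profiles and constructed findings, and a check that reports which findings have outlived their grace period and whether the scan passes.

```python
from datetime import date, timedelta

# Constructed policy profiles: for each application classification, the number
# of days a finding of a given severity may stay open before the scan fails.
POLICIES = {
    "internet-facing": {"critical": 0, "high": 7, "medium": 30, "low": 90},
    "internal": {"critical": 7, "high": 30, "medium": 90, "low": 180},
}

# Constructed findings from a scan, each with the date it was first reported.
FINDINGS = [
    {"id": "F1", "severity": "high", "first_seen": date(2021, 3, 20)},
    {"id": "F2", "severity": "medium", "first_seen": date(2021, 3, 20)},
    {"id": "F3", "severity": "critical", "first_seen": date(2021, 4, 1)},
]

def evaluate(app_class, findings, today, policies=POLICIES):
    """Return (passes, overdue); overdue lists (id, severity, days past deadline)."""
    grace = policies[app_class]
    overdue = []
    for f in findings:
        deadline = f["first_seen"] + timedelta(days=grace[f["severity"]])
        if today > deadline:
            overdue.append((f["id"], f["severity"], (today - deadline).days))
    return not overdue, overdue

def next_deadline(app_class, findings, policies=POLICIES):
    """Earliest date on which any still-open finding will breach its grace period."""
    grace = policies[app_class]
    return min(f["first_seen"] + timedelta(days=grace[f["severity"]]) for f in findings)
```

The same findings fail the internet-facing profile (the high finding is five days past its one-week grace) while passing the internal profile, which is the per-classification behaviour the review describes.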
Hemanth Jayakumar
Sr Director at a non-profit with 51-200 employees

The feature that was most valuable to us was the ability to point locally in a quorum.

View full review »
Enterprise Architect at a computer software company with 1-10 employees

The article scanning is excellent. 

The composition analysis and common CVEs attached to it are quite good.

The solution offers a lot of really great analysis. There's lots of good data support.

View full review »
Associate Consultant at a comms service provider with 201-500 employees

The most valuable feature is the efficiency of the tool in finding vulnerabilities.

View full review »
Senior Technical Architect at a tech services company with 51-200 employees

The most valuable feature is the dynamic application security testing.

View full review »