If you were talking to someone whose organization is considering Veracode Software Composition Analysis, what would you say?
How would you rate it and why? Any other tips or advice?
We were part of the initiation when the company started. They introduced it and we began using the solution. We're just a customer. For those companies hoping to automate the solution, I would not recommend it. It's too difficult for those heavily dependent on automation. However, for those companies who want to use it manually, I can recommend the solution. In those cases, it's easy to use even if you won't build it as a part of your automation test tools or on any internet server. I'd rate them eight out of ten. I'd rate them higher, but they have bad automation and terrible documentation. Other than that, they are very good.
The advice that I would have for people who are new to the product would be to start with a proof of concept. This will help you to see how the product works with your process and people. The biggest lesson I have learned from using this solution is that it definitely increased my education on how to prevent application vulnerabilities earlier on and how not to repeat them. It also helped me as a manager to better understand how to guide and coach people. On a scale from one to ten, where one is the worst and ten is the best, I would rate this product probably as a seven, if I am going back in time. I thought that there was room for improvement, but at the same time, it did what we needed it to do. We got what we expected. So I thought it was good, but I also think there were some additional manual steps or work involved that we should not have needed to do. That is really why I do not rate it with a higher number.
I handle software composition analysis. Currently, I'm moving away from Veracode. I don't know which version of the solution I am using currently. It's not quite the most up-to-date version. If a company is looking for a long-term partner, and not just a transactional solution, I'd suggest a different company. I'd rate the solution eight out of ten.
Overall, SourceClear is working fine for us and our main complaint is in regard to the high number of false positives. Nonetheless, I would recommend Checkmarx over SourceClear. I would rate this solution a six out of ten.