2020-02-09T08:17:05Z

What advice do you have for others considering Veracode Software Composition Analysis?

If you were talking to someone whose organization is considering Veracode Software Composition Analysis, what would you say?

How would you rate it and why? Any other tips or advice?

Asked by: ITCS user (Guest). 88 answers.

Top 5 Leaderboard, Real User

I can be confident about more of our applications in production. We can be more confident against many kinds of external threats. The lesson learnt is about being proactive, which is a good thing in security. Veracode integrates with our developer tool 95 percent of the time. It is supported very well because developers get to know why the security features are really important in any organization or application along with what they develop. They get to know the market standards of what the security threats are and how to fix them, making sure the coding or the applications are secure enough to move to production. However, with MuleSoft, it does not support most of the API parts. We use cloud-based applications and take support from the community. At the moment, we are only using SCA and Static Analysis, which we have been very satisfied with. However, we are not using their DAST or pen testing. In our organization, we concentrate on high-end and medium alerts, but we really don't bother much with false positives. I would rate this solution as a nine (out of 10).

2020-12-29T10:56:00Z
Top 5, Consultant

I don't think that Veracode has helped developers with security training, but it helps developers have a reality check on the code that they write and their open source libraries. That is the best value that developers can get from the product. Veracode products can be run as part of the development pipeline. That is also valuable. It integrates with tools like GitHub or Jenkins. At a high level, it does integrate with most of the pipeline tools. It would be a showstopper if the incorporation of security was not in the developer workflows. We are past a time when developers or software engineers run an SCA or DAST scan on the code, then hand it off to the development team. What works instead is to inject a security tool into the development pipeline, which is why it is absolutely paramount and important that tools like Veracode be a part of the build pipeline. We limited our use to SAST and SCA. We haven't used any of the penetration testing, especially the DAST solution that they have. For that, they are behind the curve, meaning that there are other products in the market that are being established. In my opinion, they don't have a viable product for DAST, because I believe they are not even testing APIs. So, it's not mature enough. We also have never used their pen testing because that is one of the services that we provide. At this point, Veracode is one of the best solutions available, though it's not perfect by any means, but you have to work with whatever you have. I will give the solution a seven (out of 10). When they integrate the SCA and SAST portions more tightly together, I could probably bump it up to an eight. Also, if they make improvements to the UI and the support, they can get a better rating. However, at this point, I would still pick Veracode for a company that doesn't have a million-dollar-plus budget.

2020-12-20T08:24:00Z
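The answer above argues that an SCA tool only earns its keep when it sits in the build pipeline and can stop a build, rather than producing a report someone hands to developers later. The script below is an added example of such a gate; it is not code from the reviewer, from Veracode, or from this page. It reads a scanner report, applies a severity threshold, honours a small risk-acceptance list, and exits non-zero so a CI job fails. The report schema (`findings`, `id`, `library`, `severity`, `fix_version`) and the sample findings are constructed for illustration and are not Veracode's real output format; a practitioner would swap in the parser for whatever their scanner actually emits.

```python
import json
import sys

# Severity ranks used by the gate. Anything at or above the configured
# threshold blocks the build; an unrecognised severity also blocks (fail closed),
# so a scanner schema change cannot silently turn the gate off.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output in a made-up, generic schema. It is NOT
# Veracode's real report format; library names and finding IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "FINDING-1", "library": "example-xml-parser", "version": "1.2.0",
         "severity": "high", "fix_version": "1.2.1"},
        {"id": "FINDING-2", "library": "example-logger", "version": "2.0.0",
         "severity": "low", "fix_version": None},
        {"id": "FINDING-3", "library": "example-http", "version": "0.9.3",
         "severity": "medium", "fix_version": "0.9.4"},
        {"id": "FINDING-4", "library": "example-crypto", "version": "3.1.0",
         "severity": "unknown", "fix_version": None},
    ]
})


def parse_findings(report_json):
    """Load the scanner's JSON and return its list of finding dicts."""
    report = json.loads(report_json)
    findings = report.get("findings", [])
    if not isinstance(findings, list):
        raise ValueError("report 'findings' must be a list")
    return findings


def gate(findings, threshold="high", accepted_ids=frozenset()):
    """Decide whether the build may proceed.

    Returns (passed, blocking), where blocking lists the IDs of findings that
    caused a failure. Findings whose ID is in accepted_ids are treated as
    risk-accepted and skipped. Findings with a severity the gate does not
    recognise are blocking rather than ignored.
    """
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold {threshold!r}")
    cutoff = SEVERITY_RANK[threshold]
    blocking = []
    for finding in findings:
        if finding.get("id") in accepted_ids:
            continue
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is None or rank >= cutoff:
            blocking.append(finding["id"])
    return (len(blocking) == 0, blocking)


def main(argv):
    """CI entry point: read a report file (or the built-in sample), exit 1 on failure."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    findings = parse_findings(report_json)
    passed, blocking = gate(findings, threshold="high")
    for finding in findings:
        mark = "BLOCK" if finding["id"] in blocking else "ok   "
        print(f"{mark} {finding['id']} {finding['library']} {finding['version']} "
              f"severity={finding['severity']} fix={finding.get('fix_version') or 'none'}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the last step of the build job (`python sca_gate.py report.json`); a non-zero exit fails the pipeline. The threshold mirrors the practice described in the first answer on this page of acting on high and medium alerts, and the accepted-IDs list is where a reviewed false positive belongs, so that suppression is visible in version control rather than hidden in a scanner setting.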
Top 5, Real User

Veracode has evolved to be a good partner, overall, in working through our learning needs and problem escalations. There are layers of training and consultation available, as well as recurring support engagements if the enterprise scanning needs warrant it.

2020-11-20T11:13:00Z
Top 10, Real User

In summary, I think that this is a good tool and I recommend it for helping with security in software development. I would rate this solution an eight out of ten.

2020-07-26T08:19:12Z
Top 5, Real User

We were part of the initiation when the company started. They introduced it and we began using the solution. We're just a customer. For those companies hoping to automate the solution, I would not recommend it. It's too difficult for those heavily dependent on automation. However, for those companies who want to use it manually, I can recommend the solution. In those cases, it's easy to use even if you won't build it as a part of your automation test tools or on any internet server. I'd rate them eight out of ten. I'd rate them higher, but they have bad automation and terrible documentation. Other than that, they are very good.

2020-03-16T06:56:15Z
Top 5, Real User

The advice that I would have for people who are new to the product would be to start with a proof of concept. This will help you to see how the product works with your process and people. The biggest lesson I have learned from using this solution is that it definitely increased my education on how to prevent application vulnerabilities earlier on and how not to repeat them. It also helped me as a manager to better understand how to guide and coach people. On a scale from one to ten, where one is the worst and ten is the best, I would rate this product probably as a seven, if I am going back in time. I thought that there was room for improvement, but at the same time, it did what we needed it to do. We got what we expected. So I thought it was good, but I also think there were some additional manual steps or work involved that we should not have needed to do. That is really why I do not rate it with a higher number.

2020-03-16T06:56:00Z
Top 5, Real User

I handle software composition analysis. Currently, I'm moving away from Veracode. I don't know which version of the solution I am using currently. It's not quite the most up-to-date version. If a company is looking for a long-term partner, and not just a transactional solution, I'd suggest a different company. I'd rate the solution eight out of ten.

2020-03-09T08:07:51Z
Top 10, Consultant

Overall, SourceClear is working fine for us and our main complaint is in regard to the high number of false positives. Nonetheless, I would recommend Checkmarx over SourceClear. I would rate this solution a six out of ten.

2020-02-09T08:17:05Z