Thorough scanning engine and flexible reporting tools, so-so CI/CD and alerting
Updated March 08, 2024
Score 7 out of 10
Vetted Review
Verified User
Modules Used
- Static Analysis (SAST)
- Software Composition Analysis (SCA)
Overall Satisfaction with Veracode
We use Veracode for all the software we build in-house. Being in the financial services industry there's a lot of regulation and emphasis on security, and we've made Veracode a mandatory part of our production deployment process to satisfy some of those requirements. The reports Veracode generates are used by both management and development teams.
Pros
- PDF & web reports are very well laid out.
- Custom dashboards are very flexible/powerful.
- Flaw remediation suggestions are specific and helpful for most flaws & languages.
- Documentation is clear and detailed.
- Veracode support is excellent.
Cons
- Scan times can be long.
- Atlassian / Bamboo CI/CD integration isn't the best.
- No alerting functionality when new flaws are found.
- No auto-rescan functionality.
- The web interface is slow.
- Several legitimate security vulnerabilities in my team's legacy software were caught and addressed.
- Change management is made more auditable by quickly attaching scan reports to change tickets.
- Developers are more security-minded in general when they remember their code is going to be scanned.
SonarQube is faster and can be free, but the security scanning capabilities are a joke compared to Veracode.
Unlike SonarQube, Veracode goes deeper into finding a very wide variety of vulnerabilities and best practices that should be applied to software and provides reporting and support to assist in the process.
Do you think Veracode delivers good value for the price?
Not sure
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Veracode go as expected?
Yes
Would you buy Veracode again?
Yes
Using Veracode
300 - Veracode at our organization is utilized by a few hundred people, most involved in the software development lifecycle (SDLC). They span primarily software development, DevOps, application security, and change management teams.
10 - Internally our application security and tools teams provide support to other teams that adopt Veracode.
On the tools team they only need to know the basics about Veracode - how to create and configure new applications, sandboxes, user access. They provide standardization of configuration/operation of the tool.
Our application security team has the most knowledge. They set standards for how teams should be using the tool: when teams should run scans, policies for remediating flaws, reviewing proposed mitigations, telling teams how to patch flaws, and ensuring applications are properly scanned. They have deep software security knowledge and evaluate the effectiveness of our Veracode adoption.
- Flaw detection via static analysis
- Dashboards for aggregation of flaws
- Flaw policies for tracking compliance
- Automatic Jira flaw ticket creation via custom tooling utilizing Veracode APIs
- Third party component analysis
- Dynamic analysis/scanning