Elevating Security Through Automation and Integration
August 30, 2023

Elevating Security Through Automation and Integration

Anonymous | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Dynamic Analysis (DAST)

Overall Satisfaction with Veracode

We use Veraocode for Static and Dynamic scans and Software Composition Analysis (SCA) across multiple products. The Jenkins automation is a lifesaver for Static scans and SCA since it gets us out of the business of uploading builds manually. We're also utilizing the Jira integration to manage vulnerabilities, from creating new tickets to resolving and closing them when a vulnerability is no longer present. Dynamic scanning can take some tweaking to get running smoothly, however, once things are dialed in, it's another scan that can be scheduled to run automatically. Arguably the most powerful tool, Software Composition Analysis, runs along with our Static scans and gives us insight into vulnerabilities in third-party libraries, newer versions available where a vulnerability is resolved, as well as their licenses.

In all, Veracode is a critical tool that helps us remain compliant with our various annual third-party audits.

Pros

  • Automation
  • Software Composition Analysis
  • Integrations

Cons

  • More insight into errors that may be causing an issue when configuring an integration, e.g. Veracode's Jira integration.
  • Static Analysis can sometime get 'stuck' when using the Jenkins integration. Days, sometimes weeks can go by before we notice. Have to delete the 'stuck' scan and re-upload.
  • Manual Pen Test account management/reminders. I would expect the vendor to reach out and schedule the pen test annually, maybe send a notification/reminder when the date starts getting close, things like that. From my experience it was on me to initiate our MPT.
  • Reduces risk
  • Helps us remain complaint
  • Reduce security debt
Overall, Veracode support is helpful, community support is great, and documentation is available for self-service. Our Customer Success Manager is very helpful and reaches out regularly to see if we need assistance. We have not utilized many of the other resources offered by Veracode, however, in the future we would like to leverage secure coding training for our Development teams.
We run Veracode scans against our latest code base, in some cases with every build, in others at least quarterly. It's safe to say we use Veracode across our entire application development process. We're working to automate more of our products to upload builds for scanning on a more consistent and frequent basis.
We are made aware of vulnerabilities in our products as soon as they are detected, and are able to resolve them much quicker than we were previously. Veracode also notifies you if/when the severity of a vulnerability has changed from the initial finding so we can raise priority accordingly.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

Yes

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

Veracode is well suited for small software companies, as well as organizations supporting multiple products. A well-defined and orchestrated build process will be a huge help when setting up a build upload integration with Veracode. Once scans are running smoothly, and assuming you have an integration with your ticketing system, you will rarely have to sign into Veracode's interface.

Comments

More Reviews of Veracode