Veracode SAST review
Overall Satisfaction with Veracode
We replaced our old tools with Veracode 1 year ago, to reinforce our security posture and help us prevent vulnerable code from being added to our products. Each pull request must be analyzed and meet our security policy before it can be merged. We also have to maintain 5 versions and assess the conformity of each of these versions with our policy.
Pros
- Low false positive rate by taking into account context and input sanitization
- List and details of mitigation proposals
- Clear reports and the ability to create your own dashboards
Cons
- Some popular dependency managers are not currently supported (e.g. conan, pnpm)
- Analysis of compiled languages requires specific preparation before compilation
- No new vulnerabilities in recent code
- Far fewer false positives to investigate
- Prioritization of dependencies to be updated is justified and faster
- A lot of preparation and integration work on the pipeline side
The results are good, but we still need to think about it.
Our product has undergone successive enhancements that have left their mark.
The reporting and analysis functions of a solution are very important to us.
We use the many metrics available in Veracode to help us show the progress we've made and the progress still to be made.
We also collect other metrics, for example, every Quality gate failure is also tracked and reported as an incident metric.
We have integrated Veracode into all our pipelines.
Each time a commit is pushed to a pull request, an analysis is triggered and returns the quality gate status, as well as a comment detailing the findings (pipeline scans).
When a PR is merged on a stable branch, a new compliance analysis is triggered.
This time, the results are available in the interface (sandbox / policy scans).
We do not require developers to use scans in the code editor, but the solution is available in VSC, for example (Greenlight scans).
Our security development process hasn't changed much.
It's the results that have changed, and the distribution of the workload among the tech leads.
Tech leads have more time, because the analysis is shared between team members.
This also helps discussion and knowledge sharing on specific parts of the code and on best practices.
Regarding the results, they are more relevant and there are fewer false positives than with other solutions we've tested.
Why did you select Veracode?
Stack coverage.
Integration into our pipeline and ticketing tools.
Good "false positive" rate.
SSO integration and ability to add antinomic.
Competitive pricing, considering the number of our contributors and components.
Do you think Veracode delivers good value for the price?
Yes
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
Yes
Did implementation of Veracode go as expected?
No
Would you buy Veracode again?
Yes
Evaluating Veracode and Competitors
Yes - We replaced SonarQube with Veracode.
Too many false positives were reported, and some methods introducing flaws were not reported at all.
- Other
Enhancing our security analysis posture was the most important criterion for us.
Veracode is the best choice within the given budget.