We use it for security scanning of SaaS and mobile software that we develop: one server-side and two mobile applications. Static application security testing is the primary use case.
There were different web applications which were scanned using this tool. I use Veracode to run scans on them. I also use it to make deployments in three-tier environments: the application server tier, the web server tier and the database tier.
We are planning on introducing a static code analysis tool to support a DevOps effort in our environment. The objective of the solution is to allow the team to identify vulnerabilities in the source code and improve the hygiene of the developed code before deployment. We have not yet integrated it into our software development lifecycle as it doesn't have the feature that enables us to integrate it with our repository.
The application, which my institution partially owns, was analyzed right after the code had been compiled. This seldom happens in academic software. It does software composition analysis, discovering open source software weaknesses. We test each major release of our software using Veracode static and dynamic testing.
We also do manual penetration testing annually. It provides static code analysis of customers' applications from all industries. It covers any type of code and scripts, but mostly Java. We use it to assess or do security inspections of the software that we produce or assemble.
We have a very large portfolio of software across our enterprise. The Veracode system is a platform that scales with the dynamics of our organization. We have people in many locations, in the US and abroad.
The fact that the Veracode platform is essentially cloud-based makes it scalable. We use it to certify that we have valid code, and that the developers are working with valid structures and writing good code.
The primary use is as a static analysis tool. But we also use Greenlight and dynamic, and we're currently having a manual penetration test. At this moment, I am reviewing the solution.

I'm an automation practice leader and we are customers of Veracode.

You can review security findings in Visual Studio. We have assessed 14 trillion lines of code in 25 languages and frameworks, and we get better with every assessment due to our rapid update cycles and continuous improvement processes.
Align your AppSec practices with your development practices: Do you have a large or distributed development team? Are you drowning in revision control branches?
You can use Veracode Static for Visual Studio with the Veracode Developer Sandbox, which supports multiple development branches, feature teams and other parallel development practices. Don't just find vulnerabilities, fix them: Veracode gives you remediation guidance with each finding, as well as the data path that an attacker would use to reach the weak point in the application.
Veracode also highlights the most common sources of vulnerabilities to help prioritize remediation.

However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found that, by mistake, some developers have used copyleft licenses, which are a bit risky to use.
We immediately replace these with more permissive open-source licenses, so we are safe in the end. We get quick results on what has gone into the environment in terms of any vulnerability in the code, and also through Veracode's Eclipse plugins.
This is one of the more valuable features because a developer can get a sense at the line level if there are any issues. It is pretty efficient when creating secure software. For one or two particular applications, the dynamic code analysis can take too much time.
Sometimes, it takes three days or more. That is where we find the speed dragging. Apart from that, it is pretty efficient for us to get results and make our software secure. If the dynamic scan were improved, then the speed might go up.
That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us. If they need to scale back-end infrastructure to make the scan faster, then they should do it.
Apart from that, there are no issues to mention. One person can just start a scan. In our case, the DevOps team does it. They configure it once, then do it. However, the cycle takes time, depending on the codebase size, to look at an issue, identify if there are true positives, and then work on it.
It is almost one person's full-time job. I have a team of around six security professionals who work on Veracode and use the tool. Two of them are team leads, two of them are senior developers, one is a DevOps engineer, and another one is a junior developer. We normally create a ticket for Veracode support, and they respond within 24 hours. Our experience with them is generally very positive.
Normally, the report that we get is self-explanatory, but sometimes there are false positives or some issues that we don't understand. For those, we schedule a consultation call, where they then come on a call and provide guidance on how to fix them. That is pretty cool. Before Veracode, we had a manual process where we hired white hat hackers. They used to do all the scanning, then submit a report.
That process was pretty lengthy. It sometimes could go on for three to six months. Nowadays, for static code scanning, we are doing it on a regular basis. Since there are not many issues reported, we can fix them on the fly. For dynamic code analysis, it still takes a week's time because the scanning itself sometimes takes three days.
Then, once the scanning is done, we check if there is an issue, fix it, and then start the scan. That is a week-long process, but the rest is pretty under control.
At the time that we set it up, it was quite complex. Now, they have made it pretty simple to use, with a brief process. However, we felt the process was quite complicated when we did it.
For example, when we initiated the static scan for the JavaScript, we needed a lot of instrumentation. That specific instrumentation needed to be done at the JavaScript layer. Now, they can accept the bundle as it is and still identify the issue at the line-number level.
So, that is an enhancement. They have done some improvements on the triage screen where you can look at all the issues. You can perform various actions over there, like mitigations or adding comments. They have simplified that interface a bit and made it a little faster.
Earlier, the check-in and check-out operations used to take quite a lot of time. However, now it is quite fast. If we had to redeploy it from scratch, it would take around 30 minutes. Veracode has definitely helped us close deals, with the software being compliant with our customers' various standards. Before we had Veracode, customers might have demanded some scan compliance reports, which we didn't have. Because of that, we might have lost some customers during the pre-sales cycle.
That cost is huge compared to what we are paying for Veracode. If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount. We also used Contrast Security for real-time scanning on an experimental basis. If that is successful, we will probably roll that out. Contrast Security is very focused on run time scanning. Veracode also has some kind of module for this that we have not explored.
However, the Contrast Security tool was suggested to us by one of our customers. We have not compared Veracode and Contrast Security yet. The other tool which we use is Burp Suite for performing some manual verification.
This is for what Veracode is not able to do. Our customers are also reporting some vulnerabilities because they have their own scans. To verify those types of issues, we use Burp Suite. Burp Suite is pretty handy when you want to quickly do some penetration testing and verify some vulnerabilities. It is definitely a unique tool, and I don't think there is this kind of module with Veracode.
I'm pretty confident about Veracode's ability to prevent vulnerable code from going into production when I'm using it. This way, every build is certified. Then, if there is an issue, you will know about it earlier in the development cycle, not later. Because as the time passes, it becomes more difficult to fix that issue.
With Veracode's support for cloud-native applications, there are some components of our application which are cloud-native, that we treat in the same way as regular software, e.g. We don't have a model where we can do real-time scanning. This is something which is currently in talks for maintaining the security of the distributed application.
Hopefully, that should get implemented in about two months' time. The reports that they share have been pretty informative, but someone has to go through them and read them quickly.
In the early days, they might have offered some kind of training plan, but we did not opt for that. While there are false positives, there aren't many, around 10 percent. We normally farm these out to the Veracode team, who act accordingly. I would rate this solution as an eight out of ten. I took off points due to the extra time that it takes to do the dynamic scan.
We use both the static and the dynamic scanning. What we do is run the code through the scanner once we make any modifications. And periodically, we also run the dynamic scan to connect several applications.
We use Veracode to check for specific vulnerabilities such as cross-site scripting. When we are checking for those vulnerabilities, we take a portion of code that is going to be generated and we run the scanner. We work a lot with open source. Using the Static Analysis, the Dynamic Analysis, and the scan module, we can control everything we do via Veracode. Moreover, because all our applications are security applications, keeping a high security standard is really important.
The visibility into application status across all testing types in a single dashboard is helpful because, even if you are running different types of scans, you have everything in one place. You have a single dashboard to control all the applications, and that is good. Overall, we've never had any problem with vulnerable code going into production. It's quite a solid tool. We have a really good feeling about this solution. The most valuable feature is actually the support provided by Veracode. Once you start to use the platform, you can mount the IDE plugin for your script.
The advantage is that you can run the scan and check what the problem is and you can fix it yourself. Support could be used to address something that could go beyond your skills. If you use Veracode Greenlight, you have a small pop-up that you can use to interact directly with the team and you can ask a consultant to advise how an issue can be fixed.
One of the good things about the Greenlight plugin is that it is very simple. There are several guides that tell you how to install it. It's a matter of one or two minutes and you are ready to go.
Once you check something, they provide links, not manually, it's all automated. When you want to check into a vulnerability you click and open the website where there is a description. If this is not enough of an answer, you can ask directly by scheduling an appointment with a Veracode guy. Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced.
They don't teach you how to develop in Java, Python, PHP or C , but they instruct you about the best practices that should be adopted for secure code developing and how to prevent improper management of some component of the code that could lead to a vulnerability.
The e-learning that Veracode provides is an extremely good tool. And as far as I know, there are no other competitors that offer it. The best stuff is the training: this enables your team to adopt the same programming approach, although these people have a different background or joined the projects in a different phase. Doing that, they can take the training and be aligned so that they all write code in a good way. We also use the Static Analysis Pipeline Scan and it's quite good.
They provide several of the most common templates for pipelines. You see the process, while you program, right up until you package an application, and the platform is able to detect things that are a blocking point. Before deploying to production, you already know what it is doing. And the speed of the Pipeline Scan is quite good.
Another good feature is the policy reporting for ensuring compliance with industry standards and regulations. We test compliance for medical devices, for GDPR, and for payment methods. These are all good.
If you are not correctly prepared on one of these sets of regulations, you know that Veracode is going to take care of it using pre-prepared templates. But we can also customize our own policy if we are facing a unique use case. Even if it's not really common, we can take a regulation and build it the way we want it to look. In addition, you can check everything from the dashboard.
Veracode provides a web portal that is connected with your account and through that you can check the status of all the deployments that were run. And suppose you also have an application that is quite complex. You can deploy and upload it through the portal. When it is ready, you receive a notification from the portal that the job has been done and that you can check the results.
There is a really simple graphic with the colors showing how many vulnerabilities have been found and how much these vulnerabilities are repeated in your code. It also tells you the potential effect, if it is a backdoor data breach, for example, etc. It also suggests what you can do to remediate. It might suggest modifying code or changing the status of some part of the development, or updating a third-party.
And if you have people on different projects, there is also a role management feature, so you can select, for example, that people who are working on a given project can only see that project. If you are running something with different levels of classifications, for example, if you have an external consultant, it does not affect the confidentiality of the system. When people are collaborating, not all people are at the same level of an NDA.
It is good that each person can see only their part, implementing need-to-know. We haven't perceived any issue when it comes to scalability. But it's true that if you have more tenants, the response of the scanners is going to get released quicker. I would rate Veracode's technical support at nine out of ten. They would probably deserve a 10, but it is not as quick as it should be. They need to increase the support workforce. The support people are well-prepared, but it can sometimes take one or two days to get the right guy to do support.
The previous solution that we were working with was mainly focused on the quality of the coding. We are happy with Veracode because it's focused on security. The initial setup is very simple. The Veracode guy who accompanied us made it appear really straightforward.
It's a SaaS solution, so once it's prepared on the Veracode side, deploying onsite may take up to a couple of hours to get everything prepared, mainly due to the configuration, for a simple implementation. Overall, setting up the product is quite straightforward. In terms of managing the code, it's quite simple for us because we are all technical guys. Once we saw it working, it was really easy to manage. We have three people who use the solution and they are all developers. We could save some money having an on-premise solution, but the fact that this is SaaS means we can be sure that it's updated.
It's outsourced. In terms of cost, I don't see a big advantage, but in terms of operations there is because we don't have to take care of it. We know that if, somewhere else in the world, somebody detects a vulnerability, a few minutes later we will already have a patch.
This is extremely important for us. Nobody in our company has to touch anything to get this. If we had to designate one or two people to take care of maintenance of an application, at some moment one of them might not be updating things.
With Veracode, we know that we don't have to worry. We just have to focus on our development. We don't consider maintenance at all because it's all managed.
We looked at other vendors but we selected Veracode because it had a top rating in industry reviews. For us, that was like a warranty. We were skeptical about running scans with a cloud-based solution, but then we saw the benefits. Everything is up to date without us having to lift a finger. We know we don't have to take care of maintenance.
Also, if you work in the domain of medical devices, payment methods, or other things that are related to privacy, Veracode provides all these modules.
This is a big advantage. Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly.
False positives are not a main problem. The platform does try to overprotect but, of course, a system like this can only understand the syntax and not the semantics. So it's overprotective when there is a doubt. Sometimes, we ignore some of the advice received.
Our primary use case is providing reporting from Veracode to our developers. We are still early on in the process of integrating Veracode into our life cycle, so we haven't consumed all features available to us yet. But we are betting on utilizing the API integration functionality in the long-term. That will allow us to automate the areas that security is responsible for, including invoking the scanning and providing the output to our developers so that they can correct any findings.
The goal is to bridge that with automation to provide something closer to real-time feedback to the developers and our DevOps engineering team. We are also looking for it to save us productivity time across the board, including security. The product is being used to replace another solution and we recognize in our early implementation that Veracode DAST is identifying more vulnerabilities in application code than our previous solution did. Also, at this juncture, I have received no feedback of false positives from our development team.
It seems to be fairly good in that regard and probably has minimal false positives. We haven't gotten feedback one way or another from developers about how the false positive rate affects their confidence in the solution, but if there were significant false positives, or even one in our environment, we would certainly be engaged with the vendor to discuss it. But that has not been the case so far. Overall, I think that if it's implemented correctly for the business, Veracode is highly effective in preventing vulnerable code from going into production.
The visibility into application status helps reduce risk exposure for our software. Today, any findings provided by the DAST are reviewed by the developers and we have internal processes in place to correct those findings before there can be a release. So it absolutely does prevent us from releasing weak code.
Because we're so early in our implementation, we have had minimal feedback in terms of room for improvement. We have seen some minor things within the interface itself that we would love to see some improvements on. One of those is scheduling, which can be a little difficult.
For instance, if you set up recurring scheduled scans and a developer comes in and says, "Hey, I have this critical release that happened outside of our normal release patterns and they want you to scan it," we actually have to change our schedule configuration and that means we lose the recurring scheduling settings we had. We have to change that over to a one-time scan.
It would be lovely if we could run ad hoc scans without changing our recurring schedule. That can be a little painful because it happens a lot, unfortunately. I think that will change, so I don't want to knock them completely. It appears to be very efficient when it comes to scalability. We're a smaller shop, so I may have a different interpretation of what scalability is.
We're under licenses at this point, but so far we have had success. There are some great, positive things about Veracode and the relationship they try to form with the clients. Regarding tech support, I've mostly had positive engagements, especially because they have one engineer who is, frankly, a rock star.
I cross my fingers that I get him every single time because he's very thorough, he's educational, and he is quick. For the most part, it has been positive, especially when I do get assigned that particular engineer.
I had a little frustration in the early days because they didn't quite understand the situation, but that was the only time I had a negative engagement with Veracode on support. Our previous solution was difficult to configure. Setting up the login process was very difficult, as it was tied to your browser and there were a lot of hoops you had to jump through. The reporting was also hard to follow sometimes and didn't provide a good view into previous findings versus new findings.
That made things difficult too. Once we did the evaluation of our old solution against Veracode, it was very clear that it was finding fewer vulnerabilities, which lowered our confidence level in that tool. The major component is being granted access to the tool. They then engage a customer success manager to help you understand and give you an overview of the interface itself and to walk you through some example setups.
We were able to work with the CSM to configure a couple of our production scans. He did some hand-holding for us through the process until we felt that we understood it enough and had repeated it enough to do it on our own.
He also provided detailed reviews of reporting, et cetera. Deployment took less than an hour, although we have a small environment today. It would, obviously, take much more time with a larger organization.
Because we were migrating from one solution to another, it was an easy migration path. We just needed to collect the information from the previous solution and replicate that within Veracode.
One thing that can be difficult—and it was in our previous solution—is creating the login component for the scans. The learning about how to create that was a little daunting at first, because you have to create what they coin a "login script," but it is really just a recording of a login.
Once you get it down, creating those "login scripts" takes less than a minute. One of the struggles we have had with that recording process is that we have had to redo it more often than not if our developer has changed, even in some minor way, the way they collect information for the login. That does affect the script. That can be a little frustrating at times, but unfortunately, it is a known behavior apparently.
It's just the nature of the beast if you do make any modifications to login. As for admin of the solution, we have one person involved and it probably takes a quarter of their time or less. There is no maintenance since we have the SaaS product, other than ensuring that the scans that we have set up are still scanning successfully and that we don't have any failures.
Veracode has not reduced the cost of AppSec in our organization yet, but that's only because we are very early in the implementation. My advice would be to understand how you want Veracode to function within your environment from a workflow perspective. That way, you can potentially start taking advantage of a lot of the functionality it offers out of the gate, which is something we are not doing yet. We're on a delay until That is really important. Also, in introducing the product to those who will be receiving the output, the findings reports, it would be great to include them in some conversation and collaboration on the move down that Veracode path or, frankly, any path that leads to scanning applications.
Veracode provides guidance for fixing vulnerabilities, although we haven't actually had to utilize that. But as a part of our licensing model, they provide us a certain number of opportunities to engage with someone for consultation. We are not focusing on using the solution to enhance developer security training right now, although it is a part of our roadmap. We are banking on being able to utilize that aspect of Veracode because we are an Agile environment and we want developers to be able to engage that training.
Also, when there are findings, we want our developers to get that assistance in real-time. That is a part of our strategy. We have started out with a much more narrow policy for ourselves because we are just learning about how the tool works and how it functions. But we did evaluate some of Veracode's policies, out of curiosity, and they seem to be very aligned and very helpful. However, I would not be able to speak to whether they are on the money for utilization against compliance frameworks.
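The second reviewer above describes the Pipeline Scan stopping a build on "blocking" findings, and the third describes wanting a view of previous versus new findings and of mitigated ones. The script below is an added example of that gating logic, written for this page; it is not Veracode's code or output format and not the reviewers' code. The findings document it reads is a constructed, simplified JSON schema (a list of objects with cwe, severity, file, procedure, line and an optional mitigated flag); a real scanner's output will differ, so load_findings() is the part to adapt. The policy it implements: a build fails only on findings that are new relative to a baseline, not flagged as mitigated, and at or above a severity threshold.

```python
"""Gate a CI build on static-analysis findings: fail only on new,
unmitigated findings at or above a severity threshold.

Added example, not code from Veracode or from the reviewers quoted above.
The findings format is a constructed, simplified schema; adapt
load_findings() to whatever your scanner actually emits.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Severity ordering; "fail_on" picks the lowest level that blocks a build.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass(frozen=True)
class Finding:
    cwe: int
    severity: str
    file: str
    procedure: str
    line: int
    mitigated: bool = False  # an accepted/mitigated finding never blocks

    def key(self) -> tuple[int, str, str]:
        # Baseline identity: weakness + file + enclosing procedure. The line
        # number is left out on purpose so that unrelated edits above a known
        # finding do not make it look new. (Assumption: good enough for this
        # constructed schema; a real scanner may supply its own stable id.)
        return (self.cwe, self.file, self.procedure)


@dataclass
class GateResult:
    blocking: list[Finding]         # new, unmitigated, at/above threshold -> fail
    known: list[Finding]            # already in the baseline; reported, not blocking
    mitigated: list[Finding]        # flagged as mitigated in the current scan
    below_threshold: list[Finding]  # new but below the fail_on severity

    @property
    def passed(self) -> bool:
        return not self.blocking

    @property
    def exit_code(self) -> int:
        return 0 if self.passed else 1


def load_findings(raw_json: str) -> list[Finding]:
    findings = []
    for item in json.loads(raw_json):
        if item["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {item['severity']!r} in finding")
        findings.append(Finding(
            cwe=int(item["cwe"]), severity=item["severity"], file=item["file"],
            procedure=item["procedure"], line=int(item["line"]),
            mitigated=bool(item.get("mitigated", False)),
        ))
    return findings


def evaluate(current: list[Finding], baseline: list[Finding],
             fail_on: str = "High") -> GateResult:
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown fail_on severity {fail_on!r}")
    threshold = SEVERITY_RANK[fail_on]
    baseline_keys = {f.key() for f in baseline}
    result = GateResult([], [], [], [])
    for f in current:
        if f.mitigated:
            result.mitigated.append(f)
        elif f.key() in baseline_keys:
            result.known.append(f)
        elif SEVERITY_RANK[f.severity] >= threshold:
            result.blocking.append(f)
        else:
            result.below_threshold.append(f)
    return result


def gate(current_json: str, baseline_json: str, fail_on: str = "High") -> GateResult:
    return evaluate(load_findings(current_json), load_findings(baseline_json), fail_on)


# Constructed sample scan output (not real scanner data).
CURRENT_SCAN_JSON = json.dumps([
    {"cwe": 79, "severity": "High", "file": "web/profile.js", "procedure": "renderBio", "line": 42},
    {"cwe": 89, "severity": "Very High", "file": "api/orders.py", "procedure": "find_order", "line": 118},
    {"cwe": 798, "severity": "Medium", "file": "tools/seed.py", "procedure": "main", "line": 7},
    {"cwe": 22, "severity": "High", "file": "api/files.py", "procedure": "download", "line": 55,
     "mitigated": True},
])

# Constructed baseline from the previous release: the SQL injection was already
# known and ticketed (at a different line), so it must not block this build again.
BASELINE_JSON = json.dumps([
    {"cwe": 89, "severity": "Very High", "file": "api/orders.py", "procedure": "find_order", "line": 101},
])


if __name__ == "__main__":
    res = gate(CURRENT_SCAN_JSON, BASELINE_JSON, fail_on="High")
    for f in res.blocking:
        print(f"BLOCK  CWE-{f.cwe} {f.severity:9} {f.file}:{f.line} ({f.procedure})")
    for f in res.known:
        print(f"KNOWN  CWE-{f.cwe} {f.severity:9} {f.file}:{f.line} (in baseline)")
    for f in res.mitigated:
        print(f"MITIG  CWE-{f.cwe} {f.severity:9} {f.file}:{f.line}")
    raise SystemExit(res.exit_code)
```

Run stand-alone, it blocks on the new cross-site scripting finding, reports the baselined SQL injection as known, and exits non-zero. Two design points worth keeping when adapting it: mitigated findings are excluded from blocking but still surfaced, so a mitigation does not silently hide a weakness; and the baseline file should be regenerated from a release that actually passed review, otherwise "known" becomes a way to launder findings past the gate.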
Some of the features on the roadmap for Veracode Dynamic Analysis include: forms-based authentication, recurring scan scheduling, automated pause and resume, a dynamic vulnerability view, and automation using dynamic APIs.