TrustRadius: an HG Insights company

Veracode Manufacturing Reviews & Insights

Score: 8.7 out of 10

213 Reviews and Ratings

Community insights

TrustRadius Insights for Veracode are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.

Pros

Customer Support Effectiveness: Users have consistently praised Veracode's customer support for being responsive, helpful, and quick to address their needs. This level of support has been instrumental in resolving issues efficiently and maintaining user satisfaction.

Ease of Use and Integration: Reviewers appreciate the platform's user-friendly interface, well-documented steps for administration, and seamless integration with code repositories, making it easy to navigate and work with. This simplicity contributes to a smoother workflow for users across different tasks.

Comprehensive Analysis and Suggestions: Many users highlight the static code analysis platform for providing in-depth information, valuable suggestions for flaw mitigation across various programming languages, and aiding developers in promptly resolving issues. The actionable insights offered by the platform significantly enhance the development process for organizations.

Veracode Reviews

6 Reviews
Manufacturing: Automotive 2, Pharmaceuticals 1, Consumer Goods 1, Medical Device 2

Veracode Is A Best Of Breed Code Analysis Tool

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

In my organization, Veracode is used to address application security issues during the application development life cycle throughout the organization. Developers use Veracode to address security coding flaws and application security engineers use it to address running applications' security issues. Veracode is a very good static, dynamic and software composition code analysis tool. It is easy to manage and supports most commonly used development languages. It integrates well with a number of code repository systems such as Azure DevOps and GitHub.

Pros

  • I like the support given by Veracode, they are very responsive and they help you get things done.
  • Veracode has well documented steps for administrating the platform and managing integrations for code scanning.
  • Veracode is easy to use and the integration with code repositories is seamless.

Cons

  • It would be good if Veracode could find a way to improve how long it takes to complete a scan job. The scan time is usually long compared to other tools in the market.
  • Veracode should find a way to give administrators the ability to add other administrators to the platform.
  • Veracode should invest in developing more reports that demonstrate trends of flaws vs remediations.

Likelihood to Recommend

Veracode is good at identifying flaws that do not adhere to the OWASP Top 10 security controls. Therefore, a junior developer could produce code and flaws will be caught. There is also the software composition analysis that provides a view into third-party dependencies. Veracode may not be suited in cases where you need to have your scan results in a short amount of time.
Vetted Review
Veracode
5 years of experience

A normal review of Veracode

Rating: 8 out of 10
Incentivized

Use Cases and Deployment Scope

We use the Veracode software platform to look for vulnerabilities in our code as well as in the third party libraries we were using. We are in the medical software industry, so the data we deal with is very sensitive in nature so we take security and privacy very seriously.

Pros

  • Very good customer support
  • Visual Studio Add Ons
  • Quick responses to questions

Cons

  • Microsoft ADO pipeline support for other scan features
  • Reports that can be generated outside of the website
  • Summary of multiple reports at the user level and not administrative level

Likelihood to Recommend

Having detailed reports generated by Veracode that highlight code vulnerabilities as well as security issues with third-party libraries are features that are important in our industry. It is well suited for providing software teams all of the outstanding issues that may exist so that time is saved in not having to do all of that research ourselves.
Vetted Review

A solid offering for the right company

Rating: 7 out of 10
Incentivized

Use Cases and Deployment Scope

Veracode is used at Cox Automotive as a Swiss Army knife of products. It can be used for most languages and use cases for reasonably trustworthy static analysis, SCA analysis, and dynamic analysis for external products. This, from a crawl, walk, run perspective, gives teams the ability to meet them where they are and get security a foot in the door for our products.

Pros

  • Static Scans
  • SCA Analysis
  • API Documentation

Cons

  • API random failures
  • Customization
  • Automation speed
  • Support
  • Workflow and Process improvements for support

Likelihood to Recommend

If you are a smaller company or run less than 500 apps with a very vertical ownership structure, Veracode can be a great tool. Its fairly consistent, fairly mature nature means that it's much less likely to break your existing integrations. Where they struggle is when you are a big enough org where you need to rely on automation and integration support. I have yet to have a single developer that didn't get off a project attempting to integrate with it that didn't look mentally defeated. Their language integrations are not maintained, forcing devs to the web interface, which doesn't always have what you need, meaning you might have to restart and go back to the XML interface rather than their REST interface because they never finished converting to the REST interface. Their API docs can at times be out of date, but on the whole, are mostly fine. Interfacing with support will also be unavoidable because of limitations around soft deletes and admins have left my team unable to manage the account more times than I am sure support appreciates having to fix.

Veracode Review

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

Developers scan application code for vulnerabilities. It helps to keep our apps safer from hacking.

Pros

  • scanning existing code
  • scanning code as developers work so errors aren't introduced at all

Cons

  • Developer Training - I found assigning training to be tricky and pulling useful reports very difficult
  • Veracode reports are robust - but to a point where I am overwhelmed by choices

Likelihood to Recommend

Any group developing code that will be externally facing. Any team of developers who need the training to stay current with security information in regards to their training - OWASP Top 10, etc.
Vetted Review
Veracode
1 year of experience

Thanksgiving review

Rating: 10 out of 10
Incentivized

Use Cases and Deployment Scope

We evangelize the use of Veracode to other departments who develop their software code, and additionally conduct walkthroughs and training. Business problems usually range from vehicle security-related development, analytical development, and digital transformation.

Pros

  • enhanced the code quality
  • code security is evangelized to be imbibed in the DNA of all application teams
  • usage of Veracode globally within NISSAN
  • web scanning using dynamic analysis

Cons

  • adding multiple users at the same time
  • navigation of analytics dashboard

Likelihood to Recommend

1) Code quality for new development.
2) Dynamic scanning of web applications.
3) Less appropriate when we have to scan the previous version of the code.

Veracode delivers great overall SCA value

Rating: 9 out of 10
Incentivized

Use Cases and Deployment Scope

Veracode (& SourceClear) has been used for Static Code Analysis & Software Composition Analysis for some of our products.

Pros

  • Software Composition Analysis - found 3rd-party vulnerability issues quickly on each scan
  • Static Code Analysis - found specific security issues that detect hidden backdoors and malicious code
  • Static Code Analysis works very well for node.js scan.

Cons

  • Embedded C++ scan doesn't support ARM platform.
  • Enable automatic import for SourceClear found issues for each scan into JIRA (Cloud).

Likelihood to Recommend

Veracode is best suited for node.js static code analysis & software composition analysis. It is less appropriate for ARM platform C++ SCA scan (not working).
Vetted Review
Veracode
2 years of experience
