Veracode

It is used across the organization. We are using it for static analysis of our code. We have selected the policy that requires our release code to minimize the level of security faults. Beside static analysis we use Software Composition Analysis and we found it very helpful in rectifying vulnerabilities from third-party libraries.

• Thorough scan of our code.
• Integration with our release process.
• Accurate info about vulnerabilities in third-party libraries

• At the moment due to very slow speed to the scan, we can not fully integrate it in our development process.
• However, we are using it for our release process.
• The analysis that Veracode software provides gives us and our client confidence that we are producing the secure code.

GitHub

Microsoft Office 2016 (discontinued), Microsoft Visual Studio, IntelliJ IDEA, Notepad++, Microsoft 365, Atlassian Jira

We use it a a SAST and SCA tool for all the developments in our organization. All our developers analyze the code they write using the IDE plugin and Veracode Fix to help make the software more secure.

• No critical or high vulnerabilities get to production
• Complex onboarding on teams that don't work following enterprise guidelines or that doesn't have experts devs
• Once the devs have it working and integrated to the IDE it is easy to use for them

Sonatype Platform, GitLab and Fortify by OpenText

Appdome, OneTrust Third-Party Management, HackEDU

I have been using Veracode for nearly 2 years, we are using its SAST and DAST features. Previously there was no source code validation in our software development life cycle. We used this tool to shift the security to left, and tried to make the process as automate as possible. The best use case of this tool is that it can be fit anywhere with flexible plugins at different stages of SDLC. Even the support is very good and co-operative.

• I am a senior security engineer, I could not give you the numbers, but I can see the difference before Veracode and after Veracode into the business.

SonarQube, Qualys VMDR and JFrog Security (Xray)

SonarQube, Qualys VMDR, JFrog Security (Xray)

We use Veracode as part of our SDLC, to provide for our SAST, DAST and SCA

• It makes our software offering safer
• It educates developers
• It saves time to have everything in 1 tool

Microsoft Defender for Cloud

We use Veracode to perform Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans against our code, repositories, and CI/CD pipelines for code deployments. We also utilized the IDE integration for software engineers to identify code issues earlier in the development lifecycle.

One of the areas Veracode excels in is their reporting. Our application development releases required a Veracode report to be included showing now high/critical findings.

• High effectiveness in detecting insecure code
• Streamlined release cycle by building security controls into deployments
• Highly customizable reporting simplifying reporting to stakeholders.

Snyk and SonarQube Cloud

Cloudflare, Zscaler Internet Access, Zscaler Private Access, PortSwigger Burp Suite, KnowBe4 Security Awareness Training, Infosec IQ, incident.io