Detailed Analysis: Impact and Efficiency of Veracode on Cybersecurity Posture of an Organization
August 12, 2024

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Modules Used

  • Static Analysis (SAST)
  • Software Composition Analysis (SCA)
  • Dynamic Analysis (DAST)
  • Developer Training
  • Reporting
  • Analytics
  • Dashboards
  • Compliance

Overall Satisfaction with Veracode

We use Veracode for performing Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Software Composition Analysis (SCA) scans for all of our products. These scans help us find and address security vulnerabilities early in the Secure Development Life Cycle (SDLC) of every product. We have also automated the SAST, DAST and SCA scans by adding the Veracode scan step in our CI/CD pipelines.

Pros

  • Veracode performs Static Application Security Testing (SAST) very well by finding flaws in the code using entry points so that it tests for everything a user can interact with in the application. This approach is very helpful for avoiding a lot of false positives early on.
  • Veracode performs SCA automatically on every SAST scan, so that we don't have to manually scan the application again for SCA scans.
  • Veracode integrates very well with the ticketing tools, so that it becomes very easy to track every finding and its status within our ticketing tool.

Cons

  • Veracode sometimes marks some findings as fixed and then, in subsequent scans, reopens the finding. All of this happens even when there is no change in the source code.
  • Triaging SCA and license risk findings in the Veracode UI is very difficult when you compare it with the SAST findings. I think the "Triage Findings" UI should be the same for all types of findings for a better user experience.
  • Veracode's integration with ticketing tools is unidirectional, meaning it only syncs the status from Veracode to the ticketing tool and not the other way around. If the integration were bidirectional, triaging findings would be very convenient.

  • Positive: Scanning all our applications on Veracode provides us an overview of our cyber security posture for the organization as a whole.
  • Positive: Performing the SAST, SCA and DAST scanning for all the applications at the early stages of the SDLC helps us identify and mitigate security vulnerabilities early, reducing the risk of data breaches and cyber-attacks.
  • Negative: Sometimes the Veracode SAST scanner closes and reopens some findings, leading to reliability issues with the scanner itself.

Do you think Veracode delivers good value for the price?

Yes

Are you happy with Veracode's feature set?

Yes

Did Veracode live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Veracode go as expected?

Yes

Would you buy Veracode again?

Yes

Veracode is a very powerful tool for performing Static Application Security Testing (SAST) and Software Composition Analysis (SCA) for any application. It gives very few false positives from the get-go, so there is less work for the AppSec team in filtering out the false positives.

However, it is not very good at performing Dynamic Application Security Testing (DAST). So it's not a one-stop scanning tool that fulfills all the needs.
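The reviewer's main reliability complaint is findings that are marked fixed and later reopened with no change to the source. When scan status is synced one way into a ticketing tool, that flapping silently churns tickets. The script below is an added example (not Veracode's code, and not its report format): it reconciles a sequence of scan snapshots against the commit that was scanned, and flags any closure or reopen that happened on an unchanged revision so the AppSec team can treat those findings' scanner status as unreliable and keep the ticket state authoritative. The snapshot structure, scan and finding identifiers, and commit hashes are all constructed for the example; a real pipeline would populate them from the scanner's exported report and the CI system's revision.

```python
"""Detect findings that flip between fixed and open across scans with no code change.

Added example; not Veracode's code or data format. The ScanSnapshot shape and all
sample values are constructed. A real pipeline would fill them from the scanner's
report export and the revision the CI job scanned.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ScanSnapshot:
    scan_id: str             # identifier for one scan run (assumed label)
    commit: str              # source revision that was scanned
    open_findings: frozenset  # stable finding identifiers reported open in this scan


def status_changes(prev: ScanSnapshot, cur: ScanSnapshot) -> Tuple[Set[str], Set[str]]:
    """Return (newly_closed, newly_opened) between two consecutive scans."""
    closed = set(prev.open_findings) - set(cur.open_findings)
    opened = set(cur.open_findings) - set(prev.open_findings)
    return closed, opened


def unexplained_transitions(scans: List[ScanSnapshot]) -> Dict[str, List[Tuple[str, str]]]:
    """Map finding id -> [(scan_id, 'closed' | 'reopened' | 'new')] for status transitions
    that occurred while the scanned revision did not change.

    A closure on an unchanged commit is unexplained (nothing was fixed).
    An opening on an unchanged commit is 'reopened' if the finding was open in any earlier
    scan, otherwise 'new' (possibly a rule update; reported so a human can decide).
    Transitions where the commit changed are assumed explained and are skipped.
    """
    seen_open: Set[str] = set()
    result: Dict[str, List[Tuple[str, str]]] = {}
    for prev, cur in zip(scans, scans[1:]):
        seen_open |= set(prev.open_findings)
        closed, opened = status_changes(prev, cur)
        if cur.commit != prev.commit:
            continue  # code changed between scans; the transitions are plausible
        for fid in sorted(closed):
            result.setdefault(fid, []).append((cur.scan_id, "closed"))
        for fid in sorted(opened):
            kind = "reopened" if fid in seen_open else "new"
            result.setdefault(fid, []).append((cur.scan_id, kind))
    return result


def flapping_findings(scans: List[ScanSnapshot]) -> Set[str]:
    """Findings both closed and reopened on unchanged code.

    These are the ones whose scanner status should not overwrite the ticket state
    in a one-way scanner-to-ticketing sync.
    """
    return {
        fid
        for fid, events in unexplained_transitions(scans).items()
        if {"closed", "reopened"} <= {kind for _, kind in events}
    }


# Constructed sample: four scans, the first three on the same commit.
SAMPLE_SCANS = [
    ScanSnapshot("scan-1", "abc123", frozenset({"sqli-001", "xss-002"})),
    ScanSnapshot("scan-2", "abc123", frozenset({"xss-002"})),                        # sqli-001 "fixed", no change
    ScanSnapshot("scan-3", "abc123", frozenset({"sqli-001", "xss-002", "path-003"})),  # sqli-001 back, path-003 new
    ScanSnapshot("scan-4", "def456", frozenset({"xss-002"})),                        # real commit; closures explained
]


if __name__ == "__main__":
    for fid, events in unexplained_transitions(SAMPLE_SCANS).items():
        print(fid, " -> ".join(f"{kind}@{scan}" for scan, kind in events))
    print("flapping (keep ticket state authoritative):", sorted(flapping_findings(SAMPLE_SCANS)))
```

Run it as part of the post-scan step in the pipeline, feeding it the scan history for the application; anything returned by `flapping_findings` can be excluded from the automatic status sync and routed to manual triage instead, which is the workaround for the unidirectional integration the review describes.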
