My experience with Veracode
Overall Satisfaction with Veracode
* We run static scans on a regular basis (integrated in our continuous integration) on all our major branches.
* We review the Software Composition Analysis and the "Triage flaws" section on a regular basis (minimum every week).
* We run a dynamic scan before each major version release.
* Our goal is to fix all the Very high/high/medium vulnerabilities this year. We'll then look at the minor ones.
Pros
- Report generation
- Flaws description and remediation strategy
- Consultation requests
Cons
- Scan result stability: from one scan to another, additional flaws appear even though the code did not change.
- Entry point selection: hard to be sure the selection is optimal; it should be automated or hidden.
- Branch management: we currently use sandboxes to scan different branches of our software. It would be good to have real branch management.
- Adoption by developers: they are more aware of security aspects.
- Allows us to see where we stand in terms of application security
- We're able to deliver clear security reports to our clients
- JFrog Security (Xray), Coverity Static Analysis (SAST) and CheckMark 1095
Mainly for reporting: Veracode reports are really comprehensive
Do you think Veracode delivers good value for the price?
Not sure
Are you happy with Veracode's feature set?
Yes
Did Veracode live up to sales and marketing promises?
Yes
Did implementation of Veracode go as expected?
No
Would you buy Veracode again?
Yes