Detailed Analysis: Impact and Efficiency of Veracode on Cybersecurity Posture of an Organization
Use Cases and Deployment Scope
Pros
- Veracode performs Static Application Security Testing (SAST) very well by finding flaws in the code using entry points so that it tests for everything a user can interact with in the application. This approach is very helpful for avoiding a lot of false positives early on.
- Veracode performs SCA automatically on every SAST scan, so that we don't have to manually scan the application again for SCA scans.
- Veracode integrates very well with the ticketing tools, so that it becomes very easy to track every finding and its status within our ticketing tool.
Cons
- Veracode sometimes marks some findings as fixed and then in subsequent scans, it reopens the finding. All of this happens even when there is no change in the source code.
- Triaging SCA and License risk findings on Veracode UI is very difficult when you compare it with the SAST findings. I think the "Triage Findings" UI should be same for all the types of findings for better user experience.
- Veracode's integration with ticketing tools is unidirectional, meaning it only syncs the status from Veracode to the ticketing tool and not the other way around. If the integration is bidirectional, triaging findings could be very convenient.
Likelihood to Recommend
However, it is not very good at performing Dynamic Application Security Testing (DAST). So, its not a one-stop scanning tool that fulfills all the needs.
