Developing Secure Software With Confidence

Software development and security often have separate challenges and concerns.  Developers are worried about pushing software to production in a timely manner. Security teams worry about the security of the code being pushed. Veracode offers a solution that meets the needs of both sides. On Peerspot, where Veracode is ranked number one in application security, users discuss how Veracode enables them to build an advanced application security program.

Marcello T., a software architect at a computer software company, has used Veracode for two years and reports it has improved the way his organization functions, mostly because they can perfect the security issues on their products. For open-source projects, his organization also tested Snyk, which, he says, has some problems because it considers each file inside a repository of GitHub as a separate project. As he put it, “It was creating a lot of false positives. That made it basically unmanageable, so we gave up on using it. I trust Veracode more than the others.”

A customer for two years who is a security architect at a financial services firm looked at other vendors in the market, including Checkmarx, and shared, “What I didn't like about them is that their licensing models are based on how many developers you have. That wasn't a good fit for me. In addition, Checkmarx didn't have a SaaS solution.”

An R&D director at a software company compared several solutions, including Checkmarx, as part of their proof of concept to adopt the right tool. Eventually, Veracode was selected because the tool provides the easiest, fastest solution for their two use cases (static analysis and software composition analysis). He recalled, “When we did the PoC, one of the benefits we saw is [Veracode’s] reports are more focused on real issues. Other scanning tools that we tried, produced much bigger reports with hundreds of vulnerabilities. That is too many vulnerabilities, so you cannot manage them nor decide where to focus. Using Veracode helps us focus where we need to.”

“Moving to Veracode gave us much higher quality dynamic scanning with very few false positives and a robust static scanning solution,” said a senior security architect at a financial services firm. The company used to have a legacy, heavyweight dynamic scanning product that produced hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune. They also didn't have a static scanning product. They selected Veracode after evaluating Checkmarx and SonarQube.

A year ago, Karen M., an information assurance manager at a tech vendor, was not happy with the dashboard of the solution she was using, which provided no analytics and had a bad UI, so it was not easy to manage. She stated, “Most of our big clients were using Veracode and asking us to migrate to it. We evaluated a few companies. The main advantage of Veracode was the UI, the dashboard. It's very easy to use and to manage.”

Mauro V., a cybersecurity expert at a tech services company, recalls that his previous solution was mainly focused on the quality of the coding. He and his team chose Veracode five years ago and are happy because it's focused on security. “We looked at other vendors, but we selected Veracode because it had a top rating in industry reviews. For us, that was like a warranty.”

The ability to support the programming languages his media company uses is why a head of information security chose Veracode over others. He commented, “It has the best language support. A lot of the other solutions might have supported one of the languages we're using, but not all of them.”

A DevSecOps consultant at a comms service provider has a consulting background and previously used other solutions prior to Veracode. In comparing it to the competition, he believes Veracode was the first solution implemented of its type. He elaborated, “Before Veracode, developers didn't know how they could develop secure software. After Veracode was implemented, developers knew when they wrote code that they could scan it in their IDEs. Also, while pushing a deployment, they can get feedback from the Pipeline Scan.”

Finally, a senior vice president of engineering at a tech vendor already had familiarity with Veracode when he joined his current company. They looked at a few options for security testing and then zeroed in on Veracode as the best option for what they needed to do. He explained, “We didn't need to go through too many competitors. Because I had experience with it, I said we should use it. I felt that it was the right product for us.”

He continued, “One of the advantages of Veracode is that it is a one-stop shop for everything you need. I did not want to hunt around for five different solutions and have to put them together and have to use five different dashboards. I really wanted a single solution for all our needs, and that's what I got from Veracode.”

Application security can be challenging, but as Peerspot users explain, Veracode has earned its number one ranking by making life easier for both developers and security team members. Dynamic, fast scanning, multi-language support, a “one-stop-shop” setup, and more, make Veracode a reliable, effective solution.​