Veracode Users Talk About Selecting an AppSec Solution

By Suzanne Ciccone
September 10, 2018

With the shift to DevSecOps, developers are now primarily responsible for security testing in the early phases of the SDLC. If developers are conducting security testing, the old rules for selecting an application security solution no longer apply. What do application security selection criteria look like in a DevSecOps world? Veracode users are talking about this shift and their new selection criteria at IT Central Station, and we’ve condensed all that valuable insight into one paper. Read Real Users Speak: Selecting the Right Software Security Testing Tool to find out how your peers are fitting application security testing into DevOps processes, and what their selection criteria were when searching for an AppSec solution. Hear Veracode users talk about their priorities, including:

The importance of integrating into developer workflows: “Figure out a way to integrate it into your software development lifecycle in a way that it’s not intrusive to your developers. That was really something that I set out to do. I didn’t want my developers to have to go into their code, and kick off scans, and upload their code.” – Systems architect at a tech company

The need to scale AppSec: “We went from 50 applications in 2015, we’re now up to over 400. There seems to be no limit on how quickly it can scale and operate. By using a cloud-based scanner, we really had no issues with where the developers are geographically located. So we didn’t really have setup problems at all. It just kind of happened, and scales fairly naturally, organically.” – Technical director at a financial services firm

Why it’s necessary to have multiple scanning types: “We do not pass our release without performing a static and a dynamic scan, and mitigating the flaws identified.” – Director of software engineering at a tech services company

Why automation matters: “We have 35 applications, and instead of having 35 different people preparing their packages for upload and scan, it’s automated. We don’t have to spend money doing that as well.” – Director, security and risk, cloud operations at a tech company

What to look for in training and support: “I feel like any vendor can identify the flaws, but fixing the flaws is what is most important. Being able to have those consultation calls, schedule them in the platform, and have that discussion with an applications expert, that process scales well and that is what has allowed a lot more reduction of risk to happen.” – SVP, application security at a financial services firm

Get all the details and insights from Veracode users in Real Users Speak: Selecting the Right Software Security Testing Tool.

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions.