Veracode Review and Alternatives

Veracode is an application testing system that combines tools and automated testing systems with expert consultancy services. The main draw of the Veracode system is its dynamic application testing (DAST) service. However, this is not the only module in the Veracode package.

The Veracode service is delivered from the cloud as a SaaS package. This enables the system to perform tests on Web applications from an external perspective, as though they were already live on the internet.

Veracode, based in Burlington, Massachusetts, is a private company that was founded in 2006. The company was sold to CA Technologies in 2017 and then sold on to Broadcom in 2018. Broadcom immediately sold the business on to IT services investor Thoma Bravo, LLC.

All of the company’s efforts are invested in the Veracode platform. The service has 2,500 customers and has, to date, scanned more than 36 trillion lines of code and helped to fix more than 66 million security weaknesses.

What does Veracode do?

Veracode is a testing platform for applications under development. It offers a range of test strategies and also includes a test management system. The services of Veracode are hosted on a cloud server.

Veracode testing can be performed on demand by the developer or integrated into a CI/CD pipeline, offering continuous testing for enrolled applications. The testing strategies available with Veracode are:

  • Dynamic Application Security Testing (DAST)
  • Static Application Security Testing (SAST)
  • Interactive Application Security Testing (IAST)
  • Software Composition Analysis (SCA)
  • Penetration Testing

Veracode modules

The Veracode system is divided into three modules. These are:

  • Veracode Application Analysis
  • Developer Enablement
  • AppSec Governance

The functions of these services are explained below.

Veracode Application Analysis

This is the core module of the Veracode platform, and it implements automated, continuous testing that can be integrated into a DevSecOps environment. The system implements DAST, SAST, IAST, and SCA strategies in its automated testing services.

As an optional extra, a customer can ask for a penetration testing exercise to be carried out against a complete Web service. This will probably be an infrequent requirement for your company, perhaps used once a full suite has been completed.

It is possible to get a test run on demand by entering the URL of the subject into the dashboard of the SaaS system. However, the service is more commonly run as an automated system that is on all of the time.

The testing system performs a discovery sweep and looks at the saved dates and times on all modules to identify systems that have been added or updated since the last sweep. It then works through those modules looking for supporting modules, which might be resident on the servers of framework and microservice providers.

Tests involve a scan of code and an inventory of supporting libraries, and then the system runs the modules to see how they perform and exchange data. The final phase of testing involves probing the applications as they operate, in a vulnerability scanning scenario.

The test run completes with an analysis report. This identifies each of the units under development that were examined. It states any problem found in each unit or in the interaction between them. The error report identifies the exact lines of code that cause a security weakness and gives an explanation of how these problems can be fixed.
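The paragraph above describes the useful shape of an analysis report: each finding names the unit, the exact file and line, a severity, and a remediation explanation. What a CI/CD pipeline then needs is a gate that turns that report into a pass/fail decision and emits file:line annotations a developer can act on. The following Python script is an added example and is not Veracode's code or its report format; the JSON report it parses is constructed for illustration, and the severity scale and the `threshold` parameter are assumptions.

```python
"""Gate a CI stage on an application-analysis report.

Added example: the report format below is constructed for illustration and is
not a real scanner's output. Each finding carries the unit examined, the exact
file and line, a severity, and a remediation note, as the text describes.
"""
import json
from dataclasses import dataclass
from typing import List

# Severity ranking used for the gate decision (higher is worse). Assumed scale.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report, not real scanner output.
SAMPLE_REPORT = json.dumps({
    "scan_id": "example-scan-0001",
    "findings": [
        {"unit": "billing-api", "file": "billing/app.py", "line": 42,
         "severity": "high", "title": "SQL query built with string formatting",
         "fix": "Use a parameterised query instead of concatenating user input."},
        {"unit": "billing-api", "file": "billing/app.py", "line": 77,
         "severity": "low", "title": "Debug logging enabled in production config",
         "fix": "Set DEBUG to False for production deployments."},
        {"unit": "web-frontend", "file": "web/templates/search.html", "line": 12,
         "severity": "medium", "title": "Template renders unescaped user input",
         "fix": "Enable autoescaping or apply the escape filter to the variable."},
    ],
})


@dataclass(frozen=True)
class Finding:
    unit: str
    file: str
    line: int
    severity: str
    title: str
    fix: str


def parse_report(report_json: str) -> List[Finding]:
    """Parse the report, rejecting any finding whose severity is not on the scale."""
    data = json.loads(report_json)
    findings = []
    for raw in data.get("findings", []):
        sev = str(raw["severity"]).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} in finding {raw!r}")
        findings.append(Finding(raw["unit"], raw["file"], int(raw["line"]),
                               sev, raw["title"], raw["fix"]))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'info' for an empty report."""
    if not findings:
        return "info"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def blocking_findings(findings: List[Finding], threshold: str = "high") -> List[Finding]:
    """Findings at or above the threshold, worst first, then by file and line."""
    limit = SEVERITY_RANK[threshold]
    hits = [f for f in findings if SEVERITY_RANK[f.severity] >= limit]
    return sorted(hits, key=lambda f: (-SEVERITY_RANK[f.severity], f.file, f.line))


def should_block(findings: List[Finding], threshold: str = "high") -> bool:
    """True when the build should fail: at least one finding reaches the threshold."""
    return bool(blocking_findings(findings, threshold))


def format_annotations(findings: List[Finding]) -> List[str]:
    """One file:line annotation per finding so CI can attach it to the diff."""
    return [f"{f.file}:{f.line}: [{f.severity}] {f.title} -> {f.fix}" for f in findings]


def run_gate(report_json: str, threshold: str = "high") -> int:
    """Print annotations and return the process exit code (1 blocks the pipeline)."""
    findings = parse_report(report_json)
    for line in format_annotations(findings):
        print(line)
    if should_block(findings, threshold):
        print(f"gate: FAIL ({len(blocking_findings(findings, threshold))} finding(s) "
              f"at or above {threshold})")
        return 1
    print("gate: PASS")
    return 0


if __name__ == "__main__":
    raise SystemExit(run_gate(SAMPLE_REPORT))
```

Run as a pipeline step, the non-zero exit code is what stops the stage; the threshold is deliberately a parameter so a team can start by blocking only on critical findings and tighten it as the backlog is cleared.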

While many application security testing services run a separate agent to check through code written in each programming language, Veracode performs all code analysis with one process, making this testing platform a lot quicker at identifying problems.

Developer Enablement

The on-demand analysis runs mean that security testing doesn’t have to wait until developers send a unit for integration testing. Instead, those services can be accessed directly by the developer.

Typically, the development team leader or software designer would trial frameworks and libraries before proposing their functions for integration into the development. This phase of security testing that happens before development starts can prevent a disastrous discovery late in the development cycle, resulting in a complete re-write of the new application. Code under development can also be tested periodically by the programmer.

Making the test platform available to the development team is one way that Veracode can assist in integrating security considerations into the development phase. For example, the Developer Enablement module of the Veracode SaaS platform provides training for developers on how to use the security tools and why security procedures need to be integrated into code. This is called the Veracode eLearning system.

Veracode Security Labs is the main element in the Developer Enablement system. This provides a structure of attainment with online guides and awards levels of certification for developers who have been through the program.

The Support team of Veracode can be super-sized with a Customer Success Package. This supplies expert developers to be on call to give guidance and advice to your own programmers.

AppSec Governance

This module covers all of the project management and system security needs of a typical development project. In addition, these facilities extend to risk management and data privacy standards compliance issues.

Veracode is a specialized testing tool, so it won’t be a standalone tool in your development environment. Instead, it integrates with all of the other tools you use to manage a development team and plan and implement the software development lifecycle. Examples of the other tools that Veracode can interact with include Jira, Apache Ant, Bugzilla, GitLab, Jenkins, and Azure DevOps.

The reporting tools and data exchange facilities in Veracode mean that you don’t have to copy out information for integration with other workflow management systems. Instead, you can get timelines, goals, and deadlines fed through from your project management system into Veracode and confirmation sent back. These data exchanges will simplify your supervision of project progression.

Testing can be seen as a rubber stamp or a hold-up. Getting a fully automated tool helps you adapt your opinion of testing by giving feedback at the early phases of the lifecycle, so you don’t get to the point of falling behind and missing deadlines because of security errors in the new code. In this way, Veracode does make a difference and shifts project managers’ opinion of security testing from being an inconvenience to providing helpful project input.

How much does Veracode cost?

Veracode doesn’t publish a price list. The company’s communication with potential customers starts with access to a demo. The three modules are priced separately, and it is possible to take out a subscription to each individually. Subscriptions last for a year. There are multi-year subscription options available. However, the company doesn’t offer lower rates for more extended subscription periods. For example, a three-year license costs three times the price of a one-year license.

Veracode Security Labs is available on AWS Marketplace for $690 for a year. Unfortunately, the company doesn’t offer its other modules on AWS. Back on the Veracode site, you can get a 14-day free trial of Veracode Security Labs. There is also a Community Edition of Veracode Security Labs.

Veracode deployment options

Veracode is available as a SaaS platform on the Veracode website. Unfortunately, there isn’t an on-premises version. Veracode Security Labs is open at the Veracode site or on AWS – it isn’t accessible on Azure or GCP.

Veracode Pros and Cons

Veracode has put together a very comprehensive range of services. For example, it offers an automated testing system that can also be used as a vulnerability scanner. In addition, it provides online security training for developers, and it also runs a penetration testing service. This means that the company offers a nice mix of automated software and human expertise.

Here are some of the key advantages and disadvantages of the Veracode system.

Pros:

  • Integrations with project management and issue tracking systems
  • Automation for testing phases in a CI/CD pipeline
  • On-demand testing tools for developers that offer suggested resolutions
  • Project management reports assisting with monitoring workflow progression
  • A support package of experts who can mentor programmers

Cons:

  • There is no on-premises option for this package

Alternatives to Veracode

Veracode is highly respected, and its client list includes major multinationals, such as Santander Bank, Sherwin Williams, Thomson Reuters, eBay, and Adidas. A credible and reliable testing system stacks up well against rivals in third-party comparison testing exercises. However, it always pays to assess several alternatives before deciding on a vital service provider.

Although DevOps security testing is a niche market, there is a surprisingly high number of providers in this sector. It can take you a long time to discover all of the options and identify the leading systems. This guide to alternative application security testing systems should speed up your search.

Here is our list of the seven best alternatives to Veracode:

  1. Invicti (ACCESS FREE DEMO) A DAST and IAST system that can be run as a vulnerability scanner for Web applications or integrated into a CI/CD pipeline for continuous, automated testing at all stages of the software development lifecycle. This service integrates with about 50 commonly used development tools, including Jenkins, GitLab, and Jira. Available for installation on Windows or Windows Server or as a cloud service. Access a free demo.
  2. Acunetix (ACCESS FREE DEMO) This package is primarily marketed as a vulnerability scanner, offering searches for 7,000 external vulnerabilities plus 50,000 network-based exploits. The system includes interactive application security testing (IAST) and is integrated into a CI/CD pipeline through a continuous testing option. The service is offered in three plans, and it is implemented as an on-premises software package for Windows, macOS, and Linux.
  3. Rapid7 InsightAppSec This tool is aimed at the IT Operations departments of large corporations that have many Web applications to manage. It also integrates with Jira, which makes it suitable for deployment in the development environment; additionally, each discovered vulnerability comes with a replay segment of the exploit to help the developer understand how to fix the problem. This tool is free for 30 days.
  4. Checkmarx A SaaS platform that offers a range of units for testing. These options include dynamic and static testing and a bundle of the two, called CxIAST, that can be integrated into a CI/CD pipeline to offer continuous automated Web application testing.
  5. Detectify Deep Scan This is a DAST service that is offered as a SaaS platform. The user enters a URL for a resource into the service’s dashboard, and the platform scans for security flaws. The system can be integrated into DevOps workflows, orchestrating with other development systems, such as Jira, Splunk, and OpsGenie. Available for a two-week trial.
  6. HCL AppScan This system is available as on-premises software or as a SaaS package. It offers DAST, SAST, and IAST for Web application and mobile app development. The Operations teams can use this tool for vulnerability scanning, and it can also be set to continuous testing for CI/CD pipelines. The on-site version installs on Windows and Windows Server, and you can get it on a 30-day free trial.
  7. GitLab Ultimate This is a higher edition of GitLab, which is widely used for code version control and development management. The Ultimate edition includes a DAST testing service that offers continuous testing for a CI/CD pipeline. This is a SaaS platform, and you can assess it on a 30-day free trial.