We have some major clients using Veracode. It saves us time when it comes to doing annual pen tests. When we say we're using Veracode and they are also using Veracode, we don't have to run the test twice. They accept what we have because they know the framework is going to be the same.
A pen test can take a month; it really depends on the number of flaws that are found. So when we don't have to run a pen test twice it saves a lot of time. It not only saves time for my team, but for other teams as well, because when we run a third-party pen test for clients, I not only need to have my team coordinating it, but it requires documentation and it requires my technical support to be involved. So it saves a lot of time for a number of teams.
The report content is very good because the reports are structured in a way that they explain the scope of the scan and what the policy is. A report shows, right at the beginning, if we have passed the scan for the policy or not. That's very helpful when sharing that report externally. It's something that we didn't have before and having that now is extremely useful because it avoids a lot of back and forth with clients. If we share a report and there is no further explanation necessary on how the scan works and what we're doing to fix the flaws, it saves additional manual work that would otherwise be needed to update that information. With Veracode, we can do it automatically, just by pulling a report from the dashboard. In addition, whatever they have on the reports meets industry expectations.
Veracode provides visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in a centralized view. I manage the team, I'm not involved in the daily operations. But as a manager, it's extremely helpful, because I just log in to my Veracode instance and, on the homepage, it shows the status of all the scans. If I want more information about something, it's one click. From a managerial perspective, it's extremely helpful. The centralized view helps reduce risk exposure. If there is something wrong with a scan, if a scan doesn't run or a scan is not complete, I know about it from the main dashboard.
In addition, the solution integrates with developer tools. That creates more efficiency in the workflows because they don't need to duplicate work.
Overall, its ability to prevent vulnerable code from going into production is very good. We recently onboarded a new application into the static scan and we had almost 1,000 flaws in the first scan. We were able to mitigate all of them in less than three months. The result was amazing, enabling us to find everything that could potentially create a problem for us.