When you work in the banking industry, security is a part of everything you do. And just as important as protecting the money is protecting the integrity of the software it all flows through. But for us at CAP COM Federal Credit Union (CAP COM), ensuring that we were producing secure code had become a bigger priority.
As part of redefining our software development lifecycle (SDLC), CAP COM began to seek an all-in-one solution that would allow the credit union to integrate security into the build process. Any solution we brought in would need to help us meet the security specifications outlined by the National Credit Union Association (NCUA), along with industry certifications, including PCI, OWASP and HIPAA.
Since I came on board two years ago, we've been moving slowly toward a more .NET-centric infrastructure for all of our software development and SDLC processes. We reached the point where we almost had a whole build system in place and really needed some kind of SAST and DAST tool so the developers could run security scans.
Looking for an SAST provider to accommodate the migration to .NET, we considered both Veracode and another leading on-premise SDLC solution before signing a long-term deal with Veracode. There were several factors that made Veracode the clear choice over the competitors:
- Veracode features a seamless integration with our .NET infrastructure, specifically TFS and Visual Studio. This allowed the team to get started scanning code faster while making it easier to build application security into their process. On the other hand, the competitor’s integrations were less intuitive and its findings were less comprehensive.
- Veracode offered us a true all-in-one solution, providing a full suite of services including SAST, DAST, and MPT from a single vendor. Because the competitor had no ability to conduct DAST testing, using it would have required other vendors to provide that capability.
- Upon analysis, we discovered Veracode’s false-positive rate to be noticeably lower than the rates reported by the on-premise solution.
- Beyond its technical merits, there were several indicators that Veracode would be an easy company to partner with. Veracode’s support reps were a significant factor, giving us the confidence that someone would always be available to help troubleshoot or configure the scan engine for our software build process. In addition, we felt that Veracode’s reporting for the Security Officer was more comprehensive, and the documentation around Veracode’s security practices was more extensive. Third-party validation in the form of Gartner’s Magic Quadrant for Application Security Testing also provided additional peace of mind.
- Of course, pricing was also a factor. Veracode’s pricing model was far more affordable for CAP COM over the medium- and long-term.
We chose Veracode not only to reduce security risks in our software, but also to reduce the risk of working with the wrong solution for our needs. By comparing Veracode to other vendors, we were able to find the capabilities, integrations, support, and price we needed to accomplish both our security and business performance goals.