AppSec Santa

Veracode - Application Security Platform

Summary

Veracode is a platform that offers DAST, SAST, SCA and Security Labs to deliver a “secure-by-design” AppSec methodology.

Veracode

What is Veracode?

Veracode is a platform that contains all of the application security testing types – static analysis, dynamic analysis, software composition analysis, and manual penetration testing.

Veracode Dashboard

How does Static Analysis work?

Static analysis in particular is a great way to uncover security flaws in the code of your application before deployment, reducing your risk and cost of remediation.

Veracode SAST Scan Results

Supported languages:

  • Android: C, C++, Java, and Kotlin
  • iOS: Objective-C and Swift
  • Java, including Java SE, EE, and JSP
  • .NET, including C#, ASP.NET, and VB.net
  • Web platforms: JavaScript, Python, PHP, Ruby on Rails, ColdFusion, ASP, and more
  • C and C++
  • Legacy business languages such as COBOL, Visual Basic 6 and RPG
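To make concrete what "uncovering security flaws in the code before deployment" means in practice, here is a deliberately small taint-tracking scanner written for this page. It is an added illustration, not Veracode's engine or any of its code: it models the core idea behind most SAST tools, that data from an attacker-controlled source (here `input()`) reaching a dangerous sink (`eval`, `exec`, `os.system`, `subprocess.call(..., shell=True)`) without passing through a sanitizer (`shlex.quote`, `int`) is a finding. The source, sink and sanitizer lists and the sample program it scans are constructed for the example.

```python
import ast

# Constructed, simplified model of a SAST taint analysis:
# data from a SOURCE that reaches a SINK without passing a SANITIZER is a finding.
SOURCES = {"input"}                                   # attacker-controlled input
SINKS = {"eval", "exec", "os.system", "subprocess.call"}
SANITIZERS = {"shlex.quote", "int"}                   # assumed to neutralise tainted data


def _call_name(node):
    """Dotted name of a call target ('os.system', 'input'), or None if not a simple name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _is_tainted(node, tainted):
    """True if the expression may carry data derived from a source."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        name = _call_name(node)
        if name in SANITIZERS:
            return False                               # sanitizer output is trusted
        return name in SOURCES or any(_is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):                    # "ping " + host, "%s" % host
        return _is_tainted(node.left, tainted) or _is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):                # f"ping {host}"
        return any(_is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    return False


def _shell_true(call):
    """True if the call passes shell=True (the only case where subprocess.call is a sink here)."""
    return any(k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
               for k in call.keywords)


class TaintScanner(ast.NodeVisitor):
    """Intraprocedural taint tracking over straight-line code (no branch/loop merging)."""

    def __init__(self):
        self.tainted = set()
        self.findings = []          # (line number, sink name)

    def visit_FunctionDef(self, node):
        saved, self.tainted = self.tainted, set()      # fresh scope per function
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if _is_tainted(node.value, self.tainted):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)    # overwritten with trusted data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _call_name(node)
        if name in SINKS and (not name.startswith("subprocess.") or _shell_true(node)):
            if any(_is_tainted(a, self.tainted) for a in node.args):
                self.findings.append((node.lineno, name))
        self.generic_visit(node)


def find_taint_flows(source_code):
    """Scan Python source text; return [(line, sink), ...] in source order."""
    scanner = TaintScanner()
    scanner.visit(ast.parse(source_code))
    return scanner.findings


# Constructed sample program under test (line numbers count from the first line of the string)
SAMPLE = """\
import os, shlex, subprocess

def ping():
    host = input("host: ")                        # line 4: source
    os.system("ping -c 1 " + host)                # line 5: flagged
    safe = shlex.quote(host)                      # line 6: sanitizer
    os.system("ping -c 1 " + safe)                # line 7: clean
    subprocess.call(["ping", host])               # line 8: no shell=True, clean
    subprocess.call(f"ping {host}", shell=True)   # line 9: flagged
    count = int(input("count: "))                 # line 10: int() sanitizes
    os.system("ping -c %d localhost" % count)     # line 11: clean
"""

if __name__ == "__main__":
    for line, sink in find_taint_flows(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}")
```

Running it reports lines 5 and 9 of the sample and nothing else. A commercial SAST engine differs mainly in scale: it follows data across functions, files and frameworks, knows thousands of sources and sinks per language, and models control flow so that a sanitizer on one branch does not clear taint on another.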

How does Dynamic Analysis work?

According to the 2020 Verizon Data Breach Investigations Report, web applications were the source of 43% of breaches, more than double that in 2019.

Veracode Dynamic Analysis is a Dynamic Application Security Testing (DAST) solution that delivers an automated and scalable dynamic scanning capability that enables broad coverage at speed. You can scan both web applications and API specifications.

You can use Dynamic Analysis to:
  • Run security tests against live web applications in the late stages of development, such as test or quality assurance, or applications in production.
  • Use API Scanning to test the security of endpoints in API specifications.

Supported Technologies

  • Web applications that you access using a browser-based user interface
  • Web applications built using Java, ASP, ASP.NET, Ruby on Rails, JavaScript, Perl, PHP, Python, or similar languages
  • Single-page (SPA) and HTML5 applications
  • Web applications built with Angular, React, and Vue.js frameworks

Unsupported Technologies

  • REST and SOAP APIs that are not accessed through a user interface
  • Sites that have MFA and 2FA that you cannot turn off for testing because of company policy
  • Silverlight, Java applets, and ActiveX control technologies
  • Sites with complex business logic that are unsuitable for automation using crawl scripts
  • Sites that only support connection via TLS 1.0

How does Composition Analysis work?

With third-party components, including open-source libraries, making up as much as 80% of an application’s codebase, it’s critical to scan those libraries for vulnerabilities to reduce the introduction of risk into your apps.

The recent log4j vulnerability only served to emphasize the importance of scanning and securing open-source libraries.

Veracode SCA Scan Result

Veracode Software Composition Analysis (SCA) identifies risks from open-source libraries early so you can reduce unplanned work, covering both security and license risk. SCA helps Engineering keep roadmaps on track, Security achieve regulatory compliance, and the Business make smart decisions.
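The two kinds of risk named above, known-vulnerable versions and licenses that violate policy, are what an SCA scan actually checks a dependency manifest for. The following is an added example written for this page, not Veracode's code: it parses a pinned manifest, matches each dependency against an advisory feed of affected version ranges, and flags any license outside an allowlist. The package names, advisory ids, license metadata and the manifest are all constructed placeholders; a real tool would pull the advisory feed from a vulnerability database and the license from package metadata.

```python
from dataclasses import dataclass


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); tuple comparison orders versions component by component.
    Pre-release tags and non-numeric segments are out of scope for this sketch."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str       # first affected version (inclusive)
    fixed: str            # first fixed version (exclusive)
    advisory_id: str


# Constructed advisory feed and license metadata; names and ids are placeholders, not real advisories.
ADVISORIES = [
    Advisory("libfoo", "1.0.0", "1.5.0", "ADV-EXAMPLE-0001"),
    Advisory("libbar", "2.0.0", "3.0.0", "ADV-EXAMPLE-0002"),
]
LICENSES = {"libfoo": "MIT", "libbar": "Apache-2.0", "gpl-widget": "GPL-3.0-only"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_manifest(text):
    """Parse pinned 'name==version' lines; comments and blank lines are ignored."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        deps[name] = version
    return deps


def is_affected(version, advisory):
    """True if version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def scan_manifest(text):
    """Return one finding per vulnerable range hit and per license policy violation."""
    findings = []
    for name, version in parse_manifest(text).items():
        for adv in ADVISORIES:
            if adv.package == name and is_affected(version, adv):
                findings.append({"package": name, "version": version, "type": "vulnerability",
                                 "id": adv.advisory_id, "fixed_in": adv.fixed})
        # A package with no license metadata is also a finding: "UNKNOWN" is never allowlisted.
        license_id = LICENSES.get(name, "UNKNOWN")
        if license_id not in ALLOWED_LICENSES:
            findings.append({"package": name, "version": version, "type": "license",
                             "id": license_id, "fixed_in": None})
    return findings


SAMPLE_MANIFEST = """\
# constructed lockfile, not from a real project
libfoo==1.4.2       # inside the vulnerable range
libbar==3.0.1       # already at a fixed version
gpl-widget==0.9.0   # license not on the allowlist
"""

if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE_MANIFEST):
        print(finding)
```

On the sample manifest this yields exactly two findings: `libfoo` 1.4.2 against ADV-EXAMPLE-0001 (fixed in 1.5.0) and `gpl-widget` for its license. Reporting the first fixed version alongside the finding is what turns a scan result into a remediation task rather than just an alert.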

How does Security Labs work?

Veracode Security Labs shifts AppSec knowledge left, giving you hands-on training to confidently tackle modern threats by exploiting and patching real code, and applying DevOps principles to deliver secure code on time.

Veracode Security Labs

Data from the 12th edition of Veracode’s State of Software Security shows that developers who complete at least one training course from Veracode Security Labs fix security flaws over 33% faster than those who have not.

With security absent from most Computer Science programs, it’s critical to give your development team a leg up both on the competition and on bad actors.
