Veracode - Application Security Platform

Suphi Cankurt
May 27, 2022
No Comments

Summary

Veracode is a platform that offers DAST, SAST, SCA and Security Labs to deliver a “secure-by-design” AppSec methodology.

11 min read

What is Veracode?

Veracode is a platform that contains all of the application security testing types – static analysis, dynamic analysis, software composition analysis, and manual penetration testing.

How does Static Analysis work?

Static analysis in particular is a great way to uncover security flaws in the code of your application before deployment, reducing your risk and cost of remediation.

Supported languages:

Android: C, C++, Java, and Kotlin
iOS: Objective-C and Swift
Java, including Java SE, EE, and JSP
.NET, including C#, ASP.NET, and VB.net
Web platforms: JavaScript, Python, PHP, Ruby on Rails, ColdFusion, ASP, and more
C and C++
Legacy business languages such as COBOL, Visual Basic 6 and RPG

How does Dynamic Analysis work?

According to the 2020 Verizon Data Breach Investigations Report, web applications were the source of 43% of breaches, more than double that in 2019.

Veracode Dynamic Analysis is a Dynamic Application Security Testing (DAST) solution that delivers an automated and scalable dynamic scanning capability that enables broad coverage at speed. You can scan both web applications and API specifications.

You can use Dynamic Analysis to:

Run security tests against live web applications in the late stages of development, such as test or quality assurance, or applications in production.
Use API Scanning to test the security of endpoints in API specifications.

Supported Technologies

Web applications that you access using a browser-based user interface
Web applications built using Java, ASP, ASP.NET, Ruby on Rails, JavaScript, Perl, PHP, Python, or similar languages
Single-page (SPA) and HTML5 applications
Web applications built with Angular, React, and Vue.js frameworks

Unsupported Technologies

REST and SOAP APIs are not directly accessed using a user interface
Sites that have MFA and 2FA that you cannot turn off for testing because of company policy
Silverlight, Java applets, and ActiveX control technologies
Sites with complex business logic that are unsuitable for automation using crawl scripts
Sites that only support connection via TLS 1.0

How does Composition Analysis work?

With third-party components, including open-source libraries, making up as much as 80% of an application’s codebase, it’s critical to scan those libraries for vulnerabilities to reduce the introduction of risk into your apps.

The recent log4j vulnerability only served to emphasize the importance of scanning and securing open-source libraries.

Veracode Software Composition Analysis (SCA) identifies risks from open-source libraries early so you can reduce unplanned work, covering both security and license risk. SCA helps Engineering keep roadmaps on track, Security achieves regulatory compliance, and the Business make smart decisions.

How does Security Labs work?

Veracode Security Labs shifts AppSec knowledge left, giving you hands-on training to confidently tackle modern threats by exploiting and patching real code, and applying Develops principles to deliver secure code on time.

Data from the 12th edition of Veracode’s State of Software Security shows that developers who complete at least one training course from Veracode Security Labs fix security flaws over 33% faster than those who have not.

With security absent from most Computer Science programs, it’s critical to give your development team a leg up both on the competition and on bad actors.