Manage Your Entire Application Security Program on a Single Platform
Veracode’s unified platform assesses and improves the security of applications from inception through production so that businesses can confidently innovate with the web and mobile applications they build, buy and assemble as well as the components they integrate into their environments.
Veracode offers a holistic, scalable way to manage security risk across your entire application portfolio. Veracode is the only solution that can provide visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in one centralized view.
MINT SECURITY implements, complements and supplements
Mint Security integrates, coordinates and innovates your secure software development lifecycle. By adding Veracode tools to the mix, we deliver a holistic and elegant solution for both your development and management teams.
Contact us for a quick demo – even over Teams. We scan your code – for free – and show you real-life findings. After successfully showing actual value, we run a PoC where you can get your hands dirty. We can even do integrations during the PoC.
Veracode was founded by experts from leading application security companies to help organizations achieve code security more effectively and cost-efficiently. By delivering static analysis as a service, instead of an on-premises product, Veracode’s solution enables companies to forgo capital expenditure on vulnerability assessment software and hardware. Because Veracode is automated and easy to use, companies no longer need to hire security assessment experts or consultants. Because Veracode’s static analysis assesses compiled applications instead of source code, it can test the application as it is actually built and deployed, including components for which no source is available, offering comprehensive coverage and greater application security.
With its powerful combination of automation, process and speed, Veracode seamlessly integrates application security into the software lifecycle, effectively eliminating vulnerabilities during the lowest-cost point in the development/deployment chain, and blocking threats while in production. This comprehensive solution is managed through one centralized platform and stems from a powerful combination of best-in-class technology and top-notch security experts who offer remediation coaching and guidance on processes.
Veracode makes writing secure code just one more aspect of writing great code. With our designed-for-developer tools, API and workflow integrations, and tips for fixing vulnerabilities when they are found, you can make security a seamless part of your development lifecycle without sacrificing speed or innovation.
For Security Professionals
With Veracode, application security can meet the needs of developers while still satisfying the reporting and assurance requirements of the business. Veracode’s ability to provide the right solutions for each stage of the software lifecycle ensures that the applications companies build and buy, and the third-party components they use, are secure.
Veracode delivers the application security solutions and services today’s software-driven world requires so that innovation and security can go hand-in-hand. Veracode customers ramp up quickly, see value on day one, demonstrate compliance with regulations, and easily scale over time.
Veracode provides solutions that ensure the security of an application all the way through deployment. Operations teams can get better insight about attacks on production applications – and protect against compromise – without impacting performance. And when new vulnerabilities are discovered in open source components already in use they can quickly find and remediate those risks.
What is SAST?
Static analysis is one of the many code review techniques that can be applied without actually executing, or running, the software. Static analysis tools look at applications in a non-runtime environment. This method of testing has distinct advantages in that it can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software’s inputs and outputs that cannot be seen through dynamic web scanning alone. In the past, this technique required source code, which is often impractical, since source code is frequently unavailable (for example for third-party components), and also insufficient, since the shipped binary can differ from the source it was built from. The Veracode static analysis service assesses binary code (compiled machine code or bytecode) instead of source code, which enables enterprises to test software more effectively and comprehensively, providing greater security for the organization.
Unique in the industry, our patented binary static application security testing (SAST) technology analyzes all code — including third-party components and libraries — without requiring access to source code. SAST supplements threat modeling and code reviews performed by developers, finding coding errors and omissions more quickly and at lower cost via automation. Our technology is typically run in the early phases of the Software Development Lifecycle because it’s easier and less expensive to fix problems before going into production deployment.
The hunt for vulnerabilities
Our SAST technology identifies critical vulnerabilities such as SQL injection, cross-site scripting (XSS), buffer overflows, unhandled error conditions and potential backdoors. It classifies and prioritizes the vulnerabilities using standard NIST severity levels. Actionable information is delivered to help developers address them quickly, including detailed remediation guidance.
How Binary SAST Works
Binary SAST analyzes binary code to create a detailed model of the application’s data and control paths. The model is then searched for all paths through the application that represent a potential weakness. For example, if a data path originates from an HTTP request and flows through the application to a database query without passing through validation or sanitization (or being bound as a query parameter), that path represents a SQL injection flaw. The sanitizer has to match the sink: escaping a value for HTML output or for a shell does not neutralize it for a SQL query, and a sound analysis treats such a path as still tainted.
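The source-to-sink rule described above, as an added example that is not Veracode’s analyzer or any code from this page: it runs a forward taint propagation over a constructed, straight-line toy intermediate representation (the instruction tuples, the source/sink/sanitizer tables and the four sample programs are all assumptions made for the illustration), and reports a flaw only when a value from an untrusted source reaches a sink without a sanitizer for that specific sink kind.

```python
"""Source-to-sink data-flow check of the kind described above.

Added illustration, not Veracode's analyzer: it runs over a constructed
straight-line toy intermediate representation (IR) rather than real binaries,
but the rule is the same: report a path from an untrusted source to a
dangerous sink that never passes through a sanitizer for that sink."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

SOURCES = {"http_param", "http_header", "http_cookie"}      # attacker-controlled inputs
SINKS = {                                                    # sink kind -> weakness
    "sql_exec": "SQL injection (CWE-89)",
    "os_exec": "OS command injection (CWE-78)",
}
SANITIZERS = {"sql_escape": "sql_exec", "shell_quote": "os_exec"}  # sanitizer -> sink it neutralizes


@dataclass(frozen=True)
class Taint:
    source: str                                  # e.g. "http_param@0" (kind@instruction index)
    path: tuple                                  # variables the value flowed through
    neutralized: FrozenSet[str] = frozenset()    # sink kinds a sanitizer already covered


def _propagate(taints, dst, extra=frozenset()):
    """Copy taints onto dst, extending the path and any newly neutralized sink kinds."""
    return [Taint(t.source, t.path + (dst,), t.neutralized | extra) for t in taints]


def analyze(ir):
    """Forward taint propagation over the toy IR; returns a list of flaw records."""
    taint: Dict[str, List[Taint]] = {}
    flaws = []
    for idx, ins in enumerate(ir):
        op = ins[0]
        if op == "source":                      # ("source", dst, kind)
            _, dst, kind = ins
            taint[dst] = [Taint(f"{kind}@{idx}", (dst,))] if kind in SOURCES else []
        elif op == "assign":                    # ("assign", dst, src)
            _, dst, src = ins
            taint[dst] = _propagate(taint.get(src, []), dst)
        elif op == "concat":                    # ("concat", dst, part, part, ...)
            _, dst, *parts = ins
            taint[dst] = [t for p in parts for t in _propagate(taint.get(p, []), dst)]
        elif op == "sanitize":                  # ("sanitize", dst, src, sanitizer)
            _, dst, src, fn = ins
            cleared = frozenset({SANITIZERS[fn]}) if fn in SANITIZERS else frozenset()
            taint[dst] = _propagate(taint.get(src, []), dst, cleared)
        elif op == "sink":                      # ("sink", kind, arg)
            _, kind, arg = ins
            if kind not in SINKS:               # e.g. "sql_param": a bound parameter is not a sink
                continue
            for t in taint.get(arg, []):
                if kind not in t.neutralized:
                    flaws.append({"flaw": SINKS[kind], "source": t.source,
                                  "sink": f"{kind}@{idx}", "path": list(t.path)})
        else:
            raise ValueError(f"unknown op {op!r}")
    return flaws


# Constructed sample programs. Names that are never assigned (e.g. "prefix")
# stand for string literals and carry no taint.
VULNERABLE = [
    ("source", "uid", "http_param"),
    ("assign", "u", "uid"),
    ("concat", "q", "prefix", "u"),           # "SELECT ... WHERE id=" + u
    ("sink", "sql_exec", "q"),
]
ESCAPED = [                                    # sanitizer matches the sink
    ("source", "uid", "http_param"),
    ("sanitize", "u", "uid", "sql_escape"),
    ("concat", "q", "prefix", "u"),
    ("sink", "sql_exec", "q"),
]
PARAMETERIZED = [                              # value bound as a parameter, never concatenated
    ("source", "uid", "http_param"),
    ("sink", "sql_param", "uid"),
]
WRONG_SANITIZER = [                            # shell quoting does not neutralize a SQL sink
    ("source", "uid", "http_param"),
    ("sanitize", "u", "uid", "shell_quote"),
    ("concat", "q", "prefix", "u"),
    ("sink", "sql_exec", "q"),
]

if __name__ == "__main__":
    for name, prog in [("VULNERABLE", VULNERABLE), ("ESCAPED", ESCAPED),
                       ("PARAMETERIZED", PARAMETERIZED), ("WRONG_SANITIZER", WRONG_SANITIZER)]:
        print(name, analyze(prog))
```

The reported path (`uid`, `u`, `q`) is the same kind of evidence a real finding carries: the source instruction, the sink instruction and the variables in between, which is what a developer needs to decide where to put the fix. The WRONG_SANITIZER program is the case that trips up naive scanners: a sanitizer was applied, but for the wrong sink, so the flaw is still real.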
Binary SAST Delivers Deep Visibility
Our binary SAST technology makes it faster than ever to find and fix vulnerabilities in your applications. It delivers detailed information that:
Is accurate: Static binary analysis examines applications the same way attackers look at them, by creating a detailed model of the application’s data and control flows. Unlike legacy source code scanners, this approach detects hidden threats such as backdoors that are hard to spot because they are not visible in the source code (for example, when they live in third-party binaries or were introduced during the build).
Into the deep end of things
Is actionable: Prioritized results can be accessed via standard bug tracking systems such as JIRA or Bugzilla, or viewed through our web interface. Flaw details and remediation advice are provided automatically to aid rapid mitigation or remediation.
Minimizes false positives: Legacy scanning tools have a reputation for generating a high volume of findings, which lowers productivity because of the time required to weed out the false positives. Our centralized platform is backed by world-class security experts and keeps learning with every new application it scans, reducing false positives so you can start remediating faster.
What is SCA?
Highlights of SCA
SCA uses a proprietary database of 3 million vulnerabilities collated with machine learning. This means it can flag issues before they have been assigned CVE identifiers, so you are among the first to know about newly disclosed issues.
SCA performs dependency analysis and reports vulnerabilities not only in the components your software uses directly, but also in the transitive dependencies those components pull in.
SCA uses vulnerable-method analysis to show which vulnerabilities lie in library code your application actually calls, rather than everything ever reported against the library. That lets you prioritise the reachable findings first, which greatly speeds up remediation.
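The two points above, transitive dependencies and vulnerable-method reachability, as one added example that is not Veracode’s SCA engine or any code from this page: the dependency graph, the advisory records (their identifiers are made up for the illustration, not real CVEs) and the application call graph are constructed, and the report combines a breadth-first walk of the dependency tree with a breadth-first walk of the call graph so that each vulnerable component carries both how it got into the build and whether its vulnerable method is actually reachable from an entry point.

```python
"""Transitive dependency analysis plus vulnerable-method reachability.

Added example, not Veracode's SCA engine: the dependency graph, the advisory
records and the application call graph below are constructed."""
from collections import deque
from typing import Dict, List

# Constructed dependency graph: component -> components it declares.
DEPENDENCIES: Dict[str, List[str]] = {
    "app": ["web-framework:2.1", "json-lib:1.4"],
    "web-framework:2.1": ["http-parser:0.9", "logging:3.0"],
    "logging:3.0": ["json-lib:1.4"],
    "http-parser:0.9": [],
    "json-lib:1.4": [],
}

# Constructed vulnerability records: component -> advisory (made-up id) and the
# library methods the advisory says are affected (the "vulnerable methods").
VULNERABILITIES = {
    "http-parser:0.9": {"advisory": "EXAMPLE-2021-0001",
                        "methods": ["http-parser.Chunked.decode"]},
    "json-lib:1.4": {"advisory": "EXAMPLE-2021-0002",
                     "methods": ["json-lib.Parser.parseUntyped"]},
}

# Constructed call graph across the application and its libraries: caller -> callees.
CALL_GRAPH: Dict[str, List[str]] = {
    "app.Handler.upload": ["web-framework.Request.body"],
    "web-framework.Request.body": ["http-parser.Chunked.decode"],
    "app.Handler.status": ["json-lib.Parser.parseTyped"],
}
ENTRY_POINTS = ["app.Handler.upload", "app.Handler.status"]


def shortest_paths(graph, roots):
    """Breadth-first search from roots; returns node -> shortest path reaching it."""
    paths = {r: [r] for r in roots}
    queue = deque(roots)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def sca_report(root="app", entry_points=ENTRY_POINTS):
    """One record per vulnerable component in the build, reachable ones first."""
    dep_paths = shortest_paths(DEPENDENCIES, [root])        # everything in the build
    call_paths = shortest_paths(CALL_GRAPH, entry_points)   # everything actually called
    report = []
    for component, dep_path in dep_paths.items():
        vuln = VULNERABILITIES.get(component)
        if vuln is None:
            continue
        hit = next((m for m in vuln["methods"] if m in call_paths), None)
        report.append({
            "component": component,
            "advisory": vuln["advisory"],
            "dependency_path": dep_path,            # how the component got into the build
            "transitive": len(dep_path) > 2,        # not declared by the application itself
            "reachable": hit is not None,           # vulnerable method on some call path
            "call_path": call_paths.get(hit),       # the call path, when there is one
        })
    return sorted(report, key=lambda r: (not r["reachable"], r["component"]))


if __name__ == "__main__":
    for rec in sca_report():
        print(rec)
```

In the constructed data the `http-parser` flaw is transitive (it arrives through the web framework) yet reachable from the upload handler, so it goes to the top of the list; the `json-lib` flaw is a direct dependency but its vulnerable method is never called, so it is reported with lower priority. Treat "not reachable" as a prioritisation signal, not a permanent waiver: reflection, dynamic dispatch and future code changes can create call paths the static call graph does not show, so the cheap fix (upgrading the library) is still worth scheduling.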
Reducing License Risk To Your Business
Many open source libraries carry licenses that, when the library is used for commercial purposes, can expose your organization to costs running into millions. Veracode’s SCA product provides more than vulnerability findings: it also points out when your company is taking on license risk. It tells you which licenses your application is exposed to, so you can take the proper steps to address them before going into production.
Struts – just as an example
68% of Java applications using the Struts2 library were still using a version vulnerable to the Struts-Shock attack in the weeks following the initial breach. [Source: Veracode State of Software Security Report]
Continuously monitor your applications for new vulnerabilities in open source libraries without rescanning.
Get an overview of your entire application portfolio’s security landscape, not just a single application.
Measure all of the vulnerabilities found by different testing methodologies against a single policy, including SCA, static analysis, dynamic analysis and penetration testing.
Several industry regulations, standards and security frameworks require that you find and patch known vulnerabilities in your applications, including PCI DSS, the OWASP Top 10, FS-ISAC guidance, NIST and HITRUST.
Quickly onboard and scale security training to minimize enterprise risk and meet governance and compliance requirements
Veracode’s course-based eLearning empowers software developers, testers and security leads to develop secure applications from inception to deployment, providing the critical skills they need to identify and address potential vulnerabilities.
By using Veracode’s turnkey eLearning program customers can quickly onboard all employees, including geographically diverse development teams, with the security knowledge needed to prevent a potential breach and meet compliance requirements.
Achieve a higher level of application security awareness and proficiency among your developers with comprehensive web-based training delivered via our cloud-based platform.
Our scalable, cost-effective approach can easily be deployed across global organizations with minimal overhead. Best of all, you won’t need additional hardware, software, travel or on-site training expenses to roll out our turnkey program across your enterprise.
Veracode’s eLearning courses, offered through our cloud-based platform, enable customers to get started quickly and to scale easily across multiple geographies and development teams. Unlike many security training offerings in the market, Veracode focuses purely on security awareness and application security training.
Security Training Courses are written for developers by developers, and draw upon years of experience with application security. Veracode’s content addresses important security concerns, such as the OWASP Top 10 and PCI requirements, and provides deep expertise in secure coding for multiple languages (e.g., Java, .NET, C/C++) and architectures (e.g., Mobile, Web and Client/Server). Veracode courses also cover proactive techniques, such as Threat Modeling and Secure Architecture, that can be applied in the early stages of the software development lifecycle to minimize the number of security defects in the code.
IDE integration is IDE Scan
...but what is IDE Scan?
The majority of the scans done with Veracode IDE Scan complete in seconds (mileage may vary by programming language). This means you are getting feedback before you get too far, that’s the speed of DevSecOps. Veracode IDE Scan scans files, classes, or small packages and delivers those results back to your IDE in seconds. It’s a personal security coach while you code, pointing out security flaws right away so you can fix them immediately.
This isn’t just about your code, this is about you! Our aim with Veracode IDE Scan is to help developers around the world, such as yourself, build better and more secure code. Every day you are building the applications that are powering our entire world, and we want to make sure we are giving you the tools to be successful today and tomorrow.
No “Scan & Scold” – fix your flaw before you even commit your code
Better remediation advice with code examples
Positive feedback when best practices are followed
In line education, learning as you code
Become a better developer – build your career around it
You work best when security tools don’t get in your way, which is why Veracode IDE Scan integrates with Eclipse, IntelliJ, and Visual Studio. Before checking in your code, you will have already scanned the file you’re working on, reviewed any security flaws, triaged the results, and fixed them on the spot.
We have the integrations
Integrating has a twofold meaning – we integrate into your process and we integrate into your tools.
Ticketing And Bug Tracking Tools
Security findings are best addressed by fixing the source of the problem, in the code. But the prevailing approaches—spending all day creating bug tickets by hand, or doing a one-time import into a defect tracker only to have to update the bugs by hand afterwards—are a pain and don’t scale. Veracode’s defect tracking integrations with JIRA (including JIRA Data Center and JIRA Cloud), Visual Studio Team Services/TFS, and HP ALM not only create defect tickets but they also automatically update or close them when the code is retested.
CA Agile Central
Microsoft Team Foundation Server
HPE Application Lifecycle Management
Make sure you catch security issues before they get further downstream by integrating Veracode into your Jenkins, Visual Studio Team Services or Team Foundation Server build or release pipelines. You can test in the pipeline or in parallel and can even stop the pipeline if security issues that violate your policy are found. Not ready for CI yet? You can use us in your Maven build too.
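The "stop the pipeline if security issues violate your policy" step, as an added example that is not Veracode’s Jenkins or Azure DevOps integration and not code from this page: the findings list, the field names, the policy shape and the reference dates are constructed for the illustration. The gate skips fixed findings and findings whose mitigation has been accepted, fails immediately on high severities and on a blocklist of CWE classes, and gives lower severities a grace period, then exits non-zero, which is what makes a pipeline stage fail.

```python
"""Policy gate of the kind a pipeline step would run after a scan.

Added example, not Veracode's plugin or report format: the findings, the
policy shape, the rules and the dates are constructed. The step exits non-zero
when an open, unmitigated finding violates policy, which stops the pipeline."""
import sys
from datetime import date

# Constructed findings as a scan might return them (field names are hypothetical).
# Severity uses a 5 (Very High) .. 1 (Very Low) scale.
FINDINGS = [
    {"id": 1, "severity": 5, "cwe": 89,  "status": "open",  "first_seen": date(2021, 1, 4),  "mitigation": None},
    {"id": 2, "severity": 4, "cwe": 79,  "status": "open",  "first_seen": date(2021, 2, 10), "mitigation": "accepted"},
    {"id": 3, "severity": 3, "cwe": 311, "status": "open",  "first_seen": date(2021, 3, 1),  "mitigation": None},
    {"id": 4, "severity": 5, "cwe": 78,  "status": "fixed", "first_seen": date(2020, 12, 1), "mitigation": None},
]

# Constructed policy.
POLICY = {
    "block_severity_at_least": 4,   # High and Very High fail the build immediately
    "block_cwes": {78, 89},         # injection classes fail at any severity
    "grace_days": {3: 30, 2: 90},   # lower severities may stay open this long
}

# Constructed reference dates for the worked run.
AS_OF = date(2021, 3, 15)   # finding 3 is 14 days old: inside its grace period
LATER = date(2021, 4, 15)   # finding 3 is 45 days old: grace period exceeded


def violations(findings, policy, today):
    """Return (finding id, reason) for every finding that breaks the policy."""
    out = []
    for f in findings:
        if f["status"] != "open" or f["mitigation"] == "accepted":
            continue                      # fixed, or mitigation approved by security
        age = (today - f["first_seen"]).days
        if f["severity"] >= policy["block_severity_at_least"]:
            out.append((f["id"], f"severity {f['severity']} open"))
        elif f["cwe"] in policy["block_cwes"]:
            out.append((f["id"], f"CWE-{f['cwe']} is never allowed"))
        else:
            grace = policy["grace_days"].get(f["severity"])
            if grace is not None and age > grace:
                out.append((f["id"], f"severity {f['severity']} open {age} days, grace is {grace}"))
    return out


def gate(findings, policy, today=None):
    """Exit status for the pipeline step: 0 passes, 1 blocks."""
    today = today or date.today()
    found = violations(findings, policy, today)
    for fid, reason in found:
        print(f"policy violation: finding {fid}: {reason}")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(gate(FINDINGS, POLICY))
```

Run as a pipeline step, a non-zero exit from `gate` is what fails the stage. The accepted-mitigation exclusion is deliberate: it keeps security’s risk decisions in one place (the mitigation approval) instead of letting every team silence the gate, and the grace period is what makes it practical to turn the gate on for an existing code base without blocking every build on day one.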
Static Analysis Tools for C/C++, Java, C#, .NET and More
Veracode offers the industry’s most comprehensive automated static analysis, making application development faster and more reliable. Veracode assesses binary code (compiled or bytecode), allowing enterprises to scan 100 percent of an application even when source code is not available for practical or proprietary reasons. Veracode is built on the software-as-a-service model, allowing organizations to access and scale security testing without capital expense. There is no vulnerability assessment software or hardware to purchase and no security personnel to train. Developers upload their compiled artifacts through an online platform, and results are returned quickly. Veracode’s automated format greatly reduces the effort and resources needed to perform static analysis, while greatly increasing the accuracy of assessment results.
And now for the “more” part... (Q1/2021)
Java SE, Java EE, JSP
JDK and OpenJDK 1.3-1.9 and 10-15, IBM JDK 1.7-1.8, WebLogic 12.x
Frameworks supported for additional visibility
Adobe Experience Manager, Apache Axiom, Apache Axis, Apache Axis2, Apache Commons, Apache CXF, Apache Jersey, Apache Oro, Apache Velocity, Apache Xerces, Apache XMLBeans, AWS SDK for Java, Google App Engine, Google Web Toolkit (GWT), Hibernate, Java Portlets, Java Servlets, JAX-RS, JAX-WS, JAXB, JDBC, JDOM, JSF, JSTL, Liferay, Play, Spring Boot, Spring Core, Spring Data Access, Spring MVC, Spring Security, Struts, Tiles
.NET Languages and Technologies
C#, VB.NET, C++/CLI
.NET Framework 2.0, 3.0, 3.5, 4.0, 4.5-4.8; .NET 5.0; .NET Core 3.1 and earlier; .NET Standard 2.0-2.1; .NET Portable Class Library
ADO.NET, ASP.NET, ASP.NET Core, ASP.NET Core MVC, ASP.NET MVC, ASP.NET Web API, Autofac, Dapper, Entity Framework, Log4Net, LINQ, Microsoft Enterprise Library, .NET Compact Framework, .NET Micro Framework, .NET Remoting, Newtonsoft Json.NET, NHibernate, NLog, Npgsql, Oracle Data Provider for .NET (ODP.NET), Serilog, SharePoint 2010-2013, Telerik, Universal Windows Platform, Unity Container, Windows Communication Foundation (WCF), WCF Rich Internet Application (RIA) Services, Windows Identity Foundation, Windows Phone
Android (AWS Mobile SDK for Android, Parse Android SDK)
iOS 5-12 (Objective-C, C, C++)
Kotlin (as APK)
Xamarin (Forms, Android, iOS, Mac)
C/C++ on Linux and Solaris: Solaris (SPARC) 2.7-2.10, Solaris (SPARC64), Red Hat Enterprise Linux (x86 and x86-64), Fedora (x86 and x86-64), CentOS (x86 and x86-64), openSUSE (x86 and x86-64)
Visual C++ 7.0 – in Visual Studio .NET 2002, Visual C++ 7.1 – in Visual Studio .NET 2003, Visual C++ 8.0 – in Visual Studio 2005, Visual C++ 9.0 – in Visual Studio 2008, Visual C++ 10.0 – in Visual Studio 2010, Visual C++ 11.0 – in Visual Studio 2012, Visual C++ 12.0 – in Visual Studio 2013, Visual C++ 14.0 – in Visual Studio 2015, Visual C++ 14.1 – in Visual Studio 2017, Visual C++ 14.2.x for Visual Studio 2019
COBOL: Enterprise COBOL for z/OS, IBM ILE COBOL, Micro Focus COBOL (Net Express), AcuCOBOL-GT, COBOL-85, SCOBOL, COBOL-2002, HP COBOL Tandem, COBOL/400, COBOL for OS/390, COBOL for OS/370, COBOL for MVS, OS/VS COBOL, VS COBOL II
Veracode’s remediation coaching and developer support services deliver a combination of expertise and best practices matched to your specific needs to help you build an effective enterprise application security program. The right combination of people, process and technology must be properly aligned to help developers efficiently incorporate secure coding skills and practices into their existing development processes. Discovering vulnerabilities in your internal, commercial, cloud or mobile applications is only the first step on the path to application risk management. Effective and ongoing remediation, mitigation and coaching activities must be carried out to limit the business risks posed by your software infrastructure.
Veracode Application Security Support Services packages offer a unique combination of security coaching and traditional technical and customer support functions. The support packages are designed to meet the needs of the multiple constituents that will inevitably form part of a mature organization-wide application security program. Be it developers who need detailed guidance on code changes to remediate or mitigate vulnerabilities, or third-party vendors that need advice on closing the gap with the enterprise security policy—these needs are addressed by the flexible design and value-add services included in these packages.
Similar to last year, we looked at the entire history of active applications, not just the activity associated with the application over one year. By doing so, we can view the full life cycle of applications, which results in more accurate metrics and observations.
Developers are, in effect, the only people in any organization who can fix vulnerabilities hidden in their applications. Veracode Security Labs helps meet the requirements of security standards while providing a meaningful way for the entire development team to learn more.