  • SAST - Static Application Security Testing
  • SCA - Software Composition Analysis
  • SDLC Integration

VERACODE delivers the application security solutions

Veracode’s unified platform assesses and improves the security of applications from inception through production so that businesses can confidently innovate with the web and mobile applications they build, buy and assemble as well as the components they integrate into their environments.

MINT SECURITY implements, complements and supplements

Mint Security integrates, coordinates and innovates your secure software development lifecycle. By adding Veracode tools to the mix, we deliver a holistic and elegant solution for both your development and management teams.

Contact us for a quick demo – even over Skype. We scan your code – for free – and show you real-life findings. After successfully showing actual value, we run a PoC where you can get your hands dirty. We can even do integrations during the PoC.

By Experts – For Experts

CA Veracode was founded by experts from leading application security companies to help organizations achieve code security more effectively and cost-efficiently. By delivering static analysis as a service, instead of an on-premises product, CA Veracode’s solution enables companies to forgo capital expenditure in vulnerability assessment software and hardware. Because CA Veracode is automated and easy to use, companies no longer need to hire security assessment experts or consultants. Because CA Veracode’s static analysis assesses compiled applications instead of source code – CA Veracode can test 100 percent of an application, offering comprehensive coverage and greater application security.

With its powerful combination of automation, process and speed, CA Veracode seamlessly integrates application security into the software lifecycle, effectively eliminating vulnerabilities during the lowest-cost point in the development/deployment chain, and blocking threats while in production. This comprehensive solution is managed through one centralized platform and stems from a powerful combination of best-in-class technology and top-notch security experts who offer remediation coaching and guidance on processes.

For developers

CA Veracode makes writing secure code just one more aspect of writing great code. With our designed-for-developer tools, API and workflow integrations, and tips for fixing vulnerabilities when they are found, you can make security a seamless part of your development lifecycle without sacrificing speed or innovation.

For Security Professionals

With CA Veracode, application security can meet the needs of developers while still satisfying reporting and assurance requirements for the business. CA Veracode’s ability to provide the right solutions for each stage of the software lifecycle ensures the applications that companies build and buy — and the third party components they use — are secure.

For Executives

CA Veracode delivers the application security solutions and services today’s software-driven world requires so that innovation and security can go hand-in-hand. CA Veracode customers ramp up quickly, see value on day one, demonstrate compliance with regulations, and easily scale over time.

For Operations

CA Veracode provides solutions that ensure the security of an application all the way through deployment. Operations teams can get better insight about attacks on production applications – and protect against compromise – without impacting performance. And when new vulnerabilities are discovered in open source components already in use they can quickly find and remediate those risks.

What is SAST?

Static analysis is one of the many code review tools that can be implemented without actually executing, or running, the software. Static analysis tools look at applications in a non-runtime environment. This method of testing has distinct advantages in that it can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software’s inputs and outputs that cannot be seen through dynamic web scanning alone. In the past, this technique required source code, which is not only impractical, as source code often is unavailable, but also insufficient. The CA Veracode static analysis service assesses binary code (also called “compiled” or “byte” code) instead of source code, which enables enterprises to test software more effectively and comprehensively, providing greater security for the organization.

More details

Patented technology

Unique in the industry, our patented binary static application security testing (SAST) technology analyzes all code — including third-party components and libraries — without requiring access to source code. SAST supplements threat modeling and code reviews performed by developers, finding coding errors and omissions more quickly and at lower cost via automation. Our technology is typically run in the early phases of the Software Development Lifecycle because it’s easier and less expensive to fix problems before going into production deployment.

The hunt for vulnerabilities

Our SAST technology identifies critical vulnerabilities such as SQL injection, cross-site scripting (XSS), buffer overflows, unhandled error conditions and potential back-doors. It classifies and prioritizes the vulnerabilities using standard NIST severity levels. Actionable information is delivered to help developers address them quickly, including detailed remediation information.

How Binary SAST Works

Binary SAST analyzes binary code to create a detailed model of the application’s data and control paths. The model is then searched for all paths through the application that represent a potential weakness. For example, if a data path through the application originates from an HTTP Request and flows through the application without validation or sanitization to reach a database query, then this would represent a SQL Injection flaw.
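The search described above, as an added illustration that is not Veracode's code: a constructed data-flow model of one hypothetical request handler is searched for paths from an HTTP parameter to a database query that never pass through a sanitizer. The node labels, the `sanitize()` routine and the graph itself are assumptions made for the example.

```python
# Added illustration, not Veracode's code: a toy data-flow model searched for
# request-to-query paths that avoid every sanitizer, the reasoning a binary
# SAST engine applies to the model it builds from compiled code.
from collections import deque

# Constructed program points of a hypothetical handler; sanitize() is assumed.
SOURCE = "req.getParameter('name')"
TAINTED_VAR = "String name"
RAW_CONCAT = 'sql = "SELECT ... WHERE name=" + name'
SANITIZER = "sanitize(name)"
SAFE_CONCAT = 'safeSql = "SELECT ... WHERE name=" + clean'
SINK_RAW = "stmt.executeQuery(sql)"
SINK_SAFE = "stmt.executeQuery(safeSql)"

# Constructed data-flow graph: each key is a program point, its list holds
# the points its value flows into.
DATA_FLOW = {
    SOURCE: [TAINTED_VAR],
    TAINTED_VAR: [RAW_CONCAT, SANITIZER],
    RAW_CONCAT: [SINK_RAW],
    SANITIZER: [SAFE_CONCAT],
    SAFE_CONCAT: [SINK_SAFE],
}
SOURCES = {SOURCE}
SANITIZERS = {SANITIZER}
SINKS = {SINK_RAW, SINK_SAFE}


def unsanitized_paths(graph, sources, sanitizers, sinks):
    """Breadth-first search for source->sink paths that avoid every sanitizer."""
    findings = []
    queue = deque([[src] for src in sorted(sources)])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in sanitizers:
            continue               # value was neutralised; this branch is safe
        if node in sinks:
            findings.append(path)  # tainted data reached a query unfiltered
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:    # guard against cycles (loops in the model)
                queue.append(path + [nxt])
    return findings


def sql_injection_report(graph, sources, sanitizers, sinks):
    """One human-readable finding per unsanitized path."""
    return ["SQL Injection: " + " -> ".join(p)
            for p in unsanitized_paths(graph, sources, sanitizers, sinks)]


if __name__ == "__main__":
    for line in sql_injection_report(DATA_FLOW, SOURCES, SANITIZERS, SINKS):
        print(line)
```

Passing an empty sanitizer set reports both query paths, which shows why the engine must recognise validation routines in the model.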

Binary SAST Delivers Deep Visibility

Our binary SAST technology makes it faster than ever to find and fix vulnerabilities in your applications. It delivers detailed information that:

  • Is accurate: Static binary analysis examines applications the same way attackers look at them: by creating a detailed model of the application’s data and control flows. Unlike legacy source code scanners, this approach accurately detects hidden threats such as backdoors that are difficult to detect because they’re not visible in source code.

Into the deep end of things

  • Is actionable: Prioritized results can be accessed via standard bug tracking systems such as JIRA or Bugzilla or viewed through our web interface. Flaw details and remediation advice are automatically provided to aid in rapid mitigation or remediation.
  • Minimizes false positives: Legacy scanning tools have a reputation for generating a high volume of vulnerabilities, which lowers productivity because of the time required to identify false positives. Our centralized platform is backed by world-class security experts and continuously learns with every new application it scans, reducing false positives so you can start remediating faster.

What is SCA?

CA Veracode SCA protects your Java, JavaScript, and .NET applications from open source risk by identifying known vulnerabilities in open source libraries used by your applications. View our broader language coverage. In addition to providing a list of vulnerabilities when your application is scanned, CA Veracode SCA can also alert you when new vulnerabilities are discovered after your application has been scanned or when existing known vulnerabilities have had their severity level upgraded. Integrated with Jenkins for your build pipeline, you can fail your build based on vulnerabilities discovered as well as any components that your security team has blacklisted. As part of the CA Veracode Platform, CA Veracode SCA provides a unified experience to display all of your security testing results in one place. Additionally, the platform provides unified management of users, policies, mitigations, and integrations.
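The build gate described above, as an added example that is not Veracode's code: a constructed dependency inventory is checked against a constructed vulnerability feed and a blacklist, and a second feed snapshot is compared to flag findings whose severity was upgraded since the last scan. Component names, versions, finding ids and the severity scale are assumptions made for the example.

```python
# Added example, not Veracode's code: a build gate that fails on open source
# findings above a policy threshold and on blacklisted components, plus the
# "severity upgraded since last scan" check. All names below are constructed.

SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}


def parse_version(text):
    """'2.3.30' -> (2, 3, 30) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


# Constructed inventory of an application's direct dependencies
DEPENDENCIES = {
    "example-web-framework": "2.3.30",
    "example-json": "1.9.0",
    "example-io": "2.6.0",
}

# Constructed vulnerability feed: component, first fixed version, severity
SCAN_FEED = [
    {"id": "VULN-EX-1", "component": "example-web-framework",
     "fixed_in": "2.3.32", "severity": "Very High"},
    {"id": "VULN-EX-2", "component": "example-io",
     "fixed_in": "2.7.0", "severity": "Low"},
    {"id": "VULN-EX-3", "component": "example-json",
     "fixed_in": "1.8.5", "severity": "High"},
]

# The same feed some weeks later: VULN-EX-2 has been re-rated from Low to High
LATER_FEED = [dict(v, severity="High") if v["id"] == "VULN-EX-2" else v
              for v in SCAN_FEED]

# Components the (hypothetical) security team has blacklisted outright
BLACKLIST = {"example-json"}


def affected_findings(deps, feed):
    """Findings whose component is present at a version below the first fix."""
    hits = []
    for vuln in feed:
        version = deps.get(vuln["component"])
        if version is not None and \
                parse_version(version) < parse_version(vuln["fixed_in"]):
            hits.append(vuln)
    return hits


def evaluate_policy(deps, feed, blacklist, fail_at="High"):
    """Return {'pass': bool, 'reasons': [...]}; the pipeline stops on pass=False."""
    reasons = []
    for vuln in affected_findings(deps, feed):
        if SEVERITY[vuln["severity"]] >= SEVERITY[fail_at]:
            reasons.append(f"{vuln['id']} ({vuln['severity']}) in "
                           f"{vuln['component']} {deps[vuln['component']]}")
    for comp in sorted(blacklist & set(deps)):
        reasons.append(f"blacklisted component {comp} {deps[comp]}")
    return {"pass": not reasons, "reasons": reasons}


def severity_upgrades(deps, old_feed, new_feed):
    """Ids of findings affecting this app whose severity rose between two feeds."""
    old = {v["id"]: v["severity"] for v in affected_findings(deps, old_feed)}
    return [v["id"] for v in affected_findings(deps, new_feed)
            if v["id"] in old and SEVERITY[v["severity"]] > SEVERITY[old[v["id"]]]]
```

Note that `example-json` at 1.9.0 is not reported for VULN-EX-3 (fixed in 1.8.5) but still fails the gate because it is blacklisted.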

Reducing License Risk To Your Business

Many open source libraries have licenses that, when used in commercial purposes, can cost your organization millions of dollars. CA Veracode provides more than just vulnerability findings in our SCA product, we can also point out when your company is taking on license risk. Our SCA solution tells you which licenses you are exposing your application to, so you can take the proper steps to address them before going into production.

Struts – just as an example

68% of Java applications using the Struts2 library were still using a version vulnerable to Struts-Shock attack in the weeks following the initial breach. [Source: CA Veracode State of Software Security Report]

  • Continuously monitor your applications for new vulnerabilities in open source libraries without rescanning.
  • Get an overview of your entire application portfolio’s security landscape, not just a single application.
  • Measure all of the vulnerabilities found by different testing methodologies against a single policy, including SCA, static analysis, dynamic analysis and penetration testing.

Best practices

Several industry regulations and security frameworks require that you find and patch known vulnerabilities in your applications, including PCI DSS, OWASP Top 10, FS-ISAC, NIST, and HITRUST.

Quickly onboard and scale security training to minimize enterprise risk and meet governance and compliance requirements

Veracode’s course-based eLearning empowers software developers, testers and security leads to develop secure applications from inception to deployment, providing the critical skills they need to identify and address potential vulnerabilities.

By using Veracode’s turnkey eLearning program customers can quickly onboard all employees, including geographically diverse development teams, with the security knowledge needed to prevent a potential breach and meet compliance requirements.

Achieve a higher level of application security awareness and proficiency among your developers with comprehensive web-based training delivered via our cloud-based platform.

Our scalable, cost-effective approach can easily be deployed across global organizations with minimal overhead. Best of all, you won’t need additional hardware, software, travel or on-site training expenses to roll out our turnkey program across your enterprise.

Details

Veracode’s eLearning courses, offered through our cloud-based platform, enable customers to get started quickly and to scale easily across multiple geographies and development teams. Unlike many security training offerings in the market, Veracode focuses purely on security awareness and application security training.

Security Training Courses are written for developers by developers, and draw upon years of experience with application security. Veracode’s content addresses important security concerns, such as OWASP Top 10 and PCI requirements, and provides deep expertise in secure coding for multiple languages (e.g., Java, .Net, C\C++) and architectures (e.g., Mobile, Web and Client\Server). Veracode courses also provide proactive techniques, such as Threat Modeling and Secure Architecture, that can be used in the early stages of the software development lifecycle, minimizing the number of security defects in the code.

IDE integration is Greenlight

CA Veracode gives you the ability to scan your code, right in your favorite IDE, while you are coding. Whether you are coding in Java, JavaScript, C#, or VB.NET, CA Veracode Greenlight has you covered. You’ll receive positive feedback when you are correctly using secure coding practices, as well as instant insight into any security flaws that are discovered.

..but what is Greenlight?

The majority of the scans done with CA Veracode Greenlight complete in seconds (mileage may vary by programming language). This means you are getting feedback before you get too far; that’s the speed of DevSecOps. CA Veracode Greenlight scans files, classes, or small packages and delivers those results back to your IDE in seconds. It’s a personal security coach while you code, pointing out security flaws right away so you can fix them immediately.

This isn’t just about your code, this is about you! Our aim with CA Veracode Greenlight is to help developers around the world, such as yourself, build better and more secure code. Every day you are building the applications that are powering our entire world, and we want to make sure we are giving you the tools to be successful today and tomorrow.

  • No “Scan & Scold” – fix your flaw before you even commit your code
  • Better remediation advice with code examples
  • Positive feedback when best practices are followed
  • In line education, learning as you code
  • Become a better developer – build your career around it

Supported platforms

You work best when security tools don’t get in your way, which is why CA Veracode Greenlight integrates with Eclipse, IntelliJ, and Visual Studio. Before checking in your code, you will have already scanned the file you’re working on, reviewed any security flaws, triaged the results, and fixed them on the spot.

We have the integrations

Integrating has a twofold meaning – we integrate into your process and we integrate into your tools.

Ticketing And Bug Tracking Tools

Security findings are best addressed by fixing the source of the problem, in the code. But the prevailing approaches—spending all day creating bug tickets by hand, or doing a one-time import into a defect tracker only to have to update the bugs by hand afterwards—are a pain and don’t scale. CA Veracode’s defect tracking integrations with JIRA (including JIRA Data Center and JIRA Cloud), Visual Studio Team Services/TFS, and HP ALM not only create defect tickets but they also automatically update or close them when the code is retested.

  • CA Agile Central
  • Atlassian JIRA
  • Microsoft Team Foundation Server
  • Bugzilla
  • HPE Application Lifecycle Management

Build Systems

Make sure you catch security issues before they get further downstream by integrating CA Veracode into your Jenkins, Visual Studio Team Services or Team Foundation Server build or release pipelines. You can test in the pipeline or in parallel and can even stop the pipeline if security issues that violate your policy are found. Not ready for CI yet? You can use us in your Maven build too.

  • Jenkins
  • Microsoft Team Foundation Server
  • Microsoft Visual Studio Team Services
  • Atlassian Bamboo
  • Apache Ant
  • Apache Maven
  • CA Continuous Delivery Director
  • JetBrains TeamCity

Integrate much?

Yes. We integrate much. For more integrations, please visit: https://www.veracode.com/products/core-platform-and-architecture/apis-and-plugins

Static Analysis Tools for C/C++, Java, C#, .NET and More

CA Veracode offers the industry’s most comprehensive automated static analysis, making application development faster and more reliable. CA Veracode assesses binary code – compiled or “byte” code – allowing enterprises to scan 100 percent of an application, even when source code is not available for practical or proprietary considerations. CA Veracode is built on the software-as-a-service model, allowing organizations to access and scale security testing without the need for capital expense or investment. There is no vulnerability assessment software or hardware to purchase and no security personnel to train. Developers submit code through an online platform, and results are returned quickly. CA Veracode’s automated format greatly reduces the amount of effort and resources needed to perform static analysis, while greatly increasing the accuracy of assessment results.

And now for the “more” part.. (Q3/2018)

Java

  • Java SE, Java EE, JSP
    • JDK 1.3-1.8, WebLogic 12.x, OpenJDK 1.3-1.8, IBM JDK 1.7-1.8
  • Frameworks supported for additional visibility
    • Apache Axiom, Apache Axis, Apache Axis2, Apache Commons, Apache CXF, Apache Jersey, Apache Oro, Apache Velocity, Apache Xerces, Apache XMLBeans, Google App Engine, Google Web Toolkit (GWT), Hibernate, Java Portlets, Java Servlets,
      JAX-RS, JAX-WS, JAXB, JDBC, JDOM, JSF, JSTL, Liferay, Play, Servlets, Spring Boot, Spring Core, Spring MVC, Spring Security, Struts, Tiles

.NET Languages and Technologies

  • C#, VB.NET, C++/CLI
    • .NET/Windows, .NET Core, .NET Portable Class Library, .NET 1.0, 1.1, 2.0, 3.0, 3.5, 4.0, 4.5, 4.6, 4.7, Core 1.0, 1.1, 2.0 (C# only)
    • Visual Studio .NET (2002), 2003, 2005, 2008, 2010, 2012, 2013, 2015, 2017 Mono 4.x
    • Visual Basic 6
  • Frameworks supported for additional visibility
    • ADO.NET, ASP.NET, ASP.NET Core, ASP.NET Core MVC, ASP.NET MVC, ASP.NET Web API, Entity, Log4Net, LINQ, Microsoft Enterprise Library, .NET Compact Framework, .NET Micro Framework, .NET Remoting, Newtonsoft Json.NET,
      NHibernate, Npgsql, Oracle Data Provider for .NET (ODP.NET), SharePoint 2010-2013, Silverlight 1-5, Telerik, Web UI for ASP.NET, Universal Windows Platform, Unity Container, Windows Communication Foundation (WCF), Rich Internet Application (RIA) services, Windows Communication Foundation, Windows Identity Foundation, Windows Phone, Windows Phone Silverlight

JavaScript Libraries and Technologies

Veracode supports analyzing many client- and server-side JavaScript and TypeScript applications, including those that use HTML5 APIs, ECMAScript 2015, ECMAScript 2016, ECMAScript 2017, ECMAScript 2018, and JSX. Veracode also supports the following technologies:

  • Angular.js, Backbone.js, Bootstrap, Cheerio.js, Ember.js, jQuery, Koa.js, Node.js, React.js, SAPUI5/OpenUI5, Underscore.js, Vue.js

Mobile platforms

  • Android (AWS Mobile SDK for Android, Parse Android SDK)
  • iOS Objective C/C/C++ (5-12)
  • Kotlin (as APK)
  • Xamarin (Forms, Android, iOS, Mac)
  • JavaScript/PhoneGap (Android, iOS)
  • JavaScript/Titanium (Android)
  • JavaScript/React Native (Android, iOS)

C/C++

  • Solaris (SPARC) 2.7-2.10, Red Hat Enterprise Linux (x86), Fedora (x86), CentOS (x86), openSUSE (x86), Solaris (SPARC64), Red Hat Enterprise Linux (x86-64), Fedora (x86-64), CentOS (x86-64), openSUSE (x86-64)
  • Visual C++ 7.0 – in Visual Studio .NET 2002, Visual C++ 7.1 – in Visual Studio .NET 2003, Visual C++ 8.0 – in Visual Studio 2005, Visual C++ 9.0 – in Visual Studio 2008, Visual C++ 10.0 – in Visual Studio 2010, Visual C++ 11.0 – in Visual Studio 2012, Visual C++ 12.0 – in Visual Studio 2013, Visual C++ 14.0 – in Visual Studio 2015, Visual C++ 14.1 – in Visual Studio 2017

Mainframe

  • Enterprise COBOL for z/OS, IBM ILE COBOL, MicroFocus COBOL (Net Express), AcuCOBOL-GT, COBOL-85, SCOBOL, COBOL-2002, HP COBOL Tandem, COBOL/400, COBOL for OS/390, COBOL for OS/370, COBOL for MVS, OS/VS COBOL, VS COBOL II
  • RPG

..even more

  • PHP5 & Zend
  • Scala (+ Play & Akka)
  • Groovy (+ Grails)
  • Ruby & Ruby on Rails
  • Classic ASP
  • ColdFusion
  • Perl5 (CGI)
  • Python (+ Boto3, Cryptography, Django, Flask, httplib2, Requests, SQLAlchemy)
  • Go

Veracode’s remediation coaching and developer support services deliver a combination of expertise and best practices matched to your specific needs to help you build an effective enterprise application security program. The right combination of people, process and technology must be properly aligned to help developers efficiently incorporate secure coding skills and practices into their existing development processes. Discovering vulnerabilities in your internal, commercial, cloud or mobile applications is simply the first step in your path to application risk management. Effective and on-going remediation, mitigation, and coaching activities must be carried out to limit the business risks posed by your software infrastructure.

Veracode Application Security Support Services packages offer a unique combination of security coaching and traditional technical and customer support functions. The support packages are designed to meet the needs of the multiple constituents that will inevitably form part of a mature organization-wide application security program. Be it developers who need detailed guidance on code changes to remediate or mitigate vulnerabilities, or third-party vendors that need advice on closing the gap with the enterprise security policy—these needs are addressed by the flexible design and value-add services included in these packages.

CA Veracode Verified Overview

Prove your company’s secure software development practices with CA Veracode Verified. Implementing this program helps you make security part of your competitive advantage, easily defend your AppSec budget, and better integrate security with development.

Unlike a single security attestation – we verify the secure development process around an application. With developers releasing applications and new features more frequently, a single point in time snapshot is not good enough. Instead, we focus on continuous AppSec integrated into development – that’s DevSecOps.