Week 11

We are nearing the end of the blog series in which we discussed the importance of secure software development and a number of vulnerabilities that exist today. The task for any organization that wants to take the security of its applications seriously is enormous. In this blog post we take a look at one of the application security platforms that can help an organization achieve its security goals.

Veracode is an application security firm based in Massachusetts. Founded in 2006, it provides an automated, cloud-based service for securing web, mobile and third-party enterprise applications. Veracode helps organizations eliminate vulnerabilities at the lowest-cost point, i.e. during the development phase, and its automated scanning is designed to be integrated tightly into the SDLC. Veracode takes a holistic approach to application security: the cloud platform combines several analysis techniques to identify vulnerabilities in an application and the components it is built from. Some of the offerings include:

Binary Static Analysis (SAST)

Static Application Security Testing (SAST) is a form of white-box testing performed by analyzing an application's data flow and control paths without running it. The resulting model is searched for paths that represent a possible flaw, such as untrusted input reaching an HTML response or a database query without sanitization (cross-site scripting and SQL injection respectively). The advantage of binary analysis is that the organization's source code is never exposed, since the compiled binaries are scanned. It also means Veracode can scan third-party assemblies and libraries for which no source code is available.
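The toy analysis below is an added illustration of the source-to-sink tracing described above; it is not Veracode's code, and it inspects Python source with the standard `ast` module rather than compiled binaries. The source and sink names (`request.args.get`, `cursor.execute`, and so on) and the two sample functions are constructed for this example: one builds a query by string concatenation, the other uses a parameterized query.

```python
"""Toy intra-procedural taint analysis in the spirit of a SAST data-flow scan.
Added example: not Veracode code; it inspects Python source, not binaries."""
import ast

# Assumed (hypothetical) source and sink names for this illustration.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"cursor.execute", "os.system"}


def _dotted_name(node):
    """Dotted name of a call target, e.g. request.args.get -> 'request.args.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_tainted(expr, tainted):
    """True if expr reads a tainted variable or calls a source anywhere inside it."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and _dotted_name(sub.func) in SOURCES:
            return True
    return False


def _statements(body):
    """Yield statements in source order, descending into if/for/while/with bodies."""
    for stmt in body:
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            yield from _statements(getattr(stmt, field, []))


def _expressions(stmt):
    """Direct expression children of a statement (nested statements excluded)."""
    for _, value in ast.iter_fields(stmt):
        if isinstance(value, ast.expr):
            yield value
        elif isinstance(value, list):
            yield from (v for v in value if isinstance(v, ast.expr))


def find_flows(source_code):
    """Return (function, sink, line) triples where tainted data reaches a sink.

    Flow-insensitive and path-insensitive: assignments propagate taint, string
    concatenation and f-strings keep it, and only the first argument of a sink
    (e.g. the SQL text) is inspected, so a parameter tuple is not flagged.
    """
    tree = ast.parse(source_code)
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in _statements(func.body):
            if isinstance(stmt, ast.Assign) and _is_tainted(stmt.value, tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            for expr in _expressions(stmt):
                for call in ast.walk(expr):
                    if (isinstance(call, ast.Call) and _dotted_name(call.func) in SINKS
                            and call.args and _is_tainted(call.args[0], tainted)):
                        findings.append((func.name, _dotted_name(call.func), call.lineno))
    return findings


# Constructed samples: a string-built query beside its parameterized fix.
VULNERABLE = '''
def lookup(cursor, request):
    user = request.args.get("user")
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cursor.execute(query)
'''

SAFE = '''
def lookup(cursor, request):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM users WHERE name = %s", (user,))
'''

if __name__ == "__main__":
    print(find_flows(VULNERABLE))  # one finding, on the execute() line
    print(find_flows(SAFE))        # no findings
```

The analysis reports the `cursor.execute` call in `VULNERABLE` because the query text is built from the tainted `user` variable, and stays silent on `SAFE` because the SQL text is a constant and the user value travels in the parameter tuple, which the driver will escape. A real engine adds inter-procedural tracking, sanitizer recognition and many more source/sink pairs, but the core idea is the same.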

Software Composition Analysis

Open source components are a blessing for most organizations, speeding up development by letting teams use and extend openly available code. However, just like any other code, they are prone to security vulnerabilities, and an organization that does not know which components it ships cannot know which disclosed vulnerabilities affect it. Veracode Software Composition Analysis (SCA) helps an organization build an inventory of the components its applications depend on and match that inventory against known vulnerabilities, covering both open source and commercial code.

Integration with Agile and DevOps

Integration is key when testing for security. Ideally the security scan is triggered as soon as code is checked in and a build is available, and if the results violate the organization's policy the build is rejected rather than promoted. Veracode exposes APIs that allow its scans to be wired into development and DevOps pipelines in this way.
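To make both the SCA inventory and the build gate concrete, here is an added example; it is not Veracode's code or API. It parses a constructed requirements.txt into a component inventory, matches that inventory against a constructed advisory list, and then applies a build policy: any High finding, or any component whose version cannot be determined because it is not pinned exactly, rejects the build with a non-zero exit code. The package names, versions, advisory identifiers and severities are all made up for the illustration.

```python
"""Software composition analysis plus a build gate, as an added example.
The dependency list and advisory feed are constructed; none of it is real
CVE data or Veracode output."""
import re
import sys

# Constructed requirements.txt: the input from which the inventory is built.
REQUIREMENTS = """\
flask==0.12.2
requests==2.31.0
pyyaml==5.3
# transitive pins would be listed here too
cryptography>=41.0.0
"""

# Constructed advisory feed: the package is affected on every version below 'fixed_in'.
ADVISORIES = [
    {"id": "ADV-0001", "package": "pyyaml", "fixed_in": "5.4", "severity": "High"},
    {"id": "ADV-0002", "package": "flask", "fixed_in": "1.0", "severity": "Medium"},
    {"id": "ADV-0003", "package": "requests", "fixed_in": "2.20.0", "severity": "High"},
]

# Severities that fail the build; a policy choice for this example, not a vendor default.
BLOCKING_SEVERITIES = {"Very High", "High"}

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S+)?")


def build_inventory(requirements_text):
    """Map each component to its pinned version, or None when the pin is not exact."""
    inventory = {}
    for line in requirements_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _REQ_LINE.match(line)
        if not match:
            continue
        name, operator, version = match.groups()
        inventory[name.lower()] = version if operator == "==" else None
    return inventory


def _version_key(version):
    """Numeric comparison key; pre-release tags are ignored (a simplification)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_vulnerable(inventory, advisories=ADVISORIES):
    """Match pinned components against the advisory feed."""
    findings = []
    for adv in advisories:
        version = inventory.get(adv["package"])
        if version is not None and _version_key(version) < _version_key(adv["fixed_in"]):
            findings.append({**adv, "version": version})
    return findings


def gate(findings, unpinned, blocking=BLOCKING_SEVERITIES, fail_on_unpinned=True):
    """Return (passed, reasons). The build is rejected when reasons is non-empty."""
    reasons = [
        f"{f['id']}: {f['package']} {f['version']} is {f['severity']} (fixed in {f['fixed_in']})"
        for f in findings
        if f["severity"] in blocking
    ]
    if fail_on_unpinned:
        reasons += [f"{name}: version not pinned, cannot be inventoried" for name in unpinned]
    return (not reasons, reasons)


def run_gate(requirements_text=REQUIREMENTS):
    """CI entry point: build the inventory, apply policy, return the process exit code."""
    inventory = build_inventory(requirements_text)
    unpinned = sorted(name for name, version in inventory.items() if version is None)
    passed, reasons = gate(find_vulnerable(inventory), unpinned)
    for reason in reasons:
        print("BLOCK:", reason)
    print("build accepted" if passed else "build rejected")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(run_gate())
```

Run as a pipeline step, the non-zero exit code is what stops the build. Note the unpinned `cryptography>=41.0.0` line: an inventory is only as good as the version information it can recover, so the gate treats an unknown version as a failure rather than silently passing it.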

Dynamic Analysis (DAST)

Dynamic application security testing (DAST) is commonly referred to as black-box testing: the running web application is probed from the outside, without access to its source code, to find exploitable vulnerabilities. DAST uses the same techniques an attacker would, for example injecting test payloads into input fields and query string parameters and examining the application's responses for signs that the payload was mishandled.
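As an added example of what a dynamic scanner does (not Veracode's scanner), the code below drives a small constructed WSGI application in-process and probes each query-string parameter from the outside: it injects a canary string and checks whether it is reflected without encoding (a reflected XSS candidate), then injects a single quote and looks for database error messages in the response. The target application, its endpoints, the list of parameters to probe and the error signatures are all constructed for this illustration.

```python
"""Minimal black-box (DAST-style) probe of query-string parameters, added as
an example. The target application below is constructed and deliberately
flawed so the probe has something to find; it is not Veracode's scanner."""
import html
import re
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults


def target_app(environ, start_response):
    """Constructed target: /search reflects unescaped, /item leaks a DB error, /hello is safe."""
    path = environ["PATH_INFO"]
    params = parse_qs(environ.get("QUERY_STRING", ""))
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    if path == "/search":
        body = f"<h1>Results for {params.get('q', [''])[0]}</h1>"  # no output encoding
    elif path == "/item":
        item_id = params.get("id", [""])[0]
        if "'" in item_id:  # stands in for an unparameterized query that chokes on a quote
            body = "Error: You have an error in your SQL syntax near ''"
        else:
            body = f"<p>Item {html.escape(item_id)}</p>"
    elif path == "/hello":
        body = f"<p>Hello {html.escape(params.get('name', [''])[0])}</p>"  # encoded: not vulnerable
    else:
        body = "<p>not found</p>"
    return [body.encode("utf-8")]


def fetch(app, path, params):
    """The probe's HTTP client: call the WSGI app in-process and return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = urlencode(params)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


# Canary that never appears in a normal page; if it comes back with its angle
# brackets intact, the parameter is written into HTML without encoding.
XSS_CANARY = "<zqx7dast>"
SQL_ERROR_SIGNATURES = re.compile(
    r"error in your SQL syntax|unterminated quoted string|ORA-\d{5}|SQLSTATE\[|SQLite3::", re.I
)


def probe_param(app, path, param, base_params=None):
    """Test one parameter for unencoded reflection and for error-based SQL injection symptoms."""
    findings = []
    params = dict(base_params or {})
    params[param] = XSS_CANARY
    _, body = fetch(app, path, params)
    if XSS_CANARY in body:
        findings.append(("reflected-xss", path, param))
    params[param] = "'"
    _, body = fetch(app, path, params)
    if SQL_ERROR_SIGNATURES.search(body):
        findings.append(("sql-error", path, param))
    return findings


def scan(app, targets):
    """Run the probes over every (path, parameter) pair known for the application."""
    findings = []
    for path, param in targets:
        findings.extend(probe_param(app, path, param))
    return findings


# Constructed attack surface; a real scanner would discover this by crawling the site.
TARGETS = [("/search", "q"), ("/item", "id"), ("/hello", "name")]

if __name__ == "__main__":
    for finding in scan(target_app, TARGETS):
        print(finding)
```

The probe flags `/search?q=` because the canary comes back unencoded, and `/item?id=` because a single quote produces a database error message; `/hello?name=` is left alone because the value is HTML-encoded and the quote is handled. Everything is inferred from responses, which is exactly the black-box position a dynamic scanner, and an attacker, works from.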