Veracode is an application security company based in the US. Founded in 2006, the company provides an automated cloud-based service for securing web, mobile and third-party enterprise applications. Veracode provides multiple security analysis technologies on a single platform, including static analysis (SAST), dynamic analysis (DAST), mobile application behavioral analysis and software composition analysis (SCA).
E-SPIN and Veracode
E-SPIN has partnered with Veracode since 2017, actively promoting Veracode's end-to-end application security platform and its full range of products and technologies as part of the company's Application Security (AppSec), Application Security Testing (AST) and Vulnerability Management solution portfolio. E-SPIN provides consulting, supply, training and maintenance for Veracode products (or distributes and resells them as part of a complete package) to enterprise, government and military customers in the regions where E-SPIN does business. Enterprise customers range from public listed corporations and multinational corporations to banking, securities and insurance (BSI) firms, federal and state government bodies and government-linked corporations.
Please feel free to contact E-SPIN with your inquiry and requirements, so we can assist you with the exact packaged solution your operation or project needs.
Securing Web Applications
SCALES TO TEST THOUSANDS OF APPLICATIONS SIMULTANEOUSLY.
More than half of all breaches involve web applications* — yet less than 10% of organizations ensure all critical applications are reviewed for security before and during production†.
Clearly, organizations need a way to replace fragmented, manual pen testing with ongoing, automated scanning so they can protect their global application infrastructures — without hiring more consultants or installing more servers and scanning tools.
The leading vector for cyber-attacks
Applications have become the path of least resistance for cyber-attackers because they are:
- Constantly exposed to the Internet and easy to probe by outside attackers using freely available tools that look for common vulnerabilities such as SQL Injection.
- Easier to attack than traditional targets such as the network and host operating system layers which have been hardened over time. Plus, networks and operating systems are further protected by mitigating controls such as next-generation firewalls and IDS/IPS systems.
- Driven by short development cycles that increase the probability of design and coding errors — because security is often overlooked when the key objective is rapid time-to-market.
- Assembled from hybrid code obtained from a mix of in-house development, outsourced code, third-party libraries and open source — without visibility into which components contain critical vulnerabilities.
Discover and continuously monitor all your web applications
- Discovery: According to SANS, many organizations don’t even know how many applications they have in their domains. Our Discovery service addresses this visibility gap by creating a global inventory of all your public-facing web applications such as corporate sites, temporary marketing sites, related sites (.mail, .info, etc.), international domains and sites obtained via M&A. Plus, Discovery leverages our massively parallel, auto-scaling infrastructure to discover thousands of applications per day.
- DynamicMP (Massively Parallel): Baseline your application risk by quickly identifying highly exploitable vulnerabilities such as those found in the OWASP Top 10 and CWE/SANS Top 25. Leverage our massively parallel infrastructure to test thousands of web applications simultaneously with lightweight, non-authenticated dynamic scans. Rapidly mitigate risk by shutting down temporary sites and feeding security intelligence information to Web Application Firewalls (WAFs).
- DynamicDS (Deep Scan): Perform a comprehensive deep scan that identifies web application vulnerabilities using both authenticated and non-authenticated scans, including looking for attack vectors such as cross-site scripting (XSS), SQL injection, insufficiently protected credentials and information leakage. Also integrates security intelligence information with WAFs to enable virtual patching.
- Virtual Scan Appliance (VSA): Perform a deep scan of applications located behind the firewall, typically in QA or staging environments, in order to find vulnerabilities prior to deployment. The VSA also helps secure internal web applications from insider attacks or attacks by malicious outsiders who gain access to insider credentials.
- All results are consolidated with other threat intelligence through our central cloud-based platform.
Three steps to web application security
Secure Web Application Development
PROTECT APPLICATIONS ACROSS THE ENTIRE SDLC
When 12,000 security professionals were asked to name the number one security threat to their organization, 69% said application-layer vulnerabilities* — yet less than 10% ensure that all their business-critical applications are reviewed for security before and during production.†
Clearly, organizations need a better way to scale their secure development programs so they can protect their entire application infrastructures in a cost-effective manner — without hiring more consultants or installing more servers and tools.
Our scalable cloud-based platform secures all your applications across the Software Development Lifecycle (SDLC) — from code development to pre-production testing and production:
- Multiple analysis techniques, built upon a single unified platform — including Static Application Security Testing (SAST), Web Application Discovery and Monitoring, Dynamic Application Security Testing (DAST), behavioral analysis (for mobile applications) and manual penetration testing — deliver a holistic, policy-based view of application layer threats.
- Enterprise policies are based on the minimum acceptable levels of risk for applications according to their business criticality. Risk is based on the severity of flaws identified in the application, using standards such as the OWASP Top 10 (for web applications), the CWE/SANS Top 25 (for non-web applications) or compliance mandates such as PCI.
- Analysis is optimized for low false positives and prioritized based on severity so you don’t waste time on things that don’t matter.
- Role-Based Access Control (RBAC) provides granular, permission-based access to results for multiple teams based on their roles, including development, security and audit/compliance.
During Code Development
During the initial code development phase, experts recommend code-level analysis via SAST, in addition to best practices such as secure architectural design and threat modeling. Addressing security during the development phase of the SDLC produces stronger application security at lower cost.
- SAST tests applications from the “inside out” and is sometimes called “white-box” testing. It examines static code for common vulnerabilities such as SQL injection and cross-site scripting, as well as coding errors such as buffer overflows and unhandled error conditions.
- We’re the only enterprise security vendor to offer binary static analysis, which allows you to test applications without access to source code — including third-party software such as commercial applications, outsourced code, third-party libraries and open source.
- SAST analyzes binary code to create a detailed model of the application’s data and control paths. Then the model is searched for paths through the application that represent a potential weakness. For example, if a data path through the application originates from an HTTP Request and flows through the application without validation or sanitization to reach a database query, then this would represent a SQL Injection flaw.
- Our SAST is designed for agile development processes, with 80% of all static scans completing within 4 hours and more than 90% completing within a day.
- We have a proven and repeatable process for rapidly on-boarding development teams and tightly integrating security testing with existing processes and tools including IDEs (Eclipse, Visual Studio, etc.), build processes (Jenkins, Ant, Maven, TFS, etc.) and issue tracking systems (JIRA, Bugzilla, Archer, etc.).
- We provide detailed information with line of code details to assist programmers in locating flaws in their source code and reproducing them, along with suggested corrective actions.
- We support all widely-used languages for desktop, web and mobile applications including:
  - Java & .NET
  - C/C++: Windows, Linux & Solaris
  - Legacy Business Applications: COBOL
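The SAST bullets above describe searching a model of the application's data paths for flows from an HTTP request to a database query that never pass through validation or sanitization. The following is an added example (not Veracode's engine, model format or output) that implements that idea as a toy taint tracker over a hand-built, straight-line intermediate representation; the statement form, the `http.request.param`, `sql.escape`, `str.concat` and `db.query` labels, and the two sample programs are all constructed for illustration.

```python
# Toy taint analysis in the spirit of the SAST description above:
# untrusted data that reaches a database query without passing through a
# sanitizer is reported as a potential SQL injection path.
# Simplifications (assumed for this example): straight-line code only, no
# branches or loops; sources, sanitizers and sinks are matched by name.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SOURCES = {"http.request.param"}        # where untrusted data enters
SANITIZERS = {"sql.escape", "to_int"}   # calls whose result is treated as clean
SINKS = {"db.query"}                    # dangerous consumers of data


@dataclass
class Stmt:
    """One IR statement: `target = op(args)`; target is None for a bare call."""
    op: str                      # "const", "copy" or "call"
    target: Optional[str] = None
    callee: str = ""             # only meaningful for op == "call"
    args: List[str] = field(default_factory=list)


@dataclass
class Finding:
    sink: str
    path: List[str]              # the data path from source to sink, step by step


def analyze(program: List[Stmt]) -> List[Finding]:
    """Propagate taint through a straight-line program and report source->sink paths."""
    taint: Dict[str, List[str]] = {}   # variable -> steps by which taint reached it
    findings: List[Finding] = []
    for s in program:
        if s.op == "const":
            taint.pop(s.target, None)                      # literals are trusted
        elif s.op == "copy":
            src = s.args[0]
            if src in taint:
                taint[s.target] = taint[src] + [f"{s.target} = {src}"]
            else:
                taint.pop(s.target, None)
        elif s.op == "call":
            call = f"{s.callee}({', '.join(s.args)})"
            tainted = [a for a in s.args if a in taint]
            if s.callee in SOURCES:
                taint[s.target] = [f"{s.target} = {call}"]  # taint originates here
            elif s.callee in SINKS:
                for a in tainted:                          # every tainted arg is a finding
                    findings.append(Finding(s.callee, taint[a] + [call]))
            elif s.callee in SANITIZERS:
                taint.pop(s.target, None)                  # sanitizer output is clean
            elif tainted:
                # Unknown call (e.g. string concatenation): propagate conservatively.
                taint[s.target] = taint[tainted[0]] + [f"{s.target} = {call}"]
            else:
                taint.pop(s.target, None)
        else:
            raise ValueError(f"unknown op {s.op!r}")
    return findings


# Constructed sample: a request parameter is concatenated straight into a query.
VULNERABLE = [
    Stmt("call", "name", "http.request.param", ["'user'"]),
    Stmt("const", "prefix"),
    Stmt("call", "query", "str.concat", ["prefix", "name"]),
    Stmt("call", None, "db.query", ["query"]),
]

# Constructed sample: the same flow, with the value escaped before the query.
HARDENED = [
    Stmt("call", "name", "http.request.param", ["'user'"]),
    Stmt("call", "safe", "sql.escape", ["name"]),
    Stmt("const", "prefix"),
    Stmt("call", "query", "str.concat", ["prefix", "safe"]),
    Stmt("call", None, "db.query", ["query"]),
]


if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        found = analyze(prog)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  " + " -> ".join(f.path))
```

The reported path is what a developer needs to reproduce the flaw: the statement where the untrusted value entered, every assignment that carried it, and the sink it reached.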
In Pre-Production Testing
Both SAST and DAST are typically used in pre-production testing (during the QA phase). For highly critical applications, manual penetration testing is also recommended. Our solutions integrate with widely-used WAFs such as Imperva so you can quickly mitigate vulnerabilities via virtual patching.
DAST tests applications in a running state by probing their exposed web interfaces from the “outside in”. For this reason, it is often called “black box” testing. DAST typically looks for vulnerabilities such as SQL injection and cross-site scripting as well as issues that only surface when the application is running such as authentication vulnerabilities and server misconfiguration errors. It’s important to test both credentialed and anonymous access, since some vulnerabilities may not be visible to a random attacker, but show up when logging in as a known user.
Random black box testing is more representative of how an outside cyber-criminal will act, but it takes longer to run and cannot exercise all data and control paths through the application in the same way that SAST does.
Since pre-production environments are usually located behind the firewall, we also provide a Virtual Scanning Appliance (VSA). The VSA is a locally-installed virtual appliance (software-based) that provides full DAST capabilities and is fully-integrated with our central cloud-based platform. This allows local DAST results to be managed via a single set of policies and reports, in combination with automated SAST and manual penetration testing results, to maximize accuracy and minimize false positives.
Whether you work for an enterprise and want to make sure all your vendor-supplied software is secure, or you're a vendor who wants to prove to enterprises that your applications comply with security standards, we can help.
If you’re like most businesses, more than two-thirds of your enterprise software portfolio — including commercial and outsourced applications, SaaS, third-party libraries and open source code — is provided by third-parties.
Supply Chain Security
A PROGRAMMATIC APPROACH TO REDUCING THIRD-PARTY SOFTWARE RISK
Third-party software is the new perimeter for enterprises. Attackers are now targeting the IT supply chain because traditional network perimeters have been hardened over time and are further protected by next-generation firewalls and other controls.
Driven by the need to accelerate time-to-market, most applications are now “assembled” in a Lego-like fashion from third-party components such as outsourced code, libraries and open source, rather than developed from scratch.
Mitigating the risks
90% of third-party code does not comply with enterprise security standards such as the OWASP Top 10.*
As a result of the large and growing footprint of third-party software in the enterprise, regulatory bodies such as the OCC and industry organizations such as FS-ISAC, OWASP and the PCI Security Standards Council are now placing increased focus on controls required to mitigate the risks introduced by third-party software.
For example, the OWASP Top 10 now includes a requirement that prohibits vulnerable components from being used. OWASP points out that “Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.”
Clearly, relying solely on vendor surveys and self-attestations is no longer sufficient to address these risks. Enterprises are looking for independent verification of the security of third-party software.
We manage your program
We work directly with your vendors — on your behalf — to assess and remediate their code. We also help you implement an ongoing governance process for validating third-party software, based on industry best practices.
The programmatic approach provided by the Vendor Application Security Testing (VAST) program yields 10x better results than conventional ad-hoc approaches, in terms of vendor application coverage.*
It also yields more rapid remediation. Enterprises with a programmatic approach only had 20% of applications remain non-compliant for more than six months, compared with nearly twice as many non-compliant applications (39%) for enterprises with ad hoc approaches. We also help by working closely with developers to explain results and recommend optimum remediation approaches.
Outsourced program management: Time, money and staff are tight within every organization. We augment your internal staff with program managers and security experts who work with your vendor community to assess and remediate their applications according to your enterprise security policies. We leverage best practices developed by working closely with more than 1,000 software vendors to date, including practices designed to:
- Guide collaboration between security, business, vendor management and procurement teams.
- Specify business, contractual and technical details as part of your policy.
- Provide a strong mandate for vendor application testing.
Cloud-based service: Our cloud-based service scales on-demand to handle your entire software supply chain. Its intuitive interface, automated testing and policy-driven reporting make it easy for third-party developers to comply with enterprise security policies without hiring more consultants or installing more servers and tools.
- Automated scanning without source code: Sharing access to third-party source code is problematic for software suppliers as they need to ensure proper protection of their intellectual property. Our patented binary static analysis technology identifies security vulnerabilities without requiring access to source code, a significant benefit for vendors.
- Reduced cost and complexity: With VAST, third-party suppliers are responsible for the cost of using our subscription-based service to validate their software. This eliminates the time and cost burden on your organization for managing the program and validating all of your third-party software using internal resources.
Secure Your Mobile Applications
Find and Fix Software Vulnerabilities in Your Mobile Applications
Mobile internet usage has long surpassed desktop usage. It’s quick and easy to develop mobile applications, and the competition is fierce. Because end users have high expectations, your mobile applications need to be revised and updated even more frequently than conventional applications. At the same time, serious risk of breach and regulatory pressures are driving you to turn attention to the security of mobile applications, but you don’t have the time, people or money to move the needle.
Veracode’s mobile application security testing (MAST) solution enables you to quickly identify and remediate mobile application security flaws through automated code review and manual penetration testing. As a SaaS-based model, Veracode is easy to use and delivers highly accurate results because our engine learns with every scan. Our team of experts helps lead you to success with a combination of program management, application security consulting, and premium support. Veracode helps you comply with regulations and enables you to expand to other types of application security testing within the same platform.
Most applications were not built with security in mind: More than 63 percent of applications fail the OWASP Top 10 on first scan.
Test mobile apps to the appropriate depth
Not all mobile applications are created equal when it comes to security assurance. A simple marketing application may just need a fast automated scan with each incremental release. On the other hand, for an application that handles personal, financial or health care information, you need to secure the entire mobile ecosystem, including the customer-installed application, the back-end web services it communicates with, and the data that flows between them. Veracode’s mobile application security testing solution addresses the full range of use cases for mobile application security. Use Veracode Static Analysis to get fast, fully automated code security results for all of your front-end and back-end applications. And for those mission-critical mobile applications, you can supplement our fully automated analysis with manual penetration testing to spot issues that require skilled human review.
Veracode’s mobile application security testing solution uses an automated process to assess the security of mobile applications and deliver quality results. Our patented technology can test binaries, enabling us to analyze the data flow in compiled applications across proprietary and third-party components, as well as third-party and legacy applications. Since we give you accurate results and prioritize them based on severity, you won’t need to waste resources dealing with hundreds of false positives. So far, we’ve assessed over 2 trillion lines of code in 15 languages and 50 frameworks, and we have improved with every assessment.
Veracode has been named a Leader in the Gartner Magic Quadrant for Application Security Testing for the last four years.
Get the help of experts to lead your program to success
Everything’s harder when you do it the first time, so Veracode offers services to guide you through the process. Our program managers work with you to onboard your development teams and provide metrics for you to report to management. Our support team can assist you when you have questions on how to best integrate security into your development toolchain. When vulnerability reports and on-demand training don’t provide enough clarity, you can set up one-on-one consultations with our experts who have backgrounds in both security and software development. Companies using this service have increased fix rates by 147 percent.
Comply with company policy and industry regulations
Veracode’s mobile application security testing solution helps you comply with custom policies to satisfy industry regulations. For instance, PCI DSS Requirement 6.5 requires all custom application code to be reviewed to identify coding vulnerabilities. Veracode also supports other risk frameworks and security standards like NIST 800-53 and HIPAA. Each mobile application is graded against the policy as you have defined it, combining results from static analysis and manual penetration testing.
A global bank went from scanning 80 applications per year to 500 in the first year and now 1,000 annually, without adding any headcount.
Access all of your application security solutions in one platform
The cloud-based Veracode Application Security Platform offers multiple assessment technologies that assess mobile and conventional applications, including Veracode Static Analysis, Veracode Software Composition Analysis, Veracode Manual Penetration Testing, Veracode Web Application Security, and Veracode Runtime Protection. The SaaS model reduces your operational overhead because you won’t have to build and maintain in-house hardware. By providing both security expertise and program management, Veracode helps you accelerate the delivery of your pipeline of applications without hiring specialists. Our customers often scale from securing tens of applications without Veracode to hundreds or thousands of applications.
Contact E-SPIN about how we can help reduce your application-layer risk.
Streamline Compliance With Industry Regulations
To address growing concern over data breaches, various industries have issued regulations addressing cybersecurity and information security controls. In addition, enterprises in many industries are now holding their software vendors accountable for meeting standard application security policies. The challenge is that meeting these standards with manual processes and penetration testing is arduous, and most organizations can’t address this challenge on their own because of lack of time, staff and money. Most end up merely “checking the box” and demonstrating compliance via minimal process documentation. As a result, these organizations and their suppliers are at risk of noncompliance, and worse, of breach.
According to a Ponemon Institute study, industries subject to compliance requirements such as Healthcare, Education, Pharma and Financial Services have a per capita breach cost between 40% and 150% greater than the average.
Veracode enables you to address compliance requirements related to application security and secure development without having to manage tools or hire additional staff. The Veracode Application Security Platform provides access to a wide variety of methods to assess application security, along with compliance and development team reporting and secure development training. In addition, Veracode services help enterprises develop their cybersecurity strategy and deliver risk reduction results.
Track flaws, reviews and compliance through a single platform
All Veracode services are delivered through the Veracode Application Security Platform, which provides a central repository for information about your software weaknesses, as well as proposed, accepted and rejected mitigations. And the same workflow can be used for static, dynamic or manual findings. With this central location, Veracode application security consultants can make more informed decisions on whether a proposed mitigation is effective because they can see the exact application data flow that was analyzed as part of the static analysis.
Achieve continuous compliance monitoring
Best-practice organizations understand that to achieve the risk-reduction goals of mandated compliance standards, they cannot treat compliance as an end in itself but as the outcome of an ongoing process. Veracode helps deliver continuous compliance by providing application security testing that integrates into your software development lifecycle; conducting regular discovery scans of the web applications in your domain, including temporary marketing sites, international domains and sites obtained via M&A; continuously monitoring your production web applications for vulnerabilities; and providing virtual patching for your web application firewalls based on the security intelligence from your application assessments.
Detect and prevent web-based attacks
With Veracode Runtime Protection, you add the option to instantly mitigate certain vulnerabilities without involving developers, so you’re increasing development speed while managing your risk. Veracode Runtime Protection helps companies meet mandated standards by providing an automated solution that detects and prevents web-based attacks.
Educate developers in secure coding practices
Compliance standards for developing secure code don’t stop at testing software; many also recommend training developers in secure coding practices. Veracode Developer Training provides a variety of educational approaches to fit your team’s needs, from on-demand computer-based training courses to remediation-focused AppSec tutorials and instructor-led deep dives on specific topics.
3 out of 5 applications assessed by Veracode fail the OWASP Top 10 and therefore would fail to comply with most compliance standards.
Automate and audit compliance workflows
The Veracode Platform provides built-in, automated compliance workflows. These workflows reduce communication overhead and provide a secure audit trail of your compliance processes, including notifications about policy changes and approval workflows for mitigating controls that take a vulnerability out of scope for remediation. And the Policy Manager helps to document and communicate your security policy. When it’s time to show compliance to auditors, you can share compliance status with EMC/RSA Archer via our native integration. Similar integrations are available for other GRC systems such as IBM OpenPages, RSAM, RiskVision, LockPath, Allgress and Symantec Control and Compliance Suite (CCS).
Contact E-SPIN today to learn how Veracode can help you streamline your compliance initiatives.
| Regulation or standard | Relevant requirements or controls |
| --- | --- |
|  | 6.1, 6.5, 6.6, 6.7, 11.3, 12.6 |
|  | 5.1.7, 5.2, 7.1 |
|  | 01.v, 02.e, 04.a, 06.d, 10.a, 10.b, 10.c, 10.l, 10.m |
|  | Tasks 1, 4, 5, 8, 9, 10 |
|  | AT-2, 3, 4; CA-2, 7, 8; CM-4, 8; RA-2, 3, 5; SA-3, 4, 11, 12; SC-13; SI-2, 7, 10, 11, 12; PM-1, 6, 14 |
|  | Controls for 800-53, plus AU-10; CM-7, 8; CP-2; PV-1, 2; RA-1; SA-8, 11, 12 |
| New York Department of Financial Services Cybersecurity Regulations | 500.05(a) 1,2; 500.06(a)2; 500.08(a); 500.11; 500.14(a)2 |
| Monetary Authority of Singapore Technology Risk Management Guidelines | 5, 6, 9.4, 12.2 |
|  | Fraud prevention; protection of audit trails |
| OCC Bulletin 2013-29 | Requires regulated entities to assess and manage risks associated with their third-party relationships |
| Securities and Exchange Commission Requirements for Cybersecurity | The SEC has published guidance for public companies related to the disclosure of cyber-security risks and the financial impact of cyber incidents such as data breaches. We can help by providing detailed analytics about the current risk profile for your application infrastructure as well as an assessment of the remediation work required after a successful application-layer attack. |
| FS-ISAC Third Party Software Controls | Control Type 2, 3a, 3b |
|  | Articles 5, 24, 25, 28, 32, 33, 35 |
Integrate Application Security Into Your SDLC
Developers and security teams are both challenged to meet security goals in complex environments. Developers already need to manage many separate tools; new AppSec tools that do not integrate well or lack flexible APIs and customizable integrations are met with low adoption, high distraction and a steep learning curve. Likewise, security teams often seek to protect against AppSec vulnerabilities with a web application firewall and are challenged to integrate risk data and program metrics across disconnected AppSec tools without manual effort. As more organizations move to DevOps and reap the automation and speed benefits, AppSec solutions need to keep up or risk being left behind.
Veracode enables organizations to speed applications to market without sacrificing security. The Veracode Application Security Platform integrates with the development, security and risk-tracking tools you already use. And, our flexible API allows you to create your own custom integrations or use community integrations, built by the open source community and other technology partners. Veracode’s focus on making security developer-friendly is one reason why we help you go faster, without sacrificing security.
Veracode Application Security Platform
MANAGE YOUR ENTIRE APPLICATION SECURITY PROGRAM IN A SINGLE PLATFORM
Reduce the cost of application portfolio risk management
Competing in business is all about speed of innovation. No matter what industry you’re in, that innovation relies heavily on leveraging software. However, most applications were not created with security in mind, which is why applications are the most common breach vector. Looking at a giant backlog of insecure applications can be overwhelming. Training developers to write more secure code, testing applications, and collaborating on remediation is very challenging because application security expertise is very hard to find. Even worse, developers may not be cooperative if they believe that you only point out their mistakes and delay their projects.
Gartner has named Veracode a Leader in the Magic Quadrant for Application Security – for 4 reports in a row.
The Veracode Application Security Platform offers a holistic, scalable way to manage security risk across your entire application portfolio. We offer a wide range of security testing and threat mitigation techniques, all hosted on a central platform, so you don’t need to juggle multiple vendors or deploy tools. Application security cannot be solved with technology alone. Our security program managers work with you to define policies and success criteria, so you’ll have a strategic, repeatable way to tackle your application security risk. Veracode educates developers with actionable results, one-on-one coaching, and a variety of training, so they can effectively fix existing flaws and code securely moving forward.
Manage all of your application risk on a single platform
Veracode can scan all of the applications and components you build or buy, covering all major languages, frameworks, and application types. It gives you a central repository for your applications and components, so you have full visibility into your risk posture. Detailed reports and executive level views help you to prioritize fixes, show reduced risk over time, or compare progress across different teams. You have the flexibility to leverage existing policies or create custom policies and then centrally view policy compliance.
Find vulnerabilities, detect and block attacks across development, testing, and production
Veracode offers all major types of automated and manual risk assessments, so you won’t have to juggle multiple vendors, reports, and technologies. Veracode integrates into each stage of your software development lifecycle, so you are building secure software, rather than making costly last-minute fixes that delay releases. We even help you detect and block exploitation attacks in production.
Use the industry’s most mature native SaaS application security platform
With over 10 years of experience and $100m in investment, the Veracode Platform is used by over 44,000 security professionals and software engineers to mitigate application security risk. Because the Platform has been cloud-based since its inception, it’s constantly learning, so you benefit from solid results with a low false positive rate. These are just a few of the reasons why Veracode has been named a leader in the Gartner Magic Quadrant for Application Security Testing four years in a row.
Manage a program, not a tool
Many testing tools produce reports with lists of flaws and no actionable information in sight. Veracode is dedicated to making sure that you actually fix the flaws you find. Our security program managers work with you to define policies and success criteria to set up a strategic, repeatable process. Veracode has assisted some of the world’s largest and most complex companies overcome the hurdles preventing widespread adoption of application security best practices – so you know you’re in good hands.
Veracode has 61,856 active users on the platform, who have assessed a total of 152,875 applications.
Enable your developers to code securely
Veracode offers a variety of developer enablement technologies and services to match anyone’s learning style. Developers see which line of code their flaw is in and have easy access to short instructional videos to help them fix it. When a developer gets stuck, they can schedule a one-on-one coaching call with a Veracode application security consultant with a background in development. Veracode also offers application security training through on-demand eLearning courses and instructor-led trainings.
Scale your program more easily than with on-premise tools
Scan one application or thousands. Veracode works with both the largest enterprises in the world and small development shops. Our cloud-based platform is ideal for fragmented business units and global teams of software engineers.
Contact E-SPIN today to see a demo of the Veracode Application Security Platform.
Veracode Static Analysis (SAST)
MANAGE APPLICATION SECURITY RISK IN A SIMPLE, STRATEGIC, SCALABLE WAY
Find and fix software vulnerabilities in applications you build or buy
Software is the engine that powers business innovation – and the No. 1 attack vector. Most applications were not built with security in mind: in fact, more than 63 percent of applications fail the OWASP Top 10 on first scan. At the same time, to meet business-driven deadlines and keep up with the rapid pace of innovation, your development team is churning out software faster than ever. Serious risk of breach and regulatory pressures are driving your company to turn attention to application security, but you don’t have the time, people or money to move the needle. As a result, you are only securing a fraction of your applications, if any at all, leaving your company exposed to risk of data breach.
Fewer than 4 out of 10 applications pass security policy requirements on initial assessment.
~ Veracode State of Software Security Report, 2016
With Veracode Static Analysis, you will:
- Deliver consistent, high-quality scanning results for all your apps
- Scale without devoting additional resources
- Integrate application security into your SDLC
- Get one-on-one remediation consultations for developers
- Access all of your application security solutions in one platform
Upload a single packaged application to the Veracode Application Security Platform to kick off a scan for combined static analysis and software composition analysis, resulting in a single pass/fail result. Veracode also enables you to assess applications using dynamic analysis or manual penetration testing.
Deliver consistent, high-quality scanning results for all your apps
Unlike manual code reviews or penetration tests, Veracode Static Analysis is an automated process delivering repeatable results. Veracode Static Analysis (a form of white box testing) can assess the security of microservices, web, mobile and desktop applications. Since we give you accurate results and prioritize them based on severity, you won’t need to waste resources dealing with hundreds of false positives. So far, we’ve assessed over 2 trillion lines of code in 15 languages and 50 frameworks, and we get better with every assessment.
Veracode Static Analysis supports all widely-used languages for desktop, web and mobile applications including:
- Python, Perl, PHP, Ruby on Rails, Scala, ColdFusion, Classic ASP
- iOS (Objective-C and Swift), Android (Java), PhoneGap, Cordova, Titanium, Xamarin
- C/C++ (Windows, Red Hat Linux, openSUSE, Solaris)
- COBOL, RPG, Visual Basic 6
Veracode constantly updates its support for languages and frameworks. Please contact us if you don’t see what you need on this list.
Veracode Static Analysis integrates with IDEs, such as Microsoft Visual Studio, to help developers find and remediate vulnerabilities efficiently.
Scale without devoting additional resources
The SaaS-based Veracode Application Security Platform reduces your operational overhead because you won’t have to build and maintain in-house hardware. And you’ll feel comfortable with our cloud-based application security because Veracode Static Analysis can process binaries, so you don’t have to disclose your source code. In addition, by providing both security expertise and program management, Veracode helps you work through your backlog without hiring specialists. Ultimately, our customers often scale from securing tens of applications without Veracode to hundreds or thousands of applications.
A global bank went from scanning 80 applications per year to 500 in the first year with Veracode and now 1,000 without adding any headcount.
The Veracode Application Security Platform provides one simple policy pass/fail result per application for static and dynamic testing, software composition analysis and manual penetration testing.
Integrate application security into your SDLC
When security is well integrated, you remove friction. The Veracode Application Security Platform integrates with your IDEs, build, ticketing and GRC systems to automatically test code and coordinate remediation. For instance, Veracode Greenlight allows developers to test the code they’re working on in their IDE, getting results back in seconds and highlighting areas where they’ve successfully applied secure coding principles. In addition, the Developer Sandbox functionality enables engineers to test and fix code between releases without triggering a failed policy compliance report to the security team. Veracode’s focus on making security DevOps-friendly is one reason why our customers have fixed 70 percent of the 10 million vulnerabilities they found in 2015.
Veracode Static Analysis integrates with your development toolchain to help your organization scan applications and find, track and remediate vulnerabilities.
Get one-on-one remediation consultations for developers
When vulnerability reports and on-demand training don’t provide enough clarity, developers can set up one-on-one developer consultations with our experts who have backgrounds in both security and software development. Companies using this service have increased fix rates by 147 percent.
Flaw sources show developers where in the code they can make a single change that addresses several vulnerabilities at once.
Comply with company policy and industry regulations
Veracode Static Analysis helps you comply with custom policies or industry regulations. For instance, PCI DSS Requirement 6.5 requires all custom application code to be reviewed to identify coding vulnerabilities. Veracode also supports other risk frameworks and security standards like NIST 800-53 and HIPAA. Each application is graded against the policy as you have defined it, combining results from static and dynamic testing, open source risk and manual penetration testing.
The Veracode Application Security Platform tracks application security compliance over time so you can report progress to stakeholders and easily integrate with your GRC system.
Access all of your application security solutions in one platform
The Veracode Application Security Platform offers multiple assessment technologies that complement Veracode Static Analysis, on a single platform, including Veracode Software Composition Analysis, which inventories and assesses open source components, and Veracode Web Application Scanning, which identifies architectural weaknesses and vulnerabilities in running web applications by probing the attack surface. In addition, Veracode Runtime Protection enables you to protect web applications against vulnerabilities found by Veracode Static Analysis and Veracode Web Application Scanning.
The Veracode Application Security Platform brings together various AppSec testing methodologies and services so you can manage your program more effectively.
Veracode Greenlight
GET SECURE CODING FEEDBACK IN SECONDS – RIGHT IN YOUR IDE
Add Security to Your DevOps Process and Reduce Cost to Fix
Companies are facing pressure to release software faster, often at the expense of security. To keep up with this rapid pace of innovation, development teams are moving toward processes like Agile, DevOps, and CI/CD - testing and releasing code more frequently. Traditional application security practices find security issues late in the SDLC where they are expensive and time consuming to fix and delay time to market. Application security testing must adapt to these new processes by enabling you to test early and often in the development lifecycle and to quickly understand and remediate security findings.
Most Veracode Greenlight scans complete in under 10 seconds.
Veracode Greenlight finds security defects in your code and provides contextual remediation advice to help you fix issues in seconds, right in your IDE. Leveraging our proven, and highly accurate static engine, Veracode Greenlight offers immediate results and scales to your needs. You do not need to provision any servers or tune the engine. It simply scans in the background and provides accurate and actionable results, without taking up resources on your machine. With Veracode Greenlight, find issues early, reduce development and remediation costs, and release your code on time – at the speed of DevOps.
Get security feedback in seconds – in the privacy of your IDE
Nobody writes perfect code the first time around, so Veracode enables you to test your code easily and quickly within your normal development workflow. Simply install a plug-in to your IDE and use Veracode Greenlight to get secure coding feedback in seconds, privately in your IDE, so you can fix issues while you’re still developing. Because Veracode Greenlight was built using Veracode’s proven static analysis engine that has analyzed over 2 trillion lines of code, you’ll benefit from high accuracy and very low false positives.
Fix flaws earlier and learn to write secure code
Veracode Greenlight provides immediate feedback as soon as a flaw is introduced and contextual remediation advice to help you quickly fix the issue. You’ll even receive positive feedback when you’ve taken active steps to secure your application. You can rescan in seconds to ensure the flaw no longer exists, so you can actively learn while you’re coding and introduce fewer defects going forward. Veracode Greenlight scans passively in the background, without taking up resources on your machine.
Teams that address security at every stage of the process spend 50% less time remediating security issues, according to the Puppet State of DevOps Report.
Get started easily without provisioning servers or tweaking rules
Other secure DevOps solutions require you to provision and maintain your own servers. If you want a high-availability or scalable solution, things get complicated fast – or you’re stuck in line in a single-scan queue. You’ll have to tweak rules to bring down the false positive rate for every application. Veracode Greenlight makes your life easy because it scans code through the Veracode Static Analysis engine, which has improved its accuracy with every one of the 2 trillion lines of code scanned so far – no rule tweaking required. Because the Veracode Platform is SaaS-based, it scales up to your needs without your having to provision and maintain any servers.
Use a platform that works for development, security, and operations
Application security is a problem that affects the entire software development lifecycle and stakeholders throughout your organization. While Veracode Greenlight helps developers by scanning smaller units of code while they write it, Veracode Static Analysis gives the security team the assurance it needs that the full application meets policy before release. Unlike solutions that use different engines for testing at different development stages, Veracode Greenlight and Veracode Static Analysis are based on the same time-tested engine, giving you much more consistent and accurate results and enabling applications to pass compliance much faster. Used together, the two products provide an end-to-end application security offering that meets the security, speed, and usability needs of development and security teams.
Veracode also provides on-demand developer training, web application scanning, open source software composition analysis, runtime protection, and manual penetration testing.
If you want to find security defects earlier in your SDLC to reduce costs and hit your development deadlines, contact E-SPIN to accelerate your secure software development lifecycle.
Veracode Software Composition Analysis (SCA)
IDENTIFY VULNERABILITIES IN THIRD-PARTY COMPONENTS AND YOUR OWN CODE
Manage the risk of open source components in your applications
Open source components are a blessing and a curse. They accelerate your application development at no licensing cost but put your organization at risk of getting breached and failing compliance audits. Here are your odds: 44% of applications contain critical vulnerabilities in open source components. Applications have an average of 46 components, and knowing which ones you are using is necessary to defend yourself when major vulnerabilities are announced. This is why several compliance regulations require inventories of open source components so that you can address risks.
Third-party source code libraries increase development speed and risk. […] Heartbleed made dependency risk plain for all to see.
Veracode Software Composition Analysis (SCA) helps you build an inventory of the open source and commercial components in your applications and identify the known vulnerabilities in them. The Veracode Application Security Platform analyzes both proprietary and open source code in a single scan, providing you visibility across your entire application landscape. When a big vulnerability hits the news, Veracode helps you quickly identify which applications in your organization are vulnerable. Because no technology is a silver bullet, Veracode supports your program’s people, processes and technology by coaching your engineers on secure coding practices, managing your remediation and mitigation process, and discovering known and unknown vulnerabilities through its highly scalable SaaS platform.
Assess proprietary and open source code in a single scan
Focusing only on proprietary or open source code means you’re blind in one eye – you need to get visibility of your risks across both parts to cover your bases. The Veracode Application Security Platform analyzes your open source components to find vulnerabilities with the same scan you’ve already set up for static binary scanning – without having to rescan the applications. As a result, you’ll reduce integration points, get broader visibility across your application landscape, and assess your entire application against one policy – summarized in a single report.
Manage your remediation and mitigation workflow
The Veracode Platform helps you manage the workflow for remediation and mitigations. Once you find a vulnerability in an open source component, you can immediately see whether the latest version of the component addresses it. Your developers can also access educational resources to help them address the security issue.
Get one-on-one remediation coaching for software developers
When vulnerability descriptions and on-demand educational resources are not enough, developers can schedule calls with a Veracode expert to talk through the options of remediating or mitigating the vulnerability.
Identify open source components and new vulnerabilities in your portfolio
Open source vulnerabilities are so impactful because the component libraries are widely used and repackaged in software. When a big vulnerability hits the news, Veracode helps you quickly identify which applications in your organization are vulnerable. This saves precious time as you’re formulating your action plan. You can also manually blacklist certain components, leading to an automatic policy audit fail for any application that uses them.
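To make the workflow in the two passages above concrete (checking whether a newer release fixes a finding, denylisting a component so that any application using it fails policy, and asking which applications in the portfolio are exposed when a new advisory lands), here is an added example in Python. It is not Veracode’s engine or data: the lock files, advisory feed, package index snapshot and denylist are all constructed for the example, and the version comparison is a simplified dotted-numeric one.

```python
"""Software composition analysis in miniature (added example, not Veracode's engine):
build a component inventory per application from a lock file, match it against an
advisory feed, check whether a newer release fixes each finding, apply an
organisation-wide denylist, and answer "which apps are exposed to advisory X?".
All data below is constructed for the example."""
import re

# Constructed lock files in pip's 'name==version' form, one per application.
PORTFOLIO = {
    "billing-api": "requests==2.19.1\nurllib3==1.23\n",
    "intranet-portal": "pyyaml==3.13\nleft-pad-py==0.1.0\n# pinned for legacy reasons\n",
    "mobile-backend": "requests==2.31.0\nurllib3==2.2.1\n",
}

# Constructed advisory feed: component -> [(advisory id, first fixed version, severity)].
ADVISORIES = {
    "urllib3": [("ADV-0001", "1.24.2", "critical")],
    "pyyaml": [("ADV-0002", "5.1", "high")],
}
# Constructed package index snapshot: component -> latest published version.
LATEST = {"requests": "2.31.0", "urllib3": "2.2.1", "pyyaml": "6.0.1", "left-pad-py": "0.1.0"}
# Components the organisation has decided may not be used at all (the "blacklist").
DENYLIST = {"left-pad-py"}


def parse_version(v):
    """Compare dotted numeric versions as tuples ('1.24.2' -> (1, 24, 2)).
    Pre-release tags are ignored; good enough for this example."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_lock(text):
    """Inventory: {component: pinned version}, lower-cased, comments stripped."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            inventory[name.strip().lower()] = version.strip()
    return inventory


def assess(inventory, fail_on=("critical", "high")):
    """Return (passes_policy, findings). A finding is either use of a denylisted
    component or a pinned version below the first fixed version of an advisory."""
    findings = []
    for name, version in inventory.items():
        if name in DENYLIST:
            findings.append({"component": name, "version": version,
                             "advisory": "DENYLISTED", "severity": "policy",
                             "fix_available": False})
        for adv_id, fixed_in, severity in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                # fix_available: is the latest published release at or past the fix?
                latest_ok = parse_version(LATEST.get(name, "0")) >= parse_version(fixed_in)
                findings.append({"component": name, "version": version,
                                 "advisory": adv_id, "severity": severity,
                                 "fix_available": latest_ok})
    # Denylisted usage always fails; advisories fail according to the severity threshold.
    passed = not any(f["severity"] == "policy" or f["severity"] in fail_on for f in findings)
    return passed, findings


def applications_affected(advisory_id):
    """Portfolio-wide question for a newly published advisory: which applications
    ship a vulnerable version of the affected component?"""
    hits = []
    for app, lock in PORTFOLIO.items():
        _, findings = assess(parse_lock(lock))
        if any(f["advisory"] == advisory_id for f in findings):
            hits.append(app)
    return sorted(hits)


if __name__ == "__main__":
    for app, lock in PORTFOLIO.items():
        passed, findings = assess(parse_lock(lock))
        print(app, "PASS" if passed else "FAIL", findings)
    print("ADV-0001 affects:", applications_affected("ADV-0001"))
```

Two design points worth keeping in a real program: the inventory is built from the pinned lock file rather than from a loose requirements list, because the pinned version is what actually ships; and the policy verdict is computed per application from the same advisory feed, so a portfolio query is just the same assessment run over every inventory.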
44% of applications contain critical vulnerabilities in an open source component.
Identify and remediate vulnerabilities to help comply with industry regulations
Several industry regulations and security frameworks require that you find and patch known vulnerabilities in your applications, including PCI DSS Requirement 6.2, OWASP Top 10 A9 (Using Components with Known Vulnerabilities), FS-ISAC, NIST 800-53 SA-12, NIST 800-161 CM-8, and HITRUST CSF v7. Identifying and remediating or mitigating vulnerabilities helps you comply with these regulations and pass audits.
Use a scalable SaaS solution that integrates with your SDLC
Security works best when it’s part of how people do their jobs. The Veracode Application Security Platform integrates with every part of your software development life cycle. The SaaS-based platform reduces your operational overhead and is highly scalable to meet your demands at peak times.
Contact E-SPIN today for free consultancy on your open source risk and software composition analysis requirements.
Veracode Web Application Scanning
DISCOVER AND ASSESS RISK OF THOUSANDS OF CORPORATE WEBSITES
Find web applications vulnerabilities in staging and production
With the explosion of digital marketing and communication, companies are relying on web and mobile applications to communicate with customers and compete. However, most applications were not created with security in mind, leaving businesses like yours exposed to risk of breach. To make matters worse, you have old marketing websites, applications created by different business units, or digital assets acquired during M&A – so you probably don’t even know how many websites your company has. Monitoring your web perimeter is time consuming and expensive, and point solutions don’t scale to assess all of your applications. Integrating scanning technologies into the SDLC can be challenging.
Veracode Web Application Scanning typically finds 30 – 40% more websites than customers thought they had.
Veracode Web Application Scanning (WAS) offers a unified solution to find, secure, and monitor all of your web applications – not just the ones you know about. First, Veracode discovers and inventories all of your external web applications, then performs a lightweight scan on thousands of sites in parallel to find critical vulnerabilities and helps you prioritize your biggest risks. As a second step, you can run authenticated scans on critical applications to systematically reduce risk while continuously monitoring your security posture as part of the SDLC. Veracode offers multiple scanning technologies on a single platform, so you get unified results, analytics, and increased accuracy.
Discover and inventory your publicly facing web applications
You can’t secure what you don’t know about. Veracode WAS uses web-application-layer crawling, domain brute forcing, integrated web searches, and other unique approaches to identify more applications than network-based scanning. In fact, Veracode consistently finds 30-40% more websites than companies originally knew they had. As a result, our customers often shut down old and unused websites to save costs.
Quickly assess risk across your entire application portfolio
After discovering all of your websites, you can scan your entire web perimeter, which will quickly identify major vulnerabilities across your full application portfolio and give you visibility into your overall risk. Then, run an authenticated deep scan on your most critical applications. Veracode WAS enables continuous, ongoing monitoring to maintain your security posture.
Strategically and efficiently reduce risk in testing and production
Veracode knows you can’t solve a problem with tools alone, so we offer security program management and application security consulting to help you achieve your goals. Our security program managers work with you to analyze the list of websites you discovered and define policies and success criteria to set up a strategic, repeatable process. Veracode Technical Support will help you integrate Veracode WAS into your SDLC and help mitigate vulnerabilities. Veracode WAS also learns as it scans, so you won’t waste time on false positives. Scans are easy to configure because the Veracode Application Security Platform guides you through the steps and offers clear results. Veracode’s operations center ensures findings are actionable and has your back if you make a configuration error, so your scans run successfully.
Understand your digital assets before and after M&A activities
Inheriting insecure legacy applications can put your business at risk. If your organization has already acquired another company, you can test your current web perimeter for legacy websites to shut down or secure. If you’re considering M&A, you can assess another company’s security as part of the due diligence process before you join forces.
A telecommunications firm shut down 20% of its web applications that were no longer needed, breaking even on the cost of Veracode Web Application Scanning within the first year.
Use multiple assessment techniques all in one platform
The Veracode Platform is home to major application security technologies, including static and dynamic analysis as well as software composition analysis, which identifies open source risk. When you combine static and dynamic scanning, you’ll benefit from increased breadth and accuracy, as well as consistent reporting and policy management. Scan public-facing websites directly from our cloud-based platform without having to provision servers, and use the Veracode Virtual Scan Appliance to test your internal applications.
Contact E-SPIN today to see a demo of Veracode Web Application Scanning and start reducing your application security risk today.
Veracode Runtime Protection (RASP)
DETECT AND BLOCK ATTACKS AGAINST APPLICATIONS IN REAL-TIME
Enable secure application deployments without operational maintenance
Organizations like yours are increasingly leveraging software applications you build, compose or buy to gain competitive advantage. Development teams are pressured to deliver quality work on time, often at the expense of security. The ability to exploit software vulnerabilities and the potential of significant financial gain have made web applications the most common breach vector. Fixing a vulnerability in code may not be an option due to time to market or lack of access to the source code. Web application firewalls (WAFs) are frequently deployed as a quick fix, but they require a lot of maintenance and often run in monitoring-only mode for fear of false positives.
52% of applications scanned by Veracode contained XSS flaws, 35% contained SQLi flaws.
~ Veracode Internal Data 2016
Veracode Runtime Protection defends against application-layer attacks in real-time. Unlike a WAF, Veracode Runtime Protection is simple to deploy and does not require engineering resources to implement and tune it because it uses a technology called runtime application self-protection (RASP). Veracode Runtime Protection provides more effective protection, is harder for attackers to evade, and has much higher accuracy – so you won’t be distracted by noisy false positives. You can even deploy it in pre-production to ensure its functionality is tested as part of your QA process. Third-party and legacy applications can be secured without requiring code changes or interrupting engineering priorities.
Protect applications at runtime without touching code
Veracode Runtime Protection does not require you to change source code. It is installed in minutes on your application server and instantly begins monitoring and protecting you from attacks – no tuning required. The technology is great for defense in depth or as an easy option to start your application security program. Even if you operate legacy or third-party applications, or use open source components in your web app, Veracode Runtime Protection provides an excellent option for mitigating vulnerabilities. No development effort is required to get Veracode Runtime Protection installed and running.
Monitor and block attacks, integrate with security operations
You can set Veracode Runtime Protection to monitor or block. In monitoring mode, it alerts you about active threats and logs an audit trail. In blocking mode, Veracode Runtime Protection also prevents the attack from being executed. Attack data is logged in a central management console and can be fed into a SIEM to alert the security operations team.
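To show what “monitor” versus “block” means at the point where a RASP hook sits, here is an added example in Python. It is not Veracode Runtime Protection or its detection logic: it is a deliberately small illustration of the RASP idea, a hook at the database call that can see both the raw HTTP request parameters and the final SQL statement, and that flags a request whose parameter values changed the token structure of the statement. The application code, the in-memory SQLite table, the request parameters and the attack string are all constructed for the example, and `events` is a stand-in for the log feed a SIEM would consume.

```python
"""Minimal RASP-style hook (added example, not Veracode's engine): inspect each SQL
statement at the point of execution, compare it with the raw request parameters,
and either log (monitor mode) or refuse (block mode) statements whose structure
was altered by user input. All data below is constructed for the example."""
import json
import re
import sqlite3
import time

# Tokenizer for a small SQL subset: string literals (with '' escapes), comments,
# numbers, identifiers/keywords, and single-character operators/punctuation.
_TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"            # string literal
    r"|--[^\n]*"                 # line comment
    r"|/\*.*?\*/"                # block comment
    r"|\d+(?:\.\d+)?"            # number
    r"|[A-Za-z_][A-Za-z0-9_]*"   # identifier or keyword
    r"|\S",                      # any other single character
    re.S,
)


class AttackBlocked(Exception):
    """Raised in block mode instead of executing the statement."""


def input_breaks_structure(sql, value):
    """True if `value` occurs verbatim in `sql` and is not wholly contained in a
    single token. Data that was escaped or bound correctly either does not occur
    verbatim or sits inside one literal; injected syntax spans token boundaries."""
    value = value.strip()
    if len(value) < 2:  # single characters match far too much to be meaningful
        return False
    spans = [(m.start(), m.end()) for m in _TOKEN_RE.finditer(sql)]
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        if not any(s <= start and end <= e for s, e in spans):
            return True
        start = sql.find(value, start + 1)
    return False


class Rasp:
    """Wraps a DB connection; `mode` is 'monitor' or 'block'."""

    def __init__(self, conn, mode="monitor"):
        if mode not in ("monitor", "block"):
            raise ValueError(mode)
        self.conn = conn
        self.mode = mode
        self.events = []  # JSON lines; a real deployment would ship these to a SIEM

    def execute(self, sql, request_params):
        hits = [k for k, v in request_params.items() if input_breaks_structure(sql, v)]
        if hits:
            self.events.append(json.dumps({
                "ts": time.time(),
                "rule": "sqli.structure",
                "mode": self.mode,
                "action": "blocked" if self.mode == "block" else "logged",
                "params": hits,
                "sql": sql,
            }))
            if self.mode == "block":
                raise AttackBlocked(f"SQL structure altered by parameter(s): {hits}")
        return self.conn.execute(sql).fetchall()


def demo(mode):
    """Run a benign and a malicious request through a deliberately vulnerable
    lookup (string concatenation) behind the hook; returns what each produced
    plus the actions recorded for the SIEM feed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    rasp = Rasp(conn, mode)

    def lookup(name):  # vulnerable on purpose: the hook, not the app, is the point
        sql = f"SELECT id, name FROM users WHERE name = '{name}'"
        return rasp.execute(sql, {"name": name})

    benign = lookup("bob")
    try:
        attack = lookup("x' OR '1'='1")
    except AttackBlocked:
        attack = None
    return benign, attack, [json.loads(e)["action"] for e in rasp.events]


if __name__ == "__main__":
    print("monitor:", demo("monitor"))
    print("block:  ", demo("block"))
```

In monitor mode the injected query still runs and returns every row, but an event is written; in block mode the same request raises before the statement reaches the database, and the benign request is unaffected in both modes. The structural check is a simplification: a production RASP sees parsed query trees and application context rather than a regex tokenizer, and an input that is escaped or bound as a parameter never matches the executed text, which is exactly why it passes.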
Broaden your options for reducing application risk
Risk management is all about business trade-offs: With Veracode Runtime Protection, you add the option to instantly mitigate certain vulnerabilities without involving developers as an alternative to requesting a code change, so you’re increasing development speed while managing your risk. Veracode Runtime Protection helps companies comply with regulations, such as PCI DSS, by providing an automated solution that detects and prevents web-based attacks.
[WAFs have a] single point of failure; likely to fail open under high load, leaving the formerly protected web application vulnerable.
~ SANS Report
Experience easier maintenance and more accuracy than with a WAF
Unlike web application firewalls (WAFs), Veracode Runtime Protection requires no tuning. It is easy to deploy in pre-production to ensure it successfully blocks attacks. It has higher accuracy because it has insight into application logic and configuration, event and data flow, executed instructions and data processing. WAFs have a higher false positive rate because they lack the necessary means to ensure accurate detection of application vulnerabilities and protection against application-level attacks.
Run an integrated application security program, not just a tool
Veracode has over a decade of application security expertise and can help you understand exactly how you should deploy Veracode Runtime Protection within the greater context of your application security program. Use attack data to prioritize vulnerabilities discovered from Veracode Static Analysis, including evidence such as stack traces, database queries, and HTTP requests. Combine Veracode Runtime Protection with Veracode Web Application Scanning (WAS) to test your application interactively. Veracode WAS acts as a simulated attacker, while Veracode Runtime Protection alerts you on which attacks actually make it through to the application. This achieves interactive application security testing (IAST) to prioritize findings from your dynamic scans.
Contact E-SPIN today to see how runtime application self-protection (RASP) technologies can help defend your applications.
Veracode Vendor Application Security Testing (VAST)
ASSESS SECURITY OF THE SOFTWARE YOU BUY
Manage security assessments across your vendor landscape
Commercial applications have an average of 83 vulnerabilities, but procurement teams are doing little to assess the risks at time of purchase, increasing their organization’s security and audit risks. Regulations, such as PCI DSS, NIST SP 800-161, FS-ISAC, and MAS, require assessing software supply chain risk. Vendor self-assessment questionnaires do little more than check the box, and penetration testing is time-consuming and expensive. Assessing third-party software is even more challenging when vendors have to provide access to their source code, which many regard as confidential intellectual property.
Over 90% of the third-party software tested by a global manufacturer had significant, compromising flaws.
Veracode Vendor Application Security Testing (VAST) provides a scalable program for managing third-party software risk. Build your program based on a decade’s worth of best practices to ensure success and see a simple pass or fail for each vendor application. Because Veracode scans binaries rather than source code, vendors will be more comfortable with the assessments because they don’t have to disclose their intellectual property. With Veracode, you can scale your program without adding specialized headcount and manage the entire program on a single platform.
Build your program based on a decade’s worth of best practices
Veracode has helped thousands of organizations with their application security program over the past 10 years. We work with you to formulate a strategy for contacting your independent software vendors (ISVs), defining policies for compliance that can include a mix of automated and manual testing methods, and getting them into compliance. Once you have reached out to your software vendors based on our proven process, we’ll handle the rest of the program management, including follow-ups with vendors, assessments, and removing any roadblocks to compliance. If you already have a vendor assessment program, we can help you to improve and scale it.
See which vendors comply with your corporate policy
No matter how complex your corporate policy is, you’ll be able to see a simple pass or fail for each vendor application, including static and dynamic scans, software composition analysis, and manual penetration tests. Reports include a bill of materials comprising all open source and commercial components that enable you to quickly assess where your organization is exposed as high profile open source vulnerabilities are discovered. Policies can cover several regulations requiring an assessment of software supply chain risk, including PCI DSS, NIST SP 800-161, FS-ISAC, and MAS.
Reduce vendor resistance by scanning application binaries
Software vendors will be reluctant to share the source code of their applications because they consider it their confidential intellectual property. Veracode’s patented technology scans binary code, so ISVs don’t have to share source code with a third party. Because Veracode conducts the application scans in its cloud-based platform, software vendors cannot game the system by “tweaking” scanning parameters to comply with policy.
Scale your program without adding specialized headcount
Finding security professionals is hard, but finding talent with a background in application security and program management is even tougher. With Veracode, you get instant access to a broad range of services that serve as an extension to your team. Our security program managers will work with you to onboard software vendors to facilitate assessments, and our application security consultants are available to developers who need coaching on how to address vulnerabilities. Veracode can even review software vendors’ mitigation proposals to provide you a qualified third-party opinion that will stand up to auditing scrutiny.
Information and communications technology supply chain risk assessment should be integrated to the overall enterprise risk assessment processes throughout the organization.
~ NIST Special Publication 800-161
Manage your entire program on a single platform
Your entire program is managed through the Veracode Application Security Platform, which provides you an overview of all of your vendors’ compliance status. The platform helps foster collaboration between Veracode, the software vendors, and you to track progress and results. In addition to seeing a simple pass/fail, you’ll be able to access detailed reports on each application. Analyze your application landscape and get a global view of vulnerabilities across all applications on the platform.
Contact E-SPIN to learn how we can help assess your vendor supplied applications.
Veracode Developer Training
REMEDIATE 30% MORE VULNERABILITIES WITH DEVELOPER TRAINING
Reduce costs by training developers on application security
Developers have to learn new languages, frameworks and skills throughout their careers, yet most never have the chance to learn to code securely. In turn, many developers will unknowingly introduce security vulnerabilities in their code – and lack the knowledge to fix the issues when they are identified; indeed, even the top computer science programs do not require cybersecurity classes. This becomes even more critical as development practices like DevOps compress delivery schedules, putting pressure on the development team to solve its own problems without waiting on input from overtaxed security teams. Therefore, security issues are discovered later in the cycle, when they are more expensive to fix.
In a recent survey of developers, most respondents were aware of Cross-Site Scripting, but only 11% could correctly answer what helps to protect against it.
~ Denim Group
Veracode Developer Training empowers developers, testers and security leads to develop secure applications, providing the critical skills they need to identify and address potential vulnerabilities. Veracode offers three styles of teaching that reinforce each other. Instructor-led training offers real-time training that’s tailored to your organization. On-demand training is integrated with the Veracode Application Security Platform and allows developers to learn when and where they need it. And just-in-time training offers refreshers and contextual recommendations to help developers fix vulnerabilities. Development organizations that leverage Veracode eLearning see a 30 percent higher vulnerability fix rate.
Get application security training by developers, for developers
Veracode Developer Training covers topics such as secure architecture & design, secure coding techniques and remediation. The training is available in two forms: Veracode Instructor-Led Training (ILT) is delivered by the same application security consultants who provide remediation coaching to your development team, so they can provide relevant examples and tailor the conversation to your needs. Veracode eLearning provides a wealth of content offered on-demand, enabling developers to learn on their own schedule, and in real-time when fixing vulnerabilities. Veracode Developer Training builds on Veracode’s real-world expertise from thousands of application security programs.
Increase your remediation rate by 30% through developer training
As developers review the findings of their Veracode Static Analysis or Veracode Web Application Scanning, the Veracode Application Security Platform automatically recommends eLearning courses and offers quick video tutorials to show developers how to address common vulnerabilities. Veracode ILT allows development teams to dive deeper into difficult vulnerability types so they have all the context they need to address the specific issues that are critical to your program.
Reach more developers through online delivery
Veracode ILT is delivered live via web conference so your entire security and development team can benefit. Because Veracode eLearning is delivered via the Veracode Platform, you can reach development teams wherever they are located. And our integrated SAML-based single sign-on automates developer provisioning so that you can go from a few developers to thousands without wasting time in an administrative console.
None of the top 10 computer science universities require students to take a cybersecurity class for their degree in computer science.
~ Dark Reading
Comply with PCI DSS, NIST and HIPAA
Veracode eLearning meets developer training needs for many common industry requirements, including PCI DSS section 6.5, NIST 800-53 control AT-3 and HIPAA/HITRUST. Plus, developers can use their Veracode eLearning transcripts to earn continuing professional education (CPE) credit.
Integrate developer training into your application security program
Veracode has over 10 years of experience helping developers and security teams create secure applications, so our program management team can help you develop a curriculum, define goals and optimize how your team is educated. And the Veracode Application Security Platform enables both developers and the security program, not only delivering training but also providing management reporting and curriculum and user administration through a single cloud-based interface.
Contact E-SPIN today to learn how Veracode Developer Training can help your development team code more securely through eLearning on a range of subject areas.