On Thursday night, Veracode released its sixth major platform update of 2011 (affectionately known as “2011.6″). I’d like to take the opportunity to walk through a few of the items in the release in detail and talk about how they make our customers’ lives easier and their applications more secure.
First, some introductions are in order, since this is the PM team’s first time posting on the Veracode blog. The Veracode product management team is responsible for the roadmap and user experience of the services that Veracode provides to its customers through the Veracode platform. The platform is the SaaS portal our customers use to interact with all of the services we provide. This is much broader than just static binary scanning – though that is certainly what we’re best known for – and also includes dynamic scanning, developer education, and reporting and analytics.
Veracode takes advantage of being a SaaS service to update frequently with a goal toward having the most actionable results turned around most quickly for our customers, and making it as easy as possible to use every aspect of the service, from requesting scans and viewing results to setting policy and running an application security program. Ease of use isn’t just a nice to have for us, it’s mission critical, as you’ll see below.
So what’s in this week’s release? The list is long but includes a redesigned platform administration interface; data export capabilities to provide customers better access to data about their application security program; adds support for the Apache Xerces J2EE framework; adds new flaw categories for Android applications; and adds a host of improvements in results quality, API based results access, and other areas. I’ll dig into three of these items in a little more detail in the rest of this post.
Android: A year or so ago Veracode introduced the Mobile Top 10, and earlier this year we rolled out our initial support for Android. As we’ve reviewed more and more Android apps, we identified some priorities for expanding our support for scanning some of the items on the mobile top 10, including looking at cases where Android apps attempt to modify proxy settings, create inbound SMS listeners, or create data files or permissions settings in ways that allow other apps to read or change them.
Xerces: One of the benefits of running a scanning service in the cloud is that we can learn a lot in an anonymous, aggregated way about the applications we scan. For instance, we have started to track the frequency with which we see frameworks in the applications that are uploaded, and are mining that data for prioritization purposes as we continually seek to improve the quality of our results. One outcome of this effort was learning–somewhat to our surprise–that Xerces was the fifth most common Java framework or technology that we saw, after JSPs, Spring MVC, and Struts 1.x. (We believe that we have the only top ten list of Java framework prevalence, which we’ll share soon.) But at the end of the day, the benefit to our customers is better coverage of their application leading to more accurate results.
User administration: To secure an enterprise, it’s not enough to scan a few applications or educate a few users–you need to roll out wide, scan everything, educate everyone. You need, in short, to scale. Veracode is probably better at this than anyone in the industry – we have multiple customers who have scanned 100 applications in the first 30 days of their subscription, and others who have successfully rolled out 1000+ user developer education programs. As more of our customers are scaling to this milestone or growing their Veracode user base from hundreds to thousands of users, we have recognized a need to enhance our user administration features. So this release adds features for sorting, filtering, and taking quick action on user lists, easy team membership management, and getting on-platform access to detailed user activity logs for tracking and investigating user activity. And we’ve made sure that it all scales to tens of thousands of users per customer.
So that’s just a few of the dozens of enhancements we made in this release—a great way to close out 2011. I’m looking forward to keeping you up to date as we go into the new year!
Written by: Tim Jarrett