Application security solutions that slow or stall the development process simply aren’t feasible in a DevOps world. AppSec will increasingly need to fit as seamlessly as possible into developer processes, or it will be under-used or overlooked. But overlooking AppSec puts your organization at high risk of a damaging breach. Our most recent State of Software Security report (which is based on our Platform data) found that a whopping 77 percent of apps had at least one vulnerability on initial scan. Leaving your code vulnerable leaves your organization open to breach. In the end, you need AppSec, but you also need AppSec that developers will use. Reduction of false positives is a big part of this requirement. False positives are always a key concern because they make developers and security folks spin their wheels, so solutions should minimize them as much as possible.
We always aim for full automation and high speeds for all of our scans, but that doesn’t mean that we compromise on quality. During both the early adopter phases of supporting a new language, as well as throughout the course of generally available support, we sample customer app submissions and manually review flaws. This step ensures that we have met our standards for accuracy in terms of both false positives and negatives. By reviewing actual customer apps, we get a much broader and realistic set of cases than would be possible in a QA lab that only tests applications built as internal test cases.
Our review of these applications leads to improvements that are implemented back into our static analysis engine. This results in us automatically publishing 98 percent of all of our static scans, ensuring that that our solution achieves the speeds required for DevOps and CI/CD.
As a native SaaS provider, CA Veracode has a strategic advantage in improving false-positive rates because all operations are conducted on our Platform. To date, we’ve assessed over 5 trillion lines of code and performed nearly a million scans, and with every release, the Platform gets smarter. On-premise solutions, on the other hand, require their customers to tweak their results to adjust for false positives, which can be very time consuming, or to wait for their on-premise vendor to release a new revision to the scanner, which requires downtime and unplanned work for the security teams. We at CA Veracode improve our static analysis engine at least monthly, and improvements we have made by observing the behavior of all customer applications are available with minimal disruption to your processes.
The result for our customers is that they get very high quality at high speeds, without having to train and maintain a team for tweaking false positives. In fact, 75 percent of our scans finish in less than an hour, and our false-positive rate is a low 5 percent – with zero rule tweaking. This 5 percent false positive rate across real-world applications is verified and based on feedback from our customers on vulnerabilities they have reviewed. By comparison, our competitors claim a 32 percent false positive rate.
The Veracode Platform has scanned tens of thousands of enterprise, mobile and cloud-based apps, and we’ve helped our customers fix more than 35 million flaws. Bottom line? Better analytics, faster improvements, increased accuracy and the ability to create more software, more securely than ever before.
Find out more about the CA Veracode Application Security Platform with this Overview.