Manage application security risk in a simple, strategic, scalable way

Veracode Static Analysis

Find and fix software vulnerabilities in applications you build or buy

Software is the engine that powers business innovation – and the No. 1 attack vector. Most applications were not built with security in mind: in fact, more than 63 percent of applications fail the OWASP Top 10 on first scan. At the same time, to meet business-driven deadlines and keep up with the rapid pace of innovation, your development team is churning out software faster than ever. Serious risk of breach and regulatory pressures are driving your company to turn attention to application security, but you don’t have the time, people or money to move the needle. As a result, you are only securing a fraction of your applications, if any at all, leaving your company exposed to risk of data breach.

Fewer than 4 out of 10 applications pass security policy requirements on initial assessment.

~ Veracode State of Software Security Report, 2016

With Veracode Static Analysis, you will:

  • Deliver consistent, high-quality scanning results for all your apps
  • Scale without devoting additional resources
  • Integrate application security into your SDLC
  • Get one-on-one remediation consultations for developers
  • Access all of your application security solutions in one platform

Upload a single packaged application to the Veracode Application Security Platform to kick off a scan for combined static analysis and software composition analysis, resulting in a single pass/fail result. Veracode also enables you to assess applications using dynamic analysis or manual penetration testing.

Deliver consistent, high-quality scanning results for all your apps

Unlike manual code reviews or penetration tests, Veracode Static Analysis is an automated process delivering repeatable results. Veracode Static Analysis can assess the security of microservices, web, mobile and desktop applications. Since we give you accurate results and prioritize them based on severity, you won’t need to waste resources dealing with hundreds of false positives. So far, we’ve assessed over 2 trillion lines of code in 15 languages and 50 frameworks, and we get better with every assessment.

Veracode Static Analysis supports all widely used languages for desktop, web and mobile applications, including:

  • Java
  • .NET
  • JavaScript & TypeScript (including AngularJS, Node.js, and jQuery)
  • Python, Perl, PHP, Ruby on Rails, Scala, ColdFusion, Classic ASP
  • iOS (Objective-C and Swift), Android (Java), PhoneGap, Cordova, Titanium, Xamarin
  • C/C++ (Windows, Red Hat Linux, openSUSE, Solaris)
  • COBOL, RPG, Visual Basic 6

Veracode constantly updates its support for languages and frameworks. Please contact us if you don’t see what you need on this list.

Veracode Static Analysis integrates with IDEs, such as Microsoft Visual Studio, to help developers find and remediate vulnerabilities efficiently.

Scale without devoting additional resources

The SaaS-based Veracode Application Security Platform reduces your operational overhead because you won’t have to build and maintain in-house hardware. And you’ll feel comfortable with our cloud-based application security because Veracode Static Analysis can process binaries, so you don’t have to disclose your source code. In addition, by providing both security expertise and program management, Veracode helps you work through your backlog without hiring specialists. Ultimately, our customers often scale from securing tens of applications without Veracode to hundreds or thousands of applications.

A global bank went from scanning 80 applications per year to 500 in the first year with Veracode and now 1,000 without adding any headcount.

The Veracode Application Security Platform provides one simple policy pass/fail result per application for static and dynamic testing, software composition analysis and manual penetration testing.

Integrate application security into your SDLC

When security is well integrated, you remove friction. The Veracode Application Security Platform integrates with your IDEs, build, ticketing and GRC systems to automatically test code and coordinate remediation. For instance, Veracode Greenlight allows developers to test the code they’re working on in their IDE, getting results back in seconds and highlighting areas where they’ve successfully applied secure coding principles. In addition, the Developer Sandbox functionality enables engineers to test and fix code between releases without triggering a failed policy compliance report to the security team. Veracode’s focus on making security DevOps-friendly is one reason why our customers have fixed 70 percent of the 10 million vulnerabilities they found in 2015.

Veracode Static Analysis integrates with your development toolchain to help your organization scan applications and find, track and remediate vulnerabilities.


Get one-on-one remediation consultations for developers

When vulnerability reports and on-demand training don’t provide enough clarity, developers can set up one-on-one developer consultations with our experts who have backgrounds in both security and software development. Companies using this service have increased fix rates by 147 percent.

Flaw sources show developers where in the code they can make a single change that addresses several vulnerabilities at once.

Comply with company policy and industry regulations

Veracode Static Analysis helps you comply with custom policies or industry regulations. For instance, PCI DSS Requirement 6.5 requires all custom application code to be reviewed to identify coding vulnerabilities. Veracode also supports other risk frameworks and security standards like NIST 800-53 and HIPAA. Each application is graded against the policy as you have defined it, combining results from static and dynamic testing, open source risk and manual penetration testing.

The Veracode Application Security Platform tracks application security compliance over time so you can report progress to stakeholders and easily integrate with your GRC system.

Access all of your application security solutions in one platform

The Veracode Application Security Platform offers multiple assessment technologies that complement Veracode Static Analysis, on a single platform, including Veracode Software Composition Analysis, which inventories and assesses open source components, and Veracode Web Application Security, which identifies architectural weaknesses and vulnerabilities in running web applications by probing the attack surface. In addition, Veracode Runtime Protection enables you to protect web applications against vulnerabilities found by Veracode Static Analysis and Veracode Web Application Security.

The Veracode Application Security Platform brings together various AppSec testing methodologies and services so you can manage your program more effectively.