Resources

Browse through the materials below to learn what the industry is saying about best practices for application security.

Analyst Reports

Evolve To Become the 2018 CISO or Face Extinction

Read this report to learn about Forrester's 5-step plan for seizing control of your destiny as a CISO – and why the top 3 skills required to succeed are leadership, strategic thinking, and business knowledge.

Get the full report

Forrester ROI Case Study

Learn how a G2000 financial services company secured its critical outsourced and internally-developed applications with Veracode’s cloud-based service – and generated a 3-year ROI of 192 percent.

Download the case study

Gartner Application Security Testing Magic Quadrant

Released on 1 July 2014

Veracode is a Leader in the Magic Quadrant

Read the "Magic Quadrant for Application Security Testing" (July 2014) to find out why there is a critical need to reduce risk in Web, cloud and mobile applications.

Gartner, Inc. 2014 “Magic Quadrant for Application Security Testing” by Neil MacDonald, Joseph Feiman. July 1, 2014

Get the full report

Case Studies

Global Media and Technology Company Gains Visibility into Mobile App Perimeter

A global media and technology company had little control over the quality or security of the apps published to iTunes or the Play Store. Using Veracode’s cloud-based service, the company gained visibility into its mobile app perimeter, finding it had 100% more apps published than originally thought. By finding these apps and assessing their behavior, the company ensured that all published apps adhered to its app policies for security and privacy and gained tighter control of its mobile footprint.

Download the case study

Large Financial Services Firm Passes Its PCI Audit — and Implements an Ongoing Governance Program to Continuously Reduce Enterprise Risk

Learn how Veracode’s cloud-based service and policy-based approach helped a large financial services firm not only pass its PCI audit in the short term -- but also continuously reduce its enterprise risk in the long term.

Download the case study

Forrester ROI Case Study

Learn how a G2000 financial services company secured its critical outsourced and internally-developed applications with Veracode’s cloud-based service – and generated a 3-year ROI of 192 percent.

Download the case study

Webinars

Secure Agile Development: Why Can’t We All Get Along?

In this webinar, we will introduce security professionals to agile development and expand upon the issues developers face. Hear discussions on rapid development process evolution, feature prioritization, and how cultural differences create friction between security and development. 

View the webinar

451 Research Webinar: Strategies for Third-Party Software Security that Actually Work

Join Wendy Nather, 451 Research, for a panel discussion on how enterprises can secure the software they are purchasing to the same extent they secure the software they are developing.

View the webinar

SANS Webinar: What's in your software? Reduce risk from third-party and open source components

Learn how you can immediately reduce risk from vulnerable third-party and open source components (such as Struts2) with Veracode’s new software composition analysis capability. This new cloud-based service works with all the code you’ve already uploaded for static analysis (SAST), to quickly identify all applications in your portfolio that use vulnerable components – using the same centralized policies, metrics, workflows and remediation advisory services.

View the webinar

State of Software Security

State of Software Security Report Volume 5

This report examines application security quality, remediation and policy compliance statistics and trends. Our analysis of tens of thousands of applications with Veracode's cloud-based platform found that 87% of web applications are not compliant with the OWASP Top 10, while 69% of non-web applications are not compliant with the CWE/SANS Top 25.

The data analyzed represents multiple security testing methodologies (including static binary, dynamic and manual pen testing) on a wide range of application types (web, mobile and legacy/non-web) and programming languages (including Java, C/C++, .NET, PHP and ColdFusion). We also expanded our analysis of the mobile vulnerability landscape with sections on Android, iOS and BlackBerry applications. The resulting intelligence is unique in the breadth and depth it offers.

Volume 5 (40 Pages)
April 8th, 2013

Get the full report

Veracode State of Software Security Report – Feature Supplement on Public Companies

Veracode has been publishing a semi-annual State of Software Security (SOSS) report since 2010. Over time we have received significant interest in our findings and numerous requests to investigate the dataset from many different perspectives that may not be routinely covered in our semi-annual reports. To satisfy the curiosity of our readers and to allow us to extend our investigation to topical areas, we are moving to a new reporting format in 2012. This year we are publishing shorter feature supplements that are designed to address a particular, focused topic, and only release the full SOSS report once a year. This report is the first feature supplement for 2012.

Get the full report

State of Software Security Report - Feature Supplement on Software Supply Chain

This featured supplement focuses on the state of enterprise programs that assess the security of software purchased from vendors. Veracode can uniquely report on how program practices evolve because our analysis is based on data aggregated from companies as they test real applications. The data represents intelligence gleaned from over 900 application builds submitted by software vendors to Veracode's cloud-based platform in an 18 month time-frame.

Get the full report

Whitepapers

Secure Agile Development

This paper, written by the independent security analyst group Securosis, is for security professionals who want to understand Agile development and the issues developers face, so both teams can work together better. Security teams are sharply focused on bringing security to applications and meeting compliance requirements in the delivery of these applications and services. On the other hand, the #1 job for software developers is to deliver code faster and more efficiently, with security a distant second. Both security professionals and developers may be tasked with security, but finding the best way to embed security into the software development lifecycle (SDLC) is not an easy challenge.

Download now

Evolve To Become the 2018 CISO or Face Extinction

Read this report to learn about Forrester's 5-step plan for seizing control of your destiny as a CISO – and why the top 3 skills required to succeed are leadership, strategic thinking, and business knowledge.

Get the full report

THREAT MODELING: Designing for Security

Adam Shostack is responsible for security development lifecycle (SDL) threat modeling at Microsoft and is one of a handful of threat modeling experts in the world. With specific actionable advice, he details how to build better security into the design of software from the outset. You'll explore various threat modeling approaches, find out how to test your designs against threats, and learn effective ways to address threats that have been validated at Microsoft and other top companies. Software developers will appreciate the jargon-free and accessible introduction to this essential skill. Security professionals will learn to discern changing threats and discover the easiest ways to adopt a structured approach to threat modeling.

Download the whitepaper

Datasheets

Software Composition Analysis

To help enterprises take advantage of the speed offered by component usage, Veracode now offers software composition analysis, which enables developers to continuously audit all their code — including third-party and open source components — to identify vulnerabilities and offer remediation assistance and advisory services for all impacted applications. Veracode provides the only cloud-based service that combines binary static analysis (SAST), dynamic analysis (DAST) and software composition analysis via a single platform, using a single set of centralized policies, metrics, dashboards and remediation workflows across all applications and development teams.

Download the datasheet

DynamicDS (DeepScan)

DynamicDS (DeepScan) is a DAST technology that provides granular visibility into the risk posture of all your web applications, with fewer in-house resources. It identifies application vulnerabilities before cyber-criminals can find and exploit them. DynamicDS delivers ongoing security assessments as an automated cloud-based service — backed by Veracode’s world-class application security experts — and works in conjunction with Veracode’s Web Application Perimeter Monitoring (Web APM) solution. 

Download the datasheet

Mobile Application Security

Veracode’s cloud-based solution helps mobile teams achieve the correct balance between innovation and control. We help manage the security risk posed by the mobile apps that your organization builds, buys or downloads.

Download now

Developer Research

Anti-Debugging – A Developer's View

Anti-debugging is the implementation of one or more techniques within computer code that hinder attempts at reverse engineering or debugging a target binary. Within this paper we present a number of the known methods of anti-debugging in a fashion that is easy to implement for a developer of moderate expertise.

Download now
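One of the classic Linux anti-debugging checks, reading the TracerPid field from /proc/self/status, as an added example written for this page and not code from the Veracode paper. It assumes a Linux /proc filesystem and a ptrace-based debugger (gdb, strace, a ptrace injector); the sample status text embedded below is constructed, and the function and constant names are this example's own.

```c
/* Added example: TracerPid anti-debugging check (Linux, ptrace-based debuggers).
 * Not from the Veracode paper; assumes /proc/self/status is readable. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of what the kernel writes to /proc/<pid>/status
 * while a debugger with PID 4242 is attached. */
static const char SAMPLE_STATUS[] =
    "Name:\tvictim\n"
    "State:\tt (tracing stop)\n"
    "Tgid:\t1337\n"
    "Pid:\t1337\n"
    "TracerPid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\n";

/* Parse the TracerPid field from status-file text.
 * Returns the tracer's PID (0 when no tracer is attached),
 * or -1 when the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *key = "TracerPid:";
    size_t keylen = strlen(key);
    const char *line = status_text;

    while (line && *line) {
        if (strncmp(line, key, keylen) == 0) {
            /* strtol skips the tab/space the kernel puts after the colon */
            return strtol(line + keylen, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line)
            line++;                 /* advance past the newline */
    }
    return -1;
}

/* Read our own status file.
 * Returns 1 if a ptrace-based debugger is attached, 0 if not,
 * -1 if the check cannot be made (no /proc, field missing). */
int is_being_traced(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';

    long pid = parse_tracer_pid(buf);
    if (pid < 0)
        return -1;
    return pid > 0 ? 1 : 0;
}

int main(void)
{
    printf("sample status text reports tracer PID %ld\n",
           parse_tracer_pid(SAMPLE_STATUS));

    int t = is_being_traced();
    if (t == 1) {
        fprintf(stderr, "debugger detected, refusing to run\n");
        return 1;
    }
    puts(t == 0 ? "no debugger attached" : "cannot determine (no /proc/self/status)");
    return 0;
}
```

Run it once normally and once under `gdb` or `strace` to see the two outcomes. The caveat that any such paper makes still applies: this check only sees ptrace-based debuggers, and an attacker who controls the binary can patch out the comparison or interpose on `fopen`, so it raises the cost of analysis rather than preventing it.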

Protecting Your Organization from Application Backdoors

Backdoors and malicious code pose an operational risk to software that is too significant for organizations to ignore. This whitepaper discusses how binary (compiled code) analysis is the ideal platform for detecting backdoors and conducting the most complete independent security test, validation and verification of applications.

Download now

A New Taxonomy for Application Backdoors

This technical whitepaper describes a new way to classify backdoor vulnerabilities in applications and discusses static detection of backdoors.

Download now

Demos

Veracode: Preparing and Submitting Your Application (05:43)

View the demo of Veracode's Platform. Learn how to create an Application Profile and Submit your application for analysis.

View the demo

Veracode: Understanding and Interpreting Your Results (11:34)

View the demo of Veracode's Platform. Learn how to access and understand your results once the scan has completed. You will see how to access the summary and detailed results and also how to use Veracode's developer tools.

View the demo

BlackBerry Spyware Demo

Tyler Shields gave a presentation at ShmooCon 2010 on the threats of mobile spyware, particularly as it relates to data privacy. Smartphones and mobile applications have grown tremendously popular over the past couple of years, and it seemed like an appropriate time to raise awareness of what these applications are capable of.

View the demo