AppSec Knowledge Base

STATIC ANALYSES

Improving application security with static analyses.

Static analyses are the cornerstone of any application security program. Also known as white box testing, static analysis typically involves automated scanning of software during development to identify security flaws that attackers could exploit. Unlike dynamic analysis or black box testing, static analysis has access to the source code and can search it for potential instances of a wide range of known vulnerability classes, including cross-site scripting and SQL injection.

While static security analysis clearly offers significant benefits for application security, this methodology has not always been as valuable in practice. Many static analysis solutions don’t operate within an IDE, forcing developers to interrupt coding and open a separate environment to run tests. Static analysis tools are often cumbersome and slow, introducing unacceptable delays into the development timeline. And because traditional static analyses require access to source code, it’s difficult to test software assembled from parts that may include commercial or proprietary third-party components for which source code is not available.

That’s why, when choosing a solution for static analyses, more organizations today are turning to on-demand services from Veracode.

On-demand static analyses from Veracode.

Veracode provides a comprehensive suite of testing services in a SaaS-based solution that significantly reduces the cost and complexity of performing static analyses and other security tests. Built on a powerful cloud platform, Veracode’s technologies include static and dynamic analysis, web vulnerability scanners and software composition analysis, enabling development teams and IT administrators to test code at any point in the SDLC from inception through production. With Veracode, organizations can improve the security of their software portfolio without sacrificing quality or speed-to-market.

Veracode Static Analysis offers on-demand static analyses of software that is built, bought or assembled. This Veracode service scans compiled binaries, making it easy to perform static analyses on software even when source code is not available. Developers can submit code for review through an online platform, and results are returned quickly – the vast majority of static analyses are completed within four hours, and 90% of all scans are completed within one day. Results are returned with a remediation plan that includes step-by-step guidance for finding and fixing flaws.

Benefits of Veracode technology for static analyses.

With services for static analyses from Veracode, you can:

  • Perform consistent, high-quality scans for all applications.
  • Scale easily as needed without devoting additional resources.
  • Integrate application security throughout the software development lifecycle.
  • Access all application security testing services from a single platform.
  • Enjoy one-on-one remediation consultations with Veracode security specialists.

Learn more about static analyses in Veracode, or download the SQL injection cheat sheet for more information on how to mitigate this dangerous threat.
