By Dan Cornell, CTO of the Denim Group

At Denim Group, we help clients build secure software and secure the software they have built. We have a long-standing partnership with Veracode because their SaaS scanning engine provides us with the vulnerability information we need to help make our customers’ applications more secure.

Our goals when we work with clients rolling out software security testing programs are the following:

  • Coverage: What percentage of the application portfolio is covered?
  • Frequency: How frequently is testing being performed?
  • Depth: How thorough is the testing that is being performed?

However, although we work with a wide range of clients across many vertical markets, we find that most organizations don’t scan all of their applications and, more importantly, aren’t scanning their applications frequently enough. We’ve had a lot of success using Veracode to help overcome this problem. The SaaS scanning engine helps us get large numbers of applications into the testing program in a minimum amount of calendar time. Scripting application submissions also makes it easy to get applications on regular testing schedules.

This has a few advantages:

  • Quicker scanner rollouts (calendar-wise) mean less time elapses before we have a feel for the level of exposure the client has to deal with
  • Scheduled re-scans mean that the information about vulnerabilities stays “fresh”
  • Easier scanner rollouts (level-of-effort-wise) mean there is more time in the budget to focus on manual testing activities as well as vulnerability resolution and remediation

Having access to the data via their API is also really useful because it lets us slice and dice the vulnerability data and integrate the scanning program with other systems and processes. That helps ensure we can produce the best product for our clients: applications that offer cutting-edge functionality and easy-to-use interfaces while consistently protecting corporate assets.

We’re happy to be partnering with Veracode, and especially enjoy working with Veracode customers that come to us to take advantage of our specialized expertise in both software development and software security. We look forward to working with Veracode as long as applications continue to have security defects…so I guess we’ll be at this for a long time.

For more details on our partnership, please see the press release we put out this week, and feel free to contact us if you’d like help making sense of your Veracode test results and how to best work with your development teams to get vulnerabilities resolved.

About Neil DuPaul

Neil manages the blog pipeline at Veracode, often by fending off eager contributors with a stick. He manages much of the Veracode web presence while also motivating the more introspective Veracoders to be social. Lover of sports and outdoors, and a SERP enthusiast, hit him up on Twitter here.
