By Dan Cornell, CTO of the Denim Group (www.denimgroup.com)

At Denim Group, we help clients build secure software and secure the software they have built. We have a long-standing partnership with Veracode because their SaaS scanning engine provides us with the vulnerability information we need to help make our customers' applications more secure. Our goals when we work with clients rolling out software security testing programs are the following:
- Coverage: What percentage of the application portfolio is covered?
- Frequency: How frequently is testing being performed?
- Depth: How thorough is the testing that is being performed?
However, despite the fact that we work with a large variety of clients from a variety of vertical markets, we find that most organizations don't scan all of their applications and, more importantly, aren't scanning their applications frequently enough. We've had a lot of success using Veracode to help overcome this problem. The SaaS scanning engine helps us get large numbers of applications into the testing program in a minimum amount of calendar time. Scripting application submissions also makes it easy to get applications on regular testing schedules. This has several advantages:
- Quicker scanner rollouts (calendar-wise) mean less time elapses before we have a feel for the level of exposure the client has to deal with
- Scheduled re-scans mean that the information about vulnerabilities stays “fresh”
- Easier scanner rollouts (level-of-effort-wise) mean there is more time in the budget to focus on manual testing activities as well as vulnerability resolution and remediation
Having access to the data via their API is also really useful because it lets us slice and dice the vulnerability data and integrate the scanning program with other systems and processes to ensure we can produce the best product for our clients: applications that offer cutting-edge functionality and easy-to-use interfaces while also protecting corporate assets consistently. We're happy to be partnering with Veracode, and we especially enjoy working with Veracode customers who come to us to take advantage of our specialized expertise in both software development and software security. We look forward to working with Veracode as long as applications continue to have security defects... so I guess we'll be at this for a long time. For more details on our partnership, please see the press release we put out this week, and feel free to contact us if you'd like help making sense of your Veracode test results and how best to work with your development teams to get vulnerabilities resolved.