When you use the Veracode API you get an economy of scale through automation. One customer uploaded and scanned 100 applications concurrently over a weekend. Another scheduled monthly recurring scans. "Application programming interface" (API) is more than jargon. It is the industrial revolution (automation) meeting the information age (your application security intelligence). Here are five ways you can wield that power.

You make security testing invisible to developers

This is not to say developers are excluded from security goals. I mean the process is invisible to them. Imagine writing code and committing it; the build server picks up the change, uploads the build artifact and triggers a scan, with no manual step by the developer. We call this pattern "Upload and Scan" and use it in-house for our own development. See the Agile Integration SDK for more details.

You look beyond critical applications to the entire application infrastructure

Web security scans can be launched against your entire application infrastructure to quickly identify the "low-hanging fruit." This allows you to cover everything and focus remediation on the severe findings. Use the API to schedule a frequency such as weekly, monthly or quarterly. Scan many applications regularly and review only the results that exceed your risk appetite.

You gain flexibility managing your security initiatives

Why not delegate the administration of your security platform to the department that manages your IT? The Veracode "Admin API" makes it simple to perform common administrative tasks in bulk. You can write a standard operating procedure for creating 100 application profiles or enrolling 100 developers, and you can integrate your identity and access management (IAM) system for user management. The result is an elastic security program that complies with your change control procedures. The benefit is less time spent on administrative tasks by the security team.

You export your data when you need it in other systems

The Veracode "Results API" makes it easy to get your data in the format you need. Feed your application results into a governance dashboard, a defect tracking system, or a custom Python application. Let people choose the format of their results: PDF reports for some, XML for others, and results right inside the IDE for the rest.
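The two habits described above, reviewing only findings that exceed your risk appetite and feeding exported results into a defect tracker, come down to the same small piece of code. The following is an added example, not code from the original post or from Veracode. The XML layout it parses is a simplified stand-in for a scan export, constructed inline for the example rather than copied from Veracode's real schema, and the ticket payload shape, the severity numbering (5 = Very High down to 0 = Informational) and the status values ("Fixed", "accepted") are assumptions for illustration.

```python
"""Triage a Veracode-style scan export against a severity threshold and
shape the survivors for a defect tracker.

Hypothetical example: the XML below is a simplified, constructed stand-in
for a detailed-report export, not a verbatim copy of Veracode's schema.
"""
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample export (not real scan output).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<detailedreport app_name="PaymentGateway" build_id="4711">
  <severity level="5">
    <category categoryname="SQL Injection">
      <flaw issueid="101" cweid="89" severity="5" module="api.war"
            sourcefile="OrderDao.java" line="88"
            remediation_status="New" mitigation_status="none"/>
      <flaw issueid="102" cweid="89" severity="5" module="api.war"
            sourcefile="ReportDao.java" line="42"
            remediation_status="Open" mitigation_status="accepted"/>
    </category>
  </severity>
  <severity level="4">
    <category categoryname="Cross-Site Scripting (XSS)">
      <flaw issueid="203" cweid="80" severity="4" module="web.war"
            sourcefile="Search.jsp" line="17"
            remediation_status="New" mitigation_status="none"/>
    </category>
  </severity>
  <severity level="2">
    <category categoryname="Information Leakage">
      <flaw issueid="305" cweid="209" severity="2" module="web.war"
            sourcefile="ErrorPage.jsp" line="5"
            remediation_status="Fixed" mitigation_status="none"/>
    </category>
  </severity>
</detailedreport>
"""

# Assumed numbering for the example: 5 = Very High ... 0 = Informational.
SEVERITY_NAMES = {5: "Very High", 4: "High", 3: "Medium",
                  2: "Low", 1: "Very Low", 0: "Informational"}


def parse_flaws(xml_text):
    """Flatten every <flaw> in the export into a plain dict."""
    root = ET.fromstring(xml_text)
    app, build_id = root.get("app_name"), root.get("build_id")
    flaws = []
    for category in root.iter("category"):
        for flaw in category.iter("flaw"):
            flaws.append({
                "app": app,
                "build_id": build_id,
                "issue_id": int(flaw.get("issueid")),
                "cwe": int(flaw.get("cweid")),
                "severity": int(flaw.get("severity")),
                "category": category.get("categoryname"),
                "module": flaw.get("module"),
                "source_file": flaw.get("sourcefile"),
                "line": int(flaw.get("line")),
                "remediation_status": flaw.get("remediation_status"),
                "mitigation_status": flaw.get("mitigation_status"),
            })
    return flaws


def triage(flaws, min_severity, include_mitigated=False):
    """Keep only flaws at or above the risk appetite, dropping ones already
    fixed and (by default) ones with an accepted mitigation."""
    kept = [f for f in flaws
            if f["severity"] >= min_severity
            and f["remediation_status"] != "Fixed"
            and (include_mitigated or f["mitigation_status"] != "accepted")]
    return sorted(kept, key=lambda f: (-f["severity"], f["issue_id"]))


def severity_summary(flaws):
    """Counts per severity name, for a governance dashboard."""
    counts = Counter(f["severity"] for f in flaws)
    return {SEVERITY_NAMES[s]: n for s, n in sorted(counts.items(), reverse=True)}


def to_tickets(flaws):
    """Shape triaged flaws into a generic defect-tracker payload (assumed
    format). external_id is stable across rescans so a recurring scan
    updates existing tickets instead of opening duplicates."""
    return [{
        "external_id": f"veracode-{f['app']}-{f['issue_id']}",
        "title": f"[{f['app']}] {f['category']} (CWE-{f['cwe']}) "
                 f"in {f['source_file']}:{f['line']}",
        "priority": SEVERITY_NAMES[f["severity"]],
        "description": f"Build {f['build_id']}, module {f['module']}, "
                       f"status {f['remediation_status']}",
    } for f in flaws]


if __name__ == "__main__":
    all_flaws = parse_flaws(SAMPLE_REPORT)
    print(json.dumps(severity_summary(all_flaws), indent=2))
    print(json.dumps(to_tickets(triage(all_flaws, min_severity=4)), indent=2))
```

With the constructed report, a threshold of High (4) yields two tickets: the unmitigated SQL injection and the XSS. The second SQL injection flaw is skipped because its mitigation was accepted, and the fixed information-leak flaw never reaches the tracker regardless of threshold. Keying tickets on a stable external identifier is what makes the weekly or monthly schedule from the previous section safe to run against a live backlog.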

You leverage application security as a selling point

The Veracode Vendor Application Security Testing (VAST) program has APIs for automating both vendor and enterprise tasks. I predict more customers will use the VAST APIs, especially as more software suppliers have to answer their customers' questions about the security of their products. Use the VAST API to retrieve the Veracode results your software vendors have shared with you.

Anything that can be accomplished through the user interface (UI) can be done through the application programming interface (API). These are a few examples. While automation alone does not solve every problem, it can be a distinctive element of a security program when combined with strong program management. Veracode has deep API expertise and can help you get started using our existing tools or building a custom integration for your environment.

About Brad Smith

Brad Smith is the Security Program Manager and integration expert for Veracode's enterprise customers. In this role he oversees program strategy, execution and adoption of Veracode's services, and builds customer relationships. Prior to Veracode he worked for Foundstone and Google, and he received his M.S. in Information Security from Royal Holloway, University of London. Brad lives in Fountain Valley, California with his wife and sons.
