When you use the Veracode API you get an economy of scale through automation. One customer uploaded and scanned 100 applications concurrently over a weekend. Another one scheduled monthly recurring scans. "Application programming interface" (API) is more than jargon. It is the industrial revolution (automation) meets the information age (your application security intelligence). Here are five ways you can wield that power.
This is not to say developers are excluded from security goals. I mean the process is invisible. Imagine writing code and committing it to the build server to trigger a scan. We call this pattern "Upload and Scan" and use it in-house for our own development. See the Agile Integration SDK for more details.
Web security scans can be launched against your entire application infrastructure to quickly identify the "low-hanging fruit." This allows you to cover everything and focus remediation on the severe. Use the API to schedule frequency such as weekly, monthly or quarterly. Scan many applications regularly and review the results that only exceed your risk appetite.
Why not delegate the administration of your security platform to the department that manages your IT? The Veracode "Admin API" makes it simple to perform common administrative tasks in bulk. You can create a standard operating procedure to create 100 application profiles or enroll 100 developers. And you can integrate your identity and access management (IAM) system for user management. The result is an elastic security program that complies with your change control procedures. The benefit is less time spent on administrative tasks by the security team.
The Veracode "Results API" makes is easy to get your data in the format you need. Feed your application results into a governance dashboard, a defect tracking system, or a custom python application. Allow people to choose the format of their results. PDF reports for some, XML for others, and results right inside of the IDE for the rest.
The Veracode Vendor Application Security Testing (VAST) program has APIs for automating vendor and enterprise tasks. I predict more customers will use the VAST APIs, especially as more software suppliers address questions about the security of their product from their customers. Use the VAST API to retrieve the shared Veracode results of your software vendors.
Anything that can be accomplished through the User Interface (UI) can be done through the application programming interface (API). These are a few examples. While automation alone does not solve every problem, it can be a distinctive element of a security program when combined with strong program management. Veracode has deep API expertise and can help you get started using our existing tools or building a custom integration solution for your environment.