At Veracode, we work hard to support our customers in meeting the goals of your application security program. As a Manager of Customer Success Management (CSM), I work with our CSMs to help hundreds of customers beginning their journey to a mature AppSec program, and many who are just starting out with Veracode.
Veracode Services and Support Teams hear a lot of the same questions from numerous customers. Below I’ll briefly explain the answers to 10 of the most frequently asked questions, provide links to resources on our website, and point out where you can find resources in the Veracode Application Security Platform.
1. What languages and platforms does your static scanner support?
2. How long does a scan take?
About 64 percent of scans are completed in less than 1 hour and 85 percent are completed in less than 4 hours. An ETA for scan completion is provided for each scan you create and is based upon a combination of language, application analysis size, and application history.
3. Why do I upload my binaries to Veracode? Do you also need my source code?
Veracode’s automated static binary analysis reviews the final integrated application, without requiring source code. You securely upload your executables to the Veracode Platform, and the scan examines the compiled binary at implementation time to detect security flaws. By examining a compiled form of an application in its runtime environment, static binary scanning can provide a more comprehensive picture of real-world vulnerabilities. Performing binary code reviews reduces concerns surrounding intellectual property contained in source code and is applicable to situations where access to source code is not available, as is the case with commercial software, legacy applications or many offshore outsourced applications.
4. What types of onboarding do you provide?
Veracode provides onboarding assistance and documentation to help you get the most out of Veracode products and services. Veracode customers can schedule an onboarding consultation through Veracode Support, or their CSM or SPM. Additionally, there are resources on the Veracode Help Center, including a Quick Start Guide and Demonstration Videos.
5. What is the difference between a Flaw and a Vulnerability?
Veracode scans identify application flaws. A flaw is a potential vulnerability. A vulnerability is a hole within the security of a system caused by software flaws, incorrect configurations, and/or insecure user behavior. Vulnerabilities can be exploited to cause the system to violate its documented security policy. An exploit is something that takes advantage of a vulnerability to either gain unauthorized access or do damage to a system.
There are a number of reasons why a flaw will not always be an exploitable vulnerability:
- A flaw may be flagged in a part of the code that is not easily reachable by an attacker.
- Veracode considers anything external passing data to the application to be untrusted. However, data an application receives in its live environment is not always untrusted.
- A flaw may require certain privileges in the application to be a vulnerability.
- A mitigating control external to the application code may prevent exploitation of the flaw.
6. Who is responsible for remediating vulnerabilities?
Developers are responsible for remediating vulnerabilities. There are several tools to help in the Veracode Platform, including the Triage Flaw Viewer and Flaw Sources View, where Veracode provides detailed remediation recommendations. Developers can also get help from Veracode secure development experts in Security Consultation sessions, which can be scheduled directly from the Veracode Platform, or by contacting Veracode Support.
7. What is prescan verification?
The Veracode Platform performs a preliminary analysis, or prescan, of your binaries to validate that they can be analyzed, and to give you an opportunity to fix problems before submitting your scan request. The results of the prescan verification are given as messages in the module table.
During prescan, red and orange informational messages will be shown in the status column. Red messages prevent scanning of the corresponding module. Orange messages indicate issues that should be corrected to ensure an accurate scan, but do not block analysis from proceeding. Green messages indicate that all is well with the associated module. If there is a failure, Veracode will attempt to provide details on why the failure occurred and how to resolve it.
After you resolve a prescan warning you will need to resubmit the affected files or libraries to the Veracode Platform. If you need to re-upload binaries, or upload new binaries, click the Back or Add Files button, locate the files to be added, and upload them. Refer to the Veracode Help Center for more information on prescan error messages and application submission-error codes.
8. What email notifications will I get from Veracode?
Veracode keeps customers up to date with scan and overall service status via email. Veracode users will receive emails when: their password is changed, prescan verification is complete, a scan is submitted, and a scan has completed. You will also receive Veracode Insider, a monthly newsletter with security tips, best practices for scaling your program, Veracode product updates, and relevant AppSec news and events.
9. I like the Veracode web interface, but I do all my work in my IDE. Can you show me the results there?
Veracode provides APIs for uploading applications and viewing results, including reference integrations to several bugtracking systems and integrated development environments, including Eclipse and Visual Studio. For more information on Veracode APIs and plugins, check out our integrations datasheet.
10. How do I learn more about how other customers increase their security posture?
Veracode’s Program Managers have experience providing guidance to customers with varying levels of experience and AppSec program maturity. Our customers are encouraged to reach out to their CSM or SPM to review best practices, set goals, and leverage the programmatic approach to improving overall security posture.
Still have questions?
Call us or email Veracode Support at [email protected] for technical issues and troubleshooting, or reach out to your SPM or CSM for general inquiries.