As important as application security testing is, it's really just the first step in a continuous process to identify and fix flaws. And, depending on your application, you may have hundreds of flaws which require remediation. Some of the most common questions I hear when consulting with customers, particularly new customers, are, “how can I make sure I’m remediating the flaws I find,” followed by “which flaws should I fix first?"
We’ve thought a lot about how we help customers take the all-important next steps to secure their applications. Here are five ways Veracode helps you remediate flaws.
1. Integrations with developer and bug tracking tools. Veracode offers many integrations with the IDEs and build tools your developers are using, so they can scan within their environments to see flaws, and get immediate feedback on how to remediate them. We also offer integration with bug tracking tools like JIRA, bringing relevant flaws into the ticketing system so you can assign them to developers. IDE integrations can close tickets when a scan confirms remediation. Veracode Greenlight, our IDE-based static scanning tool, provides lightning-fast feedback for developers — showing them right in the IDE what they need to do to fix a flaw. This makes developers’ jobs easier, which makes securing applications easier.
2. Central policy creation dashboards. People tend to think policies are the responsibility of security/compliance, but it’s equally as important for the dev team. The Veracode Application Security Platform makes it easy to filter by policy, so a developer knows exactly what flaws to fix. If my scan has 100 flaws and my policy filter shows me 10 policy-violating flaws, I know I need to focus on those 10 to meet the security expectation. The policy filter is also used for determining which flaws should have tickets opened in the defect tracking integration.
3. Flaw Sources View. The Veracode Platform helps you find the locations where you can get the most bang for your buck by remediating many flaws with one code fix — the Flaw Sources View. The flaw sources report quickly identifies main sources of untrusted data in an application, and locates all the flaws that share a flaw source. Being able to fix multiple flaws with a single code change saves developers time and effort. If a source is secured by design, developers can report all the flaws stemming from the safe source with a single mitigation action.
4. Verifying fixes on rescan. After fixing flaws in your application, you should scan your application again to verify that the fixes were effective and that developers didn’t introduce new flaws when making the fixes. Once a new scan of your application is complete, a number of features in the Veracode Platform and in the application report will check the status of those fixes.
— You can download reports from the Results page in the Veracode Platform. The score trend chart, visible in the PDF report, shows the trend of the application score over time and provides at-a-glance feedback to indicate whether the changes you made have improved the security of the application.
— Flaws that were not present in the prior scan of the application are flagged with a NEW badge in the PDF report. The appendix of the PDF report lists flaws that were present in prior scans that were not found in the scan currently being verified.
— If you’re using the DAST product, Veracode Web Application Scanning, the feature called Dynamic Vulnerability Rescan provides an inventory of the flaws found during the scan, identifying them as New, Fixed, Open/Reopened, or Cannot Reproduce. The inventory updates each time you rescan the same application.
5. Consultations with secure development experts. It’s easy to request a consultation call if you need additional guidance on your scan results. To request a consultation, go to the Results page for the most recent scan of your application. Click Request a Consultation to open the scheduling window. We also have consultation services directly with developers. Our security experts coach your developers through assessing, prioritizing, and fixing vulnerabilities using best practices. Veracode supports ongoing developer training, too. Veracode AppSec Tutorials provide developers with quick, video-based lessons. These are great if a developer gets stuck on an issue, like SQL injection or cross-site scripting flaws.
Finally, I suggest you check out our new Veracode Help Center for all the documentation you need to use the Veracode Platform. It’s easy to search, and you can add your own bookmarks to quickly find the answers you need.