To keep up with the pace of the modern world, organizations are constantly looking for ways to release software faster than their competitors. This “need for speed” has led many organizations to adopt DevSecOps. With DevSecOps, security is moved earlier in the software lifecycle, into the realm of developers. As a result of the changing development landscape, application security testing has also been evolving. Yesterday’s application security testing tools and processes will no longer do.
Organizations need an AppSec vendor that is not only DevSecOps friendly but also offers multiple testing types, developer security training, and keeps false positives to a minimum. IT Central Station users have recently ranked AppSec vendors on these attributes and awarded Veracode the top spot for application security testing (AST) solutions.
Be DevSecOps friendly
DevSecOps, which adds security to the already merging workstreams of development (Dev) and IT operations (Ops), is now a critical piece of the application security story. IT Central Station members acknowledged the importance of having application security testing integrated into the DevSecOps workflow. For example, according to Riley B., a senior security analyst at a wellness & fitness company with over 1,000 employees, “Veracode has improved our application security program by providing numerous integrations and tools to take our AppSec/DevSecOps to the next level.”
Being able to integrate automated scans into the DevSecOps pipeline, so that code is submitted for scanning and the results come back to the build without manual steps, is what makes application security testing "DevSecOps friendly." For a security architect at a financial services firm with over 1,000 employees, one of Veracode's most valuable features is its ability to submit the software and get automated scan results from it.
Divakar R., a senior solutions architect at NessPRO Italy, a small tech services company, simply stated that Veracode is “a well-supported and valuable tool that was part of our DevSecOps process,” while a DevSecOps consultant at a communications service provider with over 10,000 employees compared Veracode to a competitor: “Veracode is more API and DevSecOps friendly. Veracode's scanning time is better.”
Cover all application types
Application security testing needs to cover the full range of application types an organization ships if it is to be useful in a DevSecOps pipeline. This means supporting testing for web applications, mobile apps, microservices, and more, with both static and dynamic techniques. A senior security architect at a financial services firm with over 10,000 employees spoke to this need, saying, "We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning."
The communications service provider’s DevSecOps consultant echoed this approach, sharing, “We use the Veracode SAST solution to scan the Java, Node.js, and Python microservices as part of our CI/CD pipeline, wherein we are using our CI/CD server as Bamboo, Jenkins, and GitLab CI/CD. It is an excellent solution. It finds a good number of the securities used, providing good coverage across the languages that we require at our client site.” They have scanned more than 150 microservices in the last year and a half.
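The reviews above describe the pipeline pattern in the abstract: a CI stage submits code for a SAST scan and the build proceeds or fails on the result. The script below is an added example of that gating step, not Veracode's code, API or report format and not anything from the quoted reviews. It parses a scan report, fails the stage when findings at or above a severity threshold remain, and honours a baseline of reviewer-triaged false positives that carry a reason and an expiry date. The JSON schema, field names, sample findings and baseline entries are all constructed for the illustration.

```python
import json
import sys
from datetime import date

# Severity ladder used for the threshold comparison.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report. The field names are an assumption for this example,
# not the schema of any real scanner.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "f-001", "cwe": 89, "severity": "high", "file": "api/orders.py", "line": 42},
        {"id": "f-002", "cwe": 79, "severity": "high", "file": "web/templates.py", "line": 17},
        {"id": "f-003", "cwe": 798, "severity": "critical", "file": "config/settings.py", "line": 3},
        {"id": "f-004", "cwe": 22, "severity": "high", "file": "svc/files.js", "line": 88},
        {"id": "f-005", "cwe": 209, "severity": "low", "file": "api/errors.py", "line": 12},
    ]
})

# Constructed triage baseline: findings a reviewer has marked as false positives.
# Every entry carries a reason and an expiry date so suppressions are re-examined
# instead of silently accumulating in the repository.
SAMPLE_BASELINE = {
    "CWE-22:svc/files.js": {"reason": "path is canonicalised and checked against an allow-list",
                            "expires": "2099-01-01"},
    "CWE-79:web/templates.py": {"reason": "template engine auto-escapes this context",
                                "expires": "2000-01-01"},
}


def load_findings(report_json):
    """Parse the report and drop entries with an unknown severity label."""
    report = json.loads(report_json)
    return [f for f in report.get("findings", []) if f.get("severity") in SEVERITY_RANK]


def fingerprint(finding):
    """Key a finding by CWE and file rather than by line number, so edits elsewhere
    in the file do not invalidate a triage decision. The trade-off is that a second
    instance of the same CWE in the same file is also suppressed until the baseline
    is reviewed again."""
    return f"CWE-{finding['cwe']}:{finding['file']}"


def evaluate(findings, baseline, threshold="high", today=None):
    """Sort findings into buckets: blocking, suppressed (valid baseline entry),
    expired (baseline entry past its date, which also counts as blocking) and
    below_threshold. `today` may be a date or an ISO date string."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    result = {"blocking": [], "suppressed": [], "expired": [], "below_threshold": []}
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[threshold]:
            result["below_threshold"].append(f)
            continue
        entry = baseline.get(fingerprint(f))
        if entry is None:
            result["blocking"].append(f)
        elif date.fromisoformat(entry["expires"]) > today:
            result["suppressed"].append(f)
        else:
            # An expired suppression must be re-triaged; until then it fails the build.
            result["expired"].append(f)
            result["blocking"].append(f)
    return result


def gate_exit_code(result):
    """Non-zero exit fails the CI stage; Jenkins, Bamboo and GitLab CI all honour it."""
    return 1 if result["blocking"] else 0


def main():
    result = evaluate(load_findings(SAMPLE_REPORT), SAMPLE_BASELINE, threshold="high")
    for bucket, items in result.items():
        for f in items:
            print(f"{bucket:16} {f['id']} {f['severity']:8} CWE-{f['cwe']} {f['file']}:{f['line']}")
    return gate_exit_code(result)


if __name__ == "__main__":
    sys.exit(main())
```

In a real pipeline the report would come from the scanner's output and the baseline would be a file checked into the repository, so that every suppression is reviewed in a pull request alongside the code it excuses. Treating an expired suppression as blocking is deliberate: it forces the false-positive decision to be revisited rather than letting the baseline grow into a permanent blind spot.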
Engage developers with security training
Ideally, an application security testing platform provider should engage developers with security training that lets them exploit and fix real applications. As the financial services security architect put it, “Veracode has helped immensely with developer security training and in building developer security skills. Before we implemented it, we would find a lot more vulnerabilities in our applications. Now, with Veracode, the developers have started doing a lot more secure coding and they have much better coding practices.”
Other notable comments about security training include:
- “The solution has helped with developer security training and has helped build developer security skills. It has definitely opened their eyes and made them more aware of things they should look for.” - IT cybersecurity analyst at a small educational organization
- “Veracode has helped with developer security training and helped build developer security skills.” - Head of information security at a small media company
- “The best stuff is the training: this enables your team to adopt the same programming approach, although these people have a different background or joined the projects in a different phase. Doing that, they can take the training and be aligned so that they all write code in a good way.” - Mauro V., a cybersecurity expert at PSYND, a small technology services company
- “The training also helped us to identify the existing vulnerabilities in our code and some of the third-parties that we are using that have vulnerabilities in them. We know we need to upgrade them.” - Heythem F., a product software engineer at a technology services company with over 1,000 employees
Keep false positives to a minimum
False positives waste time and cause stress for everyone in the DevSecOps process: each one has to be triaged by a developer or a security analyst before it can be dismissed, and a flood of them trains teams to ignore scan results altogether. An effective application security testing tool should keep false positives to a minimum. Veracode met this standard, as the financial services senior security architect explained. He said that Veracode "gave us much higher quality dynamic scanning with very few false positives and a robust static scanning solution." In contrast, he added, when they used a "heavyweight" legacy dynamic scanning product, "It would produce hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune."
“Veracode also reports far fewer false positives with the static scanning,” said Srinivasa K., a manager of information technology at Broadcom Corporation, a technology services company with over 10,000 employees. He added, “The scanner just goes through the code and analyzes all the security vulnerabilities. A lot of scanning tools in the market give you a lot of false positives. The false-positive rate in Veracode is notably less. That was very helpful to the product teams as they could spend most of their time fixing real issues.” Christian C., a senior programmer/analyst at a financial services firm with over 10,000 employees, simply shared, “I haven't come across any false positives.”
To learn more about our ranking as a top application security testing solution, visit our page on IT Central Station.