The development of software has become a continuous, integrated process that reaches beyond your internal development team. This allows your organization to grow and innovate like never before, but also requires you to think about security differently.
Different teams with different priorities
Security and development teams each have very different AppSec priorities, needs and requirements. Security cares about things like fix rates and compliance with regulations. Developers care about things like finding the line of code where the defect is and fixing it fast – delivering quality code on deadline.
And these two groups need to collaborate, share results and work closely together in order to succeed with application security.
Bridging the gap
Veracode’s cloud-based platform seamlessly integrates with both developers’ and security professionals’ processes, then allows them to easily share results and collaborate.
If you’re a developer, you don’t want to stop coding to open a separate testing system. So we built our solution to fit into your software development lifecycle.
Our APIs and plug-ins automate ongoing activities including:
- Scanning applications automatically from an IDE or CI/CD system.
- Integrating flaw comments and mitigation workflow tasks into IDEs.
- Opening and closing tickets in issue tracking systems when flaws are found and fixed.
- Training and coaching: quick access to short secure-coding instructional videos or personalized remediation advice.
- Scanning portions of an application while you code and displaying security findings directly from within an IDE.
We offer pre-built plugins for tools your team already uses such as:
- IDEs including Visual Studio, Eclipse and IntelliJ.
- CI/CD systems and build tools including Jenkins, Bamboo, Team Foundation Server (TFS), Visual Studio Team Services (VSTS), Ant and Maven.
- Issue Tracking Systems like JIRA, Bugzilla, and Team Foundation Server (TFS).
What if you don’t know how to fix a security-related defect Veracode found? The Platform also integrates secure coding best practices into the developer workflows – giving you easy access to short instructional videos to help fix what’s found, and with one click, access to our experts for personalized remediation advice.
If you’re on the security team, on the other hand, you need a different picture – you want to see overall trends and whether the organization’s risk level is going down.
We feed data into leading GRC platforms, including RSA Archer, via XML to share critical information such as application security scores; listings of all discovered flaws; and flaw status information (new, open, fixed or re-opened). Summary data is also included for third-party assessments, including scores and top-risk categories. In addition, we offer automated provisioning of new users and teams via APIs, and integrate with WAFs, such as Imperva SecureSphere – allowing them to instantly detect and block attacks until vulnerabilities can be addressed in the code itself.
Ultimately, security teams get the metrics they need within the workflows they currently use, while developers integrate security testing into their IDEs, CI/CD and issue tracking systems.
Every team and individual that plays a role in AppSec uses Veracode’s cloud-based platform in the way that works best for them, and they can easily collaborate and interact with other stakeholders, groups and outside organizations.
Get more details on the capabilities of the Veracode Application Security Platform, and a graphical representation of how they all work together, in our new eBook, People, Process and Technology: An Overview of the Veracode Application Security Platform.