Application security solutions that slow or stall the development process simply aren’t feasible in a DevOps world. AppSec will increasingly need to fit as seamlessly as possible into developer processes, or it will be under-used or overlooked. But overlooking AppSec puts your organization at high risk of a damaging breach. Our most recent State of Software Security report (which is based on our Platform data) found that a whopping 77 percent of apps had at least one vulnerability on initial scan. Leaving your code vulnerable leaves your organization open to breach. In the end, you need AppSec, but you also need AppSec that developers will use. Reduction of false positives is a big part of this requirement. False positives are always a key concern because they make developers and security folks spin their wheels, so solutions should minimize them as much as possible.

How Veracode Works to Reduce False Positives

We always aim for full automation and high speeds for all of our scans, but that doesn’t mean that we compromise on quality. During both the early adopter phases of supporting a new language, as well as throughout the course of generally available support, we sample customer app submissions and manually review flaws. This step ensures that we have met our standards for accuracy in terms of both false positives and negatives. By reviewing actual customer apps, we get a much broader and realistic set of cases than would be possible in a QA lab that only tests applications built as internal test cases.

Our review of these applications leads to improvements that are implemented back into our static analysis engine. This results in us automatically publishing 98 percent of all of our static scans, ensuring that our solution achieves the speeds required for DevOps and CI/CD.

The SaaS Advantage

As a native SaaS provider, Veracode has a strategic advantage in improving false-positive rates because all operations are conducted on our Platform. To date, we’ve assessed over 5 trillion lines of code and performed nearly a million scans, and with every release, the Platform gets smarter. On-premise solutions, on the other hand, require their customers to tweak their results to adjust for false positives, which can be very time consuming, or to wait for their on-premise vendor to release a new revision to the scanner, which requires downtime and unplanned work for the security teams. We at Veracode improve our static analysis engine at least monthly, and improvements we have made by observing the behavior of all customer applications are available with minimal disruption to your processes.

The result for our customers is that they get very high quality at high speeds, without having to train and maintain a team for tweaking false positives. In fact, 75 percent of our scans finish in less than an hour, and our false-positive rate is a low 5 percent – with zero rule tweaking. This 5 percent false positive rate across real-world applications is verified and based on feedback from our customers on vulnerabilities they have reviewed. By comparison, our competitors claim a 32 percent false positive rate.

Bottom Line

The Veracode Platform has scanned tens of thousands of enterprise, mobile and cloud-based apps, and we’ve helped our customers fix more than 35 million flaws. Bottom line? Better analytics, faster improvements, increased accuracy and the ability to create more software, more securely than ever before.

Find out more about the Veracode Application Security Platform with this Overview.

Jon is Senior Product Manager for Veracode Static Analysis and is responsible for the strategy of all Veracode Static Analysis features. Jon has been with Veracode since 2013, and has been working in information security since 2008 in a variety of consulting and product-oriented roles. Jon lives in Chicago, IL.
