Across the thousands of customer conversations we have each year, one theme continues to emerge regardless of industry, size, or geography: the pace of development is accelerating rapidly, and the pressure to innovate quickly is more intense than ever before. Veracode’s customers are not alone. A recent GitLab survey across more than 4,000 global developers found that 43 percent of teams now deploy on demand or multiple times a day, and nearly the same percentage, 41 percent, deploy between once a day and once a month.
In response to this shift in how software is built, Veracode is evolving as well. Security testing that can’t keep up or, worse, slows developers down, will be under-utilized or ignored in this fast-paced environment. To that end, we’re announcing the latest evolution of our Static Analysis solution, in which we bring together two existing scan types and introduce a new, first-of-its-kind scan type. The result is a comprehensive Static Analysis product family that is optimized to integrate security testing into every stage of the development pipeline, giving teams the right scan, at the right time, in the right place.
From the first line of code, the IDE Scan provides focused, real-time security feedback to developers as they code. This scan, which returns results within seconds, helps developers remediate faster through code examples, and its visual positive reinforcement strengthens secure coding skills as they work. Companies using the IDE Scan have reduced flaws introduced into new code by 60 percent.
The first of its kind in the market, the new Pipeline Scan runs on every build, providing security feedback on the code at the team level, with a median scan time of 90 seconds. This scan embeds directly into teams’ CI tooling and provides fast feedback on flaws being introduced by new commits. Teams can break the build if policy-violating flaws, based on severity or CWE category, are introduced by a commit, or if any net-new security issues are found relative to a baseline. Because the scan runs inside the CI tooling teams already use, there is no learning curve for developers.
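To make the build-breaking rule concrete, the following is an added example of the gating logic a CI step applies to a commit's scan results: it diffs the current findings against a baseline from the main branch, then fails only on net-new findings that breach a severity threshold or a CWE deny list (or on any net-new finding, if the team chooses). This is illustrative code, not Veracode's Pipeline Scan or its output format; the JSON field names, the 0–5 severity scale and the sample findings are all constructed for the example.

```python
"""Build-gate logic for a per-commit static scan (added example, not Veracode code).

Findings are matched against a baseline so that only flaws introduced by the
commit can break the build. Severity scale and field names are assumptions.
"""
import json
import sys

# Assumed severity scale: 5 = Very High ... 0 = Informational.
SEVERITY = {"Very High": 5, "High": 4, "Medium": 3,
            "Low": 2, "Very Low": 1, "Informational": 0}

# Constructed sample output of an earlier scan of the main branch (the baseline).
BASELINE_JSON = json.dumps({"findings": [
    {"cwe_id": 89, "severity": 5, "file": "app/db.py", "function": "lookup_user"},
    {"cwe_id": 327, "severity": 3, "file": "app/crypto.py", "function": "hash_token"},
]})

# Constructed sample output of the scan of the current commit: the SQL injection
# is pre-existing, the OS command injection and log injection are new.
CURRENT_JSON = json.dumps({"findings": [
    {"cwe_id": 89, "severity": 5, "file": "app/db.py", "function": "lookup_user"},
    {"cwe_id": 78, "severity": 5, "file": "app/ops.py", "function": "run_backup"},
    {"cwe_id": 117, "severity": 2, "file": "app/log.py", "function": "audit"},
]})


def load_findings(raw_json):
    """Parse the (assumed) scanner output into a list of finding dicts."""
    return json.loads(raw_json)["findings"]


def finding_key(finding):
    """Identity used to match a finding against the baseline.

    Keying on CWE, file and function rather than line number keeps the
    baseline stable when unrelated edits shift line numbers. This is a
    design choice for the example, not the matching rule of any real tool.
    """
    return (finding["cwe_id"], finding["file"], finding["function"])


def gate(current, baseline=(), fail_on_severity="High",
         fail_on_cwes=(), fail_on_any_new=False):
    """Decide whether the commit should break the build.

    Returns (passed, net_new, violations): net_new are findings absent from
    the baseline; violations are the net-new findings that breach policy,
    i.e. severity at or above the threshold or a CWE on the deny list.
    With fail_on_any_new=True every net-new finding is a violation.
    """
    threshold = SEVERITY[fail_on_severity]
    denied = set(fail_on_cwes)
    seen = {finding_key(f) for f in baseline}
    net_new = [f for f in current if finding_key(f) not in seen]
    if fail_on_any_new:
        violations = list(net_new)
    else:
        violations = [f for f in net_new
                      if f["severity"] >= threshold or f["cwe_id"] in denied]
    return (not violations, net_new, violations)


def format_report(net_new, violations):
    """One line per net-new finding, marking the ones that block the merge."""
    blocking = {finding_key(v) for v in violations}
    lines = []
    for f in net_new:
        tag = "BLOCK" if finding_key(f) in blocking else "warn "
        lines.append(f"{tag} CWE-{f['cwe_id']:<4} sev={f['severity']} "
                     f"{f['file']}:{f['function']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # A CI step would read the two JSON files from disk; here the inputs are inline.
    passed, new, bad = gate(load_findings(CURRENT_JSON),
                            baseline=load_findings(BASELINE_JSON),
                            fail_on_severity="High", fail_on_cwes=(117,))
    print(format_report(new, bad))
    print("build", "PASSED" if passed else "FAILED")
    sys.exit(0 if passed else 1)  # a non-zero exit is what actually breaks the build
```

The exit status is the whole interface to the CI system: the job fails only when the gate returns a violation, so pre-existing flaws already tracked against the main branch do not block unrelated commits, while a new command injection (CWE-78) does. Tightening the policy is a matter of lowering `fail_on_severity` or extending `fail_on_cwes`.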
Before releasing the software, a Policy Scan completes a full assessment of the code, with an audit trail for compliance purposes, in a median scan time of 8 minutes. This scan evaluates applications against security policy, delivering a clear pass/fail result. Security teams and development managers gain broad visibility across their applications and the continuous feedback they need to proactively improve their overall security posture.
Each scan runs on the Veracode Static Analysis Engine, which had a developer-verified false positive rate of less than 1.1 percent across more than 7 million scans in 2019 – without manual tuning. Teams benefit from the assurance that they are getting consistent, accurate results alongside clear guidance on what issues to focus on and how to fix them faster, without compromising on development velocity.
Putting it into practice
After struggling with a center-of-excellence approach, the security team at one of our customers, a large telecommunications firm, tried supporting development by giving them access to a variety of different static analysis solutions. While developers were empowered by the choice of tooling, they still weren’t having success remediating risk or scaling the program, and were frustrated by inconsistent results across tools.
The development team decided to standardize on one solution and, upon completion of a thorough assessment process, selected Veracode. Using a combination of scanning with Veracode Static Analysis across the SDLC, they were able to scale the program to more than 1,300 applications, resolve more than 270,000 security flaws, and reduce the number of new flaws introduced by more than 60 percent – all in just 90 days.
To get more details on Veracode Static Analysis, download our technical whitepaper.