Jun 29, 2018

How Veracode’s Integrations With Defect-Tracking Systems Enable DevSecOps

By Marina Kvitnitsky

Software development deadlines are getting shorter. Business requirements are getting more complex, and cybersecurity threats are becoming more real. According to the Accenture report on 2018 State of Cyber Resilience, the average number of targeted attacks has more than doubled between 2017 and 2018. The good news is that security teams are adapting to these constant threats, with the targeted attack prevention rate also going up from 70 percent to 87 percent. Business organizations are investing in solutions that enable secure applications, but do not compromise on the speed of application deployment.

Veracode is responding to this need for rapid development of secure applications by integrating security solutions directly into application development workflows. Specifically, we make our security scanning solutions available from within customer-selected, industry-leading software development tools, which include support for Agile Central, Jira, Jenkins, IntelliJ, and Visual Studio. For the integrations that we do not support, we provide RESTful APIs that allow customers to build their own integrations. By choosing whether they want to integrate Veracode solutions into their build servers, integrated development environments (IDEs), or defect-tracking systems, customers have the flexibility to decide where in their software development life cycle (SDLC) and how tightly they want to couple their security and DevOps cycles.

The benefits of defect-tracking system integration

The advantage of integrating Veracode solutions with defect-tracking systems is that production-level and sandbox vulnerabilities that are identified during Veracode security scans get automatically merged into application defect backlogs. Customers can either manually invoke security scans, or schedule them to start automatically, setting timing and frequency options that work best for their teams. Once these vulnerabilities are merged with the application defects, they are managed like all other application bugs – they are automatically assigned a severity, assigned to developers, and prioritized. Vulnerabilities that are remediated, and no longer show up in successive scans, get automatically closed. Vulnerabilities that are not remediated, but have a risk acceptance plan, can have the mitigation documented and the ticket status set to resolved.

This seamless integration of Veracode with customer defect-tracking tools provides a single, consolidated approach for managing all application development defects and all security-related flaws. Instead of spending their time jumping between different portals and different environments, developers can focus on fixing their issues and meeting their deadlines. That’s a clear advantage of a single process that simplifies tracking of all the different types of development-related flaws. We are all in with Beyonce as we shift security scanning “…to the left, to the left…”

Get more details on all Veracode’s integrations.


Marina Kvitnitsky is a Product Manager for Integrations at Veracode, with a mission to shift Veracode solutions left in the development process. Prior to Veracode, Marina worked as a Product Manager for several other companies in the Boston area, including Global Capacity and EMC.