Application security cannot be solved with a tool alone. There are significant organizational challenges, like gaining buy-in from various areas of your organization, helping developers to fix security flaws and making sure that security becomes part of the testing process. It’s truly a cultural shift. As such, adoption of application security will only be successful if you eliminate as much friction as possible. By offering first-class, out-of-the-box integrations that fit into the tools developers and security professionals are accustomed to, Veracode allows companies to easily fit application security into the software lifecycle and eases its introduction.
Veracode integrates with IDEs including Eclipse, IBM RAD (9.5 and later), IntelliJ and Visual Studio, with the Visual Studio integration now available on the Visual Studio Marketplace.
With the shift to DevOps and CI/CD, these integrations are increasingly important because developers are creating and testing code in smaller pieces more frequently and releasing updates more regularly, rather than working on and completing a large project before moving on to the next step. With the requirement to test applications more frequently, it’s important that testing technologies (like Veracode) can be automated from the tools that developers are already accustomed to using.
How It Works
When Veracode integrates with an IDE, developers have a button that allows them to upload to Veracode without logging in to our web interface, and to view the results of a Static Analysis scan within the IDE.
Easily test your .NET application with Veracode: The Veracode Visual Studio Extension allows developers to start a scan, review security findings and triage the results, all from within the Visual Studio environment. To ensure the best possible coverage and highest-quality results, the extension automates the preparation of an application for scanning. In addition, developers can easily see which findings violate security policy and view the data path and call stack information to understand how their code may be vulnerable to attack.
Integrate application security into your development workflow: Developers can use the Veracode Visual Studio Extension to test code changes prior to checking in, then test the whole application by integrating Veracode Static Analysis into the Visual Studio Team Services or Team Foundation Services pipeline—or with Jenkins or Maven. And developers can review security findings in Visual Studio or as work items or defects in VSTS or TFS.
Align your AppSec practices with your development practices: Do you have a large or distributed development team? Are you drowning in revision control branches? You can integrate your VSTS workflows with the Veracode Developer Sandbox, which supports multiple development branches, feature teams and other parallel development practices. Veracode’s focus on making security DevOps-friendly is one reason why our customers fixed 70 percent of the 10 million vulnerabilities they found in 2015.
For More Information
The Veracode Visual Studio Extension is part of the Veracode ecosystem of integrations that helps you connect Veracode with your software development process, including a Visual Studio Team Services and Team Foundation Services extension and integrations for other build servers, IDEs and defect tracking solutions. For more information about Veracode's integrations and APIs, see Integrate Application Security Into Your SDLC.