Aug 20, 2019

Veracode Releases Advanced Software Composition Analysis Solution Decreasing Open Source Risk with the Power of Machine Learning and Automated Fix Information

Cloud-based solution helps developers prioritize and remediate open source vulnerabilities quickly within DevSecOps environments

BURLINGTON, Mass. – Aug. 20, 2019 – Veracode, a leading provider of application security testing (AST), today announced its new Veracode Software Composition Analysis (SCA), the only solution that offers both vulnerable methods detection technology and machine learning models to identify vulnerabilities that have been fixed by open source projects but not disclosed to the National Vulnerability Database (NVD). This vulnerable method functionality doesn’t just identify which applications contain a vulnerable component; it also identifies whether or not an attacker can reach the vulnerable code, saving development time by allowing developers to prioritize fixes based on risk and exploitability.

Veracode SCA combines automated vulnerability remediation with machine learning models that detect unreported vulnerabilities in open source libraries in near-real time, creating the most comprehensive SCA offering in the market. The new solution is a fully integrated part of the Veracode Platform, which provides analytics across various assessment types, including SAST, DAST, and penetration testing. Veracode SCA allows development teams to harness the power of open source code to speed up development cycles without introducing unnecessary risk or interfering with the development process.

“While the use of open source could be considered the most important accelerator in the history of software development, it also brings with it a significant number of security vulnerabilities that have been responsible for some of the world’s most significant breaches,” said Dave Gruber, senior analyst with Enterprise Strategy Group. “As developers strive to deliver secure applications at the pace of business they need tools that were designed from the ground-up for use in fast moving DevSecOps environments. The new offering, which fully leverages the SourceClear technology acquired last year, transforms Veracode’s SCA capabilities, allowing developers to rapidly prioritize, categorize and remediate open source related issues in a low-noise environment. As part of the broader Veracode Platform, development teams can now leverage a common platform to secure applications while measuring the effectiveness of their overall AppSec program.”

The use of open source libraries allows organizations to meet the demands of accelerated development times, but with more than 5 million open source libraries available today and an estimated half billion more libraries to be released in the next decade, organizations face increased exposure to vulnerabilities. Veracode SCA limits risk associated with integrating open source software components into applications as part of the DevSecOps process. It provides visibility on all direct and indirect open source libraries in use, identifies known and unknown vulnerabilities in those libraries, and shows how the vulnerabilities affect applications without slowing down development velocity. The solution has extensive language coverage, supporting Java, JavaScript, Python, Ruby, PHP, Node.js, Go, Objective C, Swift, C/C++, .NET, and Scala.

According to the State of Software Security Vol. 9, 87.5% of Java applications contain at least one vulnerable component, and it takes organizations an average of 140 days to close just 50% of flaws in Java. The open source community finds many vulnerabilities and fixes them without a disclosure, meaning companies are not aware of the need to update or patch, thereby compounding the problem. Veracode’s leading proprietary vulnerability database, built using machine learning and data mining, continuously crawls open source project repositories and extracts vulnerability information to build a database that contains 40% more vulnerabilities than the NVD alone. Veracode SCA also looks for malicious packages that contain intentionally planted vulnerabilities acting as backdoors.

By scanning open source libraries with a database augmented by machine learning, companies gain the advantage of identifying vulnerabilities that would otherwise have gone undetected. Yet, finding vulnerabilities is only half the challenge in application security. Veracode SCA provides automated prescriptive fix information enabling organizations to improve fix rates quickly and reduce risk.

“Developers are reliant on open source components in their software and may unknowingly introduce vulnerabilities and license risks into applications. The reality is that identifying open source risk and manually cataloguing open source libraries isn’t feasible,” said Chris Wysopal, Chief Technology Officer and co-founder at Veracode. “Veracode SCA is unique in offering the power and speed of machine learning to mine open source repositories, the flexibility of a SaaS-based solution to scale with the needs of the business, and automated fixes to match the pace of DevSecOps practices.”

Veracode SCA offers automatic generation of pull requests and remediation guidance to accelerate fixes, helping developers remediate faster and eliminate open source vulnerabilities that could lead to catastrophic data breaches, without costly manual processes. Customers can leverage these benefits directly in their native environment through seamless integrations.

Customers have the ability to upload applications using an agent-based scan or an application upload scan, providing flexibility for developers to either integrate scanning via agent into their pipeline or upload code to be scanned by both Veracode Static Analysis and Veracode SCA. Veracode SCA can also link application scan results with agent-based scans to simplify policy compliance and internal reporting needs.

For more information on Veracode SCA, visit here.

About Veracode

Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world’s leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, and Penetration Testing.

Learn more at www.veracode.com, on the Veracode blog, and on LinkedIn and Twitter.

Copyright © 2024 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.


Press and Media Contacts

Katy Gwilliam,
Head of Global Communications, Veracode
[email protected]