Manage application security risk in a simple, strategic, scalable way

Veracode Static Analysis

Find and fix software vulnerabilities in applications you build or buy

Software is the engine that powers business innovation – and the #1 attack vector. Most applications were not built with security in mind: More than 63% of applications fail the OWASP Top 10 on first scan. At the same time, to meet business-driven deadlines and keep up with the rapid pace of innovation, your development team is churning out software faster than ever. Serious risk of breach and regulatory pressures are driving your company to turn attention to applications, but you don’t have the time, people or money to move the needle. As a result, you are only securing a fraction of your applications, if any at all, leaving your company exposed to risk of data breach.

4 out of 5 applications written in web scripting languages fail the OWASP Top 10 upon first assessment.

~ Veracode State of Software Security Report, Part II, 2015

Veracode Static Analysis enables your developers to quickly identify and remediate application security flaws without having to manage a tool. Thanks to our SaaS-based model, we increase accuracy with every application we scan. Veracode’s patented technology analyzes major frameworks and languages without requiring source code, so you can assess the code you write, buy or download, and measure progress in a single platform. By integrating with your SDLC tool chain and providing one-on-one remediation advice, we enable your development team to write secure code. The Developer Sandbox feature enables engineers to test and fix code between releases without impacting their compliance status.


Deliver consistent, high-quality scanning results for all your apps

Unlike manual code reviews or penetration tests, Veracode Static Analysis is an automated process delivering repeatable results. Our patented technology can test binaries, enabling us to analyze the data flow in compiled applications across proprietary and open source components, as well as open source components and legacy applications. Veracode Static Analysis can assess the security of web, mobile, desktop and back-end applications. Since we give you accurate results and prioritize them based on severity, you won’t need to waste resources dealing with hundreds of false positives. So far, we’ve assessed over 1.8 trillion lines of code in 15 languages and 50 frameworks, and we get better with every assessment.

Veracode Static Analysis supports all widely-used languages for desktop, web and mobile applications including:

  • Java (Java SE, Java EE, JSP)
  • .NET (C#, ASP.NET, VB.NET)
  • Web Platforms: JavaScript (including AngularJS, Node.js, and jQuery), TypeScript, Python, Perl, PHP, Ruby on Rails, ColdFusion, and Classic ASP
  • Mobile Platforms: iOS (Objective-C and Swift), Android (Java), PhoneGap, Cordova, Titanium, Xamarin
  • C/C++ (Windows, RedHat Linux, OpenSUSE, Solaris)
  • Legacy Business Applications (COBOL, Visual Basic 6, RPG)

Scale without devoting additional resources

The SaaS-based Veracode Application Security Platform reduces your operational overhead because you won’t have to build and maintain in-house hardware. By providing both security expertise and program management, Veracode helps you work through your backlog without hiring specialists. Our customers often scale from securing tens of applications without Veracode to hundreds or thousands of applications.

Integrate application security into your SDLC

When security is well integrated, you remove friction. The Veracode Application Security Platform integrates with your IDE, build and ticketing systems to automatically test code and coordinate remediation. In addition, the Developer Sandbox functionality enables engineers to test and fix code between releases without triggering a failed policy compliance report to the security team. Veracode’s focus on making security DevOps-friendly is one reason why our customers have fixed 70% of the 10 million vulnerabilities they found in 2015.

Check out the full list of Veracode's Plug-Ins.

Get one-on-one remediation consultations for developers

When vulnerability reports and on-demand training don’t provide enough clarity, developers can set up one-on-one developer consultations with our experts who have backgrounds in both security and software development. Companies using this service have increased fix rates by 147%.

A global bank went from scanning 80 applications per year to 500 in the first year and now 1,000 annually, without adding any headcount.

Comply with company policy and industry regulations

Veracode Static Analysis helps you comply with custom policies or industry regulations. For instance, PCI DSS Requirement 6.5 requires all custom application code to be reviewed to identify coding vulnerabilities. Veracode also supports other risk frameworks and security standards like NIST 800-53 and HIPAA. Each application is graded against the policy as you have defined it, combining results from static and dynamic testing, open source risk and manual penetration testing.

Access all of your application security solutions in one platform

The Veracode Application Security Platform offers multiple assessment technologies that complement Veracode Static Analysis on single platform, including Veracode Software Composition Analysis, which inventories and assesses open source components, and Veracode Web Application Security, which identifies architectural weaknesses and vulnerabilities in running web applications by probing the attack service. In addition, Veracode Runtime Protection enables you to protect web applications against vulnerabilities found by Veracode Static Analysis and Veracode Web Application Security.

Contact Veracode about how we can help reduce your application-layer risk.

Related Veracode Solutions