Skip to main content


Veracode Is a Static Analysis Platform

What Is Static Analysis?

Static security analysis is one of the many code review tools that can be implemented without actually executing, or running, the software. Static analysis tools look at applications in a non-runtime environment. This method of testing has distinct advantages in that it can evaluate both web and non-web applications and, through advanced modeling, can detect flaws in the software’s inputs and outputs that cannot be seen through dynamic web scanning alone, including cross-site scripting and SQL insertion. In the past, this technique required source code, which is not only unpractical, as source code often is unavailable, but also insufficient. The Veracode static analysis service assesses binary code (also called “compiled” or “byte” code) instead of source code, which enables enterprises to test software more effectively and comprehensively, providing greater security for the organization.

Static Analysis Tool Delivers Software Security

Enterprise security is highly focused on the application layer today, and for good reason. The network perimeter has been successfully secured to a great degree, and most malicious attacks are now directed at applications. To address this threat, enterprises must test applications for flaws or threats before procuring or implementing them. Static analysis is one of the leading testing techniques. A static analysis tool reviews program code, searching for application coding flaws, back doors or other malicious code that could give hackers access to critical company data or customer information. But most static analysis tools can only scan source code, which is problematic. Many applications integrate code from third-party libraries, offshore software and commercial off-the-shelf (COTS) applications - and source code for these applications is often unavailable for scanning.

Static Analysis Tools for C/C++, Java, C#, .NET and More

Veracode offers the industry’s most comprehensive automated static analysis, making application development faster and more reliable. Veracode assesses binary code - compiled or “byte” code - allowing enterprises to scan 100 percent of an application, even when source code is not available for practical or proprietary considerations. Veracode is built on the software-as-a-service model, allowing organizations to access and scale security testing without the need for capital expense or investment. There is no vulnerability assessment software or hardware to purchase and no security personnel to train. Developers submit code through an online platform, and results are returned quickly. Veracode's automated format greatly reduces the amount of effort and resources needed to perform static analysis, while greatly increasing the accuracy of assessment results.

Veracode Static Analysis supports all widely-used languages for desktop, web and mobile applications including:

  • Java (Java SE, Java EE, JSP)
  • .NET (C#, ASP.NET, VB.NET)
  • Web Platforms: JavaScript (including AngularJS, Node.js, and jQuery), Python, PHP, Ruby on Rails, ColdFusion, and Classic ASP
  • Mobile Platforms: iOS (Objective-C and Swift), Android (Java), PhoneGap, Cordova, Titanium, Xamarin
  • C/C++ (Windows, RedHat Linux, OpenSUSE, Solaris)
  • Legacy Business Applications (COBOL, Visual Basic 6, RPG)

Veracode Delivers Innovative Static Analysis 

Veracode was founded by experts from leading application security companies to help organizations achieve code security more effectively and cost-efficiently. By delivering static analysis as a service, instead of an on-premises product, Veracode's solution enables companies to forgo capital expenditure in vulnerability assessment software and hardware. Because Veracode is automated and easy to use, companies no longer need to hire security assessment experts or consultants. Because Veracode's static analysis assesses compiled applications instead of source code - Veracode can test 100 percent of an application, offering comprehensive coverage and greater application security.

Veracode provides a comprehensive suite of testing services in a SaaS-based solution that significantly reduces the cost and complexity of performing static analyses and other security tests. Built on a powerful cloud platform, Veracode’s technologies include static and dynamic analysis, web vulnerability scanners and software composition analysis, enabling development teams and IT administrators to test code at any point in the SDLC from inception through production. With Veracode, organizations can improve the security of their software portfolio without sacrificing quality or speed-to-market.

Veracode Static Analysis offers on-demand static analyses of software that is built, bought or assembled. This Veracode service scans compiled binaries, making it easy to perform static analyses on software even when source code is not available. Developers can submit code for review through an online platform, and results are returned quickly – the vast majority of static analyses are completed within four hours, and 90% of all scans are completed within one day. Results are returned with a remediation plan that includes step-by-step guidance for finding and fixing flaws.

Learn more about static analyses in Veracode, or download an SQL cheat sheet for more information on how to mitigate this dangerous threat.

Questions About Application Security?


Contact Us