When to Scan?

Find and Fix Security Issues Before Release

The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 25 times the cost of fixes performed during the design phase.

As shown by the graphic below, the cost of fixing vulnerabilities is highest after an application has been deployed. Beyond the engineering cost of producing a fix for a given vulnerability, a post-deployment fix is usually accompanied by a significant loss of user productivity. By following a defined process such as the SDL, which systematically addresses software security during the development phase, vulnerabilities are more likely to be found and fixed prior to application deployment, thereby reducing the total cost of software development.


For more information on how Veracode fits with your SDL, read the Veracode SDLC Datasheet.


Testing throughout the application lifecycle reduces long-term management costs

Checking in-house developed code at all stages of development, testing and deployment minimises the number of flaws. Commercially acquired binary code can also be scanned prior to deployment and at run-time. On-demand code testing services have the benefit of scale: their providers scan software from hundreds of customers a day and are cognisant of the common flaws as well as the rarely seen ones. The new research presented in this report shows that, for commercially acquired software, the use of code testing services is now about as common as the use of on-premise tools. The number of organisations using such services for in-house code is increasing too.