Automate security into your DevOps pipeline

Veracode for DevOps

Develop secure software faster by integrating AppSec into your SDLC

As a developer, you are challenged to meet increasingly accelerating time to market targets, as businesses begin to adopt mobile-first and other rapid development approaches to bringing value to market. Conventional application security approaches, including manual penetration testing and on-premise tools, cannot meet the demand for faster delivery and often deliver results too late in the development cycle. This means the development team must choose between shipping late and knowingly shipping vulnerable applications—or not testing applications at all. Worse, most developers never have the chance to learn to code securely. In turn, many developers will unknowingly introduce security vulnerabilities in their code – and lack the knowledge to fix the issues when they are identified.

A major United States insurance company implemented Veracode Developer Sandbox for Veracode Static Analysis to bring application security earlier in the development cycle. Testing reached over 100 applications scanned and over 1,000 developers enabled in the first four months of the program.

Veracode enables organizations to speed applications to market without sacrificing security. Veracode Static Analysis integrates into existing development toolchains and DevOps continuous integration/continuous delivery pipelines, enabling you to quickly identify and remediate application security flaws early in the process. Veracode Developer Training empowers developers, testers and security leads to develop secure applications, providing the critical skills they need to identify and address potential vulnerabilities. And Veracode Runtime Protection allows each application to defend itself from the inside out, alerting you to attacks and blocking them, extending application security into production.

Secure your code at the speed of DevOps

Unlike manual code reviews or penetration tests, Veracode Static Analysis and Veracode Software Composition Analysis are automated processes delivering fast, repeatable results. When scanning entire applications in DevOps-friendly languages, more than 70% of scans complete in under an hour, and scans of microservices return more quickly. You can check for vulnerabilities in your open source components in the same scan, without requiring additional integration effort into your continuous integration pipeline.

Integrate application security into the development tools you already use

When security is well integrated, you remove friction. The Veracode Application Security Platform integrates with your IDE, build and ticketing systems to automatically test code and coordinate remediation. Veracode supports common development toolchains, including Microsoft Visual Studio, Team Foundation Server, and Visual Studio Team Services; and Eclipse or IntelliJ, Jenkins/Hudson/Maven, and JIRA. And Veracode’s APIs allow you the flexibility to integrate into many additional build and DevOps tools including Bamboo, TeamCity, Ansible and Hygieia. Veracode’s integration capabilities make it easy to integrate application security with your CI/CD pipeline—and with your development workflows before it.

Align your appsec practices with your development practices

Have a large or distributed development team? Drowning in revision control branches? The Developer Sandbox functionality enables you to align your application security testing practices with your software development practices, supporting multiple development branches, feature teams, and other parallel development practices. Veracode’s focus on making security DevOps-friendly is one reason why our customers have fixed 70% of the 10 million vulnerabilities they found in 2015.

Don’t stop for false alarms

Since we give you accurate results and prioritize them based on severity, you won’t need to waste resources dealing with hundreds of false positives. Veracode gets better with every assessment thanks to our rapid update cycles and continuous improvement processes focused on driving noise out of our results so you don’t have to. So far, we’ve assessed over 2 trillion lines of code in 15 languages and 50 frameworks, and we get better with every assessment. And if something does get through, just annotate it; we’ll remember for next time.

A global bank integrated Veracode Static Analysis and SCA into their software development lifecycle via build server and IDE integration, enabling them to go from assessing applications only twice a year with a legacy on premises SAST tool to assessing within each development sprint.

Build security champions

Wouldn’t it be great to use the feedback from security findings as opportunities to coach your team on secure coding principles, and embed knowledge in the team rather than relying on external stakeholders? Veracode offers online instructor-led training, on-demand training and just-in-time training to help developers fix vulnerabilities. Development organizations that leverage Veracode eLearning see a 30 percent higher vulnerability fix rate. And when vulnerability reports and on-demand training don’t provide enough clarity, developers can set up one-on-one developer consultations with our experts who have backgrounds in both security and software development. Companies using this service typically have increased fix rates by 147%.

Extend application security into production

Application security cannot stop after deployment. As with other aspects of DevOps, a well-engineered solution must support “closed loop” feedback from production in the event of a security incident. Veracode Web Application Scanning can help you catch exceptions, where applications have been deployed without the benefit of testing in the automated pipeline or where misconfigurations have introduced a vulnerability. It can also help catch security errors introduced by misconfigurations on the production server. And Veracode Runtime Protection can alert you to attacks and block them on your production server, so you can both respond quickly and maintain peace of mind—even for legacy applications that haven’t made the transition to DevOps.

Learn how Veracode can help you secure your DevOps processes.

Related Veracode Solutions