Developers and security teams are both challenged to meet security goals in complex environments. Developers already need to manage many separate tools; new AppSec tools that do not integrate well or lack flexible APIs and customizable integrations are met with low adoption, high distraction and a steep learning curve. Likewise, security teams often seek to protect against AppSec vulnerabilities with a web application firewall and are challenged to integrate risk data and program metrics across disconnected AppSec tools without manual effort. As more organizations move to DevOps and reap the automation and speed benefits, AppSec solutions need to keep up or risk being left behind.
Veracode enables organizations to speed applications to market without sacrificing security. The Veracode Application Security Platform integrates with the development, security and risk-tracking tools you already use. And, our flexible API allows you to create your own custom integrations or use community integrations, built by the open source community and other technology partners. Veracode’s focus on making security developer-friendly is one reason why we help you go faster, without sacrificing security.
Developers work best when tools don’t get in their way, which is why Veracode integrates with Eclipse, IBM RAD and other Eclipse-based IDEs, IntelliJ, and Visual Studio. Before checking in your code, you can start a scan, review security findings and triage the results, all from within your IDE. In addition, you can easily see which findings violate your security policy and view the data path and call stack information to understand how your code may be vulnerable to attack.
Security findings are best addressed by fixing the source of the problem, in the code. But the prevailing approaches—spending all day creating bug tickets by hand, or doing a one-time import into a defect tracker only to have to update the bugs by hand afterwards—are a pain and don’t scale. Veracode’s defect tracking integrations with JIRA, Visual Studio Team Services/TFS, and HP ALM not only create defect tickets but they also automatically update or close them when the code is retested.
Make sure you catch security issues before they get further downstream by integrating Veracode into your Jenkins, Visual Studio Team Services or Team Foundation Server build or release pipelines. You can test in the pipeline or in parallel and can even stop the pipeline if security issues that violate your policy are found. Not ready for CI yet? You can use us in your Maven build too.
Veracode's open APIs have enabled customers, partners, and end users to build integrations to other build systems to automate scanning with Veracode. These integrations are not supported by Veracode, but if your team is using one of these tools you may want to check these out.
Need more time to fix an issue? You can use Veracode DynamicDS findings to automatically generate rules for your Imperva or Apache ModSecurity web application firewall, so you can target just the areas you know have problems.
Struggling to tie your application security program to your overall IT and security program objectives? Veracode provides native integration for RSA Archer to make it easier to understand which of your applications may be in violation of your corporate security policies and how quickly the organization is addressing issues. And partner-developed integrations are available for many other GRC and risk management platforms, including RSAM, RiskVision, Lockpath, Symantec CCM, Allgress, Brinqa, Threadfix, Kenna Security and MetricStream.