Veracode Releases Advanced Software Composition Analysis Solution Decreasing Open Source Risk with the Power of Machine Learning and Automated Fix Information
Cloud-based solution helps developers prioritize and remediate open source vulnerabilities quickly within DevSecOps environments
BURLINGTON, Mass. – Aug. 20, 2019 – Veracode, a leading provider of application security testing (AST), today announced its new Veracode Software Composition Analysis (SCA), the only solution that offers both vulnerable method detection and machine learning models that identify vulnerabilities fixed by open source projects but never disclosed to the National Vulnerability Database (NVD). Vulnerable method detection goes beyond flagging which applications contain a vulnerable component: it also determines whether the application actually invokes the vulnerable code, and therefore whether an attacker could exploit it. This saves development time by letting developers prioritize fixes by risk and exploitability rather than by component presence alone.
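The distinction the announcement draws, between a vulnerable component merely being present and a vulnerable method actually being reachable from the application, is a call-graph reachability question. The following is an added illustration, not Veracode's code or data: every library, version, vulnerability identifier and call edge below is constructed for the example. It walks a simplified static call graph from the application's entry points, flags only those findings whose vulnerable method lies on a reachable path, and records that path as the evidence a developer would want when deciding what to fix first.

```python
"""Added example: triage dependency findings by whether the vulnerable
method is reachable from the application's entry points.
All names, versions and call edges are constructed for illustration."""
from collections import deque

# Constructed: the application's resolved dependency list (library -> version).
DEPENDENCIES = {
    "example-http-client": "1.4.2",
    "example-yaml": "2.0.1",
    "example-logging": "3.1.0",
    "example-json": "5.0.0",
}

# Constructed: a hypothetical vulnerability database keyed by library. Each entry
# names the specific vulnerable method and the first version that fixes it.
VULN_DB = {
    "example-yaml": [{"id": "VULN-0001", "method": "example.yaml.Loader.load_unsafe", "fixed_in": "2.1.0"}],
    "example-http-client": [{"id": "VULN-0002", "method": "example.http.Client.follow_redirect", "fixed_in": "1.5.0"}],
    "example-logging": [{"id": "VULN-0003", "method": "example.logging.Lookup.resolve", "fixed_in": "3.2.0"}],
    "example-json": [{"id": "VULN-0004", "method": "example.json.Parser.parse", "fixed_in": "4.0.0"}],
}

# Constructed: a simplified static call graph (caller -> callees) spanning the
# application and its libraries. load_unsafe exists in the library but is never
# called by the application, so VULN-0001 is present yet unreachable.
CALL_GRAPH = {
    "app.main": ["app.config.load", "app.api.handle"],
    "app.config.load": ["example.yaml.Loader.load_safe"],
    "app.api.handle": ["example.http.Client.get", "example.logging.Logger.info"],
    "example.http.Client.get": ["example.http.Client.follow_redirect"],
    "example.logging.Logger.info": ["example.logging.Formatter.format"],
    "example.logging.Formatter.format": ["example.logging.Lookup.resolve"],
    "example.yaml.Loader.load_unsafe": ["example.yaml.Loader.construct_object"],
}
ENTRY_POINTS = ["app.main"]


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def reachable_methods(call_graph, entry_points):
    """Breadth-first walk from the entry points. Returns {method: caller} so the
    path from an entry point to any reachable method can be rebuilt."""
    parent = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in call_graph.get(caller, ()):
            if callee not in parent:
                parent[callee] = caller
                queue.append(callee)
    return parent


def call_path(parent, method):
    """Rebuild the entry-point-to-method path from the BFS parent map."""
    path, node = [], method
    while node is not None:
        path.append(node)
        node = parent[node]
    return list(reversed(path))


def triage(dependencies, vuln_db, call_graph, entry_points):
    """Match dependencies against the database, drop those already at a fixed
    version, and rank the rest with reachable vulnerable methods first."""
    parent = reachable_methods(call_graph, entry_points)
    findings = []
    for lib, version in dependencies.items():
        for vuln in vuln_db.get(lib, ()):
            if parse_version(version) >= parse_version(vuln["fixed_in"]):
                continue  # component present, but this version already carries the fix
            reachable = vuln["method"] in parent
            findings.append({
                "id": vuln["id"],
                "library": f"{lib}@{version}",
                "method": vuln["method"],
                "reachable": reachable,
                "path": call_path(parent, vuln["method"]) if reachable else [],
                "upgrade_to": vuln["fixed_in"],
            })
    # Reachable findings are the ones an attacker could actually drive; they go first.
    findings.sort(key=lambda f: (not f["reachable"], f["id"]))
    return findings


if __name__ == "__main__":
    for f in triage(DEPENDENCIES, VULN_DB, CALL_GRAPH, ENTRY_POINTS):
        status = "REACHABLE " if f["reachable"] else "unreachable"
        print(f"{status} {f['id']} {f['library']} -> upgrade to {f['upgrade_to']}")
        if f["path"]:
            print("    via " + " -> ".join(f["path"]))
```

Run as-is, the example reports VULN-0002 and VULN-0003 as reachable with their call paths, VULN-0001 as present but unreachable, and omits VULN-0004 entirely because the installed version already carries the fix. A real SCA engine builds the call graph from bytecode or source rather than from a hand-written dictionary, and must also account for reflection, dynamic dispatch and framework-driven entry points, which a plain static walk like this one will miss.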
Veracode SCA combines automated vulnerability remediation with machine learning models that detect unreported vulnerabilities in open source libraries in near real time, creating the most comprehensive SCA offering on the market. The new solution is a fully integrated part of the Veracode Platform, which provides analytics across assessment types including SAST, DAST and penetration testing. Veracode SCA lets development teams use open source code to speed up development cycles without introducing unnecessary risk or interfering with the development process.
“While the use of open source could be considered the most important accelerator in the history of software development, it also brings with it a significant number of security vulnerabilities that have been responsible for some of the world’s most significant breaches,” said Dave Gruber, senior analyst with Enterprise Strategy Group. “As developers strive to deliver secure applications at the pace of business, they need tools that were designed from the ground up for use in fast-moving DevSecOps environments. The new offering, which fully leverages the SourceClear technology acquired last year, transforms Veracode’s SCA capabilities, allowing developers to rapidly prioritize, categorize and remediate open source related issues in a low-noise environment. As part of the broader Veracode Platform, development teams can now leverage a common platform to secure applications while measuring the effectiveness of their overall AppSec program.”
According to the State of Software Security Vol. 9, 87.5% of Java applications contain at least one vulnerable component, and it takes organizations an average of 140 days to close just half of the flaws found in Java. The open source community finds and fixes many vulnerabilities without ever filing a disclosure, so organizations never learn that they need to update or patch, which compounds the problem. Veracode’s proprietary vulnerability database is built with machine learning and data mining that continuously crawl open source project repositories and extract vulnerability information from commits and issues; the result is a database with 40% more vulnerabilities than the NVD alone. Veracode SCA also looks for malicious packages, libraries in which a backdoor has been planted deliberately rather than introduced by mistake.
By scanning open source libraries against a database augmented by machine learning, companies can identify vulnerabilities that would otherwise go undetected. Yet finding vulnerabilities is only half the challenge in application security. Veracode SCA also provides automated, prescriptive fix information, enabling organizations to raise fix rates quickly and reduce risk.
“Developers are reliant on open source components in their software and may unknowingly introduce vulnerabilities and license risks into applications. The reality is that identifying open source risk and manually cataloguing open source libraries isn’t feasible,” said Chris Wysopal, Chief Technology Officer and co-founder at Veracode. “Veracode SCA is unique in offering the power and speed of machine learning to mine open source repositories, the flexibility of a SaaS-based solution to scale with the needs of the business, and automated fixes to match the pace of DevSecOps practices.”
Veracode SCA offers automatic generation of pull requests and remediation guidance to accelerate fixes, helping developers remediate faster and eliminate, without costly manual processes, open source vulnerabilities that could otherwise lead to serious data breaches. Customers can use these capabilities directly in their existing tooling through the platform’s integrations.
Customers can scan applications either with an agent-based scan or with an application upload scan, so developers can integrate scanning into their pipeline via the agent or upload code to be scanned by both Veracode Static Analysis and Veracode SCA. Veracode SCA can also link application upload scan results with agent-based scan results to simplify policy compliance and internal reporting.
For more information on Veracode SCA, visit here.