What is Veracode?
Veracode is a comprehensive, cloud-native application security platform. It is designed to help organizations secure their software by seamlessly integrating security testing into the development lifecycle (DevSecOps). The platform provides multiple analysis techniques, including Static Analysis (SAST), Dynamic Analysis (DAST), Software Composition Analysis (SCA), and Interactive Application Security Testing (IAST), to identify and remediate vulnerabilities across first-party code, open-source libraries, and running applications.
Key Features
- Static Analysis (SAST): Analyzes application code without executing it (for Veracode, typically the built artifact you upload) to find security flaws early in the development process.
- Dynamic Analysis (DAST): Tests running web applications and APIs for vulnerabilities by simulating external attacks.
- Software Composition Analysis (SCA): Identifies open-source components in your codebase, flags known vulnerabilities, and helps manage license risk.
- Unified Platform: Combines multiple security testing types into a single platform with centralized policies, reporting, and vulnerability management.
- Developer Enablement: Provides IDE integrations, CI/CD pipeline scanning, and developer training to empower developers to write secure code from the start.
- Compliance Reporting: Generates detailed reports to help demonstrate alignment with regulatory requirements and industry frameworks such as PCI DSS, GDPR, and the OWASP Top 10.
Use Cases
- DevSecOps Integration: Automate security testing within CI/CD pipelines to find and fix vulnerabilities without slowing down development.
- Vulnerability Management: Gain a centralized view of security posture across all applications to prioritize and manage remediation efforts effectively.
- Open Source Risk Management: Discover and manage vulnerabilities and licensing issues in third-party libraries used in your projects.
- Regulatory Compliance: Ensure applications meet security requirements for various industry and government regulations.
- Securing Web Applications & APIs: Protect against common web-based attacks by identifying vulnerabilities in production or pre-production environments.
Getting Started
A common way to use Veracode is by running a pipeline scan from your command line or CI/CD tool. This allows for rapid feedback on smaller code changes.
First, download the Veracode Pipeline Scan JAR file from the Veracode platform. Then, you can run a scan using a command like this:
```bash
# Ensure you have Java installed (the pipeline scanner is a JAR)
# Set your Veracode API credentials as environment variables.
# In CI, inject these from the pipeline's secret store rather than hard-coding them.
export VERACODE_API_KEY_ID="YOUR_API_ID"
export VERACODE_API_KEY_SECRET="YOUR_API_SECRET"
# Run the scan on your application file (e.g., a WAR, JAR, or ZIP).
# --fail_on_severity makes the command exit non-zero when findings of the
# listed severities exist, so the CI job fails instead of silently passing.
java -jar pipeline-scan.jar --file your_application.war --project_name "MyWebApp" \
  --fail_on_severity "Very High, High"
```
This command uploads the application file to the Veracode platform, performs a static scan, and prints the findings directly in your terminal; it also writes the results as JSON (results.json by default) in the working directory, which is what you would parse to enforce a build policy in CI. Check the scanner's exit code in your pipeline: a non-zero exit from a failing severity threshold is what actually blocks a merge or deploy.
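As an added example (not Veracode's own code), the following script shows how a CI job might consume the scanner's JSON output and apply its own gate: fail the build on High or Very High findings, honour a set of triaged finding IDs, and print each blocking finding in a grep-friendly line. It assumes results.json has the layout sketched in the constructed SAMPLE_RESULTS below (a top-level "findings" list whose entries carry an integer "severity" from 5 = Very High down to 0, a "cwe_id", an "issue_type" and a "files"/"source_file" location); verify that layout against a real results.json before relying on it. The issue_id-based suppression is a simplified stand-in for accepted findings, not the scanner's own baseline mechanism.

```python
"""Gate a CI job on Veracode Pipeline Scan results.

Added example, not Veracode's own code. It assumes the scanner's results.json
has the shape used in SAMPLE_RESULTS below (a top-level "findings" list whose
items carry an integer "severity" where 5 = Very High and 0 = Informational, a
"cwe_id", an "issue_type" and a "files"/"source_file" location). Verify that
layout against a real results.json before wiring this into a pipeline.
"""
import json
import sys

SEVERITY_NAMES = {
    5: "Very High", 4: "High", 3: "Medium",
    2: "Low", 1: "Very Low", 0: "Informational",
}

# Constructed sample standing in for the results.json a scan writes.
SAMPLE_RESULTS = json.dumps({
    "findings": [
        {"issue_id": 1001, "severity": 5, "cwe_id": "89",
         "issue_type": "SQL Injection",
         "files": {"source_file": {"file": "com/example/dao/UserDao.java",
                                   "line": 42, "function_name": "findByName"}}},
        {"issue_id": 1002, "severity": 4, "cwe_id": "79",
         "issue_type": "Cross-Site Scripting (XSS)",
         "files": {"source_file": {"file": "com/example/web/Search.java",
                                   "line": 17, "function_name": "render"}}},
        {"issue_id": 1003, "severity": 3, "cwe_id": "327",
         "issue_type": "Use of a Broken or Risky Cryptographic Algorithm",
         "files": {"source_file": {"file": "com/example/util/Hash.java",
                                   "line": 8, "function_name": "digest"}}},
    ]
})


def load_findings(text):
    """Parse results.json text into a list of finding dicts (empty list if none)."""
    data = json.loads(text)
    findings = data.get("findings", [])
    if not isinstance(findings, list):
        raise ValueError("results.json: 'findings' is not a list")
    return findings


def summarize(findings):
    """Count findings per severity name, e.g. {'Very High': 1, 'High': 1}."""
    counts = {}
    for f in findings:
        name = SEVERITY_NAMES.get(int(f.get("severity", 0)), "Unknown")
        counts[name] = counts.get(name, 0) + 1
    return counts


def gate(findings, fail_on=4, suppressed_ids=frozenset()):
    """Return the findings that should block the build.

    A finding blocks when its severity is at or above fail_on (default 4 = High)
    and its issue_id is not in suppressed_ids. The suppression set is a
    simplified stand-in for triaged/accepted findings (assumption); the real
    scanner has its own baseline-file mechanism for that.
    """
    return [
        f for f in findings
        if int(f.get("severity", 0)) >= fail_on
        and f.get("issue_id") not in suppressed_ids
    ]


def format_finding(f):
    """One-line, grep-friendly rendering of a finding for CI logs."""
    loc = f.get("files", {}).get("source_file", {})
    return "{sev:<9} CWE-{cwe:<5} {path}:{line} {func}() {issue}".format(
        sev=SEVERITY_NAMES.get(int(f.get("severity", 0)), "Unknown"),
        cwe=f.get("cwe_id", "?"),
        path=loc.get("file", "?"), line=loc.get("line", "?"),
        func=loc.get("function_name", "?"), issue=f.get("issue_type", "?"))


def main(argv):
    # Usage: gate.py results.json [min_severity]; with no file, runs on the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESULTS
    fail_on = int(argv[2]) if len(argv) > 2 else 4
    findings = load_findings(text)
    print("Findings by severity:", summarize(findings))
    blocking = gate(findings, fail_on=fail_on)
    for f in blocking:
        print("BLOCKING", format_finding(f))
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py results.json 4` right after the scan step; the non-zero exit code is what fails the job. Keeping the policy in your own script (rather than only in scanner flags) lets you version the threshold and suppression list alongside the code and review changes to them like any other change.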
Pricing
Veracode operates on a Paid/Subscription model. Pricing is customized based on the number of applications, the types of scans required, and the size of the development team. Prospective customers typically need to contact the sales team for a personalized quote or demo.