Veracode – application analysis – automation into the pipeline
Craig de Lucchi, Veracode Account Director, explains why it’s not possible to run a DevSecOps program if application analysis is not automated into the pipeline.
Veracode supports 29 integrations with development tools, plus APIs and code samples if our customers need to integrate with something that we don’t support out of the box.
It’s tough to run a comprehensive program if the applications needing cover are not supported. Veracode supports web and mobile apps as well as microservices in 24 programming languages and 77 frameworks. We look at the latest development trends and carefully consider which new technologies to offer cutting-edge support to next, and even if our customers have “treasured software” written in COBOL, we can handle that too.
Most of our customers tell us that their dozens of point solutions are killing them – separate deployment, logins to different consoles, different reports that need to be consolidated manually for the next audit – to name just some of the issues. With Veracode, you can simplify your vendor management and reporting by combining four analysis types in one solution: static analysis, dynamic analysis, software composition analysis and penetration testing.
Before we talk about pipeline integrations, I’d like to cover some considerations. You may have spoken to some vendors who tell you that their one analysis type is the AppSec silver bullet. Then there are others who will tell you that shifting left is the only thing you need to do. Sadly, they are wrong, otherwise our lives would be easier. However, there are grains of truth in those statements.
Scanning plus speed versus costs
Scanning applications throughout the pipeline is a trade-off between speed and scope, plus the specific strengths and weaknesses of the different analysis types. We recommend that you shift left to catch issues as early as possible, because they are cheaper to fix. However, when you scan only parts of the application, you don’t have the full scope of the application. It’s like providing feedback on one chapter of a book without knowing the other chapters: you can say whether that chapter makes sense on its own, but you can’t assess it in the context of all the other chapters. The same is true for application security. That’s why you need to scan parts early, but scan again when the application is fully assembled.
The role of the developer
Most AppSec programs forget that there is only one role that can fix security findings, and that's the developer. Yet many developers are not empowered to do so, and many programs focus on finding flaws rather than fixing them.
Veracode offers developers three types of advice that ensure a high percentage of fixes. Firstly, they receive automated advice from the Veracode solution in the form of text, video tutorials and interactive labs, where developers can exploit and remediate vulnerabilities for a more in-depth understanding.
Secondly, they can reach out to peers in the Veracode Community and see if they can find a solution there. Thirdly, they can schedule a call with a secure coding expert to go through the source code and discuss approaches to fixing the issue. The Veracode consultants can view the data and control flow of the application to suggest the best way to fix the issue.
We help to reduce the introduction of new flaws through e-learning and through direct feedback from integrated development environment (IDE) scanning, which engages developers at an elevated level, and through lab courses that guide them through the process of finding and fixing flaws in real applications.