Veracode provides the world’s leading Application Risk Management Platform. Veracode's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Veracode was founded with one simple mission in mind: to make it simple and cost-effective for organizations to accurately identify and manage application security risk.
2. An introduction to Veracode
Who we are
• The people, process and technology needed to deliver a scalable and cost-effective software security program
• The only complete application security offering in the cloud (SaaS)
• Core patented technology developed in 2002
• Veracode established 2006 (ex @stake, Guardent, Symantec and VeriSign)
What we do
• Provide world-class automated static, dynamic and mobile application security testing services and complementary consulting and remediation services
• Scalable and rapid delivery model
• Frictionless integration
• Industry benchmarking
3. Veracode: some facts
Over 600 customers
• In more than 80 countries
• Across all industry sectors
58 billion lines of code scanned
• 5.046m valid security flaws detected by SAST alone
• Test repository of over 70,000 applications
• Over 425,000 separate flaws identified
270% increase in SAST scan volumes year on year
• 12 major releases – SaaS continuous learning – maintaining leadership
• 3 hour average scan time for Java and .NET
4. Independent recognition
“Veracode has cleverly taken advantage of its unique technology (static binary analysis) and matched it up with its SaaS platform and program management and sales services to create an offering that takes both effort and cost away from the enterprise CISO.” (2012)
“Visionary” in Gartner’s Magic Quadrant for Dynamic Application Security Testing (2011)
“Leader” in Gartner’s Magic Quadrant for Static Application Security Testing (2010)
“SC Award for Information Security Product of the Year” (2012)
“Veracode ranked #20 on Forbes Most Promising Companies in America” (2013)
5. Veracode Platform and Services
Platform
• No hardware
• No software
• No maintenance
Services
• Expertise on demand
• Cost effective
7. Veracode Patented Binary Static Analysis
Automated “inside-out” code analysis without requiring access to source code
How it works / Benefits:
• Tests executables
• Complete application coverage
• Identifies vulnerabilities and backdoors
• Scales out: thousands of apps
• Covers third-party code
• Scales up: multi-gigabyte applications
• Tests what runs and what is attacked
• Supports web, non-web, internal, commercial, mobile and cloud apps
• Protects IP for third-party apps
• Low false positives, fast turnaround
• Actionable remediation advice
“Not having binaries tested leaves a gap in application security.”
--Joseph Feiman, Gartner
Application types covered: Open Source, Internally Developed, Third-Party Libraries, Cloud, Outsourced, Mobile, Commercial
Veracode positioned as a leader in Gartner’s SAST MQ
8. Veracode Dynamic Analysis
Automated “outside-in” web application testing at scale with speed
How it works:
• Discovery: find web applications and prepare a target list for analysis
• DynamicMP: massively parallel, rapid baseline scanning of all perimeter applications
• DynamicDS: deep scanning of external and internal applications
Benefits:
• Scan thousands in days, not months
• Track a rapidly growing application perimeter
• Gain total website coverage
• Non-disruptive
• Low false positives
• Fast turnaround
Veracode positioned as visionary in Gartner’s DAST MQ
9. Veracode Application Analytics
Security data analytics, application intelligence and peer benchmarking
How it works:
• Aggregated program statistics across all testing activities and suppliers
• Provides application inventory snapshots
• Offers policy compliance as well as interactive dashboards and querying
• Enables peer benchmarking
Benefits:
• Manage all activities through one platform
• Measure and demonstrate on-going progress
• Make informed decisions
• Understand performance relative to others
Read our latest State of Software Security Report at www.veracode.com
10. Policy Manager
A policy framework and workflow system to enable a programmatic approach to application security
How it works:
• Leverages industry standards (CWE, CVSS, NIST) for policy creation
• Provides pre-built policy templates for PCI DSS, OWASP Top Ten and SANS Top 25
• Adds CERT secure coding standards to pre-built templates
• Provides several options for custom policy definitions
• Tracks remediation progress
• Automates internal communication workflow
Benefits:
• Enables quick security policy definition and assignment
• Replaces ad-hoc compliance management with a systematic approach
• Offloads internal communication overhead
• Simplifies GRC for applications
11. Veracode eLearning
Online training courses, knowledge base and assessments for developer education
How it works:
• Provides over 50 courses with extensive coverage of key topics addressing basic and advanced concepts
• Provides tracks tailored for development, QA and security
• Contains pre-built assessments for testing purposes
Benefits:
• Professional development for developers
• Better application security out of the gate
• Use testing results to direct eLearning courses
• Strengthen new-hire due diligence
• Scale easily to thousands of developers and security personnel
• Integrated analytics empowering course recommendations
12. Veracode Mobile Application Analysis
Binary static analysis on mobile applications to discover security vulnerabilities and data privacy issues
How it works:
• Identifies opportunities for data exfiltration, unsafe data storage and privacy violations
• Detects mobile backdoor capabilities (remote tracking apps, personal information theft, remote listening)
• Supports Android, iOS, Windows Mobile and BlackBerry, detecting flaws that threaten mobile hardware and OS
Benefits:
• Minimize risk without impeding mobile adoption
• Understand data leak potential
• Understand risks in mobile apps developed by third parties
• Independent verification addresses security concerns
14. The first completely outsourced solution that attests the security of your software supply chain.
A VAST Program helps reduce your software security risk by inducing vendors to comply with your policies.
Solution cost is shared with your vendors.
Solution Benefits:
• Reduce software security risk across your portfolio.
• Outsource to the experts, save internal resources.
• Vendor compliance visibility with monthly reporting.
• Low friction for vendors and suppliers.
15. A massively scalable solution for rapidly gathering vulnerability intelligence across every enterprise web application.
A known perimeter with fewer vulnerabilities
Solution Benefits:
• Instant web application inventory.
• Rapid risk assessment at massive scale.
• Efficient monitoring of a rapidly changing application perimeter.
• Vulnerability intelligence.
16. Solutions designed to get enterprise software development on the RAMP to real risk reduction.
Solution Benefits:
• Reduce software security risk across internally developed applications.
• Enable risk reduction earlier in the development lifecycle.
• Practical implementation with measurable value.
• Scale program adoption across the enterprise.
• Low friction for development teams.
18. Integration of Veracode Scanning into the Development Process
• Pick up binaries from integration sandboxes
• Scan via Veracode
• Analyze the XML results – XML processing via Tamino XML Server
• Create issues in the security bug tracking system
  • Integration with the existing JIRA bug tracking system
  • Communication with developers via the existing JIRA system
• When issues get fixed or set to mitigated, check via automatic re-scanning whether they are really fixed
19. Benefits of integrating Veracode
• No changes to the existing development process
  • No new systems for developers to learn
  • No changes to build and promotion systems needed
• Regular scanning and analysis for potential vulnerabilities
  • Daily feedback and metrics
• Fully automated
  • Whenever new builds are available, they can be directly scanned and analyzed
  • Based on information available in the existing bug tracking system, issues can be automatically assigned to responsible development teams
• Scalable to many products
  • Only a set of configuration parameters needs to be set to include additional products in the scanning process
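The scan-to-bug-tracker loop from slides 18 and 19, as an added example that is not Veracode's or the presenter's code. It assumes a simplified, constructed XML schema (not Veracode's real report format) and an in-memory stand-in for the JIRA state; the security-relevant step is that a developer's "Fixed" or "Mitigated" claim is only accepted once the next scan no longer reports the flaw, otherwise the issue is reopened.

```python
import xml.etree.ElementTree as ET

# Constructed sample scan result with a hypothetical, simplified schema.
SCAN_XML = """<scan app="payments" build="42">
  <flaw id="101" cwe="89" severity="5" module="dao.jar" line="77" status="Open"/>
  <flaw id="102" cwe="79" severity="4" module="web.war" line="12" status="Open"/>
  <flaw id="103" cwe="327" severity="3" module="crypto.jar" line="5" status="Fixed"/>
</scan>"""

# Constructed module-to-team ownership, as the slide says lives in the tracker.
OWNERS = {"dao.jar": "db-team", "web.war": "web-team", "crypto.jar": "platform-team"}
PRIORITY = {5: "Critical", 4: "High"}  # anything lower maps to "Medium"

# Constructed tracker state keyed by scanner flaw id (stand-in for JIRA).
TRACKER = {"102": {"issue": "SEC-7", "state": "Fixed"},
           "103": {"issue": "SEC-8", "state": "Mitigated"},
           "104": {"issue": "SEC-9", "state": "Fixed"}}

def parse_flaws(xml_text):
    """Return {flaw_id: details} from the simplified scan report."""
    root = ET.fromstring(xml_text)
    return {f.get("id"): {"cwe": f.get("cwe"), "severity": int(f.get("severity")),
                          "module": f.get("module"), "line": f.get("line"),
                          "open": f.get("status") == "Open"}
            for f in root.iter("flaw")}

def reconcile(flaws, tracker):
    """Compare a fresh scan with tracker state and return the actions to take."""
    actions = {"create": [], "reopen": [], "verify": []}
    for fid, flaw in flaws.items():
        known = tracker.get(fid)
        if flaw["open"] and known is None:
            # new finding: file an issue, auto-assigned by module ownership
            actions["create"].append({
                "flaw": fid, "cwe": flaw["cwe"],
                "assignee": OWNERS.get(flaw["module"], "appsec-triage"),
                "priority": PRIORITY.get(flaw["severity"], "Medium"),
                "summary": f"CWE-{flaw['cwe']} in {flaw['module']}:{flaw['line']}"})
        elif flaw["open"] and known["state"] in ("Fixed", "Mitigated"):
            # claimed fixed/mitigated, but the scanner still reports it
            actions["reopen"].append(known["issue"])
    for fid, known in tracker.items():
        # claims the scanner no longer contradicts are marked verified
        if known["state"] in ("Fixed", "Mitigated") and not flaws.get(fid, {}).get("open"):
            actions["verify"].append(known["issue"])
    return actions

def run():
    return reconcile(parse_flaws(SCAN_XML), TRACKER)

if __name__ == "__main__":
    print(run())
```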
E.g., we specifically look for cases where applications access sensitive data like the address book, email, SMS, photos, etc. and then send the data off the device.