The document presents the Veracode platform as a comprehensive solution for application security, emphasizing the importance of integrating security practices within the development process. It discusses various analysis techniques such as Static and Dynamic Analysis, Software Composition Analysis, and the necessity of training developers in secure coding. Additionally, it outlines an agenda for improving application security maturity through automation and integration into existing development tools.

1. The CA Technologies | Veracode Platform:
A 360-Degree View of Your Application's Security
Austin Britt
DST43T
DEVSECOPS
Solutions Architect Team Lead
Veracode

2. 2 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type
of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation

3. 3 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Abstract
Having a single view into the security of your application code, any third-party
components and current state and changes to your Web perimeter provides valuable
insight into your overall application security program. Integrating that capability into your
software development environment allows security to partner with development rather
than impede it. Enabling access to security results across local and distributed
development and security teams allows for faster remediation efforts. Providing relevant
secure coding educational resources in the same platform where code vulnerabilities are
reported supports developers in fixing flaws faster and developing improved secure
coding practices. This session will provide a full demonstration of Veracode's cloud-
based application security platform, which addresses each of these areas.
Austin
Britt
Veracode
Solutions Architect –
Team Lead

4. 4 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Agenda
RIGHT SIZING SECURITY
PLUG INTO PREEXISTING SOLUTIONS
AUTOMATION BEST PRACTICES
APPLICATION SECURITY MATURITY
PRODUCT DEMONSTRATION
1
2
3
4
5

5. 5 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Manage Application Risk Through a Centralized Platform
$80 (X) $240 (4X) $960 (10X) $7,600 (100X)
CODE BUILD TEST PROD
Greenlight
File level analysis from IDE
Sandbox
Developers can check code without effecting policy compliance
Software Composition Analysis (SCA)
Identify and eliminate risk in third-party components
Binary Static Analysis (SAST)
Asses your applications for policy compliance
Web Application Security (DAST)
Find flaws in applications deployed to production
Focused Manual Penetration Testing (MPT)
Test application for business logic attacks that automation cannot find
Developer Secure Code Training
Enable Developers with computer based training
On-Demand Application Security Consultants (ASC)
On-demand remediation guidance for developers and security
Security Program Management (SPM)
Successfully launch your program for immediate results and scale without adding headcount

6. 6 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Integrate into existing Agile, DevOps & CI/CD Toolchain
Centralized AppSec
Platform

7. 7 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
AppSecProgram
Maturity
Optimal time to
onboard additional
apps or dev
teams
ContinuousRefinement/Improvement
Gain commitment from executive level, security, and development
Define application inventory, business criticality, and target rollout phases
Define policy(s)
Baseline scan of 1st phase of applications
Define program metrics
Develop a remediation & mitigation strategy, adjust policy(s) accordingly
Integrate into IDE(s)
Automate scans with build server plugins
Deploy a defense in depth strategy - i.e. Greenlight, IAST, or RASP
Develop internal AppSec expertise
Automated security into CI/CD pipeline – gate repo, build(s), or deployment(s)
Include SCA in design phase & SAST in the requirements phase development
Vendor application security testing (VAST)
Integrate into defect tracking system
Phased
Activities
AppSec Maturity Roadmap

8. 8 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
CODE BUILD TEST STAGE PROD
Veracode Plugin
Veracode Step
Automate Security into Existing SDLC
Staging
ProductionStatic Analysis
SCA
Sandbox
IDE
Greenlight
Code Repo
Build Server
Dynamic
Analysis
Defect
Tracking
System

9. 9 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Veracode Platform Overview

10. 10 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Recommended Sessions
SESSION # TITLE DATE/TIME
DST50T How Components Increase Speed and Risk 11/15/2017 at 1:45 pm
DST40T
Scale Your Application Security Program Effectively
with the Right Program Management Model
11/15/2017 at 3:30 pm
SCT40T
Don’t Overreact: How to Respond to Vulnerability
Disclosures
11/15/2017 at 3:30 pm
DST39T DevOps: Security’s Chance to Get It Right 11/16/2017 at 12:45 pm
SCT41T
Testing the Fences: Recent Attacks Are Harbingers
of a More Serious Threat
11/16/2017 at 4:15 pm

11. 11 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Must See Demos – Wed & Thurs
Securing
Apps from Dev
to Production CA Veracode Static Analysis
CA Veracode Greenlight
CA Veracode Remediation
Guidance
Manage
Your
Software Risk
Open Sourced Component
Scanning
Developer Training on Secure
Coding
Integrations into Your Dev
Tools
301
Manage
Your
Software Risk
CA Veracode Static Analysis
CA Veracode Web Application
Scanning
CA Veracode Greenlight
CA Veracode Static Analysis
CA Veracode Greenlight
CA Veracode Remediation
Guidance
506P 509P
DevOps-CD SecuritySecurity

12. 12 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
Stay connected at https://community.veracode.com
Thank you.

13. 13 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
DevSecOps
For more information on DevSecOps,
please visit: http://cainc.to/CAW17-DevSecOps