Securing The Entire Software Development Static Analysis

Transcription

Securing the Entire Software Development Pipeline with Veracode Static Analysis

From "my code" to "our code" to "production code," Veracode's Static Analysis product family is optimized to secure code throughout the development process.

As organizations attempt to reduce the time it takes their development teams to create and release new software, development practices are rapidly changing. Modern development practices hinge on fast, agile processes with no roadblocks. And developers need security testing solutions that can keep pace.

But many traditional AppSec solutions — which focused solely on scanning completed applications against policy — created these roadblocks. Often taking hours to complete, these solutions left developers unable to move forward, provided feedback out of context, and delayed the release of software.

Veracode's Static Analysis solution works for organizations seeking to better secure their applications without reducing development velocity within the business. It's designed to deliver faster, automated security feedback earlier in the pipeline as well as full policy scans later in the development cycle prior to final code release. The result is unsurpassed accuracy and agility, and improved compliance with critical industry standards and regulations. Veracode Static Analysis delivers the right scan, at the right time, in the right place.

A Better Way

Our Static Analysis solution delivers ultra-fast scans along with detailed security feedback. It offers highly targeted analysis and powerful tools that address developers' and security professionals' needs and the way they work, as well as an organization's requirements, at every stage of the coding process, from the IDE to production.

Veracode Static Analysis provides scans that are optimized for when they're leveraged in the software development lifecycle, and whether the intent of the scan is full application security assurance, rapid feedback in the pipeline, or individual developer continuous flaw feedback and education.

Our Static Analysis solution allows you to do the right scans, at the right time, in the right place.

DEVELOPERS RATE THEIR DEVOPS PRACTICES AS
33% fair
28% good
17% poor
The most common reason cited for problems is manual processes/a lack of automation. [1]

Our updated Static Analysis solution addresses three primary areas of the development process with three different scanning types: IDE Scan, Pipeline Scan, and Policy Scan.

My Code
IDE / EDITOR (IDE SCAN)

As developers write code, there's traditionally been no way for them to know if and when they're introducing errors and creating flaws. The IDE Scan analyzes the code that a developer is currently working on and provides real-time feedback to help developers answer the question "Is the code I'm writing secure?" before they commit it into the main repository.

BENEFITS

The IDE Scan provides feedback in seconds, reinforcing secure coding practices and flagging potential security flaws in real time, which helps developers continuously build better secure coding practices. This approach helps reduce flaws introduced in new code by more than 60 percent on average. The IDE Scan also helps developers learn on the job through positive reinforcement, remediation guidance, code examples, and links to Veracode AppSec Tutorials.

DEVELOPERS DEPLOY
43% multiple times a day
41% between once a day and once a month [2]

Our Code
CI PIPELINE (PIPELINE SCAN)

The Pipeline Scan integrates into the CI pipeline to offer test results each time code is committed. With a median scan time of just 90 seconds, this scan directly embeds into teams' CI tooling and provides fast feedback on flaws being introduced in new commits. It answers the question "Is the code my team is writing secure?"

BENEFITS

The Pipeline Scan is designed to run on every build to provide security feedback on the code at a team level on every commit. It offers crucial analysis and capabilities, including the ability to break the build if new security issues appear, so that teams can prevent security flaws from entering their application and receive in-context feedback without triggering a full security audit.

There are currently more than 200,000 COMMITS PER DAY in public repositories. [3]

Production Code
CD PIPELINE (POLICY SCANS)

Ensuring that applications are meeting policy compliance and industry standards, the Policy Scan evaluates the entire application against one policy in a median time of eight minutes and delivers detailed analytics that can be used for any level of internal or external auditing. It can also notify a GRC system with the results of the scan. This scan answers the question "Are my organization's applications secure?"

BENEFITS

The Policy Scan generates reports that allow development teams to preview compliance in a sandbox before promoting the scan to policy and finalizing a release, update, or new software application. It produces the detailed information that auditors require and helps an organization achieve internal and external compliance. In addition, by providing visibility into how flaws are propagating over time at the developer, team, and business unit level, the Policy Scan's in-depth analytics allow security and development managers to proactively address risk across their organizations.

CONTINUOUS DELIVERY — a cornerstone of DevOps — is a concept that developers view as critical.
43% believe that deployment must take place on-demand, which could include multiple deployments per day.
13% say that it's acceptable to deploy code between once a month and every six months. [4]

Scanning New Horizons

Our Static Analysis delivers a best-practice approach to static scanning. It makes accuracy a priority, producing a less than 1.1 percent false positive rate without tuning.

With this solution in place, developers are able to go about their work with a focus on security but without the burden of constantly stopping and starting for code reviews. They're also able to learn as they go through the use of constant feedback. Our Static Analysis provides quality results, including pointing out where flaws commonly take place, their severity, and the potential risk.

By combining the IDE and Pipeline Scans, one major technology firm slashed the number of new flaws introduced into its master branch by 79 percent, compared to relying on policy scans alone.

DEVELOPERS SAY
70% ARE EXPECTED TO WRITE SECURE CODE
BUT RATE THEIR SECURITY PRACTICES AS ONLY
25% good
53% fair to poor [5]

To learn more about our Static Analysis solution and how it can help you and your development team identify and remediate security flaws, please visit OUR WEBSITE.

References
1. "2019 Global Developer Report: DevSecOps," GitLab.
2. Ibid.
3. "The State of the Octoverse," GitLab.
4. "2019 Global Developer Report: DevSecOps," GitLab.
5. Ibid.

Veracode gives companies a comprehensive and accurate view of software security defects so they can create secure software, and ensure the software they are buying or downloading is free of vulnerabilities. As a result, companies using Veracode are free to boldly innovate, explore, discover, and change the world.

With its combination of automation, integrations, process, and speed, Veracode helps companies make security a seamless part of the development process. This allows them to both find and fix security defects so that they can use software to achieve their missions.

Veracode serves more than 2,000 customers worldwide across a wide range of industries. The Veracode Platform has assessed more than 8 trillion lines of code and helped companies fix more than 36 million security flaws.

Learn more at www.veracode.com, on the Veracode blog and on Twitter.

Copyright 2020 Veracode, Inc. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.
