Veracode Platform Enhancements Improve Developers’ Ability to Secure Software Supply Chains
At Black Hat USA 2022, Veracode announced the enhancement of its continuous software security platform with substantial enhancements to its embedded developer experience.
New features include expanded integrations to support Software Composition Analysis (SCA), a Software Bill of Materials (SBOM) application programming interface (API), and additional language and framework support for static analysis, further improving developers’ ability to secure software in the environments they work in.
Brian Roche, product manager at Veracode, said, “Modern applications are mostly put together, not written from scratch. Open source code represents a significant portion of audited codebases (for example, 97% of the typical Java application consists of open source libraries), which increases security risks and the need to identify software supply chain security risks. Our SBOM API is designed to make it easier for developers to inventory their codebase, including third-party components, allowing them to act quickly if new vulnerabilities emerge.
Since launching our Continuous Software Security Platform in May, we’ve introduced additional features that meet developers where they work: in the integrated development environment (IDE), code repository, and command line. These innovations are designed to drive adoption by making the platform even more developer-friendly.”
Veracode’s platform supports over 100 languages and frameworks, including those for developing cloud-native applications and older languages used with legacy assets, like COBOL. Large enterprises have applications in a myriad of languages and the ability to deploy a continuous security testing solution in all of these languages simplifies the process, while providing consistent results.
The company’s latest State of Software Security (SoSS) 12 study analyzed the most common flaws by language and found that a flaw prevalent in one language may not be of concern in another. For example, cross-site scripting (XSS) is the most common flaw for PHP, at 77%, but not even in the top 10 for C++.
Additionally, flaws are constantly changing, which means that even if a flaw is not prevalent in a programming language, practitioners still need to take active steps to prevent it from impacting their code. Since remediation tactics vary by defect and programming language, having a wide range of supported languages in one place makes developers’ jobs easier by freeing up their time to focus on meeting tight deployment deadlines.
Frequent scanning of proprietary and third-party code mitigates risk from proprietary and open-source vulnerabilities, such as Log4j. Veracode’s new developer-focused tools and services are designed to make this process faster and easier, especially with the added ability to scan third-party proprietary libraries.
Peter Evans, Director of Engineering at QAD Precision GTTE, said, “Veracode has given us a comprehensive platform to integrate security tools into our development pipelines, and helped us grow our knowledge to continue to improve in security. Veracode was also a good choice because the platform can analyze Java code in the Spring framework where we develop our software. We’ve moved from code reviews to integrating continuous analytics into our daily pipelines. Security threats don’t stand still and Veracode gives us the tools to keep up with the latest vulnerabilities and rules.”
Veracode Continuous Software Security Platform updates include:
SBOM for SCA
With government regulations dictating the standards for securing software supply chains, having an SBOM is increasingly important for organizations. The Veracode SBOM API in SCA allows developers to easily generate an SBOM in CycloneDX JSON format, one of the formats approved for US Executive Order compliance. This helps confirm that the code they are using or building is free from vulnerabilities.
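The inventory-then-act workflow the SBOM API is meant to support, as an added example (not Veracode’s code): it parses a constructed CycloneDX JSON document, keys each component by its package URL, and flags any component that sits below the fixed version in a constructed advisory list (placeholder ids, not real CVE numbers).

```python
"""Inventory a CycloneDX JSON SBOM and flag components that match a constructed
advisory list. Added example, not Veracode's code; all data below is constructed."""
import json

# Constructed CycloneDX 1.4 document, the shape the SBOM API described above emits.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "spring-core", "version": "5.3.20",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.20"},
    ],
})

# Constructed advisories: package purl (no version) and the first fixed version.
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "fixed_in": "2.17.1",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core"},
]


def parse_version(v):
    # '2.14.1' -> (2, 14, 1); non-numeric parts compare as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def inventory(sbom_json):
    # Map each component's purl (without version or qualifiers) to its version.
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    result = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl", "").split("?")[0]   # drop purl qualifiers
        pkg, sep, ver = purl.rpartition("@")
        if not sep:                                 # purl carries no version
            pkg, ver = purl, comp.get("version", "")
        result[pkg] = ver
    return result


def affected(sbom_json, advisories=ADVISORIES):
    # Advisory ids whose package is present at a version below the fixed one.
    inv = inventory(sbom_json)
    return [adv["id"] for adv in advisories
            if adv["package"] in inv
            and parse_version(inv[adv["package"]]) < parse_version(adv["fixed_in"])]
```

Re-running `affected` against the same stored SBOM whenever the advisory list changes is the "act quickly if new vulnerabilities emerge" step without rescanning the build.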
IDE and integrations for SCA
To make software security a seamless experience, Veracode continues to introduce integrations that meet developers where they work.
- The Veracode Azure DevOps extension has a new “SCA flaw importer” to automatically import SCA flaws into Azure DevOps boards and work items.
- The soon-to-be-released Veracode Extension for Visual Studio Code provides detailed information about vulnerabilities, licensing risks, and recommended versions of open source libraries and transitive dependencies so developers can react quickly to any risks.
Extensive support for frameworks and languages for static analysis
- The company is committed to keeping up with the latest languages and frameworks developers work with, adding support for Rails 7.0, Ruby 3.x, and PHP Symfony.
Roche concluded: “As a pioneer in application security, we are uniquely positioned to combine unparalleled experience with the latest innovations in cloud development. Unlike on-premises providers, our SaaS solution is both scalable and elastic, meaning customers are always ready to meet unexpected demand. Powered by nearly two decades of cumulative data, our platform provides detailed historical benchmarking against industry benchmarks and peers, a highly relevant level of insight for management teams and the board. Our platform also saves developers time by providing highly accurate results and enabling them to find and fix vulnerabilities in minutes, meaning they can ship code quickly with confidence that it is secure.”