Date posted: 04-Dec-2014 | Category: Technology | Uploaded by: salil-kumar
Veracode Overview
Brought to you by
An introduction to Veracode
Who we are
• The people, process and technology needed to deliver a scalable and cost-effective software security program
• The only complete application security offering in the cloud (SaaS)
• Core patented technology developed in 2002
• Veracode established 2006 (ex @stake, Guardent, Symantec and VeriSign)

What we do
• Provide world-class automated static, dynamic and mobile application security testing service and complementary consulting and remediation services
• Scalable and rapid delivery model
• Frictionless integration
• Industry benchmarking
Veracode: some facts
• Over 600 customers, in more than 80 countries, across all industry sectors
• 58 billion lines of code scanned
• 5.046m valid security flaws detected by SAST alone
• Test repository of over 70,000 applications
• Over 425,000 separate flaws identified
• 270% increase in SAST scan volumes year on year
• 12 major releases – SaaS continuous learning – maintaining leadership
• 3-hour average scan time for Java and .NET
Independent recognition
• “Veracode has cleverly taken advantage of its unique technology (static binary analysis) and matched it up with its SaaS platform and program management and sales services to create an offering that takes both effort and cost away from the enterprise CISO.” (2012)
• “Visionary” in Gartner’s Magic Quadrant for Dynamic Application Security Testing (2011)
• “Leader” in Gartner’s Magic Quadrant for Static Application Security Testing (2010)
• SC Award for Information Security Product of the Year (2012)
• Veracode ranked #20 on Forbes Most Promising Companies in America (2013)
Veracode Platform and Services
Platform
• No hardware
• No software
• No maintenance

Services
• Expertise on demand
• Cost effective
Veracode Patented Binary Static Analysis
Automated “inside-out” code analysis without requiring access to source code

Covers: internally developed, outsourced, open source and third-party libraries, mobile, commercial and cloud applications

How it works:
• Tests executables
• Identifies vulnerabilities and backdoors
• Covers third-party code
• Supports web, non-web, internal, commercial, mobile and cloud apps

Benefits:
• Complete application coverage
• Scales out: thousands of apps
• Scales up: multi-gigabyte applications
• Tests what runs and what is attacked
• Protects IP for third-party apps
• Low false positives, fast turnaround
• Actionable remediation advice

Veracode positioned as a leader in Gartner’s SAST MQ

“Not having binaries tested leaves a gap in application security.”
-- Joseph Feiman, Gartner
Veracode Dynamic Analysis
Automated “outside-in” web application testing at scale with speed

How it works:
• Discovery: find web applications and prepare a target list for analysis
• DynamicMP: massively parallel, rapid baseline scanning of all perimeter applications
• DynamicDS: deep scanning of external and internal applications

Benefits:
• Track rapidly growing application perimeter
• Scan thousands in days, not months
• Gain total website coverage
• Non-disruptive
• Low false positives
• Fast turnaround

Veracode positioned as visionary in Gartner’s DAST MQ
Veracode Application Analytics
Security data analytics, application intelligence and peer benchmarking

How it works:
• Aggregates program statistics across all testing activities and suppliers
• Offers policy compliance as well as interactive dashboards and querying
• Enables peer benchmarking
• Provides application inventory snapshots

Benefits:
• Manage all activities through one platform
• Measure and demonstrate on-going progress
• Make informed decisions
• Understand performance relative to others (1)

(1) Read our latest State of Software Security Report at www.veracode.com
Policy Manager
A policy framework and workflow system to enable a programmatic approach to application security

How it works:
• Provides pre-built policy templates for PCI-DSS, OWASP Top Ten, SANS Top 25
• Adds CERT secure coding standards to pre-built templates
• Leverages industry standards (CWE, CVSS, NIST) for policy creation
• Provides several options for custom policy definitions
• Tracks remediation progress
• Automates internal communication workflow

Benefits:
• Enables quick security policy definition and assignment
• Replaces ad-hoc compliance management with a systematic approach
• Offloads internal communication overhead
• Simplifies GRC for applications
Veracode eLearning
Online training courses, knowledge base and assessments for developer education

How it works:
• Provides over 50 courses with extensive coverage of key topics addressing basic and advanced concepts
• Provides tracks tailored for development, QA and security
• Contains pre-built assessments for testing purposes

Benefits:
• Professional development for developers
• Better application security out of the gate
• Use testing results to direct eLearning courses
• Strengthen new-hire due diligence
• Scale easily to thousands of developers and security personnel
• Integrated analytics empowering course recommendations
Veracode Mobile Application Analysis
Binary static analysis on mobile applications to discover security vulnerabilities and data privacy issues

How it works:
• Identifies opportunities for data exfiltration, unsafe data storage and privacy violations
• Supports Android, iOS, Windows Mobile and BlackBerry, detecting flaws that threaten mobile hardware and OS
• Detects mobile backdoor capabilities (remote tracking apps, personal information theft, remote listening)

Benefits:
• Minimize risk without impeding mobile adoption
• Understand data leak potential
• Understand risks in mobile apps developed by third parties
• Independent verification addresses security concerns
Veracode Solutions

The first completely outsourced solution that attests the security of your software supply chain. A VAST Program helps reduce your software security risk by inducing vendors to comply with your policies. Solution cost is shared with your vendors.
Solution benefits:
• Reduce software security risk across your portfolio.
• Outsource to the experts, save internal resources.
• Vendor compliance visibility with monthly reporting.
• Low friction for vendors and suppliers.

A massively scalable solution for rapidly gathering vulnerability intelligence across every enterprise web application.
Solution benefits:
• Instant web application inventory.
• Rapid risk assessment at massive scale.
• Efficient monitoring of a rapidly changing application perimeter.
• Vulnerability intelligence.
• A known perimeter with fewer vulnerabilities.

Solutions designed to get enterprise software development on the RAMP to real risk reduction, with seamless integration into the SDLC.
Solution benefits:
• Reduce software security risk across internally developed applications.
• Enable risk reduction earlier in the development lifecycle.
• Practical implementation with measurable value.
• Scale program adoption across the enterprise.
• Low friction for development teams.
Integration of Veracode Scanning into the Development Process
• Pick up binaries from integration sandboxes
• Scan via Veracode
• Analyze the XML results (XML processing via Tamino XML Server)
• Create issues in the security bug tracking system, integrated with the existing JIRA bug tracking system
• Communicate with developers via the existing JIRA system
• When issues get fixed or set to mitigated, check via automatic scanning whether they are really fixed

Benefits of integrating Veracode
• No changes to the existing development process: no new systems for developers to learn, no changes to build and promotion systems needed
• Regular scanning and analysis for potential vulnerabilities: daily feedback and metrics
• Fully automated: whenever new builds are available, they can be directly scanned and analyzed; based on information available in the existing bug tracking system, issues can be automatically assigned to responsible development teams
• Scalable to many products: only a set of configuration parameters needs to be set to include additional products in the scanning process
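Added example (not the deck's or Veracode's own code; the XML schema, tracker state and module-to-team mapping are constructed simplifications): a Python reconciliation step for the integration loop described above, which diffs one scan result against the bug tracker, files tickets for new flaws assigned by a per-product configuration, reopens issues claimed fixed or mitigated that the new binary still exhibits, and closes open issues the scan no longer finds.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed sample in an assumed, simplified result schema; NOT Veracode's real XML format.
SCAN_XML = """<scan app="payments" build="2014-12-04">
  <flaw issueid="101" cweid="89" severity="5" module="api.jar" file="Query.java" line="42"/>
  <flaw issueid="102" cweid="79" severity="4" module="web.war" file="Render.jsp" line="7"/>
  <flaw issueid="104" cweid="327" severity="3" module="api.jar" file="Crypto.java" line="19"/>
</scan>"""

# Simulated state of the existing bug tracker (JIRA in the deck), keyed by scan issue id.
TRACKER = {
    "101": {"status": "Open"},       # still reported by the scan -> nothing to do
    "102": {"status": "Fixed"},      # claimed fixed, but the new scan still reports it
    "103": {"status": "Open"},       # no longer reported -> close as verified fixed
    "105": {"status": "Mitigated"},  # claimed mitigated and no longer reported
}

# Per-product configuration: which team owns which binary module (assumed parameter set).
TEAM_BY_MODULE = {"api.jar": "backend-team", "web.war": "frontend-team"}

Action = namedtuple("Action", "kind issueid team")

def parse_flaws(xml_text):
    """Return {issueid: attributes} for every flaw in the (assumed-format) scan result."""
    root = ET.fromstring(xml_text)
    return {f.get("issueid"): dict(f.attrib) for f in root.iter("flaw")}

def reconcile(scan_xml, tracker, team_by_module, default_team="appsec-triage"):
    """Diff a fresh scan against tracker state and decide what to do with each issue."""
    flaws = parse_flaws(scan_xml)
    actions = []
    for issueid, flaw in flaws.items():
        team = team_by_module.get(flaw["module"], default_team)
        state = tracker.get(issueid)
        if state is None:                        # new flaw: file a ticket for the owning team
            actions.append(Action("create", issueid, team))
        elif state["status"] in ("Fixed", "Mitigated"):
            # Developer claimed it was handled, but the binary still exhibits it: reopen.
            actions.append(Action("reopen", issueid, team))
    for issueid, state in tracker.items():
        if issueid in flaws:
            continue
        if state["status"] == "Open":            # gone from the scan: close as verified fixed
            actions.append(Action("close_verified", issueid, None))
        else:                                    # claimed fixed/mitigated and confirmed absent
            actions.append(Action("verified", issueid, None))
    return sorted(actions, key=lambda a: (a.kind, a.issueid))

if __name__ == "__main__":
    for action in reconcile(SCAN_XML, TRACKER, TEAM_BY_MODULE):
        print(action)
```

Adding a product means adding its scan source and a module-to-team mapping; the reconciliation itself stays unchanged.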
Hamad Alfataih
Regional Director
Tel: +966114502334
Mob: +966597822244
P.O. Box: 2454 Riyadh 11451
www.greenmethod.com.sa
www.greenmethodonline.com
h.alfataih@greenmethodonline.com