Veracode delivers the application security solutions and services today’s software-driven world requires. Veracode’s unified platform assesses and improves the security of applications from inception through production so that businesses can confidently innovate with the web and mobile applications they build, buy and assemble as well as the components they integrate into their environments.

Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.

Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands. Learn more at, on the Veracode blog and on Twitter.

Web Application Security

More than half of all breaches involve web applications* — yet less than 10% of organizations ensure all critical applications are reviewed for security before and during production†.

Clearly, organizations need a way to replace fragmented, manual pen testing with ongoing, automated scanning so they can protect their global application infrastructures — without hiring more consultants or installing more servers and scanning tools.

The leading vector for cyber-attacks

Applications have become the path of least resistance for cyber-attackers because they are:

  • Constantly exposed to the Internet and easy to probe by outside attackers using freely available tools that look for common vulnerabilities such as SQL Injection.
  • Easier to attack than traditional targets such as the network and host operating system layers which have been hardened over time. Plus, networks and operating systems are further protected by mitigating controls such as next-generation firewalls and IDS/IPS systems.
  • Driven by short development cycles that increase the probability of design and coding errors — because security is often overlooked when the key objective is rapid time-to-market.
  • Assembled from hybrid code obtained from a mix of in-house development, outsourced code, third-party libraries and open source — without visibility into which components contain critical vulnerabilities.
  • Likely to present a larger attack surface with Web 2.0 technologies that incorporate complex client-side logic such as JavaScript (AJAX) and Adobe Flash.

Discover and continuously monitor all your web applications

  • Discovery: According to SANS, many organizations don’t even know how many applications they have in their domains. Our Discovery service addresses this visibility gap by creating a global inventory of all your public-facing web applications such as corporate sites, temporary marketing sites, related sites (.mail, .info, etc.), international domains and sites obtained via M&A. Plus, Discovery leverages our massively parallel, auto-scaling infrastructure to discover thousands of applications per day.
  • DynamicMP (Massively Parallel): Baseline your application risk by quickly identifying highly exploitable vulnerabilities such as those found in the OWASP Top 10 and CWE/SANS Top 25. Leverage our massively parallel infrastructure to test thousands of web applications simultaneously with lightweight, non-authenticated dynamic scans. Rapidly mitigate risk by shutting down temporary sites and feeding security intelligence information to Web Application Firewalls (WAFs).
  • DynamicDS (Deep Scan): Perform a comprehensive deep scan that identifies web application vulnerabilities using both authenticated and non-authenticated scans, including looking for attack vectors such as cross-site scripting (XSS), SQL injection, insufficiently protected credentials and information leakage. Also integrates security intelligence information with WAFs to enable virtual patching.
  • Virtual Scan Appliance (VSA): Perform a deep scan of applications located behind the firewall, typically in QA or staging environments, in order to find vulnerabilities prior to deployment. The VSA also helps secure internal web applications from insider attacks or attacks by malicious outsiders who gain access to insider credentials.
  • All results are consolidated with other threat intelligence through our central cloud-based platform.

Secure Web Application Development

When 12,000 security professionals were asked to name what the number one security threat was for their organization, 69% said application-layer vulnerabilities* — yet less than 10% ensure that all their business-critical applications are reviewed for security before and during production.

Clearly, organizations need a better way to scale their secure development programs so they can protect their entire application infrastructures in a cost-effective manner — without hiring more consultants or installing more servers and tools.

Our strategic, policy-based approach to application security is based on a centralized cloud-based platform that scales to cover your global application infrastructure.

Our scalable cloud-based platform secures all your applications across the Software Development Lifecycle (SDLC) — from code development to pre-production testing and production:

  • Multiple analysis techniques, built upon a single unified platform — including Static Application Security Testing (SAST), Web Application Discovery and Monitoring, Dynamic Application Security Testing (DAST), behavioral analysis (for mobile applications) and manual penetration testing — deliver a holistic, policy-based view of application layer threats.
  • Enterprise policies are based on the minimum acceptable levels of risk for applications according to their business criticality. Risk is based on the severity of flaws identified in the application, using standards such as the OWASP Top 10 (for web applications), the CWE/SANS Top 25 (for non-web applications) or compliance mandates such as PCI.
  • Analysis is optimized for low false positives and prioritized based on severity so you don’t waste time on things that don’t matter.
  • Role-Based Access Control (RBAC) provides granular, permission-based access to results for multiple teams based on their roles, including development, security and audit/compliance.
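To make the policy model above concrete, here is an added example (not Veracode's code) of a scan-result policy gate: each business-criticality tier sets the highest flaw severity still acceptable, and web applications are judged against OWASP Top 10 CWEs while other applications are judged against CWE/SANS Top 25 CWEs. The tier names, 1-5 severity scale, thresholds, CWE subsets and sample flaws are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: per criticality tier, the highest severity (1 = very low,
# 5 = very high) still tolerated, and whether flaws on the mandated standard
# list are rejected regardless of severity.
POLICY = {
    "very_high": {"max_severity": 2, "block_standard_flaws": True},
    "high":      {"max_severity": 3, "block_standard_flaws": True},
    "medium":    {"max_severity": 4, "block_standard_flaws": False},
    "low":       {"max_severity": 5, "block_standard_flaws": False},
}

# Constructed subsets of the CWE ids behind each standard list.
OWASP_TOP10_CWES = {"CWE-79", "CWE-89", "CWE-287", "CWE-200"}
CWE_SANS_TOP25_CWES = {"CWE-79", "CWE-89", "CWE-120", "CWE-787", "CWE-22"}


@dataclass(frozen=True)
class Flaw:
    cwe: str        # weakness id reported by the scanner
    severity: int   # 1..5
    location: str   # file:line or component name


def evaluate_policy(flaws, criticality, app_type):
    """Return (passed, violations) for one application's scan result.

    Web applications are held to the OWASP Top 10 list, everything else to
    the CWE/SANS Top 25 list; violations come back sorted by severity so
    triage starts with what matters most.
    """
    rule = POLICY[criticality]
    standard = OWASP_TOP10_CWES if app_type == "web" else CWE_SANS_TOP25_CWES
    violations = []
    for flaw in flaws:
        if flaw.severity > rule["max_severity"]:
            violations.append((flaw, "severity exceeds tier maximum"))
        elif rule["block_standard_flaws"] and flaw.cwe in standard:
            violations.append((flaw, "weakness is on the mandated standard list"))
    violations.sort(key=lambda v: -v[0].severity)
    return (not violations, violations)


# Constructed sample scan result for a single application.
SAMPLE_FLAWS = [
    Flaw("CWE-89", 5, "app/db.py:42"),        # SQL injection
    Flaw("CWE-79", 3, "templates/item.html"), # cross-site scripting
    Flaw("CWE-200", 2, "api/debug.py:7"),     # information leakage
    Flaw("CWE-563", 1, "util.py:90"),         # unused variable
]
```

The same flaw list passes for a low-criticality site but fails for a very-high-criticality one, which is the point of tying acceptable risk to business criticality rather than applying one threshold everywhere.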

Secure Your Mobile Applications

Find and Fix Software Vulnerabilities in Your Mobile Applications

Mobile internet usage has long surpassed desktop usage. It’s quick and easy to develop mobile applications, and the competition is fierce. Because end users have high expectations, your mobile applications need to be revised and updated even more frequently than conventional applications. At the same time, serious risk of breach and regulatory pressures are driving you to turn attention to the security of mobile applications, but you don’t have the time, people or money to move the needle.

Veracode’s mobile application security testing (MAST) solution enables you to quickly identify and remediate mobile application security flaws through automated code review and manual penetration testing. As a SaaS-based model, Veracode is easy to use and delivers highly accurate results because our engine learns with every scan. Our team of experts helps lead you to success with a combination of program management, application security consulting, and premium support. Veracode helps you comply with regulations and enables you to expand to other types of application security testing within the same platform.

Most applications were not built with security in mind: More than 63 percent of applications fail the OWASP Top 10 on first scan.

Test mobile apps to the appropriate depth

Not all mobile applications are created equal when it comes to security assurance. A simple marketing application may just need a fast automated scan with each incremental release. On the other hand, for an application that handles personal, financial or health care information, you need to secure the entire mobile ecosystem, including the customer-installed application, the back-end web services it communicates with, and the data that flows between them. Veracode’s mobile application security testing solution addresses the full range of use cases for mobile application security. Use Veracode Static Analysis to get fast, fully automated code security results for all of your front-end and back-end applications. And for those mission-critical mobile applications, you can supplement our fully automated analysis with manual penetration testing to spot issues that require skilled human review.

Third-Party Security

Whether you work for an enterprise and want to make sure all your vendor-supplied software is secure – or you’re a vendor who wants to prove to enterprises your applications comply with security standards – we can help.

If you’re like most businesses, more than two-thirds of your enterprise software portfolio — including commercial and outsourced applications, SaaS, third-party libraries and open source code — is provided by third-parties.

Source: Quocirca

Supply chain security

We’ll help ensure all your vendor-supplied code is up to your internal security standards by working with your vendors to assess and remediate their code, and by helping you implement a governance process for third-party software based on industry best practices.

Independent audits for ISVs

Learn how to take the time, money and effort out of proving your software is secure. As a trusted, independent party, we provide an independent audit and listing in our VerAfied Directory of your software that you can use as an alternative to self-attestation. Plus we provide detailed test results and step-by-step remediation assistance so your developers can quickly remediate any critical vulnerabilities.

Call us for more information or to request a quote