Veracode delivers the application security solutions and services today’s software-driven world requires. Veracode’s unified platform assesses and improves the security of applications from inception through production so that businesses can confidently innovate with the web and mobile applications they build, buy and assemble as well as the components they integrate into their environments.
Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.
Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands. Learn more at www.veracode.com, on the Veracode blog and on Twitter.
Web Application Security
More than half of all breaches involve web applications* — yet less than 10% of organizations ensure all critical applications are reviewed for security before and during production†.
Clearly, organizations need a way to replace fragmented, manual pen testing with ongoing, automated scanning so they can protect their global application infrastructures — without hiring more consultants or installing more servers and scanning tools.
The leading vector for cyber-attacks
Applications have become the path of least resistance for cyber-attackers because they are:
- Constantly exposed to the Internet and easy to probe by outside attackers using freely available tools that look for common vulnerabilities such as SQL Injection.
- Easier to attack than traditional targets such as the network and host operating system layers, which have been hardened over time. Networks and operating systems are also further protected by mitigating controls such as next-generation firewalls and IDS/IPS systems.
- Driven by short development cycles that increase the probability of design and coding errors — because security is often overlooked when the key objective is rapid time-to-market.
- Assembled from hybrid code obtained from a mix of in-house development, outsourced code, third-party libraries and open source — without visibility into which components contain critical vulnerabilities.
Discover and continuously monitor all your web applications
- Discovery: According to SANS, many organizations don’t even know how many applications they have in their domains. Our Discovery service addresses this visibility gap by creating a global inventory of all your public-facing web applications such as corporate sites, temporary marketing sites, related sites (.mail, .info, etc.), international domains and sites obtained via M&A. Plus, Discovery leverages our massively parallel, auto-scaling infrastructure to discover thousands of applications per day.
- DynamicMP (Massively Parallel): Baseline your application risk by quickly identifying highly exploitable vulnerabilities such as those found in the OWASP Top 10 and CWE/SANS Top 25. Leverage our massively parallel infrastructure to test thousands of web applications simultaneously with lightweight, non-authenticated dynamic scans. Rapidly mitigate risk by shutting down temporary sites and feeding security intelligence information to Web Application Firewalls (WAFs).
- DynamicDS (Deep Scan): Perform a comprehensive deep scan that identifies web application vulnerabilities using both authenticated and non-authenticated scans, including attack vectors such as cross-site scripting (XSS), SQL injection, insufficiently protected credentials and information leakage. DynamicDS also integrates security intelligence information with WAFs to enable virtual patching.
- Virtual Scan Appliance (VSA): Perform a deep scan of applications located behind the firewall, typically in QA or staging environments, in order to find vulnerabilities prior to deployment. The VSA also helps secure internal web applications from insider attacks or attacks by malicious outsiders who gain access to insider credentials.
- All results are consolidated with other threat intelligence through our central cloud-based platform.