Veracode Static Analysis: Comprehensive analysis across the development lifecycle

Veracode, the largest independent global provider of application security testing (AST) solutions, announced the launch of the next generation of Veracode Static Analysis.

The new release features comprehensive analysis across the development lifecycle, including a new Pipeline Scan that is optimized for use when code is submitted to the build process.

Veracode Static Analysis is part of the Veracode SaaS platform providing comprehensive software security analysis capabilities, developer enablement, and AppSec governance, including compliance frameworks and market-leading analytics.

Veracode Static Analysis is a DevSecOps solution for companies that innovate through software and need to deliver secure code on time. The Veracode Static Analysis product family includes:

  • IDE Scan: IDE Scan, formerly Veracode Greenlight, allows developers to discover flaws pre-commit in real time as they write code, shifting security left to catch issues while they are easier and less expensive to fix. IDE Scan returns results in a median time of 3 seconds, reducing the number of new flaws introduced and allowing developers to deliver secure code while staying on schedule and reducing unplanned work. Because developers get immediate feedback and remediation advice on their own code, IDE Scan also provides effective on-the-job secure coding training.
  • Pipeline Scan: The first of its kind in the market, this is a fast, new scan that fits developers’ DevSecOps requirements and helps them address security flaws quickly in the pipeline. The median scan time for Pipeline Scan is just 90 seconds. This new scan type addresses a widespread industry need for fast feedback on every build in a continuous integration environment, which is critical for developer success in DevSecOps practices. It also reduces costly unplanned work later.
  • Policy Scan: Prior to releasing software, Policy Scan completes a full assessment of the code with an audit trail for management and compliance purposes. This comprehensive scan with detailed logging completes in a median scan time of 8 minutes. Development teams can also preview compliance in a sandbox environment before communicating results to security and governance teams. Each application is evaluated against the company’s security policy, delivering a clear pass/fail result.

“In a DevSecOps world, developers come first and the tools they use to secure their code have to fit with how they work,” said Ian McLeod, Chief Product Officer at Veracode.

“Veracode Static Analysis provides powerful capabilities for developers to focus on fixing, not just finding, flaws in code. The speed these products offer organizations is unrivaled in the industry, without sacrificing accuracy. Application security programs are most comprehensive and effective when individual developers in the organization become engaged participants and stakeholders.”

Veracode Static Analysis allows organizations to scan early and frequently, providing developers with clear guidance on what issues to focus on and how to fix them faster, while offering comprehensive scanning of the full application to meet security team requirements.

A large technology firm using Veracode Static Analysis reduced the number of new flaws introduced into its master branch by 79%, or about 150,000 flaws. Veracode Static Analysis ensures the highest possible accuracy with a developer-reported false positive rate of less than 1.1% without manual tuning.
