How Static Analysis Has Changed in a DevOps World

The industry-wide shift to DevOps practices has changed more than just developer processes. It has also had a major impact on security, including application security testing techniques. Static analysis, for instance, has had to evolve along with development processes. Unlike early versions of static analysis solutions that only assessed completed code at the end of the development cycle, today’s static analysis solutions check and secure code from development to production, as the code moves from the individual developer, to the development team, to the security team and enterprise policy level. For instance, CA Veracode’s application security solution now features CA Veracode Greenlight for developer in-line static scanning, a Developer Sandbox to check code against policy beyond the eyes of the security team and CA Veracode Static Analysis for the final policy check on the full application. CA Veracode Greenlight allows developers to test the code that they’re working on in their IDE (integrated development environment), getting results back in seconds and highlighting areas where they’ve successfully applied secure coding principles. Then the Developer Sandbox functionality enables engineers to test and fix code between releases without triggering a failed policy compliance report to the security team. Finally, CA...

Security at DevOps Speed: How CA Veracode Reduces False Positives

Application security solutions that slow or stall the development process simply aren’t feasible in a DevOps world. AppSec will increasingly need to fit as seamlessly as possible into developer processes, or it will be under-used or overlooked. But overlooking AppSec puts your organization at high risk of a damaging breach. Our most recent State of Software Security report (which is based on our Platform data) found that a whopping 77 percent of apps had at least one vulnerability on initial scan. Leaving your code vulnerable leaves your organization open to breach. In the end, you need AppSec, but you also need AppSec that developers will use. Reduction of false positives is a big part of this requirement. False positives are always a key concern because they make developers and security folks spin their wheels, so solutions should minimize them as much as possible.

How CA Veracode Works to Reduce False Positives

We always aim for full automation and high speeds for all of our scans, but that doesn’t mean that we compromise on quality. During both the early adopter phases of supporting a new language, as well as throughout the course of generally available support, we...

Announcing Mobile Security Testing at DevOps Speed

CA Veracode is pleased to announce a completely redesigned, significantly faster mobile application security scanner for iOS, and mobile behavioral analysis for iOS and Android applications. Our new iOS scanner and mobile behavioral analysis technology combine to give you faster, more thorough mobile scanning results. Faster scan times, plus a unified view of results in the CA Veracode platform, means mobile application security testing keeps moving at DevOps speed.

New iOS Scanner

CA Veracode Static Analysis now includes our fastest-ever mobile application scanner for iOS applications. Thanks to an innovative new scanning engine, scans now complete in a fraction of the time compared to the performance of previous iOS scanning technology. This scanner also supports iOS 11, which was just released by Apple in late September, and will serve as the basis of all new iOS scanner development.

New Behavioral Analysis

Additionally, we are launching mobile behavioral analysis for both iOS and Android mobile applications. Mobile behavioral analysis provides security teams with a better understanding of insecure application behavior. For instance, a common risk present in mobile applications is “over-permissioning,” where the app uses more permissions than is necessary (such as reading from address...

Announcing Support for the Scala Language and the Boto3 Framework

Making Our Static Analysis Even Better

As development speed has skyrocketed, security testing has shifted “left,” where it increasingly falls within the realm of the developer, rather than the security team. Today, modern application security programs feature centralized governance by security, but testing and fixing are owned by development in an automated fashion throughout the build process. In this approach, security owns setting policies, tracking KPIs and providing security coaching to developers. In turn, application security needs to work with developers and the way they work – or get left behind. To facilitate this alignment, AppSec solutions today must support the testing of applications written in the languages developers are currently using.

Introducing Scala and Boto3 Support

In our ongoing efforts to improve this alignment with developer processes, we are pleased to announce the following two enhancements to Veracode Static Analysis:

Scala language support: Veracode Static Analysis can now find security-related defects in applications built with the Scala language. Scala, a functional programming language rising in popularity and closely related to Java, is used by many large technology firms and enterprises. It is viewed as better for supporting concurrency than other modern languages like Ruby, and, in 2016, was the No. 1 most...