
Dark Reading | Cloud | Products and Releases
8/22/2019 09:40 AM

Veracode Releases Advanced Software Composition Analysis Solution Decreasing Open Source Risk

Cloud-based solution helps developers prioritize and remediate open source vulnerabilities quickly within DevSecOps environments.

BURLINGTON, Mass., Aug. 20, 2019 (GLOBE NEWSWIRE) -- Veracode, a leading provider of application security testing (AST), today announced its new Veracode Software Composition Analysis (SCA), the only solution that offers both vulnerable methods detection technology and machine learning models that identify vulnerabilities fixed by open source projects but never disclosed to the National Vulnerability Database (NVD). Vulnerable methods detection identifies not only which applications contain a vulnerable component but also whether the application's own code actually reaches the vulnerable method, so developers can prioritize fixes by risk and exploitability rather than treating every flagged library as equally urgent.

Veracode SCA combines automated vulnerability remediation with machine learning models that detect unreported vulnerabilities in open source libraries in near-real time, creating the most comprehensive SCA offering in the market. The new solution is a fully integrated part of the Veracode Platform, which provides analytics across various assessment types, including SAST, DAST, and penetration testing. Veracode SCA allows development teams to harness the power of open source code to speed up development cycles without introducing unnecessary risk or interfering with the development process.

“While the use of open source could be considered the most important accelerator in the history of software development, it also brings with it a significant number of security vulnerabilities that have been responsible for some of the world’s most significant breaches,” said Dave Gruber, senior analyst with Enterprise Strategy Group. “As developers strive to deliver secure applications at the pace of business, they need tools that were designed from the ground up for use in fast-moving DevSecOps environments. The new offering, which fully leverages the SourceClear technology acquired last year, transforms Veracode’s SCA capabilities, allowing developers to rapidly prioritize, categorize and remediate open source related issues in a low-noise environment. As part of the broader Veracode Platform, development teams can now leverage a common platform to secure applications while measuring the effectiveness of their overall AppSec program.”

The use of open source libraries allows organizations to meet the demands of accelerated development times, but with more than 5 million open source libraries available today and an estimated half billion more expected in the next decade, organizations face increased exposure to vulnerabilities. Veracode SCA limits the risk of integrating open source components into applications as part of the DevSecOps process. It provides visibility into all direct and indirect (transitive) open source libraries in use, identifies both publicly known and not-yet-disclosed vulnerabilities in those libraries, and shows how each vulnerability affects the application, without slowing development velocity. The solution has extensive language coverage, supporting Java, JavaScript, Python, Ruby, PHP, Node.js, Go, Objective-C, Swift, C/C++, .NET, and Scala.
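The two capabilities the release describes, flattening direct and transitive dependencies and then checking whether the application's code actually reaches a vulnerable method, can be illustrated with a small Python script. This is an added example, not Veracode's or SourceClear's code: the package names (webfw, yamlish, vulnlib), versions, advisory entries and the sample application source are all constructed for the demonstration and do not refer to real packages or real CVEs. It uses the standard library's `ast` module to build a call graph of the sample application and walks it from `main()`.

```python
"""Added example (not Veracode's code): dependency flattening plus
call-graph reachability for 'vulnerable method' triage.

Every package, version, advisory and source line below is constructed
for illustration; none refers to a real project or a real CVE.
"""
import ast
from collections import deque

# Constructed lock-file style manifest: package -> requirements it pulls in.
# "app" is the application itself; vulnlib is only an indirect dependency.
MANIFEST = {
    "app": ["webfw==3.1.0", "yamlish==0.9.2"],
    "webfw": ["vulnlib==1.2.0"],
    "yamlish": [],
    "vulnlib": [],
}

# Constructed advisory feed: (package, version) -> fully qualified vulnerable methods.
ADVISORIES = {
    ("vulnlib", "1.2.0"): {"vulnlib.parse.load_unsafe"},
    ("yamlish", "0.9.2"): {"yamlish.loader.full_load"},
}

# Constructed application. Both affected libraries are imported, but only one
# vulnerable method sits on a call path from main(); the other is dead code.
APP_SOURCE = '''
import yamlish.loader
from vulnlib import parse

def read_config(path):
    with open(path) as f:
        return yamlish.loader.full_load(f.read())

def legacy_import(blob):
    return parse.load_unsafe(blob)   # nothing calls legacy_import

def main():
    return read_config("app.yaml")
'''


def resolve_dependencies(manifest, root="app"):
    """Flatten the tree under `root` into {package: (version, is_direct)}."""
    resolved = {}
    queue = deque((req, True) for req in manifest.get(root, []))
    while queue:
        req, direct = queue.popleft()
        name, version = req.split("==")
        if name in resolved:  # keep first version seen; never demote a direct dep
            resolved[name] = (resolved[name][0], resolved[name][1] or direct)
            continue
        resolved[name] = (version, direct)
        queue.extend((child, False) for child in manifest.get(name, []))
    return resolved


def _dotted(node):
    """Turn the func node of `a.b.c(...)` into ['a', 'b', 'c'] (None if dynamic)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return parts[::-1]
    return None


def build_call_graph(source):
    """Return ({func: local callees}, {func: qualified external callees}).

    Import aliases are expanded so `from vulnlib import parse; parse.x()`
    is recorded as `vulnlib.parse.x`.
    """
    tree = ast.parse(source)
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name.split(".")[0]] = a.name if a.asname else a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    functions = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
    local, external = {}, {}
    for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        local[fn.name], external[fn.name] = set(), set()
        for node in ast.walk(fn):
            parts = _dotted(node.func) if isinstance(node, ast.Call) else None
            if not parts:
                continue
            if len(parts) == 1 and parts[0] in functions:
                local[fn.name].add(parts[0])
            elif parts[0] in aliases:
                external[fn.name].add(".".join([aliases[parts[0]], *parts[1:]]))
    return local, external


def reachable_external_calls(source, entry="main"):
    """External methods reachable from `entry` by following local calls."""
    local, external = build_call_graph(source)
    seen, reached, queue = set(), set(), deque([entry])
    while queue:
        fn = queue.popleft()
        if fn in seen or fn not in local:
            continue
        seen.add(fn)
        reached |= external[fn]
        queue.extend(local[fn])
    return reached


def triage(manifest, advisories, source, entry="main"):
    """Match resolved deps against advisories; mark which vulnerable methods are reachable."""
    reached = reachable_external_calls(source, entry)
    findings = []
    for name, (version, direct) in sorted(resolve_dependencies(manifest).items()):
        methods = advisories.get((name, version))
        if methods:
            findings.append({"package": name, "version": version, "direct": direct,
                             "vulnerable_methods": sorted(methods),
                             "reachable": sorted(methods & reached)})
    return findings


if __name__ == "__main__":
    for f in triage(MANIFEST, ADVISORIES, APP_SOURCE):
        kind = "direct" if f["direct"] else "transitive"
        verdict = "FIX FIRST" if f["reachable"] else "present, not reachable"
        print(f"{f['package']}=={f['version']} ({kind}): {verdict}")
```

Run stand-alone, the script reports yamlish 0.9.2 (a direct dependency whose vulnerable loader is called from `main()`) as the fix to make first and vulnlib 1.2.0 (pulled in transitively, with its vulnerable method only referenced from dead code) as present but not reachable. A real tool also has to handle dynamic dispatch, reflection and calls made from inside the libraries themselves, which is why unreachable findings are a lower priority rather than a reason to leave the component unpatched.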

According to the State of Software Security Vol. 9, 87.5% of Java applications contain at least one vulnerable component, and it takes organizations an average of 140 days to close just 50% of flaws in Java. The open source community finds and fixes many vulnerabilities without disclosing them, so downstream users never learn that they need to update or patch, which compounds the problem. Veracode’s proprietary vulnerability database, built using machine learning and data mining, continuously crawls open source project repositories and extracts vulnerability information from them, yielding 40% more vulnerabilities than the NVD alone. Veracode SCA also looks for malicious packages that contain intentionally planted backdoors.

By scanning open source libraries with a database augmented by machine learning, companies gain the advantage of identifying vulnerabilities that would otherwise have gone undetected. Yet, finding vulnerabilities is only half the challenge in application security. Veracode SCA provides automated prescriptive fix information enabling organizations to improve fix rates quickly and reduce risk.

“Developers are reliant on open source components in their software and may unknowingly introduce vulnerabilities and license risks into applications. The reality is that identifying open source risk and manually cataloguing open source libraries isn’t feasible,” said Chris Wysopal, Chief Technology Officer and co-founder at Veracode. “Veracode SCA is unique in offering the power and speed of machine learning to mine open source repositories, the flexibility of a SaaS-based solution to scale with the needs of the business, and automated fixes to match the pace of DevSecOps practices.”

Veracode SCA offers automatic generation of pull requests and remediation guidance to accelerate fixes, helping developers remediate faster, without costly manual processes, and remove open source vulnerabilities before they can lead to a data breach. Customers can use these capabilities directly in their existing development tools through integrations.

Customers can scan in one of two ways: an agent-based scan that developers integrate into their pipeline, or an application upload scan in which the uploaded code is analyzed by both Veracode Static Analysis and Veracode SCA. Veracode SCA can also link application upload results with agent-based scan results to simplify policy compliance and internal reporting.

For more information on Veracode SCA, visit here.

About Veracode
With its combination of automation, process, and speed, Veracode becomes a seamless part of the software lifecycle, eliminating the friction that arises when security is detached from the development and deployment process. As a result, enterprises are able to fully realize the advantages of DevOps environments while ensuring secure code is synonymous with high-quality code. 

Veracode serves more than 2,100 customers worldwide across a wide range of industries. The Veracode Platform has assessed more than 10 trillion lines of code and helped companies fix more than 36 million security flaws.

Learn more at www.veracode.com, on the Veracode blog and on Twitter.

Copyright © 2019 Veracode, Inc. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.

Media Contact:
Pete Daly
Veracode 
[email protected]  
339-674-1528
