
8/22/2019
09:40 AM
Dark Reading
Products and Releases

Veracode Releases Advanced Software Composition Analysis Solution Decreasing Open Source Risk

Cloud-based solution helps developers prioritize and remediate open source vulnerabilities quickly within DevSecOps environments.

BURLINGTON, Mass., Aug. 20, 2019 (GLOBE NEWSWIRE) -- Veracode, a leading provider of application security testing (AST), today announced its new Veracode Software Composition Analysis (SCA), the only solution that offers both vulnerable methods detection technology as well as machine learning models to identify vulnerabilities that have been fixed by open source projects but not disclosed to the National Vulnerability Database (NVD). This vulnerable method functionality doesn’t just identify which applications have a vulnerable component but additionally identifies whether or not an attacker can exploit the vulnerable code, saving development time by allowing developers to prioritize fixes based on risk and exploitability.

Veracode SCA combines automated vulnerability remediation with machine learning models that detect unreported vulnerabilities in open source libraries in near-real time, creating the most comprehensive SCA offering in the market. The new solution is a fully integrated part of the Veracode Platform, which provides analytics across various assessment types, including SAST, DAST, and penetration testing. Veracode SCA allows development teams to harness the power of open source code to speed up development cycles without introducing unnecessary risk or interfering with the development process.

“While the use of open source could be considered the most important accelerator in the history of software development, it also brings with it a significant number of security vulnerabilities that have been responsible for some of the world’s most significant breaches,” said Dave Gruber, senior analyst with Enterprise Strategy Group. “As developers strive to deliver secure applications at the pace of business they need tools that were designed from the ground-up for use in fast moving DevSecOps environments. The new offering, which fully leverages the SourceClear technology acquired last year, transforms Veracode’s SCA capabilities, allowing developers to rapidly prioritize, categorize and remediate open source related issues in a low-noise environment. As part of the broader Veracode Platform, development teams can now leverage a common platform to secure applications while measuring the effectiveness of their overall AppSec program.”

The use of open source libraries allows organizations to meet the demands of accelerated development times, but with more than 5 million open source libraries available today and an estimated half billion more libraries to be released in the next decade, organizations face increased exposure to vulnerabilities. Veracode SCA limits risk associated with integrating open source software components into applications as part of the DevSecOps process. It provides visibility on all direct and indirect open source libraries in use, identifies known and unknown vulnerabilities in those libraries, and shows how the vulnerabilities affect applications without slowing down development velocity. The solution has extensive language coverage, supporting Java, JavaScript, Python, Ruby, PHP, Node.js, Go, Objective C, Swift, C/C++, .NET, and Scala.

According to the State of Software Security Vol. 9, 87.5% of Java applications contain at least one vulnerable component and it takes organizations an average of 140 days to close just 50% of flaws in Java. The open source community finds many vulnerabilities and fixes them without disclosure, meaning companies are not aware of the need to update or patch, thereby compounding the problem. Veracode’s leading proprietary vulnerability database, built using machine learning and data mining, crawls open source project repositories continuously and extracts vulnerability information to build a database that has 40% more vulnerabilities versus simply using the NVD. Veracode SCA also looks for malicious packages which have intentionally planted vulnerabilities that act as backdoors.

By scanning open source libraries with a database augmented by machine learning, companies gain the advantage of identifying vulnerabilities that would otherwise have gone undetected. Yet, finding vulnerabilities is only half the challenge in application security. Veracode SCA provides automated prescriptive fix information enabling organizations to improve fix rates quickly and reduce risk.

“Developers are reliant on open source components in their software and may unknowingly introduce vulnerabilities and license risks into applications. The reality is that identifying open source risk and manually cataloguing open source libraries isn’t feasible,” said Chris Wysopal, Chief Technology Officer and co-founder at Veracode. “Veracode SCA is unique in offering the power and speed of machine learning to mine open source repositories, the flexibility of a SaaS-based solution to scale with the needs of the business, and automated fixes to match the pace of DevSecOps practices.”

Veracode SCA offers automatic generation of pull requests and remediation guidance to accelerate fixes, helping developers remediate faster and eliminating open source vulnerabilities that could lead to catastrophic data breaches without costly manual processes. Customers can leverage these benefits directly in their native environment through seamless integrations.

Customers have the ability to upload applications using an agent-based scan or an application upload scan, providing flexibility for developers to either integrate scanning via agent into their pipeline or upload code to be scanned by both Veracode Static Analysis and Veracode SCA. Veracode SCA can also link application scan results with agent-based scans to simplify policy compliance and internal reporting needs.

For more information on Veracode SCA, visit here.

About Veracode
With its combination of automation, process, and speed, Veracode becomes a seamless part of the software lifecycle, eliminating the friction that arises when security is detached from the development and deployment process. As a result, enterprises are able to fully realize the advantages of DevOps environments while ensuring secure code is synonymous with high-quality code. 

Veracode serves more than 2,100 customers worldwide across a wide range of industries. The Veracode Platform has assessed more than 10 trillion lines of code and helped companies fix more than 36 million security flaws.

Learn more at www.veracode.com, on the Veracode blog and on Twitter.

Copyright © 2019 Veracode, Inc. All rights reserved. All other brand names, product names, or trademarks belong to their respective holders.

Media Contact:
Pete Daly
Veracode 
[email protected]  
339-674-1528

 
