Veracode

Uploaded by Sahid Ali Khan

Veracode:

Veracode is a leading application security (AppSec) platform that helps organizations identify and
remediate vulnerabilities in their software throughout the development lifecycle. By integrating
seamlessly with DevOps workflows, Veracode empowers developers and security teams to build
secure applications from the ground up.

Top 10 use cases of Veracode:

1. Static Application Security Testing (SAST): Scan source code for
vulnerabilities like SQL injection and cross-site scripting (XSS) early in the
development process.
2. Dynamic Application Security Testing (DAST): Simulate attacks to uncover
runtime vulnerabilities in web applications and APIs.
3. Software Composition Analysis (SCA): Identify and manage security risks
within open-source and third-party software dependencies.
4. Interactive Application Security Testing (IAST): Monitor deployed
applications for real-time attack attempts and suspicious activity.
5. Penetration Testing: Engage expert security professionals to manually test
applications for complex vulnerabilities.
6. Compliance Management: Ensure adherence to industry security standards like
PCI DSS, HIPAA, and GDPR.
7. DevSecOps Integration: Integrate security scanning tools into development
pipelines for continuous code improvement.
8. Security Education and Training: Empower developers and security teams with
knowledge and best practices for building secure software.
9. Threat Intelligence: Provide actionable insights into the latest security threats
and vulnerabilities to proactively protect applications.
10. Application Security Risk Management: Gain centralized visibility and
reporting on application security risks across the organization.

Benefits of Using Veracode:

• Reduced Time to Market: Find and fix vulnerabilities early in the development process, speeding up software delivery.
• Improved Software Quality: Build more secure and reliable applications, boosting user trust and confidence.
• Reduced Security Costs: Proactive vulnerability detection can prevent costly data breaches and reputation damage.
• Streamlined Workflows: Integrate seamlessly with existing development tools and practices for efficient security analysis.
• Compliance Assurance: Demonstrate compliance with industry regulations and standards.

If you’re looking to:

• Secure your software
• Protect your data
• Build trust with your users

Veracode can be a valuable partner in your cybersecurity journey.


What are the features of Veracode?
Testing Approaches:
• Static Application Security Testing (SAST): Analyzes source code to identify vulnerabilities like SQL injection, cross-site scripting (XSS), and buffer overflows.
• Dynamic Application Security Testing (DAST): Simulates attacks against running applications to uncover vulnerabilities in web applications and APIs.
• Software Composition Analysis (SCA): Scans open-source and third-party libraries for known vulnerabilities and license compliance issues.
• Interactive Application Security Testing (IAST): Monitors application behavior during testing to provide more accurate results.
• Penetration Testing: Offers manual testing by security experts for in-depth vulnerability assessment.

Integration and Automation:
• DevSecOps Integration: Integrates seamlessly with popular development tools and CI/CD pipelines for continuous security testing and feedback.
• API Integration: Supports integration with third-party tools for ticketing systems, issue trackers, and governance platforms.
• Automation: Automates vulnerability scanning and reporting processes for efficient workflows.

Vulnerability Management:
• Centralized Vulnerability Tracking: Provides a centralized dashboard to track and manage vulnerabilities across applications.
• Prioritization and Remediation Guidance: Helps prioritize vulnerabilities based on their severity and provides clear remediation guidance for developers.
• Remediation Tracking: Monitors remediation progress and ensures vulnerabilities are fixed effectively.

Compliance:
• Compliance Reporting: Generates reports to demonstrate compliance with industry standards like PCI DSS, HIPAA, and GDPR.
• Compliance Frameworks: Supports various compliance frameworks to streamline compliance processes.

Additional Features:
• Threat Intelligence: Leverages threat intelligence to identify and prioritize emerging threats.
• Security Education and Training: Offers security training resources for developers and security teams.
• Application Security Risk Management: Provides a holistic view of application security risks across the organization.
• Customizable Dashboards: Allows users to create custom dashboards and reports to visualize security data in a way that suits their needs.
• Scalability: Can be scaled to meet the needs of organizations of all sizes.

Veracode continuously updates its features and capabilities to address evolving security
threats and industry requirements.
Components:
1. Veracode Platform: The central hub that orchestrates all security analyses and manages data. It includes:
   1. Scanners: Engines for different analysis types like SAST, DAST, and SCA.
   2. Database: Stores information on applications, vulnerabilities, and analysis results.
   3. Workflow Engine: Automates workflows for scanning, reporting, and remediation.
   4. User Interface: Provides access to tools, reports, and security insights.
2. Integrations: Veracode connects seamlessly with various developer tools and platforms like IDEs, CI/CD pipelines, and issue trackers.
3. Applications: Organizations upload their software code, web applications, or dependencies for analysis.
4. Analysis Tools: Different tools handle specific tasks:
   1. SAST: Scans source code for vulnerabilities in programming languages like Java, Python, and C++.
   2. DAST: Simulates real-world attacks on running applications to detect exploitable weaknesses.
   3. SCA: Analyzes dependencies to identify known vulnerabilities and licensing issues.
5. Vulnerability Management: After analysis, vulnerabilities are identified and classified based on severity and risk. Veracode offers features like:
   • Prioritization: Ranking vulnerabilities based on potential impact and exploitability.
   • Remediation guidance: Providing developers with clear steps to fix vulnerabilities.
   • Tracking and reporting: Monitoring progress towards resolving vulnerabilities.
Benefits of Veracode’s Architecture:
• Cloud-based: Accessible from anywhere with an internet connection and scales easily.
• Integrated: Seamlessly connects with development workflows for efficiency.
• Automated: Automates scans, reporting, and remediation tasks for faster execution.
• Comprehensive: Offers a range of analysis tools and vulnerability management features.
• Secure: Data is encrypted at rest and in transit.
Veracode provides a comprehensive and well-designed architecture for managing
application security throughout the development lifecycle.

How to Install Veracode?

Veracode is a cloud-based platform, so you don’t install it locally like traditional software.
Here’s the general process to get started:

1. Sign up for a Veracode account:
   1. Visit the Veracode official website and create a trial or paid account.
   2. Provide basic information about your organization and contact details.
2. Access the Veracode Platform:
   1. Once your account is created, you’ll receive login credentials.
   2. Use those credentials to access the Veracode Platform through a web browser.
3. Integrate with Development Tools (Optional):
   1. If you want to integrate Veracode with your development tools or CI/CD pipeline, follow the specific instructions provided by Veracode.
   2. This involves setting up plugins or integration points for your chosen tools.
4. Upload Applications:
   1. To start scanning your applications, you’ll need to upload them to the Veracode Platform.
   2. You can upload source code, binaries, or deployable packages, depending on the types of analysis you want to perform.
5. Configure Scans:
   1. Set up the desired security scans for your applications, such as SAST, DAST, or SCA.
   2. Choose appropriate scanning options and configurations based on your needs and risk tolerance.
6. Initiate Scans:
   1. Once applications and scans are configured, you can initiate the scanning process.
   2. Veracode will analyze your applications and identify potential vulnerabilities.
7. Review Results:
   1. Access the Veracode dashboard to view scan results, including identified vulnerabilities, their severity, and remediation guidance.
   2. Prioritize vulnerabilities based on their risk and work on fixing them.

Basic Tutorials of Veracode: Getting Started

1. Create a Free Trial Account:
   • Visit the Veracode official website and click on “Free Trial.”
   • Fill out the registration form with your basic information and desired plan.
   • Verify your email address and follow the onboarding steps to access the Veracode platform.

2. Upload Your Web Application:
   • Click on the “Scan” tab in the dashboard.
   • Choose the “Scan a URL” option.
   • Enter the public URL of your web application (demo or test site).
   • Check the application details and press “Start Scan.”

3. Configure the DAST Scan (Dynamic Application Security Testing):
   • Choose the “Dynamic Scan” analysis type.
   • Adjust any settings if needed:
      o Scan Depth: Decide how thoroughly you want Veracode to explore your application.
      o Scan Duration: Limit the scan time if required.
      o Crawler Paths: Specify specific URLs or pages to focus on.
   • You can leave most settings at default for the initial scan.

4. Initiate the Scan and Monitor Progress:
   • Click “Start Scan” to begin the DAST analysis.
   • Monitor the progress in the dashboard. This might take a few minutes depending on your application size.
   • You can access additional information like crawl progress and resource utilization during the scan.

5. Review the DAST Results:
   • Once the scan finishes, access the “Results” tab.
   • You’ll see a summary of identified vulnerabilities, categorized by severity and potential impact.
   • Click on each vulnerability to learn more about its details, exploitability, and recommended remediation steps.
   • Download the full report for further analysis and sharing with your development team.

6. Explore Remediation Guidance:
   • Each vulnerability report will provide clear steps to fix it.
   • Veracode may offer suggestions like code changes, configuration adjustments, or security best practices.

7. Next Steps:
   • Implement the remediation steps for identified vulnerabilities in your web application.
   • You can re-scan your application after fixes to verify successful remediation.
   • Explore other Veracode features like SAST for deeper code analysis, SCA for third-party library checks, or integrate with your development tools for continuous security.

Scan for VS Code | Veracode Docs

Veracode Scan for VS Code is an extension for the VS Code IDE that integrates Static
Application Security Testing (SAST), Software Composition Analysis (SCA), and Veracode
Fix into your Software Development Lifecycle (SDLC).

From within your IDE, you can:

• Run a Static Analysis of your project to detect flaws in your code and use the provided remediation guidance to resolve them.
• Use Veracode Fix to remediate flaws by applying suggested fixes.
• Perform SCA agent-based scans to detect vulnerabilities in open-source libraries and the risk level of third-party licenses.

Scan results are only available in the IDE. They are not available in the Veracode
Platform.

About application packaging

Before the extension runs a Static Analysis of your application, it uses an auto-packager to automatically package the code into a supported artifact, such as ZIP or EXE. If the packager is not able to package your application, or you prefer to create the artifact yourself, you can use the Veracode packaging guidance to package your application manually. This option does not apply to SCA scans.

By default, the extension expects the manually packaged artifact to be in $PROJECT_ROOT/.verascan. When you start the scan, the extension first looks for an artifact in the default location. To store your artifact in a different location, where the extension will look next, configure the setting veracode-scan.SAST Features.artifactGlob.
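As an added example that is not Veracode's own code or part of its docs, the script below stages a manually packaged artifact in the default $PROJECT_ROOT/.verascan location described above and refuses to produce one larger than the 200 MB limit listed in the SAST prerequisites; the app.zip file name and the set of excluded directories are assumptions.

```python
from pathlib import Path
import zipfile

# 200 MB total file size limit stated in the SAST prerequisites.
MAX_ARTIFACT_BYTES = 200 * 1024 * 1024

# Dependency and build-output directories left out of the artifact so that
# first-party source dominates its size (assumed list, not from the docs).
EXCLUDED_DIRS = {".git", ".verascan", "node_modules", "target", "build", "dist"}


def package_for_verascan(project_root: str, name: str = "app.zip",
                         max_bytes: int = MAX_ARTIFACT_BYTES) -> Path:
    """Zip the project tree into <project_root>/.verascan/<name> and return the path.

    .verascan is the default location the extension checks first for a
    manually packaged artifact. Raises ValueError (and removes the file) if
    the artifact exceeds max_bytes, so a scan that would be rejected for
    size is never started.
    """
    root = Path(project_root).resolve()
    out_dir = root / ".verascan"
    out_dir.mkdir(exist_ok=True)
    artifact = out_dir / name
    with zipfile.ZipFile(artifact, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(root.rglob("*")):
            rel = path.relative_to(root)
            # Skip directory entries themselves and anything under an excluded one.
            if path.is_dir() or EXCLUDED_DIRS.intersection(rel.parts):
                continue
            zf.write(path, rel.as_posix())
    size = artifact.stat().st_size
    if size > max_bytes:
        artifact.unlink()
        raise ValueError(f"artifact is {size} bytes, over the {max_bytes} byte limit")
    return artifact


def artifact_members(artifact: Path) -> list[str]:
    """Return the file names inside the artifact, to confirm exclusions worked."""
    with zipfile.ZipFile(artifact) as zf:
        return sorted(zf.namelist())
```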

Prerequisites

Before you can install and use Veracode Scan for VS Code, you must have:

• A supported version of VS Code and a source project of a supported language or framework. Monorepos are not supported.
• Stored your API credentials in an API credentials file. The extension uses these credentials to authenticate with Veracode.
• If you use a proxy to access Veracode, ensure you have configured a proxy in VS Code. You cannot configure a proxy in the Veracode extension. For more information, see the VS Code documentation.
• To view and apply suggested fixes for flaws, you must have a Veracode Fix license and a supported code language.

The prerequisites for each scan type are listed below.

1. SAST

To run Static Analysis scans and view flaws, you must have:

   o An active Static Analysis license.
   o One of the following Veracode accounts:
      ▪ A human user account with the Security Lead, Creator, or Submitter user role.
      ▪ An API service account with the Upload and Scan API or Upload API - Submit Only API role.
   o To use the auto-packager, you must have one of the following package managers:
      ▪ Java: Maven or Gradle.
      ▪ JavaScript: NPM or Yarn.
   o Ensured your application builds successfully. If your project files change between scans, rebuild your project and ensure it builds successfully.
   o Ensured the artifact you want to scan does not exceed the total file size limit of 200 MB.
   o Enabled one-way communication on port 443.

2. SCA

To run SCA scans and view vulnerabilities, you must have:

   • An active Veracode SCA subscription.
   • A human user account with the Security Lead, Workspace Administrator, Workspace Editor, or Submitter role. API service accounts are not supported.
   • The SCA workspace My Workspace with an available project slot. The extension can only use My Workspace.
   • Activated the Unified Policy for your account. You use this policy to assign an SCA security policy to your project. To activate the Unified Policy, contact Veracode Technical Support. You can only assign policies that contain the Findings by Severity or Vulnerability CVSS Score rule types.
   • Added your project to a Git-based repository, or configured a source code management (SCM) environment variable, such as SRCCLR_NO_GIT=1.
   • Installed a supported package manager.
   • If your open-source libraries are stored in an internal repository that rejects traffic from your proxy, contact Veracode Technical Support.
