Burlington, Mass. — June 6, 2016 — Veracode, a leader in securing the world’s software, today announced new products and innovations that help extend application security across the entire software development lifecycle. Today’s announcements highlight new ways in which Veracode helps developers and security teams wrestle with some of their greatest challenges, namely protecting applications in operation without sacrificing time to market, and making secure coding practices a more seamless and positive part of the software development process. They are part of Veracode’s strategy to transform application security to increase its speed and effectiveness in the face of changing software development processes and the explosion of software development across all industries.
Detect and block attacks against applications in real-time
According to Verizon’s most recent Data Breach Report[1], 40 percent of breaches are tied to web applications. Veracode’s own analysis of thousands of enterprise applications revealed that on initial scans more than half contained cross-site scripting vulnerabilities and more than a third were susceptible to SQL injection attacks[2].
Veracode Runtime Protection is a Runtime Application Self-Protection (RASP) technology deployed as an agent to help detect these common attacks, preventing the return of sensitive data to attackers, and providing insight into the attack for security operations teams. Because Veracode Runtime Protection incorporates visibility into key characteristics - such as application logic, event and data flow, and executed instructions - it provides greater effectiveness than Web Application Firewalls, reducing false positives and preventing unauthorized access to sensitive information.
It is simple to install and can be deployed in minutes with a one-line change to the application server settings. It also does not require the level of ongoing maintenance required to get value from Web Application Firewalls. Veracode Runtime Protection gives security operations personnel much-needed insight into application behavior and attack patterns at the application level.
Besides shielding production applications from attacks, Veracode Runtime Protection - in conjunction with Veracode’s WAS dynamic applications security testing service - will be used for application security testing, assuring unmatched accuracy of vulnerability detection at the pre-production phase. With this announcement, Veracode begins to offer the most complete set of security technologies in the market, including: Veracode Static Analysis, Veracode Software Composition Analysis, Veracode’s web application security products, and the newly announced Veracode Runtime Protection for RASP and IAST (Interactive Application Security Testing).
Provide positive reinforcement where developers took active measures to increase security
Veracode’s newly-patented, automated coaching methodology provides positive feedback to developers on good security practices as part of the coding process, helping them create better code ‘on the fly’. The motivation for this approach is based on the desire to make secure code creation a positive and integral part of software development, where developers see not only security defects to be remediated, but also have the ability to recognize and repeat good secure coding practices.
“Major changes in how software is being developed, coupled with the increased value and risk associated with the software that powers every aspect of our lives, demand a transformation in how application security is done,” said Sam King, Veracode’s Chief Strategy Officer. “Application security has to become a seamless part of how software is developed in the first place to support the move to DevOps and Continuous Integration processes. It also has to extend all the way to protect applications as they are running. We’re moving forward on both of those paths and today’s announcements are evidence of that strategy in action.”
“Products such as Veracode Runtime Protection, as part of a complete lifecycle approach to application security, give security teams and developers new tools to manage risk and speed,” said Joseph Feiman, Chief Innovation Officer for Veracode and former Gartner analyst for Application Security. “We are broadening the choices security teams and developers have for eliminating vulnerabilities as early as possible in the development process, and deploying compensating controls where necessary.”
Veracode Runtime Protection is being announced for early-access customers immediately. The patented in-line coaching methodology will be incorporated into Veracode products to help developers improve code security through positive reinforcement of good coding practices.
[1] 2016 Verizon Data Breach Investigations Report
[2] Veracode State of Software Security Report and follow-on research, 2015