Veracode - Inglês
Download as PPTX, PDF2 likes999 views
Veracode is a well-established US-based provider of application security testing (AST) services including static application security testing (SAST), dynamic application security testing (DAST), mobile AST, and software composition analysis (SCA). Veracode offers a broad set of AST services to help organizations build and deploy applications faster while reducing business risk. The company pioneered binary code analysis and was an early innovator in mobile AST and SCA. Veracode aims to help customers reduce risk across their entire software development lifecycle through its unified cloud-based platform and services.
Veracode - Inglês
- 1. Joost de Jong January, 2017 Veracode Introduction
- 2. 2 The world is under attack from cybercrime and nation states
- 3. 3 Description Veracode is a U.S.-based, well-established and rapidly growing provider of SAST and DAST cloud services, software supply chain testing and mobile AST. For SAST, Veracode has been a pioneer in the analysis of binary code, not requiring the source code for testing. Its 2012 acquisition of Marvin security accelerated its mobile AST capabilities where it was also an early innovator. In 2014, Veracode added integrated software composition analysis capabilities into its AST services for the identification of vulnerable open source components. Veracode's AST services will meet the requirements of organizations looking for a broad set of AST services — SAST, DAST and mobile AST — that want to delegate their AST and SCA to a third-party expert with a strong reputation for the quality of its services and demonstrated innovation in application security. The analyst view: Gartner
- 4. of breaches are through by web applications Applications are insecure 40% 61% of apps do not pass OWASP top 10 on first assessment of Java applications contain a known vulnerability in a third party component 97% Sources:: Verizon Data Breech and Incident Report 2016 Veracode State of Software Security 2016
- 5. And companies aren’t equipped to address it of the top 10 computer science universities require students to take a cybersecurity class for their degree in computer science 0 of developers could correctly answer what helps to protect against cross-site scripting in a recent survey by Denim Group 11% is the ratio of InfoSec professionals to InfoSec jobs on LinkedIn 4:3 Sources:: Dark Reading Denim Group
- 6. The Questions We Hear From Customers How Can We… Build and deploy applications faster while reducing business risk? Reduce our risk even as we build, buy and integrate more software than ever? Defend applications in production while traditional security erodes in effectiveness? Spend our security budget most efficiently so we can focus more on adding business value? Shorten time to value for the investments we make? Improve capabilities without new hiring for hard-to-find skillsets?
- 7. A Lifecycle Approach Reduces Cost, Risk $15.4 million *Verizon Breach Report, 2015 $ $ $ Application Lifecycle
- 8. Application Lifecycle Application Security Transforms to Meet These Needs Unified Platform Strong Ecosystem Speed Productivity Seamlessness Accuracy Stability Integration Develop QA Speed Actionability Coverage Operate
- 9. Automate & Integrate Throughout App Lifecycle Code Commit Build Test Release Deploy Operate Veracode Greenlight Veracode Static Analysis Veracode Web Application Scanning Veracode Runtime Protection Veracode Software Composition Analysis Veracode APIs for Custom Integrations IDEs GRCs SIEMs WAFs Build or Buy Test Operate Bug TrackingCI/CD SystemsBuild Tools DevOpsCI/CDAgile Security AssuranceContinuous Testing & Integration Continuous Scanning & Protection
- 10. Covering Your Entire SDLC SDLC Veracode Runtime Protection Veracode eLearning Green Light Veracode Static Analysis Veracode Software Composition Analysis Veracode DAST VC/Partner Manual Penetration Testing Veracode Web Application Perimeter Monitoring VC/Partner Mitigation Proposal Review VC/Partner Vendor Application Security Testing Veracode Support Services VC/Partner Program Management VC/Partner Remediation Advisory Services Automation Services
- 11. 12 END-TO-END Single central platform + Central policies & metrics for consistent controls across global BUs & dev teams + Best solution for reducing software supply chain risk + Easiest way to embed appsec across dev, security,ops + Broad coverage via multiple techniques (SAST, DAST, behavioral, web perimeter & SCA) across web, mobile and legacy apps BUILT FOR SCALE + Shortest time to risk reduction at scale + Purpose-built as automated cloud-based service + Platform is continuously learning to address new threats & reduce false positives + Fast turnaround & tight integration with agile development workflows via APis SYSTEMATIC Reduced enterprise risk + Transform de-centralized processes into structured governance programs + Security development experts to help fix security issues + Best practices learned from securing the world’s largest global enterprises + Single point of accountability & focus on successful outcomes How we’re different Cloud-based automation
- 13. 14 The analyst view: 451 Group • 14 • Source: 451 Research, Voice of the Enterprise: Information Security, Q3 2015 Veracode Application Security Software WhiteHat Security Sentinel Tenable Nessus Qualys Web Application Scanning (WAS) HP Fortify IBM Application Security Open Source Solution Other Vendors 60 65 70 75 80 85 60 65 70 75 80 85 Fulfillment Promise Circle Size Reflects Market Adoption 451 Research Vendor Window Dynamic/Static Application Security Tools (DAST/SAST) The Vendor Window plots enterprise adoption as well as Promise and Fulfillment Indices that compare a measure of perceptions of vendor’s promise prior to actual product/service delivery with a measure of execution effectiveness. It is based on large sample surveys of existing customers that are currently using each vendors’ product. A vendor located in the upper right quadrant — under-promising and over-delivering — is rated highly for both its promise and ability to fulfill relative to its peers. Conversely, a vendor in the lower left quadrant rates lower than its peers on the same criteria. The Vendor Promise Index is designed as a measure of perceptions of vendor’s promise prior to actual product/service delivery and use. The Vendor Fulfillment Index is designed as a measure of execution effectiveness criteria which are related to the physical product/service delivery and customer experience of using the product or service. The intersecting lines indicate the average vendor score. Source: 451 Research, Voice of the Enterprise: Information Security, Q3 2015 Veracode Application Security Software, n=14; Whitehat Security Sentinel, n=11; Qualys Web Application Scanning (WAS), n=16; Tenable Nessus, n=32; IBM Application Security, n=34; HP Fortify, n=31; Open Source Solution (OpenVAS, Burp Suite, etc.), n=29; Other Vendors, n=35; Total Respondents, n=202. Vendor Promise Score Fulfillment Score Average 73 72 Veracode Application Security Software 80 77 WhiteHat Security Sentinel 73 75 Qualys Web Application Scanning (WAS) 72 73 Tenable Nessus 72 73 IBM Application Security 73 69 HP Fortify 72 69 Open Source Solution (OpenVAS, Burp Suite, etc.) 65 67 Other Vendors 77 77 Low Promise, High Fulfillment High Promise, High Fulfillment Low Promise, Low Fulfillment High Promise, Low Fulfillment Non-listed Vendors: Checkmarx CxSAST Rapid7 AppSpider Trustwave App Scanner Family (formerly Cenzic)
- 14. THANK YOU