Veracode enhances application testing service to introduce download of vulnerability identification

Veracode has enhanced its SecurityReview web application testing service to allow developers to upload applications automatically.

The improvements also allow developers to download line-of-code specific vulnerability identification and remediation instructions directly to defect tracking systems and integrated development environments (IDEs). 

Veracode SecurityReview now features a number of new APIs and reference integrations that support security testing in popular Java, .Net, C/C++, ColdFusion and PHP development environments.

Developers upload the executable (not the source) or provide the URL to Veracode's cloud-based platform at points of their choosing in the development lifecycle, for automated static binary and dynamic web application security testing.

Depending on the size and complexity of the application, developers then receive line-of-code specific vulnerability identification and remediation instructions that, according to Veracode, are often 100 per cent lower in false positives than on-premise source code tools. These results may be integrated into defect tracking systems and IDEs using SecurityReview's results APIs and XML-formatted output.

Jon Stevenson, senior vice president of technology and service operations at Veracode, said: “Until now, developers responsible for incorporating security testing into their development lifecycles have had two options – on-premise tools with high false positive rates, or manual third-party penetration testing that can be time consuming and costly.

“With this announcement, we are truly offering developers the best of all worlds – the integration advantages that on-premise tools have sometimes delivered plus the benefits of an expert security partner. Veracode is changing the game for software development, destroying the myth that improving the security of every application is prohibitively slow, complicated and expensive.”

Nigel Stanley, practice leader at Bloor Research, said: “By integrating cloud-based testing capabilities directly into tools that are part of a developer's everyday life, Veracode is really completing the ‘last mile’ needed to deliver the advantages of both static and dynamic cloud-based security testing into the on-premise development climate.

“It's one of the few really useful examples of the cloud that I have seen and the potential is clear – more secure code for substantially less developer effort.”
