Joost de Jong, January 2017
Veracode Introduction
The world is under attack from cybercrime and nation states
The analyst view: Gartner

Description: Veracode is a U.S.-based, well-established and rapidly growing provider of SAST and DAST cloud services, software supply chain testing and mobile AST. For SAST, Veracode has been a pioneer in the analysis of binary code, not requiring the source code for testing. Its 2012 acquisition of Marvin Mobile Security accelerated its mobile AST capabilities, where it was also an early innovator. In 2014, Veracode added integrated software composition analysis (SCA) capabilities to its AST services for the identification of vulnerable open source components. Veracode's AST services will meet the requirements of organizations looking for a broad set of AST services (SAST, DAST and mobile AST) that want to delegate their AST and SCA to a third-party expert with a strong reputation for the quality of its services and demonstrated innovation in application security.
Applications are insecure

40% of breaches are through web applications
61% of apps do not pass the OWASP Top 10 on first assessment
97% of Java applications contain a known vulnerability in a third-party component

Sources: Verizon Data Breach Investigations Report 2016; Veracode State of Software Security 2016
And companies aren't equipped to address it

0 of the top 10 computer science universities require students to take a cybersecurity class for their degree in computer science
11% of developers could correctly answer what helps to protect against cross-site scripting in a recent survey by Denim Group
4:3 is the ratio of InfoSec professionals to InfoSec jobs on LinkedIn

Sources: Dark Reading; Denim Group
The Questions We Hear From Customers

How Can We…
+ Build and deploy applications faster while reducing business risk?
+ Reduce our risk even as we build, buy and integrate more software than ever?
+ Defend applications in production while traditional security erodes in effectiveness?
+ Spend our security budget most efficiently so we can focus more on adding business value?
+ Shorten time to value for the investments we make?
+ Improve capabilities without new hiring for hard-to-find skillsets?
A Lifecycle Approach Reduces Cost, Risk

[Chart: Cost to Remediate (y-axis, from $ to $$) plotted across the Application Lifecycle (x-axis: Develop, QA, Operate, Exploit); the $15.4 million figure (*Verizon Breach Report, 2015) is placed at the Exploit end of the curve]
Application Security Transforms to Meet These Needs

[Diagram: across the Application Lifecycle (Develop, QA, Operate), application security rests on a Unified Platform and a Strong Ecosystem, with the attributes Speed, Productivity, Seamlessness, Accuracy, Stability, Integration, Actionability and Coverage]
Automate & Integrate Throughout App Lifecycle

Pipeline stages: Code, Commit, Build, Test, Release, Deploy, Operate (grouped as Build or Buy / Test / Operate)

Veracode Greenlight
Veracode Static Analysis
Veracode Web Application Scanning
Veracode Runtime Protection
Veracode Software Composition Analysis
Veracode APIs for Custom Integrations (IDEs, GRCs, SIEMs, WAFs, Bug Tracking, CI/CD Systems, Build Tools)

DevOps / CI/CD / Agile
Security Assurance: Continuous Testing & Integration; Continuous Scanning & Protection
Covering Your Entire SDLC

SDLC phases: Develop, Test, Operate

Automation:
Veracode Greenlight
Veracode Static Analysis
Veracode Software Composition Analysis
Veracode DAST
Veracode Web Application Perimeter Monitoring
Veracode Runtime Protection

Services:
Veracode eLearning
VC/Partner Manual Penetration Testing
VC/Partner Mitigation Proposal Review
VC/Partner Vendor Application Security Testing
Veracode Support Services
VC/Partner Program Management
VC/Partner Remediation Advisory Services
How we're different

END-TO-END: Single central platform
+ Central policies & metrics for consistent controls across global BUs & dev teams
+ Best solution for reducing software supply chain risk
+ Easiest way to embed appsec across dev, security, ops
+ Broad coverage via multiple techniques (SAST, DAST, behavioral, web perimeter & SCA) across web, mobile and legacy apps

BUILT FOR SCALE: Cloud-based automation
+ Shortest time to risk reduction at scale
+ Purpose-built as an automated cloud-based service
+ Platform is continuously learning to address new threats & reduce false positives
+ Fast turnaround & tight integration with agile development workflows via APIs

SYSTEMATIC: Reduced enterprise risk
+ Transform de-centralized processes into structured governance programs
+ Security development experts to help fix security issues
+ Best practices learned from securing the world's largest global enterprises
+ Single point of accountability & focus on successful outcomes
MARKET LANDSCAPE
The analyst view: 451 Group

451 Research Vendor Window: Dynamic/Static Application Security Tools (DAST/SAST)
Source: 451 Research, Voice of the Enterprise: Information Security, Q3 2015

[Chart: vendors plotted by Promise (x-axis, 60 to 85) against Fulfillment (y-axis, 60 to 85); circle size reflects market adoption. Quadrants: Low Promise, High Fulfillment; High Promise, High Fulfillment; Low Promise, Low Fulfillment; High Promise, Low Fulfillment. Plotted: Veracode Application Security Software, WhiteHat Security Sentinel, Tenable Nessus, Qualys Web Application Scanning (WAS), HP Fortify, IBM Application Security, Open Source Solution, Other Vendors]

The Vendor Window plots enterprise adoption as well as Promise and Fulfillment Indices that compare a measure of perceptions of a vendor's promise prior to actual product/service delivery with a measure of execution effectiveness. It is based on large sample surveys of existing customers that are currently using each vendor's product. A vendor located in the upper right quadrant — under-promising and over-delivering — is rated highly for both its promise and ability to fulfill relative to its peers. Conversely, a vendor in the lower left quadrant rates lower than its peers on the same criteria. The Vendor Promise Index is designed as a measure of perceptions of a vendor's promise prior to actual product/service delivery and use. The Vendor Fulfillment Index is designed as a measure of execution effectiveness criteria which are related to the physical product/service delivery and customer experience of using the product or service. The intersecting lines indicate the average vendor score.

Sample sizes: Veracode Application Security Software, n=14; WhiteHat Security Sentinel, n=11; Qualys Web Application Scanning (WAS), n=16; Tenable Nessus, n=32; IBM Application Security, n=34; HP Fortify, n=31; Open Source Solution (OpenVAS, Burp Suite, etc.), n=29; Other Vendors, n=35; Total Respondents, n=202.

Vendor                                              Promise Score   Fulfillment Score
Average                                             73              72
Veracode Application Security Software              80              77
WhiteHat Security Sentinel                          73              75
Qualys Web Application Scanning (WAS)               72              73
Tenable Nessus                                      72              73
IBM Application Security                            73              69
HP Fortify                                          72              69
Open Source Solution (OpenVAS, Burp Suite, etc.)    65              67
Other Vendors                                       77              77

Non-listed vendors: Checkmarx CxSAST; Rapid7 AppSpider; Trustwave App Scanner Family (formerly Cenzic)
THANK YOU