Application Security Testing is a required element of key federal mandates, as outlined in the White House Cybersecurity Executive Order 14028, section 4e, which states that the security of software used by the Federal Government's ability to perform its critical functions, and there is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.

According to the NIST Secure Software Development Framework (SSDF), secure software development practices should be integrated throughout software life cycles for three reasons: 1) to reduce the number of vulnerabilities in released software, 2) to reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and 3) to address the root causes of vulnerabilities to prevent recurrences.

Acting to ensure that the above guidance is met, the Office of Management and Budget includes Application Security Testing as a vital component in Memo M-22-09, 'Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,' which stipulates that federal agencies must achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024 (September 30, 2024).

Veracode can assist federal agencies to comply with the above guidance and mandates through provision of the following product and service offerings:

Veracode Static Analysis: Secure Software as you write it You need a holistic, scalable way to reduce security risk, align teams, and enable developers. Veracode Static Analysis provides fast, automated feedback to your developers in the IDE and CI/CD pipeline, conducts a full Policy Scan before deployment, and gives clear guidance on how to find, prioritize, and fix issues fast and accurately, with a <1.1% false positive rate.

Veracode Dynamic Analysis: Secure Software in the Runtime Environment. According to the 2020 Verizon Data Breach Investigations Report, web applications were the source of 43% of breaches, more than double that in 2019.

Veracode Dynamic Analysis scans runtime applications, providing the scale necessary to audit hundreds of target applications simultaneously, including APIs (Application Programming Interface.) Used in conjunction with Static and Software Composition Analysis, Veracode Dynamic Analysis complements a shift-left approach to application security by verifying in production that vulnerabilities were addressed or mitigated before application release.

Veracode Software Composition Analysis: Secure the Software Supply Chain.

With third-party components, including open-source libraries, making up as much as 80% of an applications codebase, it is critical to scan those libraries for vulnerabilities to reduce the introduction of risk into your apps. The recent log4j vulnerability only served to emphasize the importance of scanning and securing open-source libraries.

Veracode software Composition Analysis (SCA) identifies risks from open-source libraries early so you can reduce unplanned work, covering both security and license risk. SCA helps Engineering keep roadmaps on track, Security achieves regulatory compliance (SBOM), and the Business makes smart decisions.

Veracode SCA protects your applications from open-source risk by identifying known vulnerabilities in open-source libraries used by your applications. In addition to providing a list of vulnerabilities when your application is scanned, Veracode SCA can also alert you when new vulnerabilities are discovered after your application has been scanned or when existing known vulnerabilities have had their severity level upgraded. Integrated with CI (Continuous Integration) systems, you can fail your build based on vulnerabilities discovered as well as any components that your security team has blocked. As part of the Veracode Platform, Veracode SCA provides a unified experience to display all your security testing results in one place.

Security Labs: Enable developers.

Data from the 12th edition of Veracode's State of the Software Security shows that developers who complete at least one training course from Veracode Security Labs fix security flaws over 35% faster than those who have not. With security absent from most Computer Science programs it is critical to give your development team a leg up both on the competition and on bad actors.

Veracode Security Labs shifts software security knowledge left, giving you hands-on training to confidently tackle modern threats by exploiting and patching real code, and applying developer principles to deliver secure code on time.