Open source libraries allow developers to meet the demands of today's accelerated development times. However, they are also becoming the most popular attack vector. With Veracode Software Composition Analysis (SCA), teams can take advantage of open source libraries without increasing risk.
Veracode SCA scans open source dependencies for known vulnerabilities and recommends which library versions to update to.
Veracode SCA builds a call graph to identify which methods in the open source libraries are being used. By prioritizing vulnerabilities that lie in the execution path, companies reduce remediation time by up to 90 percent.
Many open source libraries depend on other libraries. Veracode SCA finds vulnerabilities not only in direct dependencies but also several layers deep.
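As an added illustration of the reachability idea in the two points above (this is not Veracode's code; the packages, call graph, advisory ids and versions are constructed), a small Python model walks the transitive dependency tree and a method-level call graph, then separates vulnerable library methods that lie on the application's execution path from those that are merely present:

```python
from collections import deque

# Constructed data (not real packages or advisories): dependency edges, three layers deep.
DEPENDENCIES = {
    "app": ["web-framework", "json-utils"],
    "web-framework": ["http-core", "template-engine"],
    "http-core": ["compress-lib"],
}
# Method-level call graph, "package:function" -> callees (constructed).
CALL_GRAPH = {
    "app:main": ["web-framework:serve", "json-utils:dumps"],
    "web-framework:serve": ["http-core:read_request"],
    "http-core:read_request": ["compress-lib:inflate"],
}
# Known-vulnerable methods -> (placeholder advisory id, first fixed version).
VULNERABLE = {
    "compress-lib:inflate": ("ADVISORY-0001", "2.1.4"),
    "compress-lib:legacy_inflate": ("ADVISORY-0002", "2.1.4"),
    "template-engine:render": ("ADVISORY-0003", "1.8.0"),
}

def dependency_depth(root, deps):
    """BFS over dependency edges; returns {package: depth}, 1 = direct dependency."""
    depth, queue = {}, deque((d, 1) for d in deps.get(root, []))
    while queue:
        pkg, lvl = queue.popleft()
        if pkg not in depth:
            depth[pkg] = lvl
            queue.extend((d, lvl + 1) for d in deps.get(pkg, []))
    return depth

def reachable_methods(entry, call_graph):
    """All methods on some execution path from the entry point (DFS)."""
    seen, stack = set(), [entry]
    while stack:
        m = stack.pop()
        if m not in seen:
            seen.add(m)
            stack.extend(call_graph.get(m, []))
    return seen

def prioritize(entry="app:main"):
    """Split vulnerable methods into (on execution path, not on path); record = (method, advisory, fixed, depth)."""
    depth = dependency_depth(entry.split(":")[0], DEPENDENCIES)
    reached = reachable_methods(entry, CALL_GRAPH)
    in_path, not_in_path = [], []
    for method, (advisory, fixed) in sorted(VULNERABLE.items()):
        rec = (method, advisory, fixed, depth.get(method.split(":")[0]))
        (in_path if method in reached else not_in_path).append(rec)
    return in_path, not_in_path
```

The first list returned by `prioritize()` is what to fix first; the second still deserves an upgrade but is not exploitable through the paths this application actually executes.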
Veracode Static Analysis provides fast, automated security feedback in the IDE and the pipeline, and conducts a full policy scan before deployment. It then provides clear guidance on what issues to focus on and how to fix them faster.
As developers are writing code, the IDE Scan provides focused, real-time security feedback. It also helps developers remediate faster and learn on the job through positive reinforcement, remediation guidance, code examples, and links to Veracode AppSec Tutorials.
The Pipeline Scan runs on every build and provides security feedback on the code at the team level, with a median scan time of 90 seconds and the ability to break the build if new security issues are found.
Teams can integrate Veracode into their tooling with more than 30 out-of-the-box integrations, plus APIs and code samples to support continuous scanning in any environment.