According to Consultant Solution Architect at Veracode, Colin Domoney, application security company secures the software that “powers your world” – no matter if you are a developer software testing, writing a new application, a business owner with a portfolio of apps, or a CISO responsible for a major enterprise – “Veracode has a solution to help you produce, build and operate securely”.
“We inspect the source code, how it’s built, then what goes through applications through white-box testing; a method of testing software that tests internal structures or workings, instead of functionality (black-box testing),” says Domoney.
“White-box testing is an inside-out view of looking into the internals of an application. We also offer software composition analysis which creates an inventory of open source and 3rd party components used in applications. Whilst the use of such components increases the speed of software delivery the problem with these components is that they may contain flaws.”
As well as white-box testing, Veracode uses dynamic analysis (a type of black-box testing), which can be applied virtually to every level of software testing (unit, integration, system and acceptance); a method that examines the functionality of an application without peering into its internal structures or workings.
“Dynamic analysis is black-box testing, but instead operates an application the way an attacker would – the complete opposite of white-box testing,” continues Domoney.
Veracode’s primary product is static analysis, both at an application level and individual file level with its new Greenlight products.
“Greenlight testing is useful. If you are testing an application it can take a long time to test. We want to encourage testers to test quickly. It gives you instant testing directly, with instant results,” advises Domoney.
Different developers, of course, have different approaches towards testing. Since the 1950s, programmers knew it was better to start testing earlier, which is when ‘shift-left’ testing began, according to smart bear. Despite this, application security was a “latecomer” to this way of testing.
Traditionally, security testing has been a manually driven process such as ‘pen tests’. The remediation cycles associated with such tests would be measured in weeks or months due to the review and triage processes required.
“Security testing is normally a manual process. You create a statement of work and then sign a contract. It can take days, weeks or months to test software. People have expectations that it is going to be a long-running process (usually around three weeks). It doesn’t fit well in the “left-shift” development side. We try to reposition the way people think, and what is capable, but it doesn’t always work like that,” reveals Domoney.
Veracode has to address three perceptions around the way they do testing: that security testing is difficult to use (they do this by integrating and automating with ease), that security tests are full of false positives (they have a demonstrably low false positive rate) and that security testing takes a long time (their scan times have reduced dramatically).
“Three of the main problem switching to the ‘DevOps way of doing things’ was security testing – testing tools are difficult to use; tests take longer, run slowly, and are full of false positives,” admits Domoney
“At Veracode, the changes we had to make to adapt was to create easy products user-friendly. We had to make sure we integrated well with environment developers. The false-positive problem means that testing a piece of code can create extra pieces of work; although our scan times have reduced dramatically to 15 minutes or less since the DevOps transition –a massive turnaround from three years ago.”
Domoney unveils a couple of trends to note: the change in the way developers are building applications is changing dramatically. Domoney clarified: “We’re seeing the breakdown of the monolith and a tremendous adoption of microservices, container technology and of course a move to the cloud.”
This has meant that developers want to test ever increasingly smaller chunks of code, as well as test more and more frequently. The large-scale adoption of automation (driven largely by the adoption of DevOps).
Domoney adds” “Traditionally, people used to use a self-contained single-tiered software application, which combined user interface and data access code in a single programme from a single platform.
“The way people build applications is changing. At first, testers would use the monolith application, which is hard to change without the whole thing crashing down. Organisations need to be more adaptive and responsive, which is challenging from a security point-of-view, because of the changes. The adoption of Docker is also getting used a lot, so developers are testing smaller and smaller pieces of code.
“Most of the times problems aren’t around technology, but around changing the status-quo and the way people think they should face a problem. I want people to build more secure code. It’s a people problem, not a technology problem.”
Veracode will continue to address the demands of the industry, to ensure that the balance between security and speed is balanced and addressed adequately. Growth will be driven by the overwhelming groundswell in the industry, as it is no longer acceptable to produce software that hasn’t been tested particularly for security, according to Domoney.
Domoney also notes Veracode’s challenge is to ensure that solutions are constantly evolving and improving – specifically through better integrations and quicker scans. Veracode believes its huge user base will start to become pivotal to success and growth – “driving adoption and embedding in more and more places”!
Written by Leah Alger