Secure Code review - Veracode SaaS Platform - Saudi Green Method


Veracode provides the world’s leading Application Risk Management Platform. Veracode's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Veracode was founded with one simple mission in mind: to make it simple and cost-effective for organizations to accurately identify and manage application security risk.

Transcript of Secure Code review - Veracode SaaS Platform - Saudi Green Method

Page 1: Secure Code review - Veracode SaaS Platform - Saudi Green Method

Veracode Overview

Brought to you by

Page 2:

An introduction to Veracode

Who we are
• The people, process and technology needed to deliver a scalable and cost-effective software security program
• The only complete application security offering in the cloud (SaaS)
• Core patented technology developed in 2002; Veracode established 2006 (founders ex @stake, Guardent, Symantec and VeriSign)

What we do
• Provide world-class automated static, dynamic and mobile application security testing services, with complementary consulting and remediation services
• Scalable and rapid delivery model
• Frictionless integration
• Industry benchmarking

Page 3:

Veracode: some facts

• Over 600 customers
• In more than 80 countries
• Across all industry sectors

• 58 billion lines of code scanned
• 5.046 million valid security flaws detected by SAST alone
• Test repository of over 70,000 applications
• Over 425,000 separate flaws identified

• 270% increase in SAST scan volumes year on year
• 12 major releases; SaaS continuous learning, maintaining leadership
• 3-hour average scan time for Java and .NET

Page 4:

Independent recognition

“Veracode has cleverly taken advantage of its unique technology (static binary analysis) and matched it up with its SaaS platform and program management and sales services to create an offering that takes both effort and cost away from the enterprise CISO.” (2012)

• “Visionary” in Gartner’s Magic Quadrant for Dynamic Application Security Testing (2011)
• “Leader” in Gartner’s Magic Quadrant for Static Application Security Testing (2010)
• “SC Award for Information Security Product of the Year” (2012)
• “Veracode ranked #20 on Forbes Most Promising Companies in America” (2013)

Page 5:

Veracode Platform and Services

Platform
• No hardware
• No software
• No maintenance

Services
• Expertise on demand
• Cost effective

Page 6:

Platform Services

Page 7:

Veracode Patented Binary Static Analysis

Automated “inside-out” code analysis without requiring access to source code

[Figure: application types covered: Outsourced, Internally Developed, Open Source / Third-Party Libraries, Mobile, Commercial, Cloud]

How it works:
• Tests executables
• Identifies vulnerabilities and backdoors
• Covers third-party code
• Supports web, non-web, internal, commercial, mobile and cloud apps

Benefits:
• Complete application coverage
• Scales out: thousands of apps
• Scales up: multi-gigabyte applications
• Tests what runs and what is attacked
• Protects IP for third-party apps
• Low false positives, fast turnaround
• Actionable remediation advice

Veracode positioned as a leader in Gartner’s SAST MQ

“Not having binaries tested leaves a gap in application security.”

--Joseph Feiman, Gartner

Page 8:

Veracode Dynamic Analysis

Automated “outside-in” web application testing at scale with speed

Discovery
• Find web applications and prepare a target list for analysis
[Figure: discovered perimeter hosts across TLDs such as .com, .org, .co, .uk, .ca, .tv and .info]

DynamicMP
• Massively parallel, rapid baseline scanning of all perimeter applications

DynamicDS
• Deep scanning of external and internal applications

Benefits:
• Track a rapidly growing application perimeter
• Scan thousands of applications in days, not months
• Gain total website coverage
• Non-disruptive
• Low false positives
• Fast turnaround

Veracode positioned as a visionary in Gartner’s DAST MQ

Page 9:

Veracode Application Analytics

Security data analytics, application intelligence and peer benchmarking

How it works:
• Offers policy compliance as well as interactive dashboards and querying
• Enables peer benchmarking
• Aggregated program statistics across all testing activities and supplies
• Provides application inventory snapshots

Benefits:
• Manage all activities through one platform
• Measure and demonstrate ongoing progress
• Make informed decisions
• Understand performance relative to others

1 Read our latest State of Software Security Report at www.veracode.com

Page 10:

Policy Manager

A policy framework and workflow system to enable a programmatic approach to application security

How it works:
• Provides pre-built policy templates for PCI-DSS, OWASP Top Ten and SANS Top 25
• Adds CERT secure coding standards to pre-built templates
• Leverages industry standards (CWE, CVSS, NIST) for policy creation
• Provides several options for custom policy definitions
• Tracks remediation progress
• Automates the internal communication workflow

Benefits:
• Enables quick security policy definition and assignment
• Replaces ad-hoc compliance management with a systematic approach
• Offloads internal communication overhead
• Simplifies GRC for applications

Page 11:

Veracode eLearning

Online training courses, knowledge base and assessments for developer education

How it works:
• Provides over 50 courses with extensive coverage of key topics, addressing basic and advanced concepts
• Provides tracks tailored for development, QA and security
• Contains pre-built assessments for testing purposes

Benefits:
• Professional development for developers
• Better application security out of the gate
• Use testing results to direct eLearning courses
• Strengthen new-hire due diligence
• Scale easily to thousands of developers and security personnel
• Integrated analytics empowering course recommendations

Page 12:

Veracode Mobile Application Analysis

Binary static analysis on mobile applications to discover security vulnerabilities and data privacy issues

How it works:
• Identifies opportunities for data exfiltration, unsafe data storage and privacy violations
• Supports Android, iOS, Windows Mobile and BlackBerry, detecting flaws that threaten mobile hardware and OS
• Detects mobile backdoor capabilities (remote tracking apps, personal information theft, remote listening)

Benefits:
• Minimize risk without impeding mobile adoption
• Understand data leak potential
• Understand risks in mobile apps developed by third parties
• Independent verification addresses security concerns

Page 13:

Veracode Solutions

Page 14:

The first completely outsourced solution that attests the security of your software supply chain.

A VAST program helps reduce your software security risk by inducing vendors to comply with your policies.

Solution cost is shared with your vendors.

Solution benefits:
• Reduce software security risk across your portfolio.
• Outsource to the experts and save internal resources.
• Vendor compliance visibility with monthly reporting.
• Low friction for vendors and suppliers.

Page 15:

A massively scalable solution for rapidly gathering vulnerability intelligence across every enterprise web application.

Solution benefits:
• Instant web application inventory.
• Rapid risk assessment at massive scale.
• Efficient monitoring of a rapidly changing application perimeter.
• Vulnerability intelligence.
• A known perimeter with fewer vulnerabilities.

Page 16:

Solutions designed to get enterprise software development on the RAMP to real risk reduction.

Solution benefits:
• Reduce software security risk across internally developed applications.
• Enable risk reduction earlier in the development lifecycle.
• Practical implementation with measurable value.
• Scale program adoption across the enterprise.
• Low friction for development teams.

Page 17:

Seamless integration into the SDLC

Page 18:

Integration of Veracode Scanning into the Development Process

• Pick up binaries from integration sandboxes
• Scan via Veracode
• Analyze the XML results (XML processing via Tamino XML Server)
• Create issues in the security bug tracking system, integrated with the existing JIRA bug tracking system
• Communicate with developers via the existing JIRA system
• When issues get fixed or set to mitigated, check via automatic scanning whether they are really fixed
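The reconciliation step described above (compare a fresh scan's findings with the state developers have set in the tracker, create issues for new findings, and flag "Fixed" findings the rescan still reports), as an added example that is not part of the original deck or Veracode's tooling. The XML layout, the flaw ids and the tracker snapshot are constructed assumptions for illustration, not Veracode's actual report schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample report in a hypothetical, simplified XML layout
# (not Veracode's real result schema): one <flaw> element per finding.
SAMPLE_XML = """<results app="payments-api" build="2024-01-15">
  <flaw id="101" cwe="89" file="Dao.java" line="42" severity="5"/>
  <flaw id="102" cwe="79" file="View.jsp" line="17" severity="4"/>
  <flaw id="104" cwe="327" file="Crypto.java" line="9" severity="3"/>
</results>"""

# Constructed snapshot of the bug tracker: flaw id -> status set by developers.
TRACKER = {"101": "Open", "102": "Fixed", "103": "Fixed", "105": "Mitigated"}


def parse_flaws(xml_text):
    """Return {flaw_id: details} for every <flaw> in the report."""
    root = ET.fromstring(xml_text)
    return {
        f.get("id"): {"cwe": f.get("cwe"), "file": f.get("file"),
                      "line": int(f.get("line")), "severity": int(f.get("severity"))}
        for f in root.iter("flaw")
    }


def issue_summary(flaw):
    """One-line summary suitable for a new bug-tracker issue."""
    return "CWE-%s in %s:%d (severity %d)" % (
        flaw["cwe"], flaw["file"], flaw["line"], flaw["severity"])


def reconcile(flaws, tracker):
    """Decide tracker actions from a fresh scan (keyed on a stable flaw id).

    new: no issue yet, create one; reopen: marked Fixed but still reported;
    accepted: Mitigated and still present (re-check the mitigation);
    verified: marked Fixed/Mitigated and no longer reported by the scan.
    """
    actions = {"new": [], "reopen": [], "accepted": [], "verified": []}
    for fid in flaws:
        status = tracker.get(fid)
        if status is None:
            actions["new"].append(fid)
        elif status == "Fixed":
            actions["reopen"].append(fid)
        elif status == "Mitigated":
            actions["accepted"].append(fid)
    for fid, status in tracker.items():
        if status in ("Fixed", "Mitigated") and fid not in flaws:
            actions["verified"].append(fid)
    return actions
```

Run it after each automatic scan: the "new" list becomes JIRA issues, the "reopen" list sends a fix back to its team, and the "verified" list lets issues be closed with evidence from the rescan.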

Page 19:

Benefits of integrating Veracode

• No changes to the existing development process; no new systems for developers to learn; no changes to build and promotion systems needed
• Regular scanning and analysis for potential vulnerabilities; daily feedback and metrics
• Fully automated: whenever new builds are available, they can be directly scanned and analyzed
• Based on information available in the existing bug tracking system, issues can be automatically assigned to the responsible development teams
• Scalable to many products: only a set of configuration parameters needs to be set to include additional products in the scanning process

Page 20:

Hamad Alfataih
Regional Director
Tel: +966114502334
Mob: +966597822244
P.O. Box: 2454 Riyadh 11451
www.greenmethod.com.sa
www.greenmethodonline.com
h.alfataih@greenmethodonline.com