Veracode this week launched a version of its automated dynamic application security testing (DAST) tool, dubbed DAST Essentials, that is designed to be embedded within an integrated development environment.
In addition, the company has made available a Veracode GitHub App that makes it possible to configure Veracode DAST tools to automatically scan code any time it is added to a repository.
Veracode already makes available a DAST tool that can be integrated with Veracode Fix, a tool that makes use of a large language model (LLM) curated by Veracode to apply artificial intelligence to surfacing recommendations to remediate vulnerabilities. Developers can then automatically update their source code or apply the recommended remediations as a patch using a pull request.
Brian Roche, chief product officer at Veracode, said in addition to embedding DAST capabilities into a DevSecOps workflow, DAST Essentials provides DevSecOps teams with the option to push scanning further left into integrated development environments (IDEs).
The overall goal is to automate code scanning and remediation across the entire software development life cycle. As part of that effort, Veracode will also be extending the integration of its DAST tools into additional software repositories, noted Roche.
It’s not clear whether AI will fully resolve software supply chain security concerns, but one thing is certain: the amount of code being generated is already starting to exceed the ability of DevSecOps teams to manage it effectively. DAST Essentials provides a way to apply scanning at the front end of the application development process, in the hope that fewer issues will arise once code is merged into a build. However, given the number of issues that can arise, most organizations will also need to continuously scan builds as they are updated.
In the longer term, Veracode also plans to scan code after it’s been deployed in a production environment to enable DevSecOps teams to address zero-day vulnerabilities that are discovered after an application is deployed.
While a lot of DevSecOps progress has been made in recent years, there is still much work to be done. Developers still don’t scan code as frequently as they should, and there are still updates being made to codebases that occur outside of a DevSecOps workflow. However, as regulations for building and deploying software become more rigorous in the years ahead, it’s only a matter of time before automatically invoking code scans at multiple points of the software engineering process becomes mandatory.
In the meantime, DevSecOps teams will need to find ways to address application security issues in a way that causes the least amount of friction possible. Most developers have an appreciation for security, but far too many still view it as an obstacle to be overcome rather than a quality attribute that needs to be attained and maintained. However, those same developers will complain when cybersecurity teams report potential vulnerabilities, since a developer must first determine whether each one actually affects an application and then apply a patch as necessary. The challenge, as always, is finding a way to ensure application security without slowing down the pace of application development.