Veracode Extends DAST Reach Left Toward Developers

Veracode this week launched a version of its automated dynamic application security testing (DAST) tool, dubbed DAST Essentials, that is designed to be embedded within an integrated development environment.

In addition, the company has made available a Veracode GitHub App that makes it possible to configure Veracode DAST tools to automatically scan code any time it is added to a repository.

Veracode already makes available a DAST tool that can be integrated with Veracode Fix, a tool that makes use of a large language model (LLM) curated by Veracode to apply artificial intelligence to surfacing recommendations to remediate vulnerabilities. Developers can then automatically update their source code or apply the recommended remediations as a patch using a pull request.

Brian Roche, chief product officer at Veracode, said in addition to embedding DAST capabilities into a DevSecOps workflow, DAST Essentials provides DevSecOps teams with the option to push scanning further left into integrated development environments (IDEs).

The overall goal is to automate code scanning and remediation across the entire software development life cycle. As part of that effort, Veracode will also be extending the integration of its DAST tools into additional software repositories, noted Roche.

It’s not clear whether AI will fully resolve software supply chain security concerns, but one thing is certain: the amount of code being generated is already starting to exceed the ability of DevSecOps teams to manage it effectively. DAST Essentials provides a way to apply scanning at the front end of the application development process in the hope that fewer issues will arise once code is merged into a build. However, given the number of issues that can arise, most organizations will also need to continuously scan builds as they are updated.

In the longer term, Veracode also plans to scan code after it’s been deployed in a production environment to enable DevSecOps teams to address zero-day vulnerabilities that are discovered after an application is deployed.

While a lot of DevSecOps progress has been made in recent years, there is still much work to be done. Developers still don’t scan code as frequently as they should, and updates are still being made to codebases outside of any DevSecOps workflow. However, as regulations for building and deploying software become more rigorous in the years ahead, it’s only a matter of time before automatically invoking code scans at multiple points in the software engineering process becomes mandatory.

In the meantime, DevSecOps teams will need to find ways to address application security issues with the least amount of friction possible. Most developers have an appreciation for security, but far too many still view it as an obstacle to be overcome rather than a quality attribute that needs to be attained and maintained. At the same time, those same developers will complain when cybersecurity teams discover potential vulnerabilities, leaving the developer to first determine whether each one actually affects the application and then apply a patch as necessary. The challenge, as always, is finding a way to ensure application security without slowing down the pace of application development.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
