
Veracode + AnchorPoint Unified Solution


Application Security-as-a-Service with Veracode

Overview of the Application Security-as-a-Service offering

Service offering

Concerned that your applications are adding risk to your network? You should be! According to the SANS 2016 State of Application Security report, 41% of companies name public-facing web apps as the leading cause of breaches.

If you conduct in-house development or need to make sure your vendors aren’t polluting your network with poorly written code, AnchorPoint’s AppSec-as-a-Service solution is for you.

We help small and mid-sized organizations lacking the time and trained staff necessary to mitigate application related risk by BECOMING your application security program.

How does it work?

Our service is delivered through Veracode’s application scanning technology, with results manually inspected by application security experts. You get actionable reports from each code review that your developers can use to immediately fix vulnerabilities. Our team of experts stands by to engage directly with your dev team and resolve any questions about a finding or its fix.

The result:

  • You reduce rework, which reduces cost.
  • The number of security flaws caught on the first iteration increases significantly, which shortens project duration and keeps your customers happy.
  • You no longer expose vulnerabilities to the world because a proper AppSec program wasn’t in place.
  • The total cost of each sprint or project is reduced because security is built into your SDLC.

Application Security Testing

Overview

You need to add ongoing, automated scanning to protect your application infrastructure — without hiring more consultants or installing more servers and scanning tools. Manual penetration testing should be a supplement to ongoing scans.

AnchorPoint’s experts follow a phased approach to launch your program and then transition to continuous monitoring for the remainder of your subscription:

Initial Launch

  • Phase 1 – Conduct a complete application inventory.
  • Phase 2 – Quickly mitigate risk by automatically feeding scan intelligence directly to Web Application Firewalls (WAFs).
  • Phase 3 – Conduct deep, credentialed scans of the password-protected areas of the application and feed the intelligence directly to WAFs.
  • Phase 4 – Deploy and execute a Virtual Scan Appliance (VSA) in QA environments to help protect against insider threats such as the intentional or unintentional inclusion of a “back-door”.

Continuous Monitoring Cycle

Before

During the initial code development phase, experts recommend code-level analysis via SAST, in addition to best practices such as secure architectural design and threat modeling. Addressing security during the development phase of the SDLC produces stronger application security at lower cost.

  • SAST tests applications from the “inside out” and is sometimes called “white-box” testing. It examines static code for common vulnerabilities such as SQL injection and cross-site scripting, as well as coding errors such as buffer overflows and unhandled error conditions.
  • Veracode is the only enterprise security vendor to offer binary static analysis, which allows you to test applications without access to source code — including third-party software such as commercial applications, outsourced code, third-party libraries and open source.
  • Binary SAST analyzes the compiled application to create a detailed model of its data and control paths. The model is then searched for paths through the application that represent a potential weakness. For example, if a data path originates from an HTTP request and flows through the application without validation or sanitization to reach a database query, that path represents a SQL injection flaw.
  • Our SAST is designed for agile development processes, with 80% of all static scans completing within 4 hours and more than 90% completing within a day.
  • We have a proven and repeatable process for rapidly on-boarding development teams and tightly integrating security testing with existing processes and tools including IDEs (Eclipse, Visual Studio, etc.), build processes (Jenkins, Ant, Maven, TFS, etc.) and issue tracking systems (JIRA, Bugzilla, Archer, etc.).
  • We provide detailed information with line of code details to assist programmers in locating flaws in their source code and reproducing them, along with suggested corrective actions.
  • We support all widely-used languages for desktop, web and mobile applications including:
    • Java & .NET
    • C/C++: Windows, Linux & Solaris
    • Web Platforms: J2EE, ASP.NET, Classic ASP (including VBScript and VB6), PHP, ColdFusion, Ruby, JavaScript (including jQuery and Node.js)
    • Mobile Platforms: Objective-C for iOS, Java for Android and J2ME for BlackBerry, JavaScript frameworks including PhoneGap, Apache Cordova and Appcelerator Titanium
    • Legacy Business Applications: COBOL

During

Both SAST and DAST are typically used in pre-production testing (during the QA phase). For highly critical applications, manual penetration testing is also recommended. Our solutions integrate with widely-used WAFs such as Radware and Imperva so you can quickly mitigate vulnerabilities via virtual patching.

Dynamic Application Security Testing (DAST) tests applications in a running state by probing their exposed web interfaces from the “outside in.” For this reason, it is often called “black-box” testing. DAST typically looks for vulnerabilities such as SQL injection and cross-site scripting, as well as issues that only surface when the application is running, such as authentication vulnerabilities and server misconfiguration errors. It is important to test both credentialed and anonymous access, since some vulnerabilities are not visible to an anonymous attacker but show up once logged in as a known user. Unauthenticated black-box testing is more representative of how an outside cyber-criminal will act, but it takes longer to run and cannot exercise all data and control paths through the application in the way that SAST does.
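The credentialed-versus-anonymous point above, as an added example that is not part of the original page or of Veracode’s scanner. It is written in Python with the standard library only: a constructed WSGI target application with a public search page (output HTML-escaped) and a password-protected account page that reflects a parameter unescaped, plus a small black-box probe that requests each entry point with a marker payload and reports it only if the marker comes back verbatim in a 200 response. The app is driven in-process so the example runs offline; the session cookie value, paths, parameter names and marker are all assumptions for the illustration.

```python
import html
import io
import sys
import urllib.parse

# Constructed session cookie handed to the scanner for the credentialed pass.
SESSION_COOKIE = "session=demo-session-token"


def target_app(environ, start_response):
    """Constructed target application (WSGI). The scanner below never looks at
    this code; it only sees status lines and response bodies."""
    path = environ.get("PATH_INFO", "")
    params = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    cookie = environ.get("HTTP_COOKIE", "")

    if path == "/search":
        # Public page: output is HTML-escaped, so reflected input is harmless.
        q = params.get("q", [""])[0]
        body = "<p>Results for %s</p>" % html.escape(q)
    elif path == "/account":
        # Password-protected area: anonymous requests are redirected away.
        if cookie != SESSION_COOKIE:
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        # Flaw only reachable once logged in: the name is reflected unescaped.
        name = params.get("name", [""])[0]
        body = "<h1>Welcome back, %s</h1>" % name
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]

    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode("utf-8")]


def http_get(app, path, query="", cookie=None):
    """Drive a WSGI app in-process so the example runs offline.
    Returns (status_line, body_text)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.version": (1, 0),
        "wsgi.url_scheme": "http",
        "wsgi.input": io.BytesIO(b""),
        "wsgi.errors": sys.stderr,
        "wsgi.multithread": False,
        "wsgi.multiprocess": False,
        "wsgi.run_once": False,
    }
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


# Constructed probe: a marker that is only dangerous if it comes back unescaped.
PAYLOAD = "<script>dast_marker()</script>"
TARGETS = [("/search", "q"), ("/account", "name")]  # (path, parameter) pairs


def scan(app, cookie=None):
    """Black-box reflected-XSS probe over the known entry points.
    Returns a list of (path, parameter, finding) tuples."""
    findings = []
    for path, param in TARGETS:
        query = urllib.parse.urlencode({param: PAYLOAD})
        status, body = http_get(app, path, query, cookie)
        if status.startswith("200") and PAYLOAD in body:
            findings.append((path, param, "reflected XSS"))
    return findings


if __name__ == "__main__":
    print("anonymous:   ", scan(target_app))                  # []
    print("credentialed:", scan(target_app, SESSION_COOKIE))  # [('/account', 'name', 'reflected XSS')]
```

The anonymous pass reports nothing: the public page escapes its output and the account page only ever answers with a redirect. The credentialed pass, with the cookie attached, reaches the account page and finds the reflected marker. A real scan also has to crawl to discover the entry points; here they are listed explicitly to keep the example short.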

Since pre-production environments are usually located behind the firewall, we also provide a Virtual Scanning Appliance (VSA) . The VSA is a locally-installed virtual appliance (software-based) that provides full DAST capabilities and is fully-integrated with our central cloud-based platform. This allows local DAST results to be managed via a single set of policies and reports, in combination with automated SAST and manual penetration testing results, to maximize accuracy and minimize false positives.

After

We help deliver ongoing compliance by ensuring that:

  • Discovery searches are conducted on a regular basis to identify all web applications associated with your domain and external IP ranges, including temporary marketing sites, international domains and sites obtained via M&A.
  • Production web applications are continuously monitored for vulnerabilities to maintain your security posture.
  • WAFs are continuously updated with security intelligence obtained from assessments.
  • Applications are automatically assessed before deployment as a standard step in the build and release process.
All results are made available from the cloud-based web portal.

Penetration Testing

Manual penetration testing adds the benefit of human expertise to our Veracode-powered binary static and dynamic analysis — and it uses the same methodology cyber-criminals use to exploit application weaknesses such as business logic vulnerabilities.

Reducing false negative (FN) rates in your most critical applications requires a combination of multiple techniques, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and manual penetration testing.

The cloud-based platform provides a single central location for consolidating results from these multiple techniques, as well as for sharing results across multiple teams and evaluating risk using a consistent set of enterprise-wide policies.

Manual penetration testing and automated scans are two different tools with different use cases. Certain vulnerabilities, such as Cross-Site Request Forgery (CSRF), an OWASP Top 10 vulnerability class, cannot be reliably found by a scanner alone and need manual verification: a scanner does not know which requests change state, nor whether the application actually checks for a token on those requests.
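What a tester is checking by hand in the CSRF case, as an added example that is not part of the original page. It is Python with the standard library only and models the HTTP layer as plain dictionaries: a state-changing “change e-mail” handler that trusts the session cookie alone (the flaw) beside one that also requires a per-session HMAC token carried in the form (the fix). The session store, secret key, request shapes and handler names are constructed for the illustration. The forged request is what a victim’s browser would send when an attacker’s page submits a cross-site form: the victim’s cookie rides along automatically, but the attacker cannot supply the token.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret used to derive per-session CSRF tokens.
SECRET_KEY = secrets.token_bytes(32)


def new_session_store() -> dict:
    """Constructed session store: one logged-in user."""
    return {"sess-alice": {"user": "alice", "email": "alice@example.com"}}


def csrf_token(session_id: str, key: bytes = SECRET_KEY) -> str:
    """Per-session token the legitimate form embeds as a hidden field."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def change_email_vulnerable(store: dict, request: dict) -> int:
    """Relies on the session cookie alone. The browser attaches that cookie to
    any cross-site POST, so a forged form submission is accepted."""
    session = store.get(request.get("cookie_session"))
    if session is None:
        return 401
    session["email"] = request["form"]["email"]
    return 200


def change_email_protected(store: dict, request: dict, key: bytes = SECRET_KEY) -> int:
    """Same operation, but the form must also carry a token bound to the
    session. An attacker's page cannot read the token, so its POST is rejected."""
    session_id = request.get("cookie_session")
    session = store.get(session_id)
    if session is None:
        return 401
    expected = csrf_token(session_id, key)
    presented = request["form"].get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8")):
        return 403
    session["email"] = request["form"]["email"]
    return 200


def forged_request() -> dict:
    """Constructed cross-site POST: victim's cookie present, no token."""
    return {"cookie_session": "sess-alice",
            "form": {"email": "attacker@example.net"}}


def legitimate_request() -> dict:
    """Constructed POST from the real form, which includes the hidden token."""
    return {"cookie_session": "sess-alice",
            "form": {"email": "alice2@example.com",
                     "csrf_token": csrf_token("sess-alice")}}


def demo() -> dict:
    """Run the forged request against both handlers and report what each did."""
    vulnerable = new_session_store()
    protected = new_session_store()
    return {
        "vulnerable_status": change_email_vulnerable(vulnerable, forged_request()),
        "vulnerable_email": vulnerable["sess-alice"]["email"],
        "protected_status": change_email_protected(protected, forged_request()),
        "protected_email": protected["sess-alice"]["email"],
        "legitimate_status": change_email_protected(protected, legitimate_request()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both handlers answer 200 to the legitimate submission, which is all an automated crawl of the real form ever sees; the flaw only shows when the tester deliberately replays the request without the token and observes that the vulnerable handler still changes the e-mail address. That is the judgement a scanner lacks: knowing the request is state-changing and that its success without a token is the finding.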

We are here to help you understand when to use a penetration test and when to use a different control. For example, relying on an “annual pen-test” as your only application security control is a poor practice, and our experts will tell you why. We will show you how to use penetration tests in a way that saves you money and increases security, rather than simply providing check-box compliance.

Our manual penetration testing teams consist of elite security practitioners with real-world experience finding exploitable vulnerabilities that can have the highest impact on your business.

How manual penetration testing works

  • We start with an application inventory
  • We create a risk profile and prioritize your apps
  • We work with you to customize the scope of each project, determining which applications and vulnerability classes to focus on.
  • Focused manual penetration testing examines specific flaw categories that currently require manual inspection to assess adequately. Its purpose is to identify specific application vulnerabilities within the scoped domains.
  • Comprehensive manual penetration testing extends beyond identifying discrete vulnerabilities. The goals of these assessments are more situational, such as investigating whether multiple lower-risk flaws can be compounded into a more significant attack scenario.
  • Results from the automated and manual testing are combined to deliver a consolidated assessment report to simplify the remediation process.

Application Security Training

AnchorPoint will teach your developers application security awareness and best practices with comprehensive web-based training delivered via our Veracode cloud-based platform.

We’ve found that a hybrid approach to training is most effective from retention and cost perspectives. We recommend a training package that puts AnchorPoint experts in the room with your developers to reinforce the lessons learned from the structured, online courses.

This scalable, cost-effective approach can easily be deployed across your organization at a lower cost than traditional consulting engagements. Best of all, AnchorPoint Security bundles this into one, simple, turnkey training solution with no additional hardware, software, travel or on-site training expenses.

We understand that training programs are hit or miss, at best. Sometimes, you get an outstanding instructor and you feel like the ROI is good. Sometimes, the instructor is horrible and you feel like you just wasted everyone’s time and the company’s money.

AnchorPoint eliminates this variability by guiding developers through a proven, structured, and web-based training program and augmenting that experience with subject matter experts, on-site.

We think this is the best training approach for teaching application security, but if you would rather try and track down a software developer with advanced application security knowledge who can communicate coherently with a group of people for several hours at a time – good luck! 🙂

How we can help you: