- Go to the free service Web page.
- Create an account by registering with your email address and a password.
- Create a profile for your application, supplying metadata including the name of the application, build version, etc., to create a placeholder for your upload.
- Navigate to the compiled archive (.jar, .war, .zip) on your local file system through an Explorer-type interface, select it, and upload it. (The archives are encrypted in transit and on Veracode's servers.)
- The archive undergoes a pre-scan check to make sure there is code that can be scanned for cross-site scripting. You can wait for the pre-scan to complete, or log out and go back in when you receive a confirmation email.
- Once the pre-scan completes, click the Begin Scan button. Veracode then scans the application and notifies you by email when the results are ready.
It's also the most pervasive vulnerability category, accounting for 51% of all vulnerabilities found, according to Veracode's State of Software Security Report. Cross-site scripting vulnerabilities are widely exploited because they are so prevalent. Just as they are easy for developers and security practitioners to detect, they are easily found by attackers once an application is deployed and accessible from the Internet, using an assortment of off-the-shelf commercial scanners or free tools such as XSSer, XSSploit and Burp Scanner. The problem becomes even more acute when one takes into account that a corporate application is often an amalgam of code from disparate sources. (Veracode has observed that between 30% and 70% of all code comprising internally developed applications was identifiably from third parties.)
The detailed report provides the information that will primarily be used by developers to triage flaws. It lists each flaw, with a link to its CWE number (Veracode findings are very much standards based, referencing the CWE ID), a description, detailed remediation guidance (including Veracode's estimate of the effort required), and the source file and line number where the flaw occurs.
The report also helps you assess the areas of highest risk and prioritize remedial activity through the Fix First chart, a plot that shows at a glance the frequency of a vulnerability's occurrence (represented by the size of the circle representing the flaw), its severity, and the average remediation effort based on CWE ID. The Triage Flaws View provides the under-the-hood level of detail for developers to dig in and learn where and how each flaw occurred, and a platform for determining if and how it should be remediated. The triage view allows developers to overlay source code against the Veracode findings while keeping it on their local machine; the Veracode service only requires compiled code, so the source code never leaves your environment.
WHITE PAPER
ABOUT VERACODE Veracode, Inc. 4 Van de Graaff Drive Burlington, MA 01803 Tel +1.781.425.6040 Fax +1.781.425.6039 www.veracode.com 2011 Veracode, Inc. All rights reserved.
WP/CSS/0111
Veracode is the only independent provider of cloud-based application intelligence and security verification services. The Veracode platform provides the fastest, most comprehensive solution to improve the security of internally developed, purchased or outsourced software applications and third-party components. By combining patented static, dynamic and manual testing, extensive eLearning capabilities, and advanced application analytics, Veracode enables scalable, policy-driven application risk management programs. Veracode delivers unbiased proof of application security to stakeholders across the software supply chain while supporting independent audit and compliance requirements for all applications no matter how they are deployed, via the web, mobile or in the cloud. The company's more than 175 customers include Barclays PLC, California Public Employees' Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, read the ZeroDay Labs blog or follow on Twitter @Veracode.