Security at DevOps Speed: How Veracode Reduces False Positives

By Jon Janego

Originally Published on November 27, 2017 -- Updated on January 7, 2020

Application security solutions that slow or stall the development process simply aren’t feasible in a DevOps world. AppSec will increasingly need to fit as seamlessly as possible into developer processes, or it will be under-used or overlooked. But overlooking AppSec puts your organization at high risk of a damaging breach. Our most recent State of Software Security report found that a whopping 83 percent of apps had at least one vulnerability on initial scan. Leaving your code vulnerable leaves your organization open to breach. In the end, you need AppSec, but you also need AppSec that developers will use. Reduction of false positives is a big part of this requirement. False positives are always a key concern because they make developers and security folks spin their wheels, so solutions should minimize them as much as possible.

How Veracode Works to Reduce False Positives

We aim for full automation and high speeds for all of our scans, but that doesn’t mean that we compromise on quality. Unique to our position as a SaaS provider, our security research team regularly samples customer app submissions to manually review flaws. This ensures that we have met our standards for accuracy in terms of both false positives and negatives. By reviewing actual customer apps, we get a much broader and realistic set of cases than would be possible in a QA lab that only tests applications built as internal test cases.

Our review of these applications leads to improvements that are implemented back into our static analysis engine.

The SaaS Advantage

As a native SaaS provider, Veracode has a strategic advantage in improving false-positive rates. To date, we’ve assessed over 13.5 trillion lines of code and performed more than 4 million scans, and with every release, our solution gets smarter. On-premises solutions, on the other hand, require their customers to manually create custom rules to adjust for false positives in their vendor’s software, which can be very time consuming and complicated, or to wait for their on-premises vendor to release a new revision to the scanner, which requires downtime and unplanned work for the security teams. We at Veracode improve our static analysis engine at least monthly, and improvements we have made by observing the behavior of all customer applications are available with minimal disruption to your processes.

The result for our customers is that they get very high quality at high speeds (89 percent of our scans finish in less than an hour), without having to train and maintain a team for customizing scan rules to avoid false positives. This rule customization can be costly and time consuming, and requires a skill set that is hard to come by. In addition, customizations can be challenging to maintain if the person who wrote the code leaves the company. Finally, rule customization can muddy results for attestations – it’s hard to prove to third parties that your apps are secure if anyone can rig the results by manipulating rules.

On the other hand, our false-positive rate is a low 1.1 percent – with zero rule customizing. This 1.1 percent false-positive rate across real-world applications is verified and based on feedback from our customers on vulnerabilities they have reviewed. By comparison, our competitors claim a 32 percent false-positive rate.

Bottom Line

The Veracode solution has scanned hundreds of thousands of enterprise, mobile and cloud-based apps, and we’ve helped our customers fix more than 48 million flaws. Bottom line? Better analytics, faster improvements, increased accuracy and the ability to create more software, more securely than ever before.

Find out more about the Veracode Application Security solution.

By Jon Janego

Senior Product Manager for Veracode Static Analysis. Jon is responsible for the strategy of all Veracode Static Analysis features. Jon has been with Veracode since 2013, and has been working in information security since 2008 in a variety of consulting and product-oriented roles. Jon lives in Chicago, IL.