Veracode’s SBOM API Simplifies Software Security for Devs
New features in Veracode’s Continuous Software Security Platform include extended integrations to support software composition analysis (SCA), an SBOM Application Programming Interface (API), and additional language and framework support for static analysis. Frequent scanning of code using tools like Veracode’s mitigates the risk from both proprietary and open source vulnerabilities, such as the Log4j flaw.
“The federal government’s May 2021 executive order highlighted the importance of securing the software supply chain and the role of a Software Bill of Materials in that process,” said Janet Worthington, an analyst at Forrester Research. “Since then, we have seen an increase in government agencies and private sector companies asking us how to request an SBOM. Software providers aren’t far behind, and many of them now proactively generate SBOMs. Integrating SBOM generation tools into the development CI/CD process gives software providers the flexibility to generate and update the SBOM throughout the product lifecycle.”
Veracode’s SBOM API enables developers to easily generate an SBOM in CycloneDX JSON format, one of the approved formats for compliance with the U.S. Executive Order. That component inventory helps confirm that the code being used or built is clear of known vulnerabilities.
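To make the point concrete, the following is an added example (not Veracode’s code, and it does not call the Veracode API): it parses a small CycloneDX JSON document, extracts each component’s package URL (purl) and version, and checks them against an advisory list to flag components that are below the first fixed version. The SBOM document and the advisory entries, including the advisory identifiers, are constructed placeholders for illustration only.

```python
"""Parse a CycloneDX JSON SBOM and flag components matched by an advisory list.

Added example, not Veracode's code. The SBOM below and the advisory feed are
constructed for illustration; advisory ids are placeholders, not real CVEs.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 document in the shape an SBOM generator would emit.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.springframework",
         "name": "spring-core", "version": "5.3.20",
         "purl": "pkg:maven/org.springframework/spring-core@5.3.20"},
        {"type": "library", "name": "example-util", "version": "1.0.0",
         "purl": "pkg:npm/example-util@1.0.0"},
    ],
})

# Constructed advisory feed: versionless purl -> [(advisory id, first fixed version)].
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("ADVISORY-PLACEHOLDER-1", "2.15.0")],
    "pkg:npm/example-util": [("ADVISORY-PLACEHOLDER-2", "1.0.1")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes such as '-beta9' are dropped."""
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Return (purl without version, version); qualifiers and subpaths are discarded."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        package, version = base.rsplit("@", 1)
        return package, version
    return base, ""


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract matchable components from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl the component cannot be matched to an advisory
        package, version = split_purl(purl)
        components.append({
            "name": comp.get("name", ""),
            "purl": purl,
            "package": package,
            "version": version or comp.get("version", ""),
        })
    return components


def find_vulnerable(sbom_json: str, advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (purl, advisory id, fixed version) for every component below its fixed version."""
    findings = []
    for comp in load_components(sbom_json):
        for advisory_id, fixed_in in advisories.get(comp["package"], []):
            if parse_version(comp["version"]) < parse_version(fixed_in):
                findings.append((comp["purl"], advisory_id, fixed_in))
    return findings


if __name__ == "__main__":
    for purl, advisory_id, fixed_in in find_vulnerable(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{purl}: {advisory_id}, upgrade to {fixed_in} or later")
```

The purl is used as the join key because it names the ecosystem, namespace, and package unambiguously, whereas `name` alone collides across ecosystems; components without a purl are skipped rather than guessed, which is the usual gap to watch for in generated SBOMs.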
“With the volume of open source code that developers are building upon today, manual processes can slow developers and security teams down,” Chris Wysopal, CTO and co-founder at Veracode, told The New Stack. “The Veracode SBOM API was introduced to make it easier to provide visibility when using third-party components. By taking manual inventory steps out of software composition analysis, resources and time can be dedicated to quicker update and vulnerability response instead.”
Moreover, modern applications are assembled, not written from scratch, according to Brian Roche, Chief Product Officer at Veracode. And open source code makes up a significant proportion of audited code bases, increasing security risk and the need to identify supply chain risk. For example, 97% of the typical Java application is made up of open source libraries, he said.
“Our SBOM API is designed to make it easier for developers to inventory their code base, including third-party components, allowing them to act quickly if new vulnerabilities emerge,” Roche said in a statement. “Since the launch of our Continuous Software Security Platform in May, we have introduced additional capabilities that meet developers right where they work: in the integrated developer environment (IDE), code repository, and command line interface. These innovations are designed to drive adoption by making the platform even more developer friendly.”
By incorporating SBOM generation into the software development lifecycle, software vendors gain visibility into the components and libraries they assemble and package with their products, Worthington said.
“These practices give them an edge over the competition when customers request an SBOM during the sales and procurement process,” she noted.
Meanwhile, Veracode has introduced integrations that let developers keep working in their familiar environments, meeting them where they work. For instance, the Veracode Azure DevOps Extension has a new SCA Flaw Importer that automatically imports flaws into the IDE, which makes it easy to find and fix any static or SCA security flaws.
The company is also about to release a Veracode for Visual Studio Code extension, which will provide detailed information on vulnerabilities, license risks, and recommended versions of open source libraries and transitive dependencies, Roche said.
Veracode’s platform supports more than 100 languages and frameworks, including those for cloud native application development and older languages used with legacy assets, like COBOL. The new version of the platform adds support for Rails 7.0, Ruby 3.x, and PHP Symfony.
“Veracode brought a complete platform for us to build security tools into our development pipelines, as well as helped us grow our knowledge to keep getting better at security,” said Peter Evans, engineering director at QAD Precision GTTE, in a statement. “Veracode was also a good fit because the platform can scan Java code in the Spring framework where we develop our software. We’ve gone from reviewing code to integrating continuous scans into our daily pipelines. Security threats don’t stand still and Veracode provides us the tools to keep up with the latest vulnerabilities and rules.”