Get started with the VRM platform

The Veracode Risk Manager (VRM) platform integrates, normalizes, and unifies cross-service context across security tools, applying deep contextual analysis to pre-investigate each issue and determine its root cause and urgency. VRM then prioritizes remediation recommendations and provides Best Next Actions™ to efficiently reduce the most risk with the least amount of effort. Deployment is fast and agentless, with integrations across various security findings tools, code repositories, cloud environments, and more.

Problem that VRM addresses

Today’s application security environment is distributed across teams and infrastructure, often protected by dozens of security tools. Teams do not have a unified way to surface, manage, and remediate risk across their code, cloud, and application stack. Organizations’ security teams struggle to make sense of thousands of alerts across their applications, lacking context on what matters most and the root cause of issues.

Top issues in managing application risk:

  • Lack of unified risk visibility from code to cloud
  • Cannot centrally report and measure risk
  • Difficult to prioritize issues that matter most across the security stack
  • Difficult to identify root cause and origin of risk
  • Overly complex remediation workflows

Outcomes achieved

VRM provides a real-time, data-driven view of risk and urgency, helping organizations manage security risk at the source. The platform's intuitive UI enables analysts to efficiently monitor and measure risk burn-down. Customers achieve a fast ROI, with significant productivity gains in issue investigation and remediation.

VRM results:

  • Unified, contextualized, and prioritized risk visibility
  • Real-time view into application and cloud assets, identifying key control coverage and gaps
  • Accelerated remediation through root cause analysis and precise recommendations
  • Centralized, custom risk remediation dashboard
  • Surfaces the Best Next Actions reducing the most risk with the least amount of effort

VRM platform overview

The first step to achieve risk reduction through VRM is to understand the major components of the interface. This section walks through each section of the product, providing a brief introduction to what you can expect to see, and how it all fits together to provide a data-driven view of risk and urgency, helping your organization to manage security risk at the source.

Dashboard

On login, after configuring multi-factor authentication, you see the Dashboard page. By default, this page shows an overview of the analysis VRM has completed, including top risky issues and assets, Best Next Actions, and an overview of issue sources and asset categories. Like all pages in VRM, this page supports filtering and deep drill-down capability to navigate from the highest level to review specific attributes of individual risk components.

Dashboard overview

You can also add custom dashboards through this page to define bespoke views into priority risks scoped to provide business units, application teams, and leadership audiences with interfaces that are most relevant for their needs.

Custom dashboard overview

To navigate to this page, select the dial icon from the left navigation bar and then select Dashboard in the top navigation bar.

Funnel

This page shows a summarized view into the analysis VRM has done within your environment to:

  • Ingest findings from a wide variety of sources
  • Deduplicate and prioritize findings by analyzing runtime security control, business value, and threat intel context
  • Trace runtime findings to origin in code, and provide specific solution recommendations of Best Next Actions to maximally reduce risk

You can drill down from this page directly to view solutions, issues, assets, and findings.

To navigate to this page, select the dial icon from the left navigation bar and then select Dashboard in the top navigation bar.

Applications

The Applications view shows an overview of relative risk for applications defined within your VRM tenant. You can drill down from this screen to view the details of each application, or to see filtered views of the assets, issues, and solutions associated with each application.

To navigate to this page, select the cube-within-a-hexagon icon from the left navigation bar.

For more information on how to create, edit, and delete applications, see Using Applications.

Solutions and Best Next Actions

The Solutions page shows the top actions your team can take to reduce the most risk by addressing issues at the level of root cause. From this page, you can:

  • Apply filters to produce tear-sheets for specific application and BU teams
  • Drill down to facilitate investigation
  • View specific remediation recommendations to address each solution
  • Create tickets with recommended solutions within connected ticketing systems to address problems at the root cause, with a one-to-many remediation approach

To view all solutions ranked by priority, select the table icon in the upper left next to Solutions.

To navigate to this page, select the fire extinguisher icon from the left navigation bar.

Issues

The Issues page provides the results of VRM’s finding deduplication and issue urgency analysis: a prioritized table correlating across all connected tools to identify the most urgent issues to remediate. Like Solutions, you can filter this page in many ways to flexibly highlight your remediation priorities.

The Issues page also supports drilling down to view individual issue details, including:

  • Results of our white-box urgency analysis model that correlates asset security control and business context as well as threat intel
  • Reviewing the exact results of each finding, from each finding source, that contributed to the issue
  • Recommended solutions for addressing each issue, whether at origin in code or in runtime
  • Creating tickets to address individual issues
  • Exporting filtered issue tables to produce tear-sheets for specific application and BU teams

To navigate to this page, select the fire icon from the left navigation bar.

Assets

This page shows all assets that VRM has ingested from connected data sources. In VRM, an asset is any technical artifact that might have security risks associated with it. On this page, you can:

  • Apply deep filters
  • Drill down to view asset details, including associated issues
  • Add assets to applications and edit existing asset-to-application mappings
  • Export filtered asset lists

To navigate to this page, select the cube icon from the left navigation bar.

Findings

This page shows a list of findings ingested from finding sources. This is the raw data that VRM uses in its analysis for producing prioritized issues, solutions, and summary dashboards. Interacting with this page is less useful for introductory users than interacting with the pages where we surface the results of our analysis, but it is available for troubleshooting and visibility purposes.

To navigate to this page, select the radar icon from the left navigation bar.

Settings

This page provides the following options for VRM Admin users:

  • On the Connectors tab, add and manage connectors to direct data into and out of VRM (including cloud service providers, finding sources, source code management, and ticketing connectors).

  • On the Users tab, add and manage user accounts within VRM. VRM also supports single sign-on (SSO) integration and encourages you to use SSO as a security best practice.

  • On the API keys tab, add and manage API keys.

  • On the Labels tab, add and manage labels that you can apply to applications, issues, and assets. Labels are key-value pairs that help you organize data in VRM with meaningful metadata.

To access the Settings page, click the gear icon in the left navigation bar.

Give feedback

From any page within VRM, you can select the text bubble icon to provide feedback or ask questions about VRM features. Veracode reviews and responds to these comments daily.

My account

Select the circle icon to review your account details or access the VRM GraphQL API explorer interface. You can change your account password on the My Account page.

Common workflows

Below are brief descriptions of two workflows that users have implemented to reduce risk through VRM.

Persona: BISO

Goal: For a particular scope of relevant business units and applications, understand risk and drive risk reduction within the scope of visibility.

Workflow:

  1. Log into VRM and select the custom dashboard pertaining to your relevant scope of applications and business units to review risk status.
  2. Drill down to view individual priority issues and solutions.
  3. Identify applications where the most urgent action needs to be taken.
  4. Submit tickets to remediate priority risk (automate this process once comfortable with flow).
  5. Follow up with application owner to support them on next steps for priority risk reduction.

Pre-requisites:

  1. Integration with finding sources
  2. Integration with CSP or other asset sources
  3. Integration with ticketing sources
  4. Defined custom dashboards
  5. Defined applications

Persona: Application team

Goal: Validate and address risks efficiently with as little interruption as possible to ongoing business priorities.

Workflow:

  1. Receive ticket from VRM that identifies priority Best Next Action to maximally reduce risk in your application or business unit.
  2. Follow detailed steps within the ticket to address risk at the level of root cause in code.
  3. Close ticket and trigger rescan to validate fix.