Manage risk
During security scanning, Veracode uses specific methodologies and techniques to determine the overall security score of your applications. Veracode provides the scan results in various reports, which you can review to understand the security of your applications and to determine the next steps for addressing security findings.
Findings
Findings are the flaws and vulnerabilities that Veracode scanning found in your application code. Prioritize and resolve these findings to secure your applications.
All findings for an application are available in the scan results. The results include the finding severities and guidance for resolving them.
In the Veracode Platform, use the Triage Flaws page and associated reports to prioritize SAST and DAST findings, and get actionable guidance on which findings to resolve.
Learn about reviewing and mitigating findings, and how to develop a remediation plan for resolving them.
Scoring methodology
To determine the security risk for an application, we use a methodology and multiple analysis techniques to identify and assess findings, and provide a consolidated application security rating.
We provide a score, on a scale of 1-100, that indicates the overall risk level of the application. This score is useful as a general assessment, but it's important that you review the severity of each finding for a more accurate assessment of the risk each finding poses to your application.
The Veracode scoring system is based on industry-standard classifications of security findings and exploit impact.
Policies
Use security policies to establish consistent security requirements for all applications in your organization, or for specific applications.
The policy constraints specify the rules with which application code must comply, and grace periods, which specify how much time teams have to resolve findings to bring an application into compliance.
By default, policies are based on the application's business criticality, risk tolerance, and its anticipated use.
Analytics
Analytics provides a view of your application risk and compliance across your entire application portfolio.
Use the dashboards and data visualizations to get insight into the overall security posture of your entire application portfolio. For example, you can track findings and policy compliance across applications and understand what scans your organization uses, who submits them, and how often. You can also identify finding trends and their status (open, closed, reopened), and much more.
Your organization can use this data to proactively resolve findings and improve its application security posture.
Reports
Use reports to evaluate findings and their resolution. Specific reporting features help you verify that findings are resolved.
The reports are available in the Veracode Platform, Veracode integrations, and as downloadable PDF and XML files.
Example reports include:
Veracode Fix
Use Veracode Fix to apply AI-generated patches to flaws found by Veracode Pipeline Scan. To automate fixes, integrate Veracode Fix.