VRM updates
The updates on this page apply to Veracode Risk Manager (VRM).
March 27, 2025
New VRM features
New Connectors
These new connectors allow Veracode Risk Manager (VRM) to quickly and easily ingest security findings and asset inventory from a variety of popular security tools.
Azure DevOps Ticketing
This ticketing connector enhances the issue management workflow in VRM by allowing users to create tickets in Azure DevOps (ADO) for any issue in VRM. This connector is bidirectional: as tickets are resolved in ADO, that status change will be reflected in VRM.
CrowdStrike CWP
CrowdStrike Cloud Workload Protection (CWP) provides runtime protection, threat detection, and visibility for workloads across cloud environments. It helps secure containers, virtual machines, and Kubernetes deployments by identifying and stopping threats in real time.
GitHub Advanced Security
GitHub Advanced Security (GHAS) delivers integrated security capabilities to secure the software development lifecycle directly within GitHub. It includes code scanning for identifying vulnerabilities in code, secret scanning to detect and prevent credential exposure, and dependency review to analyze risks in third-party packages.
JFrog Artifactory
JFrog Artifactory is a universal artifact repository that securely stores, manages, and distributes software packages, binaries, and containers.
Qualys
Qualys is a widely recognized leader in cloud-based vulnerability management, offering comprehensive security solutions to help organizations identify, assess, and remediate potential threats. VRM’s connector ingests vulnerability findings from Qualys for inclusion in VRM’s issue analysis and reporting.
Second-party package analysis
VRM now analyzes Veracode SAST findings to identify Second Party Packages, which are libraries built internally and used across application teams. VRM creates solutions that identify the specific package so development teams can select the highest-impact remediation actions.
Column management
In the issue and asset tables, you can customize the displayed columns. This allows you to select from VRM’s extensive contextual data, including numerous Urgency Factors and Severity Factors. These tools enable you to create views that instantly identify outliers and dangerous factor combinations and assess compliance without needing to drill down into the details.
Ticketing metrics
Application security teams can now track MTTR and MTTA for their Jira, ServiceNow, and ADO tickets created within VRM. Ticket disposition is easily tracked in any VRM table or dashboard.
Dashboard charts
Custom dashboards have two new card types: donut charts and bar charts. These new dashboard card types can be used to graphically represent issues and can be filtered by any dimension available in VRM, including account, tag, application, asset type, compliance framework, and ticket status.
October 31, 2024
New VRM features
- Custom Risk Remediation Dashboards
- Okta SSO Integration
- ServiceNow Connector
- Veracode Connector 1.5
- Vulnerability Management Connectors: Rapid7 and Tenable
Custom risk remediation dashboards
With VRM custom dashboards, administrators can easily customize how you visualize your application security, risk reduction, or issue prioritization. You can create dashboards that meet the specific needs of your organization.
Okta SSO Integration
You can now easily manage users via SSO using VRM's Okta integration. Enabling SSO for users allows you to manage authentication compliance through a central system rather than ensuring VRM's sign-on is also compliant, reducing the organizational overhead needed to manage another system's authentication.
ServiceNow Connector
The ServiceNow Connector for VRM connects VRM's best next actions and issues to ServiceNow's IT Service Management (ITSM) plugin. The connector leverages the ServiceNow API to create incident or request tickets to ensure VRM's powerful recommendations get to the next stage of remediation and are delivered to the correct teams' workflows.
Veracode Connector 1.5
VRM ingests and analyzes all your Veracode AST findings to create a complete and unified view across Veracode Static Analysis, Dynamic Analysis, and SCA issues. VRM leverages the Veracode Platform's policy enforcement and vulnerable methods data for issue urgency analysis.
In this release, you can also map Veracode issues back to the source code repository where the issues originated. These changes provide rich remediation instructions for weaknesses and vulnerabilities detected by Veracode AST products.
Vulnerability Management Connectors: Rapid7 and Tenable
The new Rapid7 and Tenable connectors for VRM allow you to bring in critical operational vulnerability data from the assets you are scanning. Coordinating this data with other risk elements allows your teams to save significant expert time and create tasks that make the most of your resource investments.
August 16, 2024
New VRM features
- Application Risk Heatmap
- Universal Connector 1.0
- GitLab Repository Connector: Repository scanning
- GitLab Ultimate Security Findings: Container & SAST
- Veracode Connector: New asset type for application profiles
- UI Enhancement: Saved filters
- Early release: Custom compliance mappings
Application security heatmap
With VRM Applications, you can organize assets into groups that align with your organization’s internal applications. These applications can reflect the work of internal development teams or simply be logical collections of runtime assets that deliver a business function for the enterprise. The application security heatmap provides you with an at-a-glance view of risk for all applications and allows you to drill down and see the assets, issues, solutions, and score trending for a specific application.
Universal Connector 1.0
The VRM Universal Connector enables you to connect to any data source to ingest assets and findings. It unlocks the potential for VRM to provide its issue prioritization and enrichment to any data source, whether it be a vulnerability scanner, asset discovery tool, CNAPP solution, or cloud security utility, through a straightforward API setup.
GitLab Repository Connector
VRM has added support for the GitLab Repository Connector. This allows VRM to connect to your GitLab repositories, scan the files and logs, and then analyze that data to identify IaC configuration files and inventory image hashes. VRM uses this data to map runtime ACR and ECR images to their origin in the version control system.
GitLab Ultimate security findings: Container & SAST
VRM has added support for the GitLab Ultimate Connector. This connector allows VRM to create issues from Container and SAST findings discovered by GitLab Ultimate. This capability requires no additional setup. If you have already configured the GitLab Repository Connector and you have a license to GitLab Ultimate, VRM will gather these findings automatically.
Veracode connector: New asset type for application profiles
With the Veracode Connector, you can now create assets based on Veracode application profiles. VRM can display all SAST, DAST, and SCA issues in association with their parent application profile in the Asset and Issue tables in the VRM console. VRM admins can also group these application profile assets within any VRM application (VRM’s native asset grouping).
UI enhancement: Saved filters
You can now save filters with all the filter menus in the VRM console. You can save any combination of filters set for tables or dashboards without needing to leave the filter menus. This allows you to save critical use cases and access them across the product.
Early release: Custom compliance mappings
The VRM platform now allows you to filter the Issues table by custom compliance standards that you define. This feature is in early release. To enable it, please reach out to your Customer Success Manager.
In addition to any custom compliance mappings your organization implements, VRM supports the following compliance frameworks out-of-the-box: CIS AWS 1.4, CIS AWS 1.5, CIS AWS 2.0, and NIST 800-53 Rev 5.
Additional updates
- Updated the API to allow editing of multiple applications in one API request.
- Added support for filters when editing applications with the API.
- Added hash-based vulnerability findings detection to enable collection of additional vulnerabilities from Azure.
- Added “group by” support for specific fields when listing solutions with the API.
Bug fixes
- Fixed issue where some CVE issues would not be created for application profile assets.
- Fixed issue where some Prisma Cloud finding types would not generate solutions.
- Fixed issue with the application histogram where issues with scores at division boundaries were not grouped properly.