View the list below for highlights of releases in 2016.
Veracode Static Analysis
- ECMAScript 2016 Support
- Python httplib2 Support
- Veracode has improved static analysis of Python applications to support the httplib2 library.
- New Approved .NET Cleansing Function
Veracode Application Security Platform
- New Course - PHP Secure Coding
- Veracode has expanded its suite of language specific secure coding eLearning courses, currently consisting of Java and .NET, to now include PHP. This course covers topics ranging from trust boundaries to information handling and data protections. PHP developers can learn how to code using application security best practices from sample code examples throughout the course.
- Operating System Command Injection (OSCI) AppSec Tutorial
- A new eLearning AppSec tutorial course has been released for the Operating System Command Injection (OSCI) flaw. During this 10-minute course, eLearning users can learn what constitutes an OSCI flaw, watch an OSCI attack take place, and learn how to protect against an OSCI attack.
- Updated Scan Menu
- Changes have been made to improve the user experience of the navigation menu. The Scans menu has been renamed to Scans & Analysis, and items have been rearranged across the menu to provide a more logical user experience.
- Improvements to Application Custom Fields
- Improvements have been made to the application-profile-level custom metadata fields. Administrators can now choose to increase the custom field limit from 5 to up to 25 for their account. Additionally, account administrators can now rename custom fields. If administrators rename custom fields that are used by the Veracode JIRA Import Plugin, TFS Flaw Synchronizer, or custom integration code, they need to update the associated custom field in that integration as well.
- Release Notes Improvements
- You can now access release notes on the Veracode Security Platform Home page by clicking the Release Notes link under the Learn tile.
- Data Dictionary for Custom Reports in Analytics
- In addition to the recommended dashboard and metrics provided by Analytics, Veracode now enables users to explore their application security data available in custom reports. The data dictionary provides details of the measures and attributes used in the custom reports to enable users to better understand their application security information.
- Save IDE Scan Results Locally in Visual Studio
- Visual Studio users now have the ability to automatically save their IDE scan results locally. When users close and reopen their IDE, they can navigate to the results without having to connect to Veracode and download the results again.
- Support for RAD 9.5
- Veracode has added support for Rational Application Developer (RAD) 9.5 to our Eclipse IDE plugin. The plugin allows users to upload and scan their code, view results, and mitigate findings from their IDE.
- End of Life: Plugin Support for Visual Studio 2005 and 2008
- Veracode is discontinuing IDE plugin support for Visual Studio 2005 and 2008 because these versions are no longer actively supported by Microsoft. The Veracode static engine continues to support applications compiled with Visual Studio 2003 and later.
The November release delivers new support for Python and RPG programming languages, as well as support and documentation improvements to six other static binary analysis languages and frameworks. In addition, the Veracode Jenkins plugin now supports Credentials Binding and Jenkins Pipeline, which helps Jenkins users mask sensitive data and better support continuous delivery. This release also delivers a new eLearning course on PHP secure coding, and eLearning users now have the capability to print certificates for courses they pass.
Veracode Static Analysis
- Static Scanning of Python 2.x Applications
- Veracode is excited to announce support of the Python programming language with Veracode Static Analysis. Python support covers several important Python application frameworks and libraries, including:
- Static Scanning of RPG Applications
- Veracode is also excited to announce support of the RPG programming language with Veracode Static Analysis.
- Android 7.0 (Nougat) Support
- Veracode has improved static analysis of Android applications to support the latest version of Android, Version 7 (Nougat).
- PHP 5.6 Support
- Veracode has improved static analysis of PHP applications by adding support for PHP version 5.6.
- Google Web Toolkit Support
- Veracode has improved static analysis of Java applications by adding support for the Google Web Toolkit framework.
- Cheerio.js Support
- OpenJDK Support
- Veracode has improved static analysis of Java applications by releasing support for OpenJDK.
- JSX Support
- Compilation Guide Refresh
- We have made some substantial updates to our entire compilation guide and static section of the online Help Center, including clarifying language, removing redundant information, and rearranging content.
- Log Entry for Rescan without Reupload
- The Veracode Platform now creates a log entry when an application is rescanned without re-uploading its files.
Veracode Application Security Platform
- Allowed IP Addresses Field Now Optional
- The Allowed IP Addresses field is no longer required when you create an API user, so you can choose whether or not to implement an IP address restriction for API users.
- New eLearning Course Certificate
- eLearning users can now be rewarded with certificates after they complete Veracode eLearning courses. You can download these certificates from the Veracode Platform to share or print.
- Introduction to PCI Updates
- Veracode has updated the Introduction to PCI DSS for Developers course to reflect the recently updated PCI DSS standard. The course now reflects PCI DSS 3.2.
Veracode Secure Development
- Jenkins Credentials Binding Plugin Support
- The Veracode Jenkins plugin now supports credentials managed by Credentials Binding, to support additional methods for storing and masking Veracode credentials.
- Jenkins Pipeline Support
- The Veracode plugin now supports Jenkins Pipeline, which allows Jenkins users to define and store their continuous delivery pipeline as Groovy code. Please note: Pipeline is a separate plugin for Jenkins 1.x, but is included with Jenkins 2.x.
The September release of the Veracode service introduces a mitigation workflow for Software Composition Analysis (SCA), improved support for GCC 4.8, CWE 90, and Android 5.1, and two new eLearning courses. API access is now more secure with the introduction of ID/key credentials, and Web Application Security improvements include the integration of linked DynamicMP results into Analytics as well as improved use of the Bing search engine in Discovery scans. Please note: Veracode has now blocked Internet Explorer 10 due to security concerns.
Veracode Static Analysis
- GCC 4.8 Support - 32-bit
- Veracode has improved static analysis of C and C++ applications by adding support for version 4.8 of the GCC compiler on 32-bit platforms.
- CWE 90 (LDAP Injection) Support for Java
- Veracode has improved static analysis of Java applications by adding support for CWE 90, LDAP Injection.
- Android 5.1 (Lollipop) API Support
- Veracode has improved static analysis of Android applications by adding additional security checks for Android 5.1 Lollipop-specific APIs.
Veracode Application Security Platform
- Internet Explorer 10 is Now Blocked
- Starting in the 2016.9 release, Veracode is blocking Internet Explorer 10 due to security concerns. Please upgrade to a Veracode supported browser now to avoid any issues.
- eLearning AppSec Byte for CRLF Injection
- There is a new AppSec Byte course about the Carriage Return Line Feed (CRLF) Injection flaw that explains what constitutes a CRLF Injection, shows a CRLF Injection attack taking place, and teaches how to protect against CRLF Injection.
- Secure Coding .NET - Trust Boundaries Course Enhancements
- The Secure Coding for .NET - Trust Boundaries course is updated with new interactivity and animations to improve use of the course materials.
Veracode Secure Development
- SCA Mitigations
- It is now possible to mitigate Veracode Software Composition Analysis (SCA) results using the new mitigation workflow.
- VSTS/TFS Integration
- An enhancement to the existing Veracode VSTS/TFS Build/Release extension now provides options to import Veracode scan results into a build or release summary and stop a build or release if an application fails policy. This enhancement requires a build or release step to wait for the scan to complete.
- VSTS/TFS SSO Support
- Single Sign-on (SSO) support is now available for the Veracode VSTS/TFS Build/Release extension, which supports the definition of service endpoints for credential management that can accept either a username and password or an API ID and key.
- Local IDE Scan Results
- Scan results viewed in Eclipse and IntelliJ are now automatically saved to the local computer. Users can resume work after closing their IDE by opening the local copy of the results. This feature is currently only available for Eclipse and IntelliJ; we will provide the same feature for the Veracode Visual Studio integration in the future.
- Increased API Security
- API security is enhanced with a new, more secure self-managed ID/key credential option that is available to all users. Both current and new API user credentials are supported at this time.
Veracode Web Application Services
- Bing Search Engine Discovery Plugin
- Veracode has enhanced the use of the Microsoft Bing search engine within Discovery to find more websites and return more consistent results.
- Discovery Excel Results Enhancements
- We have resolved Excel pivot table issues for Apple Macintosh users who view the Discovery results in Microsoft Excel 2011 and 2016 for Mac.
- DynamicMP Analytics
- DynamicMP scan results linked to application profiles are now integrated into Analytics in the Platform. Please use the automated application linking feature in DynamicMP.
The August release introduces the new Dynamic Vulnerability Rescan feature, which provides the capability to rescan previously found vulnerabilities without running a complete rescan. In addition, the Visual Studio Team Services (VSTS) build extension was updated to support Team Foundation Server 2015 (TFS), and there is new eLearning messaging functionality that allows eLearning managers to send emails to eLearners directly from the Veracode Platform.
- Handlebars.js Support
- Hogan.js Support
- TFS 2015 Support
- The Visual Studio Team Services (VSTS) build extension was updated to support Team Foundation Server (TFS) 2015 Update 2 and later, and integrates with GUI-based TFS builds rather than XAML builds.
- Jenkins ID and Key Authentication Update
- Veracode has updated the Jenkins plugin to support API ID and Key authentication for job configuration.
- Jenkins Plugin Now Stops Build When Applications Fail Policy
- The Jenkins plugin now provides functionality for teams to stop a build or release if the application fails policy via the new Wait for scan to complete option.
- Streamlined IDE credential storage
- Veracode has streamlined the authentication process across all IDE plugins by automatically deselecting the Do not use stored credentials to log in option, eliminating the Make this the default username option, and updating the documentation for Visual Studio, Eclipse, and IntelliJ.
- Streamlined JIRA configuration
- The JIRA plugin now automatically configures Veracode custom fields to eliminate the most time-consuming and error-prone part of the installation.
- Developer Sandbox General Availability
- The Developer Sandbox, a patented feature that provides teams the ability to scan applications and measure results against policy without affecting policy score, is now available to all static customers. Please contact Veracode Support to enable the feature for your account.
- IE10 Blocked After the 2016.9 Release
- Internet Explorer 10 will be blocked from the Veracode Platform by default due to security concerns beginning in September, 2016 (2016.9 release). Please upgrade to a Veracode supported browser now to avoid any upgrade issues in September 2016. If you use this browser and are unable to upgrade to a Veracode supported browser, please contact Veracode Support for assistance.
- Improved New User Registration Experience
- Improvements have been made to the new user registration process, including a user-friendly registration page, accompanying emails, and workflow. The registration process now uses a unique registration code, which is available in addition to the one-time registration link.
- Improvements to Status Column in Triage Flaws View
- Improvements have been made to the Status column in the Triage Flaws View. The following statuses have been added, which you can filter on:
- Mitigated by OS Environment, Mitigated by Network Environment, and Mitigated by Design: findings approved with one of these mitigations.
- Potential False Positive: flaws approved as Potential False Positive.
- Mitigation Review Summary Information Now Available in Reports
- Mitigation Review Summary information is now available in HTML, PDF and XML application reports.
- eLearning Course Status Emails
- eLearning managers are now able to send emails to eLearners from the Veracode Platform to prompt them to finish an incomplete course, retake a failed course, or congratulate them for passing a course.
- iOS eLearning Course Updated
- The Authentication and Authorization for iOS course has been updated based on advances in iOS development and customer feedback.
- Updated eLearning Course Interactivity
- The Introduction to Web Application Security course has been updated with new interactivity and animations.
Web Application Security
- Dynamic Vulnerability Rescan
- Veracode is introducing the Dynamic Vulnerability Rescan feature, which provides the capability to rescan previously found vulnerabilities. Instead of running a complete, time-consuming rescan, this feature saves you time by quickly rescanning only the previously found vulnerabilities. The DynamicDS Scanner Options page has an additional option to run a flaw-only rescan. The Dynamic Flaw Inventory page provides a view of vulnerabilities across multiple scans with detailed statuses:
- Open and Reopened
- Cannot reproduce
- Dynamic Reporting Updates
- The DynamicDS Summarized Results on the Veracode Platform and the detailed PDF and XML reports available for download have been updated to match the new DynamicDS flaw inventory statuses:
- A new Cannot Reproduce status.
- New, Open, Reopened, and Fixed status counts are now calculated using the new status definition logic, for DynamicDS scans only.
The July release provides increased support for .NET, Ruby on Rails, and GCC. In addition, there is support for two new CWEs, enhanced support for three currently supported CWEs, and Software Composition Analysis (SCA) results are now available in the XML report on the Veracode Platform. The IntelliJ plugin is updated to support IntelliJ IDEA versions up to 2016.1.x.
- .NET Core 1.0 Support
- Veracode has improved static analysis of .NET applications to support .NET Core 1.0. Additional support for .NET Core 1.0-specific APIs and features will be added in future releases.
- Ruby on Rails 4.x Support
- Veracode has improved static analysis of Ruby on Rails applications by adding support for Ruby on Rails Version 4.x.
- GCC 4.8 Support
- Veracode has improved static analysis of C and C++ applications by adding support for version 4.8 of the GCC compiler.
- Cryptography-related Scan Improvements
- Veracode has improved static analysis of Java applications by refining existing cryptography-related findings and adding support for additional ones. Veracode now supports CWE 338 and 780, and has refined detection of CWEs 326, 327, and 329.
- SCA Results
- Veracode customers who have Software Composition Analysis (SCA) can now view those results in the XML report available in the Veracode Platform and by using the Veracode APIs.
- IntelliJ IDEA 2016.1.x Support
- Veracode has updated the IntelliJ plugin to support IntelliJ IDEA versions up to 2016.1.x.