Veracode Application Security Platform Release Notes

July 8, 2019

Retiring Basic Authentication for APIs and Integrations
In the September 2019 Veracode Platform release, Veracode will retire basic authentication for Veracode integrations and XML APIs. Basic authentication consists of only a username and password. If you currently use basic authentication, complete these steps:
  1. Generate API ID and key credentials for your Veracode Platform account.
  2. Configure your integration to use API ID and key credentials. This step applies to officially supported Veracode integrations and custom-scripted integrations.
    Note: The Veracode Java and C# API wrappers support API ID and key credentials. For other custom integrations, you must include HMAC signing in your script.

For more information, see the Veracode Community or contact Veracode Technical Support.

CWE Version 3.2
Veracode now supports Common Weakness Enumeration (CWE) version 3.2.

Veracode references the CWE for many of the findings discovered through its products. Updating to CWE 3.2 impacts which CWE IDs you need to fix to comply with the OWASP 2017, CERT, and PCI standards. Applications that had previously passed policy may fail if they include findings that are now included in these standards.

To understand how this change impacts your security program, see the new mappings for each security standard.

For more information about CWE 3.2, see the announcement from MITRE.

July 1, 2019

SSL Certificates Will Begin to Expire
Starting mid-July 2019, Veracode SSL certificates that may be embedded in local trust stores will begin to expire. If this change affects your use of the Veracode APIs, read more in the Help Center for instructions on resolving the issue.

June 19, 2019

New Python eLearning Courses
Veracode eLearning has released this set of secure coding courses for Python:
  • Secure Coding for Python - Authentication
  • Secure Coding for Python - Authorization
  • Secure Coding for Python - Configuration & Deployment
  • Secure Coding for Python - Data Protection
  • Secure Coding for Python - Information Handling
  • Secure Coding for Python - Trust Boundaries
  • Secure Coding for Python - Validation and Encoding

These courses cover application security practices and associated vulnerabilities, including the OWASP Top Ten, and secure coding techniques in Python.

When managing eLearning users who use a custom curriculum, administrators can add the new courses to existing and new curricula by selecting the Required option in the Curriculum Details section of the respective curriculum.

June 13, 2019

Configurable Sandbox Notifications
Veracode provides the option to configure your sandbox scan notification settings to send emails regarding only the sandboxes you create. This additional customization eliminates unnecessary emails while providing visibility to your relevant scan activity.

May 30, 2019

Veracode Platform Disables Unused User Accounts

The Veracode Platform automatically disables any user account that has not been logged into within two years of its last login. Contact Veracode Technical Support if you need to re-enable an account.

Findings REST API Adds Statistics Endpoint

The new Findings REST API statistics endpoint summarizes findings information for an application by resolution type, finding status, severity, and CWE. This additional level of statistics provides the detail needed to create more comprehensive reports.

May 29, 2019

CWE Version 3.2
In the 2019.6 Veracode Platform release, Veracode will introduce support for Common Weakness Enumeration (CWE) version 3.2.

Veracode references the CWE for many of the findings discovered by its products. Updating to CWE 3.2 will impact which CWE IDs you need to fix to comply with the OWASP 2017, CERT, and PCI standards. When the June release implements this update, applications that had previously passed policy may fail if they include findings that have been added to these standards.

To understand how this change may impact your security program, see the new mappings for the OWASP and CERT standards. You can also generate a report of the applications the update affects.

For more information about CWE 3.2, see the announcement from MITRE.

Data Export Includes Informational Flaws Category
The Applications data export has a new column that lists Informational Flaws. This change affects any downstream reporting that relies on an expected column order for the Applications data export. You generate data exports from the Analytics tab in the Veracode Platform.
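The following added example (not Veracode code) shows why a positional reader breaks when the new column appears and how a reader keyed on header names keeps working and reports the schema change. It assumes the export is CSV; apart from "Informational Flaws", the column names, the sample rows, and the position of the new column are constructed for illustration.

```python
import csv
import io

# Constructed sample exports; only "Informational Flaws" is named on the page.
# The other column names and the new column's position are assumptions.
OLD_EXPORT = (
    "Application,Very High Flaws,High Flaws,Policy Status\n"
    "payments-api,0,2,Did Not Pass\n"
)
NEW_EXPORT = (
    "Application,Very High Flaws,High Flaws,Informational Flaws,Policy Status\n"
    "payments-api,0,2,7,Did Not Pass\n"
)

REQUIRED = ("Application", "High Flaws", "Policy Status")
KNOWN = {"Application", "Very High Flaws", "High Flaws", "Policy Status"}


def read_by_position(text, index):
    """Fragile reader: picks a field by fixed column index."""
    rows = list(csv.reader(io.StringIO(text)))
    return [row[index] for row in rows[1:]]


def read_by_header(text, required=REQUIRED, known=KNOWN):
    """Map fields by header name; fail on missing columns, report new ones."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    if len(header) != len(set(header)):
        raise ValueError("duplicate column names in export header")
    missing = [c for c in required if c not in header]
    if missing:
        raise ValueError(f"export is missing required columns: {missing}")
    unexpected = [c for c in header if c not in known]
    records = [{c: row[c] for c in required} for row in reader]
    return records, unexpected


if __name__ == "__main__":
    print(read_by_position(OLD_EXPORT, 3))  # the policy status column
    print(read_by_position(NEW_EXPORT, 3))  # same index, different column
    print(read_by_header(NEW_EXPORT))
```

Failing on missing columns and logging unexpected ones turns a silent misreport, such as a flaw count landing in a policy-status field, into a visible schema alert.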

Veracode Help Center Updated With XML API for Uploading Large Files
Veracode has updated the Help Center to describe the uploadlargefile.do API call. You can use the call to upload a large file for static scanning. The call uploads the file as a set of parts to avoid timeout errors, which can occur when uploading a file with the uploadfile.do call.

May 15, 2019

Unsubscribe from Optional Scan Notifications

Veracode now provides the option to unsubscribe from some scan notifications. Instead of receiving all the scan notifications associated with your role and team membership, you can disable the optional email notifications for specific scan types that are not relevant to you.

May 6, 2019

Updated Introduction to PCI DSS for Developers eLearning Course
Veracode has updated the eLearning course Introduction to PCI DSS for Developers to reflect the PCI standard update from version 3.2 to version 3.2.1.