How to Customize Veracode’s Scan Policies for Different Development Environments

Veracode is a popular application security platform that helps organizations identify and fix security vulnerabilities in their software. One of its key features is the ability to customize scan policies to suit different development environments. This ensures that security scans are both effective and efficient, tailored to the needs of each stage in the development lifecycle.

Understanding Veracode’s Scan Policies

Scan policies in Veracode define the rules and settings used during security scans. They specify which vulnerabilities to look for, the severity levels to report, and the types of scans to perform. Customizing these policies allows teams to focus on relevant security concerns depending on whether they are in development, testing, or production.

Steps to Customize Scan Policies

  • Access the Policy Management Console: Log into your Veracode account and navigate to the Policy Management section.
  • Create a New Policy: Choose to create a new policy or duplicate an existing one for customization.
  • Define Policy Settings: Adjust settings such as the severity thresholds, scan types (static, dynamic, software composition analysis), and specific vulnerability rules.
  • Assign Policies to Environments: Link each customized policy to a specific development environment, such as development, staging, or production.
  • Save and Deploy: Save your policies and ensure they are correctly assigned to the relevant projects or teams.

Best Practices for Environment-Specific Policies

When customizing scan policies, consider the following best practices:

  • Development Environment: Use a relaxed policy that reports only high-severity vulnerabilities, so scans give fast feedback without slowing development cycles.
  • Testing Environment: Lower the reporting threshold so scans surface more vulnerabilities before release.
  • Production Environment: Enforce a strict policy that requires comprehensive scans and detailed reporting, so releases demonstrably meet the organization's security requirements.
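To make the three environment policies concrete, here is an added example (not Veracode's own policy format or API) that evaluates one set of constructed findings against a relaxed, a sensitive and a strict policy. The policy fields (a severity threshold and a set of required scan types), the environment names and the sample findings are assumptions chosen to illustrate the best practices above; the point it shows is that the same scan results pass or fail depending on which environment's policy is applied.

```python
"""Evaluate scan findings against environment-specific policies.

This is an added example, not Veracode's own policy format or API.  The
policy fields, environment names and sample findings are assumptions chosen
to illustrate severity thresholds and required scan types per environment.
"""
from dataclasses import dataclass

# Severity ladder used for threshold comparison (assumed ordering).
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "very_high": 4}


@dataclass(frozen=True)
class Policy:
    name: str
    fail_at_or_above: str           # lowest severity that makes the policy fail
    required_scan_types: frozenset  # scan types that must have been run


@dataclass(frozen=True)
class Finding:
    scan_type: str   # "static", "dynamic" or "sca" (software composition analysis)
    severity: str
    cwe: str
    title: str


# One assumed policy per environment, following the best practices above:
# relaxed for development, more sensitive for testing, strict for production.
POLICIES = {
    "development": Policy("dev-relaxed", "high", frozenset({"static"})),
    "testing": Policy("test-sensitive", "medium", frozenset({"static", "sca"})),
    "production": Policy("prod-strict", "low", frozenset({"static", "dynamic", "sca"})),
}


def evaluate(env, findings, scans_run):
    """Return (passed, reasons) for the given environment's policy.

    The policy fails when a required scan type was not run or when any
    finding is at or above the policy's severity threshold.
    """
    policy = POLICIES[env]
    reasons = []

    # A policy that requires a scan type you never ran must not silently pass.
    missing = policy.required_scan_types - set(scans_run)
    if missing:
        reasons.append(f"required scan types not run: {sorted(missing)}")

    threshold = SEVERITY_RANK[policy.fail_at_or_above]
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f.severity!r} in {f.cwe}")
        if SEVERITY_RANK[f.severity] >= threshold:
            reasons.append(f"{f.severity} {f.scan_type} finding {f.cwe}: {f.title}")

    return (not reasons, reasons)


# Constructed sample findings; not real scan output.
SAMPLE_FINDINGS = [
    Finding("static", "very_high", "CWE-89", "SQL injection in login handler"),
    Finding("static", "medium", "CWE-79", "reflected XSS in search parameter"),
    Finding("sca", "low", "CWE-1104", "dependency past end of life"),
]
SAMPLE_SCANS_RUN = ["static", "sca"]  # no dynamic scan in this constructed run


def evaluate_sample():
    """Run the same constructed findings through every environment policy."""
    return {env: evaluate(env, SAMPLE_FINDINGS, SAMPLE_SCANS_RUN) for env in POLICIES}


if __name__ == "__main__":
    for env, (passed, reasons) in evaluate_sample().items():
        print(f"{env}: {'PASS' if passed else 'FAIL'}")
        for reason in reasons:
            print(f"  - {reason}")
```

Running the script shows the development policy failing on the single very-high finding only, the testing policy also picking up the medium finding, and the production policy failing additionally because the required dynamic scan was never run. That last check matters in practice: a strict policy is only as strong as the scan types it insists on, so the evaluation treats a missing scan as a failure rather than as "no findings".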

Conclusion

Customizing Veracode’s scan policies for different development environments enhances security while maintaining development efficiency. By tailoring scan settings to the needs of each stage, organizations can better manage vulnerabilities and improve their overall security posture.