Veracode

Overview

Veracode is a leading application security testing platform that provides comprehensive security analysis for applications throughout the software development lifecycle. It offers both static application security testing (SAST) and dynamic application security testing (DAST) capabilities to identify vulnerabilities before they reach production.

Platform Capabilities

Static Application Security Testing (SAST)

Source code analysis without executing the application
Identifies security flaws in the codebase during development
Supports multiple programming languages including JavaScript, TypeScript, Java, C#, and Python
Integrates with development environments and CI/CD pipelines

Dynamic Application Security Testing (DAST)

Tests running applications from the outside
Simulates attacks on web applications and APIs
Identifies runtime vulnerabilities and configuration issues
Tests authentication, session management, and input validation

Software Composition Analysis (SCA)

Identifies known vulnerabilities in open source components
Monitors third-party libraries and dependencies
Provides remediation guidance for vulnerable components
Tracks license compliance for open source usage

How Schwab Uses Veracode

Development Integration

At Charles Schwab, Veracode is integrated into the software development lifecycle to ensure security is built into applications from the ground up:

CI/CD Pipeline Integration: Automated security scans are triggered during the build process
Developer Tools: IDE plugins provide real-time security feedback during coding
Pull Request Gating: Security scans must pass before code can be merged

Application Portfolio Security

Regular Scanning: All applications undergo periodic security assessments
Risk Assessment: Vulnerabilities are categorized and prioritized based on business impact
Compliance Reporting: Generates reports for regulatory compliance requirements
Remediation Tracking: Monitors the resolution of identified security issues

Enterprise Security Program

Policy Enforcement: Enforces company-wide security standards and policies
Security Training: Provides developers with security education and best practices
Metrics and Reporting: Delivers security metrics to leadership and stakeholders
Vendor Risk Management: Assesses the security posture of third-party applications

Key Features for Financial Services

Regulatory Compliance

Supports compliance with financial industry regulations (SOX, PCI DSS, GLBA)
Provides audit trails and documentation for regulatory reviews
Maintains security standards required for financial institutions

Data Protection

Identifies vulnerabilities that could lead to data breaches
Ensures proper handling of sensitive financial information
Validates encryption and data protection mechanisms

Risk Management

Provides risk-based prioritization of security issues
Offers executive dashboards for security program oversight
Enables informed decision-making about security investments

Integration with Development Workflow

NextJS Web Monorepo Integration

In the context of the NextJS Web Monorepo:

TypeScript/JavaScript Analysis: Scans React and NextJS applications for security vulnerabilities
Dependency Scanning: Analyzes npm packages and dependencies used across the monorepo
API Security: Tests API endpoints and server actions for security flaws
Configuration Review: Validates security configurations in Next.js applications

Automated Security Gates

Pre-deployment Scanning: All applications are scanned before production deployment
Continuous Monitoring: Ongoing security assessment of deployed applications
Vulnerability Management: Automated tracking and remediation workflows
Security Metrics: Integration with development metrics and reporting systems

Benefits for Schwab's Development Teams

Early Detection

Identifies security issues during development rather than in production
Reduces the cost and effort required to fix security vulnerabilities
Prevents security-related delays in application deployment

Developer Empowerment

Provides security guidance and education to development teams
Offers actionable remediation advice for identified vulnerabilities
Integrates security into the developer workflow without disruption

Operational Efficiency

Automates security testing processes across multiple applications
Standardizes security assessment practices across development teams
Provides centralized visibility into the security posture of all applications

Veracode plays a crucial role in Schwab's application security strategy, ensuring that financial services applications meet the highest security standards while enabling rapid and secure software delivery.

Overview​

Platform Capabilities​

Static Application Security Testing (SAST)​

Dynamic Application Security Testing (DAST)​

Software Composition Analysis (SCA)​

How Schwab Uses Veracode​

Development Integration​

Application Portfolio Security​

Enterprise Security Program​

Key Features for Financial Services​

Regulatory Compliance​

Data Protection​

Risk Management​

Integration with Development Workflow​

NextJS Web Monorepo Integration​

Automated Security Gates​

Benefits for Schwab's Development Teams​

Early Detection​

Developer Empowerment​

Operational Efficiency​