Skip to main content

Platform updates

· 34 min read

The updates on this page apply to the Veracode Platform. Updates that apply to certain regions are marked with a region icon.

March 24, 2025

Map multiple domains to a single identity provider

If you've configured single sign-on (SSO) to use service provider (SP)-initiated Security Assertion Markup Language (SAML), you can now map multiple domains to a single identity provider (IdP) for an organization. For more information, see Service provider-initiated SAML authentication.

March 7, 2025

Reporting REST API now available in European Region

The Reporting REST API is now available in the European Region. To access this API, submit a request to Veracode Technical Support via an email to [email protected]. For more details about the Reporting API, see the Veracode documentation.

March 6, 2025

Customizable PDF displays SCA Component License Risk policy compliance

The Customizable PDF takes into account policy rules for SCA Component License Risk. The components' license risk policy compliance status will now be displayed in the Executive Summary and Detailed SCA Findings by Component sections of the report.

February 19, 2025

Upgrade to Looker 24.18

Veracode has upgraded Veracode Analytics to use Looker version 24.18 in the United States Federal region.

SCA Component Blocklist rule removed from built-in policies

Veracode has removed the SCA Component Blocklist rule from the built-in Veracode Recommended policies in the United States Federal Region instance. This change does not impact policy compliance for existing applications. For more details, see the Product Announcement on the Veracode Community.

February 18, 2025

New look for Veracode Platform pages

The following pages in the Veracode Platform have an updated look and feel, and support light and dark mode based on your selected theme.

  • Platform Home
  • Your Account Settings
  • API Credentials
  • Notification Settings

These updated pages and theme settings are currently available to a limited set of users in the Commercial region. Veracode is gradually updating more pages and will make them available in other regions in future updates.

February 12, 2025

Customize columns in the All Users table

Administrators can now select the Set Columns button to customize the All Users table on the Administration page.

February 7, 2025

Customer Managed Encryption Keys

Veracode Customer Managed Encryption Keys (CMEK) allows you to encrypt your data in Veracode Platform using your own root encryption key. With CMEK you can:

  • Control encryption and access to your data
  • Manage your root encryption key in your KMS
  • Configure Veracode application profiles to use your root encryption key
  • Periodically rotate your root encryption key

This feature is available for both new and existing application profiles.

February 5, 2025

SCA Component Blocklist rule removed from built-in policies

Veracode has removed the SCA Component Blocklist rule from the built-in Veracode Recommended policies in the European Region instance. This change does not impact policy compliance for existing applications. For more details, see the Product Announcement on the Veracode Community.

January 30, 2025

SCA Component Blocklist rule removed from built-in policies

Veracode has removed the SCA Component Blocklist rule from the built-in Veracode Recommended policies in the Commercial Region instance. This change does not impact policy compliance for existing applications. For more details, see the Product Announcement on the Veracode Community.

January 28, 2025

Reporting REST API v1.4

Veracode has released Reporting REST API version 1.4. This update adds support for filtering Findings and Scans reports using development sandbox IDs. The API specification is available on SwaggerHub.

January 23, 2025

Upgrade to Looker 24.18

Veracode has upgraded Veracode Analytics to use version 24.18 of the Looker platform in the Commercial and European regions.

January 6, 2025

Longer passwords required

Veracode has changed the minimum length for passwords from 8 characters to 10. For existing users, this change will take effect the next time you change your password.

December 16, 2024

US Federal region status page

You can now get status about planned maintenance events and incidents, and subscribe to notifications for the US Federal region at the new US Federal region status page, available at https://status.veracode.us.

November 22, 2024

Updated SCA Findings dashboard

The SCA Findings dashboard includes the following improvements:

  • Libraries with Vulnerable Methods: The Library Issues Count measure is now called Libraries Count to provide a more accurate representation of impacted libraries.
  • How Risky Are My Licenses?: The Vulnerability Count measure is now called Issue Count to improve consistency with other metrics.

November 22, 2024

PCI 4.0 support

The Veracode PCI Report now supports the latest version of the PCI standard.

October 9, 2024

Custom roles for user accounts and API service accounts

You can now create, edit, and manage unique, tailored roles for more precise control over user access and permissions in your organization. With custom roles, you can:

For more details, see the Veracode documentation and the updated Identity API specification on SwaggerHub.

September 30, 2024

New Scans report available for the Reporting API commercial-icon.png

The Reporting REST API can now generate a Scans report. Similar to the existing Findings report, you can query Veracode Analytics for information about Static Analysis, linked Dynamic Analysis, and Manual Penetration Testing scans.

For more details, see the Reporting API specification on SwaggerHub.

September 13, 2024

New status and maintenance REST API endpoint

The REST API endpoint for checking the current status and upcoming maintenance schedule for Veracode services has changed from https://api.status.veracode.com/status to https://status.veracode.com/api/v2/summary.json. Veracode recommends you move any automation to the new endpoint as soon as possible.

The previous endpoint will be retired on October 31, 2024.

September 9, 2024

The Manual Testing API has been migrated to the Findings API

Veracode has moved all functionality of the Manual Testing REST API to the Findings REST API. All endpoint signatures and response objects remain the same. However, the following input parameters have been updated:

  • The scan GUID parameter for getScan has been replaced with integer scanId. scanId is found in the getScans response.
  • The scan GUID parameter for getFindings has been replaced with integer scanId. scanId is found in the getScan response.
  • The finding GUID parameter for getFinding has been replaced with integer findings[].id. findings[].id is found in the getFindings response.

The Findings API specification is available on SwaggerHub for more details.

August 13, 2024

Upgrade to Looker 24.6

Veracode has upgraded Analytics to use version 24.6 of the Looker platform in the Commercial and European regions.

June 20, 2024

Project scan IDs added to Reporting API

Added the following fields to the Findings report of the Reporting API for findings from agent-based scans that are linked to applications:

  • original_project_scan_id: The original project scan in which an SCA agent identified the application-linked finding.
  • latest_project_scan_id: The most recent project scan in which an SCA agent identified the application-linked finding.

Changes to dates for application-linked SCA agent findings in Analytics

Veracode Analytics and the Reporting API have updated how they determine the values for date fields of agent-based scan findings that are linked to applications. The following fields now retrieve data from the agent-based scanning history instead of the SCA upload scan history:

  • First Found Date
  • First Found in Application Date
  • Library First Found in Active Scans Date
  • Last Found Date
  • Reopened Date
  • Fixed Date

This update impacts the following fields because they derive data from the updated fields listed above:

  • Resolved Date
  • Grace Period Expiration Date
  • Flaw Age

May 6, 2024

New columns in SCA License Risk Data Export report

The SCA License Risk Data Export report now includes the following columns:

  • Business Unit for applications associated with SCA upload scans
  • Project Name for SCA agent-based scanning projects
  • Library Version for libraries found in SCA agent-based scans
  • Last Scanned Date and SPDX ID for libraries found in SCA agent-based scans or upload scans

April 28, 2024

Upgrade to Looker 24.0

Veracode has upgraded Analytics to use version 24.0 of the Looker platform. Key updates include:

  • AND/OR filtering
  • Performant field picker
  • Quick resize and tile repositioning

The complete list of changes is available in the Looker documentation.

April 10, 2024

Add a Git repository to application metadata

You can now add the URL of a Git repository to the application profile metadata using the Applications REST API and the Veracode Platform.

April 4, 2024

Veracode Analytics updates

The Veracode Analytics Findings explore includes the following improvements:

  • Updated the Policy Rule Passed (Yes / No) field to match the new policy logic changes to findings from a Software Compsition Analysis (SCA). If SCA findings violate policy, but are within the grace period, the Veracode Platform does not report them as not passing policy, or "No".
  • Added a new Findings Policy Status field that you can use to tag findings that violate policy and are within grace period as Conditional Pass.
  • The SCA Agent-Based Scan Issues page now provides data about the projects and workspaces that generated the issues.

April 3, 2024

The Veracode Documentation has the following improvements:

  • New Learning paths provide a sequence of videos and documentation that walk you through using Veracode products. For example, the steps show you how to prepare applications for scanning, run a Static Analysis or Dynamic Analysis in the Veracode Platform, and then review the results. By following these paths, new users can onboard and experienced users can gain a deeper understanding of Veracode products, features, and best practices.
  • New search experience that helps you more easily search across all documentation and filter the results.

March 26, 2024

Add Git repository to application metadata

You can now specify the URL of a Git repository in the application profile metadata using the Applications REST API and the Veracode Platform.

Previous updates

2023 updates

2023 updates

November 27, 2023

Free trial of DAST Essentials

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

November 27, 2023

Free trial of DAST Essentials

Veracode now offers a free 14-day trial of DAST Essentials in the Veracode Platform. To sign up, on the Sign in page, select Sign Up to create your account. If you are a Veracode customer and want to try DAST Essentials, contact your sales associate.

October 17, 2023

New Veracode Analytics fields available

The new Second Party Component and Fixable (Yes / No) fields in the Veracode Analytics Findings explore are now available.

October 16, 2023

New Veracode Analytics fields available in European Region

The new Second Party Component and Fixable (Yes / No) fields in the Veracode Analytics Findings explore are now available in the European Region.

September 29, 2022

New Application Security Platform features available in European Region

The following features are now available in the European Region.

July 19, 2023

Upgrade to Looker 22.20

Veracode has upgraded Analytics to use version 22.20 of the Looker platform. All existing dashboards now reflect the new Looker experience.

This upgrade introduces a known issue that prevents you from scrolling in the Timeline visualization. Additionally, you may experience an issue that automatically enables the Row Totals column in some pivot tables, which can cause rows to be double counted in stacked visualizations. To fix this issue, edit the dashboard and visualization, clear the Row Totals option, and save your changes.

Updated Security Program Overview Dashboard

The default number of applications displayed in the What is my policy compliance over time? section of the Security Program Overview dashboard in Veracode Analytics has decreased from 100 to 25.

To view additional applications, customize the visualization and adjust the Application Rank by Published Date Descending filter.

2022 updates

2022 updates

July 15, 2022

CWE Top 25 Now Reflects 2022 Version

The Auto-Update CWE Top 25 security standard that you use in Veracode policies now reflects the 2022 CWE Top 25 list.

June 28, 2022

Updated Single Sign-On and Just-In-Time Provisioning

New single sign-on (SSO) and Just-In-Time (JIT) provisioning capabilities in the Veracode Platform improve reliability and supportability and extend the roles that JIT provisioning supports. Before using this feature, you must update your SSO settings in your identity provider.

To begin the process of enabling these capabilities, contact Veracode Support.

May 19, 2022

The Issues Vulnerability Count Measure Changed

Issues Vulnerability Count now includes only issues where the Issue Type is a Vulnerability Issue. In the past, this measure included the count of Vulnerability, License, and Library issues. The calculation of Issues Vulnerability Count is still based on the filters you select.

  • Issues Issue Count: count of issues, regardless of type
  • Issues Vulnerability Count: count of vulnerability issues
  • Issues Libraries with Issues: total number of unique libraries with at least one issue

May 10, 2022

Sandbox Information Available in Unsubmitted Static Scans Data Export

Veracode has added sandbox information to the Unsubmitted Static Scans data export to make it easier to find the incomplete static scans for an application.

SCA dashboards available in Analytics

Data from Veracode Software Composition Analysis (SCA) agent-based scans and upload scans is now available in Veracode Analytics for the European Region. The predefined Veracode dashboards, including the SCA Findings dashboard, now contain SCA scan data. You can also use the Findings, SCA Agent-Based Scans, and SCA Agent-Based Scan Issues data explores for custom reporting.

May 6, 2022

End of Support for Internet Explorer 11

Veracode will no longer support Microsoft Internet Explorer 11 after June 30, 2022. This change follows the Microsoft updates to its support model for Internet Explorer. Veracode recommends that you switch to a supported browser to avoid issues.

Official Support for Microsoft Edge

The Veracode Docs are updated to confirm that Microsoft Edge is a supported browser.

May 3, 2022

Support cases and scheduled consultations now available

You can now raise a support case and schedule a consultation from the Veracode Platform in the European Region.

Veracode Platform services updated to current versions

Applications and policies for the European Region now run on the current versions in the Veracode Platform.

April 4, 2022

Improved Team Management in the Veracode Platform

Veracode has improved the usability of the team management options on the Administration page in the Veracode Platform.

March 22, 2022

View Applications by Policy Evaluation Date

You can now view the date and time of the most recent event that triggered a policy evaluation for an application in a new field in the Applications REST API and the Applications list in the Veracode Platform. You can use this field to search for applications that have had new scans or approved mitigations since the listed date.

2021 updates

2021 updates

December 9, 2021

OWASP Top 10 2021
  • The Auto-Update OWASP requirement available for application security policies now reflects the 2021 version of the OWASP Top 10.

November 5, 2021

New Veracode Documentation URL
Deprecation of Veracode Documentation PDFs
  • Veracode has deprecated the PDF files of publications available on the Veracode Documentation website. By December 2021, you will no longer be able to download these PDFs, but you can create custom PDFs using the print feature in your browser. To create a custom PDF, click Print (printer icon) in a publication title bar or to the right of a topic title, select the topics to include or exclude, then click Print.

September 28, 2021

API Rate Limit Enforcement
  • Veracode is now enforcing API rate limiting to ensure optimal performance and availability of Veracode services.

September 15, 2021

Updated Subprocessor List
  • Veracode has updated the list of subprocessors used to process customer personal information.

August 31, 2021

2021 CWE Top 25 Support
  • The Auto-Update CWE Top 25 policy rule in Veracode security policies now reflects the 2021 CWE Top 25 standard. In a future release, Veracode will add the option to specifically select the 2021 CWE Top 25 standard in policy rules.
CWE 4.5 Support
  • Veracode CWE support now reflects the changes MITRE introduced in version 4.5 of the CWE list.

August 12, 2021

Updated Video - Create a Policy in the Veracode Platform
  • This video shows you how to create a custom policy in the Veracode Platform.

July 20, 2021

Improved Veracode Onboarding Experience
  • Veracode has improved the onboarding experience to help developers and application security managers get started with Veracode. In the Veracode Platform, select Resource Center > Getting Started to open the new Getting Started with Veracode guidance, which provides a walk-through of Veracode products and training offerings.

July 8, 2021

Updated Video - Create a New Application Profile in the Veracode Platform
  • This video shows you how to create a new application profile in the Veracode Platform.

June 29, 2021

Improved Veracode Platform Homepage
  • The homepage in the Veracode Platform is updated to make it easier to perform several common functions, such as generating API credentials.

May 25, 2021

Automatically Update to Latest Version of Security Standards in Policy Rules
  • You can set rules in your application security policies that automatically update to use the most recent version of the supported security standards. With this update, you can require applications to comply with the latest version of security standards, such as OWASP Top 10 or CERT, as soon as Veracode supports them.
2020 CWE Top 25 Standard Available in Policy Rules
  • Veracode now supports using the 2020 version of the CWE Top 25 standard as a requirement in application security policies.
PCI Standard Includes 2020 CWE Top 25 Most Dangerous Software Weaknesses
  • A new version of the PCI security standard, which includes the 2020 CWE Top 25 most dangerous software weaknesses, is now available as a requirement in application security policies.
PCI Report Now Evaluated Against the Auto-Update PCI Standard
  • The PCI report available from the Veracode Platform is now evaluated against the Auto-Update version of the PCI security standard. This update ensures that the report always uses the latest version of the PCI standard.

April 8, 2021

Access the Veracode Community from the Veracode Platform
  • You can now access the Veracode Community directly from the Veracode Platform without logging in to a separate Community account. The Veracode Community provides best practice documentation, new feature previews, and a forum for asking questions about how to most effectively use Veracode products and services.

April 7, 2021

Evaluation Timeframe for Security Policies

You can now include evaluation timeframes in Veracode application security policies to define when findings can impact policy compliance. In your policies, you can:

  • Disallow findings opened after a specific date to ignore technical debt.
  • Disallow findings opened before a specific date to ignore new findings that are out of scope for an audit requirement.

April 6, 2021

End of Browser Support for Legacy Versions of Safari and Android

Veracode no longer supports these legacy versions of Safari and Android because of their use of weak ciphers (TLS 1.2):

  • Safari 6 on iOS 6.0.1

  • Safari 7 on iOS 7.1

  • Safari 8 on iOS 8.4

  • Safari 7 on OS X 10.9

  • Safari 8 on OS X 10.10

  • Android 5.0.0

  • Android 6.0

You cannot access analysiscenter.veracode.com using these browsers.

Administrators Cannot Assign Applications to Teams
  • Administrators in the Veracode Platform can no longer assign applications to teams unless they have another role that grants them permission to edit application profiles. Veracode removed this rarely used functionality to provide a more consistent experience for users.
Allow Access to New URL for Penetration Testing Services
  • Veracode has introduced a new URL for a future feature that will support better reporting of our penetration testing services. If you restrict access to public internet sites for your organization, add pt.analysiscenter.veracode.com to your allowlist.

March 31, 2021

Changes to Email Addresses Require Verification
  • If you update the email address in your Veracode Platform user account, Veracode sends you an email to confirm the new address. You must confirm the email address to complete the update.

March 26, 2021

New Analytics Dimension for Findings and Scans
  • Veracode Analytics provides you with the ability to filter findings and scans based on their archive status. You can use these filters to easily find findings and scans that Veracode deleted as part of the sandbox scan retention process.

March 22, 2021

Improved User Management in The Veracode Platform
  • Veracode has improved the usability of the user management options in the Veracode Platform. Administrators and Team Admins can now search for users by name, email address, username, or API ID.

March 9, 2021

Veracode Analytics Updates to the SCA Findings Dashboard
  • Veracode has updated the SCA Findings dashboard to improve the visualization of data and provide more information on how fixing code libraries impacts findings.

February 9, 2021

New Static Analysis Findings Information in Veracode Analytics
  • Veracode Analytics now provides more details about findings that relate to your Static Analysis scans, including the function name, class path, and most recent line number in which Veracode discovers the findings. This data enables you to recreate a similar view as the Triage Flaw view in the Veracode Platform, but across multiple application profiles.

February 8, 2021

New Security Program Overview Dashboard in Veracode Analytics
  • Veracode Analytics provides a new dashboard that contains data to help you track and understand how your AppSec program is trending, based on your target goals. With this dashboard, you can see current and historical trends for policy compliance, as well as better understand policy compliance behavior. New information available to you includes details such as how an application is meeting compliance over time.

January 26, 2021

Improved User Interface for Managing Applications
  • Veracode has updated the user interface in the Veracode Platform for creating, viewing, updating, and deleting applications to improve usability.

January 19, 2021

Improved Email Notifications for Expiring API Credentials
  • Veracode sends an email notification when your Veracode API credentials are about to expire. The email now displays your API username for quickly identifying the account for which you need to generate new credentials.

2020 updates

2020 updates

December 7, 2020

Additional SCA Details Available from the Findings REST API
  • With the Veracode Findings REST API, you can identify whether Software Composition Analysis findings are from agent-based scans or upload scans and whether they are from a direct or transitive dependency. You can also filter your findings by scan type or dependency type.

November 23, 2020

Updates to the Findings REST API

You can now perform these tasks with the Veracode Findings REST API:

  • Retrieve the expiration date of the remediation grace period for findings that violate a security policy.
  • Retrieve findings with comments or mitigations added after a specific date, such as the date of your most recent scan.
Healthcheck REST API
  • You can use the Veracode Healthcheck REST API to test the availability of Veracode core services.

October 29, 2020

Changes to OWASP Mobile Policy Rules

  • Veracode has updated policy rules that include the OWASP Mobile security standard to reflect additional research. OWASP Mobile policy rules now include these CWEs: CWE-77, 78, 80, 252, 287, 319, 345, 404, 415, 416, 601, 614, 676, 693, 757.

  • Applications that contain these flaws may fail OWASP Mobile policy rules as a result of this update. Veracode will apply the update upon rescan of the application.

Improved Notifications for Delayed Scan Results
  • Veracode has improved communication about delayed scan results. You now receive email notifications that include additional details and links for the affected scan. Veracode has also improved the Veracode Platform to indicate delayed scans that are under investigation.

October 19, 2020

Applications REST API
  • You can now view application data and create, update, and delete applications using the Veracode Applications REST API.

September 30, 2020

Updates to Required Veracode Domains

September 26, 2020

Rolling Sandbox Histories

  • Rolling sandbox histories let you limit sandbox data by restricting the number of retained scans for each sandbox to 15. After more than 15 scans, the Veracode Platform deletes the oldest scan, though the data remains available through Veracode Analytics. If enabled, this feature replaces the previous data limitation method of expiring old sandboxes.

  • To request access to rolling sandbox histories, contact Veracode Technical Support.

Updates to Some XML API Deletion Calls
  • To improve performance, the deleteuser.do, deleteteam.do, deleteapp.do, and removefiles.do XML API calls now return an HTTP 200 response and a change summary, instead of a list of the items remaining after the deletion.
  • You can now share links to Veracode Analytics dashboards, including Veracode dashboards and dashboards that your organization creates. To access a dashboard link, you must log in to the Veracode Platform and have permission to view the data in the dashboard.
Activity Log Updates
  • You can now download a report of the full history of application profile activity, scan activity, and sandbox activity. The activity log in the Veracode Platform now displays activity data for the past 90 days.
Technique Removed from TSRV Format for Accepting Risk
  • Veracode has removed Technique from the TSRV standard when you perform the Accept the Risk mitigation action because none of the techniques are relevant to accepting risk. Specifics, Remaining Risk, and Verification are still required fields.
Updates to CWE Top 25 Policy Rules
  • The Latest CWE Top 25 policy rule in the Veracode Platform now reflects the 2020 CWE Top 25 standard. Veracode has also updated the 2019 CWE Top 25 policy rule to disallow the children of CWE-94: CWE-91, 95, 98, 185, and 830.

September 17, 2020

Improved Business Units Tab
  • On the Administration page in the Veracode Platform, Veracode has improved the usability of the Business Units tab.

September 10, 2020

New Video - Create and Manage API Users in the Veracode Platform

August 29, 2020

All Applications Page Now Available to Mitigation Approver and Delete Scans Roles
  • You can now access the All Applications page in the Veracode Platform with the Mitigation Approver or Delete Scans roles. From the All Applications page, you can, then, select an application to approve mitigations or delete scans.
CWE-74 Now Disallowed for the OWASP Security Standard
  • Veracode has reclassified CWE-74 "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" as a high severity finding. CWE-74, which Veracode discovers during Dynamic Analysis, is now included on the disallowed CWE IDs list in the latest version of the OWASP security standard. If your organization is using the OWASP 2017 security standard, you may see more findings violating policy or see your application fail policy as a result of this change.
Support for MITRE CWE List Version 4.1

  • Veracode now provides reporting based on CWE version 4.1 definitions, which changes the names and descriptions of a few existing CWE categories. The complete list of changes in CWE version 4.1 is available from the MITRE website. This new version does not impact the CWE mappings for the OWASP, CWE Top 25, or CERT security standards.

  • MITRE is updating their CWE list on a more frequent basis, but Veracode remains committed to staying up-to-date with each new version. As MITRE updates their CWE database, you might notice periodic changes in Veracode reports, such as differences between parent-child relationships or mappings.

August 21, 2020

Findings API Version 2
  • The Veracode Findings REST API v2 is now available. With this API, you can access information about open and mitigated findings associated with applications and sandboxes. It supports Static Analysis, Dynamic Analysis, Manual Penetration Testing, and Software Composition Analysis scans.

July 28, 2020

Improved User Activity Report
  • An improved user activity report is now available to download as a CSV file, providing easier access to information about user actions.

July 7, 2020

Administrators Can Turn Off Optional Notifications for Their Entire Organization
  • Administrators in the Veracode Platform can now turn off all optional notifications for all new and existing users in their organization account. Individual users have the option to turn the notifications back on for their own user account.

June 29, 2020

New Accept the Risk Mitigation Type
  • Veracode now allows you to resolve a finding by stating that your business is willing to accept the risk associated with that finding. This mitigation type allows you to track and report the risk while continuing to maintain the mitigation and resolution approval process. Veracode updated the mitigationinfo.xsd file to include this mitigation type.

June 27, 2020

Veracode Policies Now Support 2019 CWE Top 25 Security Standard
  • Veracode updated the PCI security standard in the Veracode Platform to include the 2019 CWE Top 25 Security Standard, previously called the SANS Top 25 standard. Applications with findings included in the new standard may fail the PCI policy or PCI standard requirement as a result. Veracode applies the update to applications upon rescan.

June 16, 2020

Veracode Analytics Provides Ignored Issue SCA Data
  • Veracode Analytics now supports SCA agent-based scan issue data about ignored issues, including details of when a user ignored an issue and the username for the user who ignored the issue.

June 11, 2020

New Sandbox Attributes Added to Veracode Analytics
  • Veracode Analytics now provides attributes for tracking sandbox usage. You can view sandbox expiration dates and determine if the Veracode Platform sandboxes are configured for Veracode to automatically recreate them after expiration.
New Dynamic Analysis Dimensions Available in Veracode Analytics
  • Veracode Analytics now provides the Dynamic Analysis fields Path and Vulnerable Parameter, which allow you to better focus and prioritize your remediation efforts.

June 8, 2020

SCA Agent Data Available in Veracode Analytics
  • The Software Composition Analysis (SCA) dashboard is updated in Veracode Analytics to reflect recommended charts for tracking your use of SCA agent-based and upload-and-scan workflows. In addition, Veracode Analytics provides two new explores for SCA agent data: SCA Agent Issues and SCA Agent Scans. These explores enable you to create your own charts and dashboards, providing a better understanding of your open-source risk.

May 28, 2020

Update to Industry Values in Application Profile

  • Veracode has updated the values for industries in application profiles to more accurately reflect the market. Because applications include industry values to help inform the Veracode State of Software Security report, this change affects the createapp.do and updateapp.do XML API calls.

  • If you have a script coded with an expected value for the industry field, please update your script to reflect the updated values or use the default value already provided.

May 13, 2020

Analytics Scan Frequency Requirements Data
  • Veracode Analytics now provides visibility into scan frequency requirements for an application. These requirements include the frequency mandated by the policy, upcoming scan due dates, and any past due dates.

May 7, 2020

New Team Admin Role
  • Veracode has added the new Team Admin user role that an administrator can grant to users. With the Team Admin role, you can create, edit, and delete users within the teams you manage. This new role makes it easier for organizations to manage permissions for a large number of users.
New Mitigation Type
  • Veracode has added a new mitigation type to allow you to propose mitigations using the mitigation type Mitigated - Referred to Library Maintainer. You can classify findings related to libraries developed by another development team. Another development team may build libraries in-house, but they may not own the application Veracode is scanning.

April 30, 2020

New Identity REST APIs
  • The new Identity REST APIs allow you to manage users, teams, and business units. You can also use these REST APIs to create API service accounts and manage API ID/key credentials.
Updated Greenlight Scans Explore Page
  • Veracode has updated the Analytics page Greenlight Scans Explore to reflect the new terminology of IDE scan (formerly known as Greenlight) and to include pipeline scan data.
Updated Applications List View
  • The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering. Veracode is gradually releasing this feature as part of each Platform release, so it may not be immediately available to you.
New Secure Coding Foundation eLearning Courses

Veracode eLearning has released a new set of secure coding foundation courses:

  • Secure Coding Foundations - Authentication
  • Secure Coding Foundations - Authorization
  • Secure Coding Foundations - Configuration and Deployment
  • Secure Coding Foundations - Data Protection
  • Secure Coding Foundations - Information and Error Handling
  • Secure Coding Foundations - Trust Boundaries
  • Secure Coding Foundations - Validation and Encoding

These courses cover application security practices and associated vulnerabilities.

eLearning User Interface Enhancements

Veracode has improved these eLearning windows:

  • Manager window you use to assign learners to a manager
  • Curriculum window you use to assign learners to a curriculum

April 21, 2020

Updated Applications List View

  • The All Applications page in the Veracode Platform now provides customizable columns and improved searching and filtering.

March 28, 2020

CWE 4.0 Support
  • Veracode CWE support is updated to reflect the latest changes from MITRE in the CWE 4.0 release.
Enable Automatic Re-creation of Existing Sandboxes
  • You can now edit existing sandboxes to enable the setting for automatically re-creating the sandbox when it expires.
Due Date Notifications for eLearning Students
  • eLearning administrators can now specify when to send email reminders to notify students about the due dates for assigned courses.
New Python and JavaScript eLearning Courses
  • Veracode has added secure coding courses for Python and JavaScript to eLearning learner levels.

March 19, 2020

New Grace Period Expiration Date in Analytics
  • Veracode Analytics now provides the date when a grace period expires. An expired grace period causes the finding to fail the policy associated with the application. Veracode calculates the date based on the First Found or Last Reopened date, whichever is more recent.
Account Lock Does Not Trigger Email to Administrator
  • To prevent redundant notifications, Veracode no longer sends an email to Administrators in the Veracode Platform when users in their organization are locked out of their accounts. This email is now unnecessary because users can unlock their own accounts.

March 3, 2020

Improved Developer Sandbox Scanning and Added Expiration Date

Veracode has made these improvements to developer sandboxes:

  • You can now perform up to ten sandbox scans simultaneously for a single application. Before starting additional scans, you must wait for at least one running scan to complete.
  • The sandbox list in the application profile now shows all sandboxes in the application that have running scans.
  • All sandboxes now have an expiration date. After a sandbox reaches its expiration date, you can no longer perform scans in it. Seven days after the expiration date, the Veracode Platform automatically removes the sandbox. All data about the removed sandbox is available from Veracode Analytics. You can use the re-create option to have the Veracode Platform automatically create a new sandbox with the same name as a previously-removed sandbox.
Applications REST API Adds Policy Compliance Information
  • Veracode has improved the Applications REST API to include information about the policy compliance of the application.
Executive Summary in Customizable Report PDF Includes Informational Findings
  • The executive summary in the downloadable PDF of the Customizable Report now shows informational findings. The informational findings provide information that can help you ensure your application meets policy compliance.
Email Notifications for eLearning Curriculum Due Date Changes
  • eLearning administrators can now send emails to notify students and their managers when the due date for an assigned curriculum changes. They can also send emails to notify managers when a due date on a curriculum has passed and students have not completed the curriculum.

February 21, 2020

New JavaScript eLearning Courses

Veracode eLearning has released a new set of secure coding courses for JavaScript:

  • Secure Coding for JavaScript - Authentication & Authorization
  • Secure Coding for JavaScript - Configuration and Deployment
  • Secure Coding for JavaScript - Data Protection
  • Secure Coding for JavaScript - Information and Error Handling
  • Secure Coding for JavaScript - Validation and Encoding

These courses cover application security practices and associated vulnerabilities, including the OWASP Top Ten, and secure coding techniques in JavaScript, including using the AngularJS and ReachJS frameworks.

February 19, 2020

Updated Look-and-Feel with New Veracode Branding
  • Veracode has updated the look-and-feel of the Veracode Platform with new branding.

January 28, 2020

Updates to Sandbox Functionality

Veracode has implemented these changes to improve the performance of sandbox scans:

  • You can delete a sandbox and all of its scans when you promote it to policy.
  • You may have a maximum number of sandboxes you can create for each application. The default limit is 25.
Automated Emails for eLearning Curriculum Updates
  • Veracode eLearning administrators can turn on automated email notifications to alert eLearning students and managers when the administrator assigns a curriculum to a student.

January 24, 2020

New Video - Create a Custom Policy in the Veracode Platform
  • This video shows you how to create a custom policy in the Veracode Platform.

January 13, 2020

SCA Findings Dashboard Available in Analytics
  • Veracode Analytics has a new dashboard that provides Software Composition Analysis (SCA) findings on open vulnerabilities, license risk, issue severities, and library data. Veracode Analytics does not currently display findings from agent-based scans.

January 8, 2020

New Video - Review Scan Results
  • This video shows you how to view Veracode scan results in the Veracode Platform.

January 2, 2020

SCA Findings Available in Veracode Analytics

  • Veracode Analytics now provides details about Software Composition Analysis (SCA) findings. If you have an SCA subscription, you can view SCA vulnerabilities displayed in the Findings Status & History dashboard and the Resolution and Mitigation Details dashboard.

  • Veracode Analytics does not currently display findings from agent-based scans.