Veracode announces a free Community Edition of Veracode Security Labs – a platform that aims to provide a comprehensive sandbox environment for researching and practicing static code analysis. The concept behind it is pretty similar to PortSwigger Web Security Academy – another great tool, which allows practicing dynamic application security testing.
Static code analysis, or static application security testing (SAST), assumes you have access to the application source code and can apply analysis techniques, both automated and manual, to reveal vulnerabilities in it. Dynamic application security testing (DAST) techniques, by contrast, focus on analyzing the application in its run-time environment and finding security flaws while it is functioning. One can think of SAST as testing the application from the inside, and DAST as testing it from the outside.
Veracode mentions that their Community Edition is designed with developers in mind, who may lack security training and would hesitate to invest in closing their knowledge gaps. With the Community Edition they get free access to descriptions of the most important typical vulnerabilities, can launch containerized test applications with such vulnerabilities embedded, and have access to the corresponding source code and the possibility to prepare and apply security fixes. The Enterprise Edition will be licensed per user and will have extended topic coverage with additional features, such as a leaderboard, single sign-on, reporting for compliance, and others.
Based on our experience, such platforms are great for beginners in application security. They allow developers and security professionals to learn and practice basic skills. We widely use them in our training programs and can definitely recommend them to those who feel strong in self-education.