The ability to rate software security levels allows companies to manage risk by determining whether or not the software meets their requirements.

– Diana Kelley, analyst, the Burton Group
Standards-Based Ratings

The Veracode software ratings system

Veracode offers the industry’s first standards-based ratings system for determining security levels in software. The Veracode ratings system provides a pragmatic way for enterprises and Independent Software Vendors (ISVs) to measure, compare and improve application security levels.

What the Ratings Mean

The basis for Veracode’s rating is the Security Quality Score (SQS), which leverages standards-based classification schemes such as the Common Weakness Enumeration (CWE), the Common Vulnerability Scoring System (CVSS) and the National Institute of Standards and Technology (NIST) to determine weaknesses and their severity levels. For the SQS, the severities of all security flaws are aggregated and normalized to a scale of 0 to 100, where 100 is the highest score an application can receive. The score generated by each type of assessment (automated static, automated dynamic, or manual) is then mapped to a rating given the application’s business criticality (its assurance requirements).

Higher assurance applications require a higher score than lower assurance applications to receive an A rating. Since Veracode assigns a rating to each application that is assessed, enterprises gain insight into the security quality of software they have purchased, similar to the insight Moody's®, Standard and Poor's® or Consumer Reports® provide for other products. The best possible score an application can achieve is AAA.

Security Assurance Levels

The first letter in a software rating represents automated static binary analysis testing, the second letter represents automated dynamic analysis testing and the third letter represents human testing. The letters run from “A” to “F”, skipping “E.” Veracode believes high assurance applications require all three testing techniques and has built the ratings service and service platform to incorporate and integrate all three. The rating should always be interpreted in the context of the application's assurance level.
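The scoring pipeline described above (aggregate flaw severities, normalize to 0–100, map to a letter according to the assurance level, then combine one letter per assessment type) can be modelled in a few lines. The following is an added example written for this page, not Veracode's code or its published SQS formula: the penalty weights per CVSS band, the aggregation rule and the per-level thresholds are assumptions chosen for illustration, and the findings are constructed sample data. It exists to show why the same 0–100 score can earn an A for a low-assurance application and only a C for a high-assurance one.

```python
"""Toy model of a three-letter security rating (static / dynamic / manual).

Added example. The penalty weights, aggregation rule and thresholds below are
assumptions for illustration, not Veracode's published SQS method.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cwe: str      # weakness class label, e.g. "CWE-89"; not used in arithmetic
    cvss: float   # CVSS base score, 0.0 to 10.0


def penalty(cvss: float) -> int:
    """Hypothetical penalty per finding, banded by CVSS severity (assumption)."""
    if cvss >= 9.0:
        return 25   # critical
    if cvss >= 7.0:
        return 15   # high
    if cvss >= 4.0:
        return 5    # medium
    if cvss > 0.0:
        return 1    # low
    return 0        # informational


def security_quality_score(findings) -> int:
    """Aggregate severities and normalize to 0..100 (100 = no weaknesses found)."""
    total_penalty = sum(penalty(f.cvss) for f in findings)
    return max(0, 100 - total_penalty)


# Hypothetical minimum score for each letter, per assurance level (assumption).
# A higher-assurance application needs a higher score to earn the same letter.
THRESHOLDS = {
    "low":    [("A", 70), ("B", 55), ("C", 40), ("D", 25)],
    "medium": [("A", 80), ("B", 65), ("C", 50), ("D", 35)],
    "high":   [("A", 90), ("B", 75), ("C", 60), ("D", 45)],
}


def letter(score: int, assurance: str) -> str:
    """Map a 0..100 score to A/B/C/D/F for the given assurance level."""
    for grade, minimum in THRESHOLDS[assurance]:
        if score >= minimum:
            return grade
    return "F"   # "E" is skipped, as in the page's scheme


def rating(static, dynamic, manual, assurance: str) -> str:
    """Three letters: static analysis, dynamic analysis, manual testing."""
    return "".join(
        letter(security_quality_score(findings), assurance)
        for findings in (static, dynamic, manual)
    )


if __name__ == "__main__":
    # Constructed sample findings for one application.
    static_findings = [Finding("CWE-89", 9.8), Finding("CWE-79", 6.1)]
    dynamic_findings = [Finding("CWE-79", 6.1)]
    manual_findings = []
    for level in ("low", "medium", "high"):
        print(level, rating(static_findings, dynamic_findings, manual_findings, level))
```

The static score here is 70 (penalties 25 + 5), which the thresholds turn into an A at low assurance, a B at medium and a C at high; the empty manual result scores 100 and is an A at every level. In a real programme the weights and cut-offs would come from the rating provider, not from this file.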

Veracode provides a formal Verified by Veracode™ logo program for applications achieving at least an “A” rating. Learn more about the Verified by Veracode program.