The VerAfied Directory is a list of software products that have successfully completed the Veracode Security Verification Process. The VerAfied and VerAfied High Assurance security marks are quality indicators for the security level of applications and software components and demonstrate that the Software Vendor has achieved appropriate levels of security. Veracode’s ratings are completely transparent and based on industry-accepted standards for software assessment from NIST, CWE and CVSS, measured against vulnerability benchmarks such as the OWASP Top 10 and CWE-SANS Top 25.
Why Should Software Vendors Get VerAfied?
- Differentiate your product - Software security is an increasingly important customer purchase requirement. Set yourself apart by visibly demonstrating independent security verification.
- Create a trusted brand - Brand conveys your quality standards. The VerAfied mark tells customers you care about security quality.
- Anticipate and resolve customer concerns - Customers appreciate proactive suppliers. Don’t wait to be asked for your security results. Promote your efforts to improve security quality.
- Accelerate (or preempt) application security audits - Customer audits are part of doing business. The VerAfied mark indicates you have successfully completed independent verification of security quality to industry standards or better and can document security quality results.
- Lower costs by building security quality into every application - It always costs more to find security vulnerabilities after the application is deployed: fixes are more expensive and damages may be assessed.
How do I get my application VerAfied and Listed?
Getting VerAfied is a simple four-step process enabled by Veracode. Here is how it works:
1. The Software Vendor contacts Veracode. Veracode provides guidance on which modules should be assessed for thorough analysis and which security testing techniques are most appropriate. Veracode then provisions the Software Vendor on the Veracode cloud-based platform, where the vendor uploads the target binary executables and required libraries (no source code required) for a static analysis (white box testing) or provides a URL for a dynamic analysis (black box testing).
2. Veracode conducts a vulnerability assessment, which is completed within 24-72 hours depending on the VerAfied mark sought and the application’s complexity and composition.
3. Veracode produces a complete security assessment report detailing the application’s security quality and top security vulnerabilities for the Software Vendor to remediate, if necessary. After successfully remediating vulnerabilities, usually in 1 or 2 additional submissions, the Software Vendor may apply for a VerAfied mark.
4. If earned, the VerAfied or VerAfied High Assurance mark is issued by Veracode for use by the Software Vendor, and the application is listed in the VerAfied Directory for other prospects and customers to see.
Frequently Asked Questions about VerAfied
What does the VerAfied security mark mean?
Due to the nature of software security testing, no organization can guarantee that its software is completely secure. However, through rigorous testing using Veracode’s automated static binary analysis, automated dynamic web vulnerability scanning (if applicable), and/or manual penetration analysis, the VerAfied mark signifies that software vendors have used the most widely accepted and comprehensive methods available to secure their software.
The VerAfied mark indicates that an application has received an independent security verification from Veracode and the provider has resolved or mitigated any vulnerabilities identified by automated static binary analysis and automated dynamic analysis (if applicable).
The VerAfied High Assurance mark indicates that an application has received an independent security verification from Veracode and the provider has resolved or mitigated any vulnerabilities identified by automated static binary analysis, automated dynamic analysis (if applicable) and manual penetration testing.
What types of applications get VerAfied?
Only Veracode can verify security quality in applications that are stand-alone, multi-tiered or part of an interconnected system without requiring any source code. Veracode assesses 100% of the application code including third-party libraries for any application written in C/C++, Java, C#.NET, ASP.NET, VB.NET, ColdFusion, RIM Mobile and Windows Mobile across common Solaris, Windows and Linux platforms.
What types of security risk are found in the VerAfied process?
Veracode finds the security risks that matter most to your customers. The VerAfied security mark is based on industry standards including MITRE’s Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST’s Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability. The process also draws on the CWE-SANS Top 25 Most Dangerous Programming Errors and the Open Web Application Security Project (OWASP) Top Ten. These include cross-site scripting, SQL injection, buffer overflow, directory traversal, information leaks, integer overflow, the absence and presence of security features (e.g. encryption), and backdoors in third-party code that may lead to insider fraud and cyber terrorism.