The ability to rate software security levels allows companies to manage risk by determining whether or not the software meets their requirements.

– Diana Kelley, analyst, the Burton Group
Standards-Based Ratings

The Veracode software ratings system

Veracode offers the industry’s first standards-based ratings system for determining security levels in software. The Veracode ratings system provides a pragmatic way for enterprises and Independent Software Vendors (ISVs) to measure, compare and improve application security levels.

How the Ratings Work

Determine the Assurance Level (Business Criticality) for each Application
  • First, an assurance level is assigned to each application based on business risk factors such as reputation damage, financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations.
  • Assurance levels are typically set by one of two parties: an enterprise evaluating third-party software, which determines the risk level it will accept before purchase, or a software vendor, which typically opts for a higher assurance level to increase the marketability of its applications.

Download our assurance level worksheet to determine the business criticality of your applications.

Conduct Application Security Test and Assign a Rating
  • Veracode applies specific assessment techniques based on the assurance level. The most business-critical applications (highest assurance level) undergo static binary application security testing, dynamic application security testing and manual penetration testing.
  • Veracode then assigns a rating to each application. The baseline rating is based on a Security Quality Score (SQS), from 0 to 100 with 100 being the most secure, and an assurance level that is jointly determined with the software vendor or enterprise, from 1 to 5 with 5 being the highest business criticality.
  • The SQS and the assurance level are converted into a final grade (similar to Moody’s ratings for financial services). The best possible grade is “AAA”, which requires combined static, dynamic and manual analysis. Static plus dynamic analysis yields a two-letter grade; static analysis alone yields a single-letter grade.
Application Security Ratings

Learn more about what the ratings mean to your organization.

Learn more about the ratings process as part of how Vendor SecurityReview works if you are an enterprise requesting a third-party software assessment.

Learn more about the ratings process as part of how SDLC SecurityReview works.