Ensuring your purchased software is secure

Veracode provides enterprises with an independent security assessment of purchased commercial off-the-shelf software, stopping security risk before it enters the organization.

COTS SecurityReview: How it Works

COTS SecurityReview is designed for companies that need to verify the code of third-party applications. Veracode's Rating System is a simple four-step program, the 4-S Program: Start, Scan, Score and Secure. All the enterprise needs to provide is contact information for the vendors they would like to have assessed, and Veracode will complete the process. Here is how it works:

1. Start

The enterprise sends contact information to Veracode for the vendors and applications it would like to have assessed. The vendor uploads the binary executables (no source code required) and/or provides a URL for web scanning.

2. Scan

Veracode conducts vulnerability testing, which is completed within 24 to 72 hours depending on the size and complexity of the application.

3. Score

Veracode creates a rating for each application based on industry-standard benchmarks from NIST, CVSS and CWE; the rating is provided to both the enterprise and the vendor. As an independent trusted advisor, Veracode sends the full disclosure of all detailed information only to the vendor.

4. Secure (Your Enterprise)

With the security rating in hand, the enterprise determines which vendor applications pass a pre-defined security threshold (e.g. an "A" rating as the minimum threshold) as part of the secure procurement process.


