Establish Corporate Security Policies
Security policy can be defined for an individual application or for groups of applications to set measurable acceptance and deployment security criteria. Veracode's customers typically implement three categories of application security policy, although the Veracode application risk management services platform also enables the definition of custom security policies.
Industry Security Standard Policies
Security policy can be based on industry standards. Veracode offers customers the ability to compare their application security quality to any or all of the following standards:
- OWASP Top 10
- CWE/SANS Top 25
- Veracode’s risk adjusted or VerAfied High Assurance
- Customized Security Thresholds
In addition, Veracode Analytics service aggregates anonymous security testing results from Veracode to enable customers to compare their security quality to peers, across types of software suppliers (outsource, open source, commercial), by programming language (C/C++, Java, .Net, ColdFusion, and others), web and non-web applications, and more. With Veracode, security policies based on industry standards have never been more informed.
Regulatory and Compliance Policies
Veracode's regulatory compliance solutions help organizations manage risk, improve security and pass their compliance audits. Vulnerability results are filtered and prioritized through the Veracode reporting framework to meet the following regulatory compliance standards:
- PCI - Merchants, service providers and payment application software vendors use Veracode's service to meet the application security and code review requirements of the PCI DSS and PA-DSS standards.
- FISMA - Federal agencies use Veracode to ensure their software applications have been evaluated for vulnerabilities in accordance with the Federal Information Security Management Act of 2002.
- GLBA - Veracode helps financial institutions meet the application security testing requirements of the Gramm-Leach-Bliley Act (GLBA) of 1999.
- HIPAA - Health care institutions protect the confidentiality of patient information as required by the Health Insurance Portability and Accountability Act with Veracode's cloud-based application security testing solutions.
- SOX - Public companies automate software vulnerability testing with Veracode to comply with the Sarbanes-Oxley Act of 2002.
VerAfied Application Business Criticality Policies
Veracode provides a simple method for assigning business criticality based on the industry-standard application assurance guidelines developed by NIST. Applications are grouped into easy-to-understand criticality levels from Low to Very High. Using this methodology, Veracode makes recommendations on testing methods and acceptance criteria, enabling organizations to create a uniform standard across the enterprise.
Veracode’s platform also enables customers to set customized security policies for their application inventory.