3rd Party Risk

Veracode’s State of Software Security report indicated that up to 40% of applications are considered 3rd-party applications by customers. It further revealed that between 30 and 70% of applications that are thought of as internally developed are actually comprised of 3rd-party libraries and components. 40% of applications analyzed by Veracode’s customer base were identified as third-party (commercial, outsourced or open source) applications by the submitter. In light of these findings it is imperative to manage risk from third parties as represented by the extended software supply chain of commercial software vendors, open source code and outsourcers. By offering a security assessment on an unlimited number of vendors, Veracode provides organizations with the only viable solution for verifying the security of 3rd-party applications in a cost-effective and scalable manner.

Software Supply Chain

Below are some of the key features made available as part of this service:

Application Portfolio Dashboard:

Leverage a centralized view of risk and security information to manage, set policy, track and report on all your 3rd-party software vendors.

Automated Code Review (Binary Static Analysis):

Veracode’s patented automated static binary analysis reviews the final integrated application, including libraries and 3rd-party components, without requiring your vendors to expose their intellectual property in the form of source code. Enterprises are able to request an assessment of a third party on the platform. Vendors simply upload their binaries to the Veracode platform and we manage the overall process. The service allows for any number of remediation scans so that the vendor can achieve the security threshold deemed acceptable by the enterprise.

Automated Web Vulnerability Scanning (Dynamic Analysis):

For 3rd-party web applications, Veracode’s automated web application vulnerability scanning, also known as dynamic analysis or black-box testing, empowers enterprises to identify and remediate security issues in their 3rd-party web applications before hackers can exploit them.

Open Source Ratings Database:

Access Veracode’s database of security scores for enterprise-class open source projects to gain an understanding of the risk/benefit trade-off of integrating open source versus commercially developed software.

Enterprise Summary Reports, Vendor Detailed Reports:

In order to respect intellectual property ownership, Veracode makes the detailed findings available only to the 3rd-party vendor and provides the enterprise with a high-level summary report. The summary report provides the overall security quality score, with enough information on the application’s performance for the enterprise to make a purchase or acceptance decision.

Extensible, Open Platform:

Veracode’s application risk management platform has been designed as an open and extensible platform that allows for easy integration with other technology platforms, IDEs and bug tracking systems that form the fabric of the software development infrastructure. For the enterprise we offer automated integration with Archer’s GRC Framework product to obtain a centralized view of vendor policies and compliance. For the software vendor we offer XML exports and a results API that can be used to integrate our findings with tools that typically form part of the SDLC, such as bug and defect tracking systems.

Program Management Services Built-in:

For premium edition customers we offer a half-time customer success manager who will help develop the policies and program framework for managing third-party risk by kicking off the engagement with a focused workshop. They will work with the enterprise’s key stakeholders on an ongoing basis to onboard the 3rd parties and manage the testing and acceptance process. This transfers the risk and overhead of dealing with multiple third parties to Veracode’s customer success manager, who also brings to the table extensive experience rolling out 3rd-party risk management programs within large enterprises.