The Sarbanes–Oxley Act of 2002, commonly called SOX or SarbOx, is a United States federal law passed in response to a number of major corporate and accounting scandals. The legislation is wide ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms which are overseen by the newly created Public Company Accounting Oversight Board (PCAOB) in accordance with SEC rules.

Section 404 of the Act requires annual evaluation and documentation of the internal controls and procedures in place to secure the integrity of financial information. Internal controls must be documented, and a system must be implemented to monitor their effectiveness. Section 302 requires the CEO and CFO to quarterly certify the existence of internal controls and sign off on the veracity of the company’s financial statements. Key to their ability and willingness to sign off are the concepts of data transparency and accountability.

According to Gartner, 75 percent of all new attacks are directed at software applications. These applications control financial transactions and vulnerabilities in software put the integrity of financial results at risk. In fact, the National Vulnerability Database reported over 3,400 new software vulnerabilities disclosed in the 1st half 2007 alone. Public companies must ensure that software applications have been tested for vulnerabilities that may compromise their systems in order to comply with SOX Section 404.

Veracode’s on-demand application security testing service allows public companies to embed application security testing into their processes as an automated control to cost-effectively achieve SOX compliance. Many organizations use the IT Governance Institute’s Control Objectives for Information and Related Technology (COBIT) framework to implement SOX compliant IT processes. Veracode provides independent application security testing which enables organizations to demonstrate compliances with relevant sections of SOX following the COBIT framework:

• AI2 Acquire and Maintain Application Software - Veracode enables organizations to identify risks and address application security requirements as part of the software lifecycle process. Learn More…
• AI5 Procure IT Resources – Veracode is the only solutions provider which can scan packaged COTS applications without requiring access to source code, allowing companies to embed security into their procurement process in accordance with the COBIT framework. Learn More…
• AI7 Install and Accredit Solutions and Changes – Veracode enables organizations to quickly conduct testing of changes and satisfy “independence” guidelines by providing an independent review and rating. Learn More…
• DS2 Manage 3rd Party Services – Software used by suppliers to deliver critical services can be scanned to manage risks associated with vulnerabilities that may impact the integrity of financial reporting. Learn More…
• DS5 Ensure System Security – Veracode’s SecurityReview is used to meet COBIT security testing and malicious software prevention requirements.
• PO9 Assess and Manage IT Risk – Veracode application testing allows organizations to assess risks and vulnerabilities in software that handles financial transactions.

Learn more about Veracode’s solutions...