/apr 30, 2018

What the Veracode Verified Standard Tier Looks Like

By Suzanne Ciccone

We recently revamped and relaunched our Veracode Verified program. To better suit the needs of organizations that are producing and updating apps at DevOps speed, we are moving away from attesting to the security of an application at one point in time, and, rather, attesting to the security of the overall development process of an application. In this way, your prospects and customers can rest assured that security was embedded into the development process that created your product. With the Verified seal, you prove at a glance that you’ve made security a priority, and that your security program is backed by one of the most trusted names in the industry.

Is the Veracode Verified program right for you? It is if you are:

  • Looking for a way to speed sales cycles by addressing customer and prospect security concerns pre-emptively
  • Tired of bogging down security resources with audit requests from customers
  • Ready to embark on an application security initiative, but don’t know where to start
  • Required to justify your AppSec spend

The Veracode Verified program includes three tiers, allowing you to quickly get ramped up and achieve your first seal, then work toward the other tiers over time as you grow and mature your application security program. The first tier of the Veracode Verified program is the Standard tier. What does application security look like at this tier?

Organizations in the standard tier:

Assess first-party code with static analysis: The ultimate goal of an application security program is to assess the security of every application – both those created internally, plus third-party and open source code – with multiple testing types. However, most organizations start small and build their program over time, and a good place to start is by assessing your internally developed code with static analysis. Unlike manual code reviews or penetration tests, Veracode Static Analysis is an automated process that delivers repeatable results. Since we give you accurate results and prioritize them based on severity, you won’t need to waste resources dealing with hundreds of false positives.

To get a better sense of our static analysis works, get a personal demo.

Document that the application does not allow Very High flaws in first-party code: Tackling the most severe vulnerabilities first is always best practice. Ultimately, successful vulnerability management is all about prioritizing remediation based on risk. Encouragingly, we found that to be a best practice among our customer base in 2017. Our most recent State of Software Security report compared the fix rate of very high and high severity vulnerabilities to the overall fix rate, and found that organizations are reducing the most severe flaws at about twice the overall fix rate.

Provide developers with remediation guidance: Effective application security doesn’t stop at finding flaws, it also fixes them. But many developers aren’t equipped to remediate the vulnerabilities static analysis uncovers. In fact, in a survey we conducted with DevOps.com, seven in 10 developers said their organizations don’t provide adequate training in security, and 76 percent reported that they weren’t required to complete any security courses while in school. On the other hand, providing the team with remediation guidance gets results. Research done for our 2017 State of Software Security report revealed that Veracode customers that offer developers remediation coaching improve fix rates by 88 percent.

Get Started

Application security can be a daunting prospect for many, but breaking it into manageable steps, prioritizing the tasks, and starting small make it doable. The Veracode Verified program can help you do just that, while proving to your prospects that security is a priority at your organization.

Ready to reach the Standard tier? Contact us to get started.

Related Posts

By Suzanne Ciccone

Suzanne is part of the content team at Veracode, working to create resources that shed light on AppSec problems and solutions.