VerAfied Methodology

VerAfied is the industry’s first standards-based mark of security quality for both internally developed and third-party software applications. By leveraging industry standards, Veracode provides a pragmatic and repeatable method for organizations developing or procuring software to measure, compare and reduce risks related to application security.

Veracode uses static binary analysis, dynamic analysis and/or manual penetration testing to identify security flaws in software applications. The basis for the VerAfied security mark is the Security Quality Score (SQS) which aggregates the severities of all security flaws found during the assessment and normalizes the results to a scale of 0 to 100. Applications found to have no “very high”, “high” or “medium” severity vulnerabilities, nor any OWASP Top 10 or CWE/SANS Top 25 vulnerabilities that could be discovered using Veracode’s automated analysis may earn the VerAfied mark.

Standards-based ratings

The VerAfied assessment is based on respected industry standards: MITRE’s Common Weakness Enumeration (CWE) for classification of software weaknesses, FIRST’s Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability, and NIST's definitions of assurance levels. Veracode is the only organization to combine these standards into a meaningful and practical way to assess software security across internally developed and externally purchased applications.

Veracode is a participating organization in the CWE community effort and was the first application security vendor to implement MITRE’s CWE as a standard identifier. CWE is now becoming broadly adopted across the application security space by many other vendors and security practitioners. Each identified flaw is associated with a CWE ID and a severity weight based on the confidentiality, integrity, and availability impacts for that flaw as defined by the Common Vulnerability Scoring System (CVSS). See MITRE’s compatibility section to compare Veracode’s support of CWE versus other vendors.

CVSS is utilized by the National Vulnerability Database and by major software companies such as Cisco and Oracle to prioritize their security remediation and establish compliance initiatives such as PCI. Version 2.0 of CVSS was released by FIRST in June 2007. Gartner believes that CVSS should be incorporated by IT vendors for vulnerability and patch reporting and has stated that “CVSS is a powerful approach for businesses to standardize the impact assessment and prioritization of IT vulnerabilities.”

Software security metrics for business and government require the context of an assurance level. Veracode uses the assurance levels defined in the OMB document M-04-04. This assurance definition takes into account the impact on the organization in terms of damage to reputation, financial loss or liability, harm to operations, unauthorized information disclosure, personal safety, and civil or criminal violations. Veracode participates in the NIST Software Assurance Metrics and Tools Evaluation (SAMATE) Project. Our static analysis supports the requirements of the NIST Source Code Security Analysis Tool Functional Specification Version 1.0.