Mitigation Proposal Review (CS-MPR-APP and CS-MPR-APP-10)
The activities during the mitigation review will include the following:
- An initiation meeting during which (a) Veracode will recommend mitigation techniques based on industry best practice necessary for a mitigation proposal to be considered “valid” for each Common Weakness Enumerator (CWE) ID in Customer’s Veracode Policy as defined on the Veracode Platform (the “Scanning Policy”) and (b) the Customer will provide input as to how it would like to handle certain specific types of mitigation. Collectively, the mitigation techniques will be referred to as the “Risk Tolerance Guidelines” (RTGs). Should the Customer wish to have a more detailed set of RTGs for their organization beyond what can be covered in a single initiation meeting, they have the option to purchase a more in-depth workshop to establish such detailed risk tolerance guides. Note that the initiation meeting will be held once per Customer, not for each review.
- Veracode will perform one Mitigation Proposal Review of mitigations proposed by the developers of an Application (either a Customer Application or a Third-Party Application), applying the RTGs to the proposed mitigations; this review will be performed within ten (10) working days after Veracode is informed that the proposed mitigations are ready to review, assuming there are no unanswered inquiries or questions pending to the Customer.
- Following the review, Veracode will provide Customer a “Mitigation Proposal Report” for the Application which will describe whether the mitigation conforms to the RTGs.
- Only mitigations proposed for Common Weakness Enumerator (CWE) IDs that affect the Scanning Policy will be reviewed and included in the Mitigation Proposal Report.
- Within 5 working days of receiving a Mitigation Proposal Review Report, Customer or Third-Party Vendor may request one 60-minute discussion to review the results; otherwise the Mitigation Proposal Review will be considered completed. If requested, the results review session must take place within two weeks of the request.
Customer’s Veracode Security Program Management team will assist with the following activities:
- Facilitate distribution and handling of the Mitigation Proposal Review Reports to the Customer.
- Inform Customer or Third-Party vendors about the outcome of the Mitigation Proposal Review for the application.
- Coordinate the results review discussion, if requested, between Customer, Third-Party vendors (if applicable), and Veracode.
- If applicable, inform Third-Party vendors of their responsibilities for appropriate documentation of Mitigation Proposals.
The review is limited to no more than 8 hours per Mitigation Proposal Review, and a single Application. If Veracode finds a mitigation proposal that doesn’t meet the RTGs, the proposal will be rejected without further review. Mitigation Proposals will be marked as not conforming to the RTGs in cases where Veracode cannot find supporting evidence for the proposal in the Veracode Platform for the Application.
In support of Mitigation Proposal Review, the Customer will need to:
- Send an email to the Veracode Security Program Management team to request a review of mitigation proposals.
- Submit Mitigation Proposals using the TSRV (Techniques, Specifics, Risk unaddressed, and Verification) method.
- Support conversations, prioritization and interactions with developers and Third-Party vendors.
- Provide access to a member of Customer’s staff capable of choosing recommended courses of action on issues where a supplied mitigation proposal ambiguously addresses the Risk Tolerance Guidelines; Customer will provide Veracode with a decision on their choice within a five-working-day period after a query is raised by Veracode.
While Mitigation Proposal reviews are based on industry best practice and the RTGs, Veracode does not guarantee the effectiveness of any mitigations, nor does Veracode control whether such mitigations will be implemented or followed (if at all) by Customer. Accordingly, Veracode will have no liability in the event of any security vulnerability or breach. In addition, in no event will Veracode actually write any code to fix identified weaknesses, nor does the Mitigation Proposal Review involve any re-writing of mitigation proposals by Veracode. Responsibility for coding fixes to the flaws or re-writing mitigations remains with Customer’s or its Third-Party vendors’ developers.