The activities during the mitigation review will include the following:
- An initiation meeting during which (a) CA Veracode will recommend mitigation techniques based on industry best practice necessary for a mitigation proposal to be considered “valid” for each Common Weakness Enumerator (CWE) ID in Customer’s CA Veracode Policy as defined on the CA Veracode Platform (the “Scanning Policy”) and (b) the Customer will provide input as to how it would like to handle certain specific types of mitigation. Collectively, the mitigation techniques will be referred to as the “Risk Tolerance Guidelines” (RTGs). Note that the initiation meeting will be held once per Customer.
- CA Veracode will perform Mitigation Proposal Reviews of mitigations proposed by the developers of an Application (either a Customer Application or a Third Party Application), applying the RTGs to the proposed mitigations; reviews will be performed within the CA Veracode Platform, after CA Veracode is informed that the proposed mitigations are ready to review, assuming there are no unanswered inquires or questions pending to the Customer.
- Only mitigations proposed for each Common Weakness Enumerator (CWE) ID’s that affect the Scanning Policy will be reviewed.
- Customer’s CA Veracode Security Program Management team will assist with the following activities:
- Inform Customer or Third Party vendors about the outcome of the Mitigation Proposal Review for the application.
- Coordinate results review discussion, if requested between Customer, Third Party vendors (if applicable), and CA Veracode.
- If applicable, inform Third Party vendors of their responsibilities for appropriate documentation of Mitigation Proposals.
If CA Veracode finds a mitigation proposal that doesn’t meet the RTGs, the proposal will be rejected without further review. Mitigation Proposals will be marked as not conforming to the RTGs in cases where CA Veracode cannot find supporting evidence in the CA Veracode Platform for the Application.
In support of Mitigation Proposal Review, the Customer will need to:
- Send email to CA Veracode Security Program Management team to requests a review of mitigation proposals.
- Submit Mitigation Proposals using the TSRV (Techniques, Specifics, Risk unaddressed, and Verification) method.
- Support conversations, prioritization and interactions with developers and Third Party vendors.
- Provide access to a member of Customer’s staff capable of choosing recommended courses of action on issues where a supplied mitigation proposal ambiguously addresses the Risk Tolerance Guidelines; Customer will provide CA Veracode with decision on their choice within a five working day period after query is raised by CA Veracode.
While Mitigation Proposal reviews are based on industry best practice and the RTGs, CA Veracode does not guarantee the effectiveness of any mitigations, nor does CA Veracode control whether such mitigations will be implemented or followed (if at all) by Customer. Accordingly, CA Veracode will have no liability in the event any security vulnerability or breach. In addition, in no event will CA Veracode actually write any code to fix identified weaknesses, nor does the Mitigation Proposal Review involve any re-writing of mitigation proposals by CA Veracode. Responsibility for coding fixes to the flaws or re-writing mitigations remains with Customer’s or its Third Party vendors’ developers.