The activities during the mitigation review will include the following:
- An initiation meeting during which (a) CA Veracode will recommend mitigation techniques based on industry best practice necessary for a mitigation proposal to be considered “valid” for each Common Weakness Enumerator (CWE) ID in Customer’s CA Veracode Policy as defined on the CA Veracode Platform (the “Scanning Policy”) and (b) the Customer will provide input as to how it would like to handle certain specific types of mitigation. Collectively, the mitigation techniques will be referred to as the “Risk Tolerance Guidelines” (RTGs). Should the Customer wish to have a more detailed set of RTGs for their organization beyond what can be covered in a single initiation meeting, they have the option to purchase a more in-depth workshop to establish such detailed risk tolerance guides. Note that the initiation meeting will be held once per Customer, not for each review.
- For each of the five Mitigation Proposal Reviews, CA Veracode will perform one Mitigation Proposal Review of mitigations proposed by the developers of an Application (either a Customer Application or a Third-Party Application), applying the RTGs to the proposed mitigations; this review will be performed within fourteen (14) working days after CA Veracode is informed that the proposed mitigations are ready to review, assuming there are no unanswered inquiries or questions pending to the Customer.
- Following the review, CA Veracode will provide Customer a “Mitigation Proposal Report” for the Application which will describe whether the mitigation conforms to the RTGs.
- Only mitigations proposed for each Common Weakness Enumerator (CWE) IDs that affect the Scanning Policy will be reviewed and included in the Mitigation Proposal Report.
- Within 5 working days of receiving a Mitigation Proposal Review Report, Customer or Third-Party Vendor may request one 60 minute discussion to review the results, otherwise the Mitigation Proposal Review will be consider completed. If requested, the results review session must take place within two weeks of the request.
Customer’s CA Veracode Security Program Management team will assist with the following activities:
- Facilitate distribution and handling the Mitigation Proposal Review Reports to the Customer.
- Inform Customer or Third-Party vendors about the outcome of the Mitigation Proposal Review for the application.
- Coordinate results review discussion, if requested between Customer, Third-Party vendors (if applicable), and CA Veracode.
- If applicable, inform Third-Party vendors of their responsibilities for appropriate documentation of Mitigation Proposals.
The review is limited to no more than 160 proposed mitigations to review per Mitigation Proposal Review. Proposed mitigations in excess of 160 (and in increments of 160) shall be counted as an additional review. If CA Veracode finds a mitigation proposal that doesn’t meet the RTGs, the proposal will be rejected without further review. Mitigation Proposals will be marked as not conforming to the RTGs in cases where CA Veracode cannot find supporting evidence in the CA Veracode Platform for the Application.
In support of Mitigation Proposal Review, the Customer will need to:
- Send email to CA Veracode Security Program Management team to requests a review of mitigation proposals.
- Submit Mitigation Proposals using the TSRV (Techniques, Specifics, Risk unaddressed, and Verification) method.
- Support conversations, prioritization and interactions with developers and Third-Party vendors.
- Provide access to a member of Customer’s staff capable of choosing recommended courses of action on issues where a supplied mitigation proposal ambiguously addresses the Risk Tolerance Guidelines; Customer will provide CA Veracode with decision on their choice within a five working day period after query is raised by CA Veracode.
While Mitigation Proposal reviews are based on industry best practice and the RTGs, CA Veracode does not guarantee the effectiveness of any mitigations, nor does CA Veracode control whether such mitigations will be implemented or followed (if at all) by Customer. Accordingly, CA Veracode will have no liability in the event any security vulnerability or breach. In addition, in no event will CA Veracode actually write any code to fix identified weaknesses, nor does the Mitigation Proposal Review involve any re-writing of mitigation proposals by CA Veracode. Responsibility for coding fixes to the flaws or re-writing mitigations remains with Customer’s or its Third-Party vendors’ developers.