The activities during the twelve (12) months of the subscription term will include the following:
- Perform “As-is”/ “To-Be” analysis of Customer’s current application security program and outline the desired state using RAS. Analysis will specifically evaluate:
- Existing CA Veracode scanning workflow at Customer (including CA Veracode Platform on-boarding, scanning, remediation, and mitigation processes);
- Customer’s existing application security program communications used to interact with development teams;
- Defining, documenting, and agreeing with Customer new or amended workflows for a RAS enabled application security program; and
- Defining, documenting, and agreeing with Customer on new or amended communication plans and templates.
- “Onboarding” applications to the RAS Program (the “RAS Onboarded Applications”)
- The RAS Onboarded Applications will include only Customer applications written using programming languages and frameworks supported by the CA Veracode Platform and shall not include any Third Party (i.e., VAST) Applications.
- Establish high-level guidance to be provided for mitigation techniques, based on knowledge of Customer’s environment and industry best practice, that is necessary for a mitigation proposal to be considered “valid” for each Common Weakness Enumeration (CWE) ID in Customer’s CA Veracode Policy as defined on the CA Veracode Platform (the “Customer Policy”). Collectively, the mitigation techniques will be referred to as the “Risk Tolerance Guidelines.” The Risk Tolerance Guidelines will be used in the course of performing RAS.
Provide remediation coaching and guidance for RAS Onboarded Applications covering “High” and “Very High” severity flaws as listed by default severity levels on the CA Veracode Platform. Such remediation coaching and guidance may include:
- Working with development and security teams to help ensure that the scanning coverage is appropriate to the Application (including helping to address pre-scan issues and module selection issues);
- Triaging flaws within an application to determine which ones may be mitigated per the Customer’s Risk Tolerance Guidelines and which ones should be remediated (fixed) in the code;
- Identifying remediation techniques and encoding libraries and methods that Customer’s developers should consider using to fix identified flaws;
- Explaining the output of the triage and suggested mitigation techniques to the developers;
- Providing guidance to Customer’s application security team on the proposed mitigations that have been submitted for RAS Onboarded Applications; and
- Providing secure coding advice and guidance during the Customer’s development lifecycle for RAS Onboarded Applications.
While such coaching and guidance will be based on industry best practice and the Customer’s Risk Tolerance Guidelines, CA Veracode does not guarantee the effectiveness of such coaching and guidance, nor does CA Veracode control how any such coaching and guidance will be implemented or followed (if at all) by Customer’s developers. Accordingly, CA Veracode will have no liability in the event of any security vulnerability or breach. In addition, in no event will CA Veracode actually write any code. The purpose of RAS is to guide a customer’s developers to write code more securely from the start and to help guide the developers in fixing flaws found. Responsibility for coding fixes to the flaws remains with Customer’s developers.
In support of RAS, the Customer will need to:
1. Support escalations, conversations, prioritization and interactions with Customer’s developers.
2. Provide remote access for CA Veracode Application Security Consultants to Customer Systems in a manner that will allow the CA Veracode Application Security Consultant to effectively provide RAS coaching and guidance. Such access may include:
- Customer laptops or Virtual Desktop Environment;
- Customer Email Systems;
- Customer Instant Messaging and collaboration systems; and/or
- Other such information system resources as required to deliver RAS.
3. Provide access to a member of Customer’s staff capable of choosing recommended courses of action on issues where a developer’s mitigation proposal may not be in conformity with the Risk Tolerance Guidelines.
4. Provide program management staff as may be required to guide applications and development teams through any new application security workflows, including:
- Reminders and follow-up activities to get developers to scan, fix, mitigate, etc.;
- On-boarding Customer’s developers to the CA Veracode Platform; and
- CA Veracode Platform administration.
5. Provide access to Customer staff required by CA Veracode to provide RAS, including but not limited to:
- Customer Application Security Service Owner;
- Members of Customer Application Security Team;
- Members of Customer Software Development Team; and
- Other members of Customer’s staff as required to support RAS.