Ensure that proposed mitigations are effective and satisfy auditors
Developers mitigate rather than fix about 10% of vulnerabilities. Mitigations may be effective but development teams are not impartial and don’t have the application security expertise needed to satisfy an auditor’s scrutiny. In addition, security teams lack the staff to review proposed mitigations and evaluate whether they are sufficient. Reviewing mitigations requires both application security and programming knowledge, and this combination of skills is hard to hire. Best case, this leads to failed audits or delayed releases because mitigations were reviewed improperly or too late. Worst case, companies risk a security incident.
About 10% of flaws found in an application are mitigated by developers.
Veracode Mitigation Proposal Review (MPR) enables you to speed application development while ensuring that you remain secure. You’ll be able to tap Veracode’s security and development expertise to swiftly review proposed mitigations and evaluate whether they are valid, appropriate, and effective. Veracode gives you the peace of mind that your mitigating controls conform with your application security policy, or that they are swiftly returned to development teams to be improved. With Veracode MPR you can save time, reduce the cost of addressing compliance issues, and securely ship software.
Keep mitigation reviews from becoming a release bottleneck
When a vulnerability is found shortly before a release, mitigation is often the faster option. Turnaround time is critical, and your security team may be working on other priorities – if you have the right expertise at all. Veracode’s application security consultants have a background in software development and the ability to review your developers’ mitigation proposals on your behalf. By reviewing your developers’ mitigations, they help ensure that your application is safe, save you time, and get the application released on schedule.
Ensure compliance with your application security policy
Veracode’s application security consultants review your developers’ mitigations with your application security policy and your organizational risk tolerance in mind, and customize their reviews to ensure they reflect your industry and compliance needs. Having this impartial, qualified review from a technical and compliance perspective is a huge step in satisfying auditors.
Document the mitigation in a standardized format
Veracode uses its custom, standardized TSRV format for mitigation proposals to ensure that compensating controls are accurately captured, described, and implemented. The format captures the mitigation technique, the specific compensating controls, the remaining risk, and documentation of how the mitigation was verified. Using a standardized format greatly streamlines documentation, review, and audit.
Request reviews through the Veracode Platform or your IDE
The Veracode Application Security Platform integrates into your existing development toolchains and processes. Developers can request reviews from the Veracode Platform or right from their IDE. Veracode delivers review results either through those same means or via ticketing systems.
With Veracode MPR, an insurance company reviewed 5x as many mitigation proposals at a much lower cost per flaw by saving developer time, all within the first month.
Track flaws, reviews, and compliance through a single platform
All Veracode services are delivered through the Veracode Platform, which provides a central repository for information about your software weaknesses, as well as proposed, accepted, and rejected mitigations. And the same workflow can be used for static, dynamic, or manual findings. Veracode application security consultants can make more informed decisions on whether a proposed mitigation is effective because they can see the exact application data flow that was analyzed as part of the static analysis.
If you’re already scanning your own code with Veracode, contact your support representative to find out how we can help your program go faster.