Third-Party Security

Whether you work for an enterprise and want to make sure your third-party software is secure or you’re a vendor who wants to prove to enterprises your applications comply with security standards — such as the OWASP Top 10 and PCI — we can help.

Vendor Application Security Testing (VAST)

VAST reduces the risk associated with third-party software — so you can innovate with more speed and confidence than ever. With VAST, we manage the entire third-party program for you as a cloud-based service — and work directly with vendors in your software supply chain to ensure they’re compliant with your corporate security policies.

Independent audit services

Take the complexity, cost and hassle out of proving your applications are secure.  Get listed in our Directory of VerAfied applications

Our independent software audit service gives you a simple and cost-effective way to give your enterprise customers the third-party security attestation they require. And thanks to our patented binary static analysis, you don’t need to upload your source code to our platform, protecting your intellectual property.

How VAST works

To help enterprises better understand and reduce the security risks associated with the use of third-party software, the VAST program consists of three stages:


  • We work with you to formulate a third-party compliance policy and acceptance criteria, based on best practices and your corporate security policies around business criticality and risk.

  • We offer guidance for the creation of non-compliance penalties and escalation procedures for third-parties.

  • We assist you in assembling lists of vendors and applications for the program.

  • We provide standard templates for communicating with third-parties about the requirement to be assessed by an independent organization, typically signed by a senior executive in vendor management or procurement, security and/or IT.


  • Third-party uploads binaries to our security platform.

  • We analyze applications for vulnerabilities, based on the enterprise’s security policy.

  • We publish summary report to all stakeholders via our cloud-based platform.


  • If necessary, the software provider remediates or mitigates vulnerabilities with assistance from our security experts.

  • The remediated application is then re-tested to meet enterprise security policy.

  • We alert stakeholders when vendor-supplied software is compliant with your corporate policy.

  • Some enterprises allow software suppliers to submit their own attestations based on their internal testing results. These attestations are also collected and published to stakeholders via our cloud-based platform.


* State of Software Security Report (Vol. 5)