Application Security Governance Model

Governance Model

Application security testing conducted in the absence of an overarching program and policy governing application risk management within the organization is simply ad-hoc testing. Without establishing policies that take into account elements such as business criticality, regulatory impact, and brand risk, there is no comprehensive understanding of the risk exposure posed by the application portfolio. With ad-hoc testing, there is no way to accurately measure whether the money being spent on application security is cost effective or what the outcome of the dollars being invested really is. Veracode's Governance Model capabilities were designed to make it easy for organizations to identify their application inventories, set policy, and initiate workflow to bring the rest of the organization's testing efforts into alignment with the business value of those applications. Below is a description of the key features that constitute the Governance Model component of the Veracode platform:

Application Inventory Manager:

This provides an XML import capability that allows you to quickly import application inventory information into the Veracode cloud-based platform from systems such as configuration management databases and GRC products. The application inventory manager also offers a rich GUI that allows managers to manually enter applications and associated metadata into the platform.

Application Policy Manager:

Provides a dashboard which you can use to define and assign security policies as well as measure compliance against them. You may choose the default Veracode policy, which is based on accepted industry standards including MITRE's Common Weakness Enumeration (CWE) for classification of software weaknesses, FIRST's Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability, and NIST's definitions of assurance levels. Alternatively, you can pick policies based on industry standards such as the OWASP Top 10 or the CWE/SANS Top 25. The policy manager also supports custom policies that may be articulated as granular rules, such as requiring that the application be free from certain categories or severities of vulnerabilities. You may also use the policy manager to help with regulatory compliance initiatives such as PCI, FISMA, GLBA, HIPAA and SOX.

The application policy manager dashboard is updated with the compliance status as scanning and manual testing activities are completed. This update gives visibility into how an organization is performing against the stated thresholds for each application and where investments, resources, and training activities need to be directed.

Compliance Workflow:

This component of the Governance Model automatically issues notifications to the business owners associated with an application when that application is assigned a security policy. This automated workflow reduces the communication overhead that would otherwise be associated with rolling out a comprehensive application risk management framework.