Independent Audits for ISVs

Now more than ever, Independent Software Vendors (ISVs) and outsourced development firms are asked to certify that their software is secure as a prerequisite to becoming approved suppliers. This is often driven by formal governance programs instituted by enterprises for managing third-party risk in the software supply chain.

Fact is, the Financial Services Information Sharing and Analysis Center (FS-ISAC) — an industry working group consisting of security executives from Morgan Stanley, CITI, Goldman Sachs, Aetna, GE Capital, RBS, Thomson Reuters and other global leaders — has published a list of recommended control types for third-party software. The group’s recommendations include implementing binary static analysis (SAST) as a detective control for assessing the security of all third-party software — including commercial off-the-shelf software, outsourced code, third-party components and open source.

Our Vendor Application Security Testing (VAST) program helps ISVs and other third-party developers document their compliance with enterprise security policies. As a trusted, independent party, we provide an independent audit of your software that you can use as an alternative to self-attestation. Plus, we provide detailed test results and step-by-step remediation assistance for your developers so they can quickly remediate critical vulnerabilities that can damage your brand by enabling cyber-attacks on your customers.

We provide this via a scalable cloud-based platform that gives you full IP protection because we don’t require access to your source code — and you can get started immediately without hiring more security experts or purchasing additional servers and tools.

Key capabilities

  • Our cloud-based platform automates all test procedures and analyzes binaries without requiring access to source code.

  • We provide analytics and detailed test results with line-of-code-level information to help development teams prioritize vulnerabilities and rapidly remediate them.

  • Our platform performs a rigorous analysis of any application using best practices and standard controls such as the OWASP Top 10, CWE/SANS Top 25 and PCI.

  • We support all widely used languages and platforms for web and mobile applications, including:

    • Java & .NET

    • C/C++: Windows, Linux & Solaris

    • Web Platforms: J2EE, ASP.NET, Classic ASP, PHP, Cold Fusion, Ruby

    • Mobile Platforms: Objective C for iOS, Java for Android & J2ME for BlackBerry

  • We provide tight integration with existing processes and tools including IDEs (Eclipse, Visual Studio, etc.), build processes (Jenkins, Ant, Maven, TFS, etc.) and issue tracking systems (JIRA, Bugzilla, Archer, etc.).

  • You have the option to publish summary test reports to our directory of vendors that have taken appropriate steps to remove vulnerabilities in their software or to comply with respected industry standards such as the OWASP Top 10 or the CWE/SANS Top 25 Most Dangerous Software Errors.

  • We provide dedicated developer support and step-by-step expert guidance for successful remediation efforts.