Veracode for Vendors: How it Works
Veracode is designed for companies that need to verify the code of third-party applications. Veracode’s Rating System is a simple four-step program, the 4-S Program: Start, Scan, Score and Secure. All the enterprise needs to provide is contact information for the vendors it would like to have assessed, and Veracode completes the process. Here is how it works:
1. Start
Enterprise sends contact information to Veracode regarding the vendors and applications it would like to have assessed. Vendor uploads the binary executables (no source code required) and/or provides a URL for web scanning.
2. Scan
Veracode conducts vulnerability testing, which is completed within 24 to 72 hours depending on the size and complexity of the application.
3. Score
Veracode creates a rating for each application based on industry-standard benchmarks from NIST, CVSS and CWE, which is provided to both the enterprise and the vendor. As an independent trusted advisor, Veracode sends the full disclosure of all detailed information only to the vendor.
4. Secure (Your Enterprise)
With the security rating in hand, the enterprise determines which vendor applications pass a pre-defined security threshold (e.g. "A"-Rating as a minimum threshold) as part of the secure procurement process.