Integrating security practices into the software development lifecycle and verifying security of internally developed applications before they are deployed can help mitigate risk from internal sources. Using CA Veracode for internal applications helps customers implement this security program in a simple and cost-effective way. By offering unlimited scans on any number of internal applications it truly provides an opportunity to expand their internal application security program to a broader cross-section of applications in their inventory than was previously possible due to cost and scale concerns.
Below are some of the key features made available as part of this service:
Application Portfolio Dashboard:
Leverage a centralized view of risk and security information to manage, set policy, track and report on all your internal applications across your entire geographically dispersed development teams.
Automated Code Review (Binary Static Analysis):
CA Veracode’s patented automated static binary analysis reviews the final integrated application, including libraries and 3rd party components. This approach allows for the most accurate detection of commonly occurring security vulnerabilities including backdoors and malicious code. The unlimited subscription allows customers to perform any number of static scans of any number of internal applications.
Automated Web Vulnerability Scanning (Dynamic Analysis):
CA Veracode’s automated web application vulnerability scanning, also known as dynamic analysis or black-box testing empowers companies to identify and remediate security issues in their running web applications before hackers can exploit them. The unlimited subscription allows customers to perform any number of scans of any number of web applications.
Open Source Ratings Database:
Access to CA Veracode’s database of security scores for enterprise-class open source projects enabling you to gain an understanding of the risk/benefit trade-off of integrating open source versus commercially developed software.
Executive, Security and Developer Reports:
CA Veracode’s services platform offers summary and detailed reports to support the activities of CISOs, engineering managers and developers. CISOs can gain a centralized view of regulatory and corporate security policy compliance across the organization. Engineering managers can gain an understanding of the most prominent sources of risk in their internal application portfolio and developers can get detailed remediation advice on how to address application vulnerabilities in a prioritized manner to most efficiently comply with corporate security policies.
Extensible, Open Platform:
CA Veracode’s application risk management platform has been designed as an open and extensible platform that allows for easy integration with other technology platforms, IDEs and bug tracking systems that form the fabric of the software development infrastructure. For security and compliance personnel we offer automated integration with Archer’s GRC Framework product. For developers we offer xml exports and a results api that can be used to integrate our findings with tools that typically form part of the SDLC such as bug and defect tracking systems.
Program Management Services Built-in:
For premium edition customers we offer a half-time customer success manager that will help develop the policies and program framework for securing your SDLC by kicking off the engagement with a focused workshop. They will also work on an on-going basis with your key stakeholders to manage the rollout and aggressively drive adoption and success within your internal development teams.
VerAfied Security Mark:
Due to the nature of software security testing, no organization can guarantee that their software is completely secure. However, through rigorous testing using CA Veracode’s automated static binary analysis, automated dynamic web vulnerability scanning (if applicable), and/or manual penetration analysis, the VerAfied mark signifies that software vendors have utilized the most widely accepted and comprehensive methods available to secure their software. The VerAfied mark indicates that an application has received an independent security verification from CA Veracode and the provider has resolved or mitigated any vulnerabilities identified by automated static binary analysis and automated dynamic analysis (if applicable). The VerAfied High Assurance mark indicates that an application has received an independent security verification from CA Veracode and the provider has resolved or mitigated any vulnerabilities identified by automated static binary analysis, automated dynamic analysis (if applicable) and manual penetration testing. Any application tested using the subscription and found to meet the passing criteria for the VerAfied and VerAfied HA marks will be eligible for earning the mark.