What is the Charles Schwab VAST Program?

Charles Schwab has initiated a Vendor Application Security Testing (VAST) program focused on reducing risks posed by security vulnerabilities in software used by Charles Schwab. Charles Schwab is asking all Software Suppliers or Service Providers to participate in this critical program and has selected Veracode, Inc. to manage the program on their behalf and perform Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).  

Who is Veracode?

Veracode’s Security Program Management Team manages the Charles Schwab Vendor Application Security Testing Program.  The Program Management Team is responsible for working with Vendors to ensure they understand the program requirements and can successfully enroll and participate in the program.  Veracode also offers software providers the ability to perform independent third party testing while protecting intellectual property as Veracode does not require source code for its security analysis.

What policy will my application be assessed against?

Applications will be assessed against the Charles Schwab application security policy.  This policy is a set of rules that determine which types of flaws need to be fixed and what criteria should be met in order for the application to be of an acceptable security posture.  The policy does not change the way in which the application is scanned – all applications are scanned the same.  The policy is simply a lens by which to view the results.  Policy criteria can be granular, such as specific Common Weakness Enumeration (CWE) IDs are not allowed, through to high level, i.e., no flaws of medium severity or above allowed. Charles Schwab has been using a similar policy for internal applications since 2012. The policy will be shared with you during the program “Introduction” call or can be emailed to you upon your request.

 What are the benefits of participating in the program?

The VAST program helps vendors to manage and reduce security risks in their software offerings while ensuring compliance with Charles Schwab’s application security policy. Independent attestation of the security of your offerings will be a market differentiator. By participating, you will demonstrate commitment to producing software that is both functional and secure, using industry standards and best practices. By improving secure coding practices and automating security analysis during the software development lifecycle, vendors will see a positive impact on future remediation costs.

Is the VAST program mandatory?

Yes – Charles Schwab’s expectation is for all externally developed code to be held to the same security standards regardless of the type of application or service leveraging software. Therefore, all Software Suppliers or Service Providers are being requested to participate to ensure your application meets policy.

What if our product is not policy compliant?

Vendors must remediate software flaws and vulnerabilities in order to be compliant with the Charles Schwab application security policy. This policy is also available from the Veracode Program Management Team or can be emailed to you upon request. Vendors can leverage their resources, Veracode services or other third-parties to assist in understanding and remediating vulnerabilities to achieve compliance.

 How often are assessments required?

Charles Schwab requires new test results for any new release, product enhancement, or upgrade. Charles Schwab might ask you to produce an additional report given any change of your application code.

How are Veracode assessment results utilized?

When assessment results are completed, vendors are required to share the high-level Summary assessment results with Charles Schwab via the Veracode Platform. Charles Schwab will then review the report to confirm the vendor is policy compliant.

What if my company is using another independent third party for software security testing?

Please reach out to the CS VAST team at CSVAST@veracode.com to enroll in the alternative attestation process. Veracode will provide guidance around program requirements and coordinate the gathering and submittal of the requested material to Charles Schwab for validation that the results meet its application security policy.

Where do we learn more about this program?

Veracode Team – CSVAST@Veracode.com