Frequently Asked Questions from Software Vendors regarding the VAST Program
Q: What is the VAST Program?
A: The vendor application security testing (VAST) program is the Enterprise's solution for providing complete application security compliance for large enterprise customers and their software vendors. The Enterprise has selected CA Veracode as its provider of choice for the VAST program, which means CA Veracode will work with the Enterprise and its vendors to analyze and attest to their software security posture against the Enterprise's policy, which is based on industry compliance standards. VAST is the Enterprise's first comprehensive vendor application security compliance program and complements its existing governance, risk management, IT vendor management, and regulatory efforts.
Q: What if we have already done a penetration test? Shouldn't that meet this policy?
A: Great, please share the report, the name of the independent analysts, and the assessment methodology with the Enterprise VAST Team, and they will determine whether it is adequate. Keep in mind that the Enterprise requires new test results for any new release, product enhancement, or upgrade, so the Enterprise might ask you to produce an additional report after any change to your application code.
Q: We are using another independent third party for software security testing. How do I submit this report?
A: Please work with the Enterprise VAST Team ([email protected]) to determine whether the provider, report, and methodology meet the requirements of the Enterprise's security policy.
Q: The application purchased by the Enterprise is a desktop app, a tool, or otherwise not web facing and does not access any critical data. Do I still need to participate?
A: The Enterprise has taken the approach that all externally developed code needs to be held to the same security standards regardless of the type of application. You are one of over one thousand vendors who are being required to take part in this program.
Q: How do we provide information about the internal analysis we perform against our applications?
A: The Enterprise requires independent analysis to ensure that commonly found vulnerabilities are identified, fixed, and not overlooked. While internal security testing will speed your time to compliance with the Enterprise's security policy, the Enterprise still requires independent, third-party security analysis.
Q: Why should we work with the VAST Team to demonstrate the security of our software?
A: The Enterprise determined that CA Veracode is the best organization to manage the vendor application security testing (VAST) program on its behalf. In addition to program management, CA Veracode also gives software providers the ability to obtain independent third-party testing while protecting their intellectual property, since CA Veracode does not require source code in its analysis process.
Q: What are acceptable third parties I can use to provide this independent attestation of software security to the VAST Program?
A: CA Veracode is the preferred vendor to work with for the VAST Program. Please work with the Enterprise VAST Team ([email protected]) if you would like to discuss other options.
Please feel free to contact CA Veracode at any time with your questions or concerns. We look forward to speaking with you.