According to the OWASP Foundation, “The OWASP Foundation is pleased to see Veracode using the OWASP Top 10 application security risks. Managing application security requires real visibility into exactly what has been verified and what has not. Veracode’s transparency around its combination of manual and automated verification techniques stands in stark contrast to those product vendors that wrongly and dangerously assert complete automated coverage and compliance with the Top 10.”
Software providers whose applications earn the VERAFIED mark may display it as an indicator to customers that independent automated and manual testing did not detect the list of known, dangerous vulnerabilities and demonstrates the software is in successful compliance with the PCI Data Security Standard as well as other software assurance policies based on the OWASP Top 10. Additionally, the application may be identified with a VERAFIED High Assurance mark in Veracode’s VERAFIED Software Directory. CIOs, CISOs and others who acquire software may also use the mark as a threshold for independently verified security quality delivered by commercial, outsourced or open source suppliers.
To earn the VERAFIED High Assurance mark for the OWASP Top 10, software providers submit their final integrated application – binary or bytecode – to Veracode SecurityReview for assessment. The application is analyzed by Veracode’s patented cloud-based automated security verification service and then subjected to additional manual penetration testing by Veracode or a security consultant in Veracode’s growing partner ecosystem. Following the remediation of any vulnerabilities of severity medium or higher, as defined by FIRST’s CVSS vulnerability scoring system, and any vulnerabilities identified in the OWASP Top 10, the application is then resubmitted to Veracode for complete security regression testing and verification. Given the ad hoc approach to security testing adopted by most organizations today, this consistent and repeatable framework and process enables software suppliers to differentiate applications that are VERAFIED for OWASP Top 10 compliance and display the mark of independent verification.
“As web applications increasingly connect organizations to a network of their customers, partners and other stakeholders, malicious attacks have been on the rise and hackers have turned to web applications, which often represent a weak link in enterprise security,” said Matt Moynahan, CEO of Veracode. “Displaying the VERAFIED mark for the OWASP Top 10 indicates an organization is serious about securing their applications deployed in SaaS, PaaS and other cloud-based environments, and should be recognized by potential customers and partners for their efforts in managing their application-related security risk.”
To learn more about the OWASP Top 10, visit http://www.owasp.org or http://tinyurl.com/Veracode-OWASP-Top-10. OWASP does not endorse or recommend any company, product or service.
Veracode is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments and developer e-learning, Veracode SecurityReview' is the most accurate and cost-effective way to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter @Veracode or read the ZeroDay Labs™ blog.