Software providers whose applications earn the VERAFIED mark may display it as an indicator to customers of their successful efforts to eliminate known, dangerous vulnerabilities. Additionally, the application may be identified with a VERAFIED High Assurance mark in Veracode’s VERAFIED Software Directory. CIOs, CISOs and others who acquire software may also use the mark as a threshold for security quality delivered by commercial, outsourced or open source suppliers.
“Among the most important things that can be done to improve software security is for buyers of software to require evidence of an acceptable minimum level of security that is able to be substantiated by a credible independent source,” said Joe Jarzombek, director for software assurance, National Cyber Security Division, Department of Homeland Security. “We support qualification and test activities that enable consumers of software and procurement groups to make better informed decisions based on a standard benchmark of software security. We applaud industry-led efforts that leverage the use of our US Federal Government-sponsored CWE to unambiguously make statements about mitigating software security risk exposures.”
To earn the VERAFIED High Assurance mark for the CWE/SANS Top 25 Most Dangerous Software Errors, software providers submit their final integrated application – binary or bytecode – to Veracode SecurityReview for assessment. The application is analyzed by Veracode’s patented cloud-based automated security verification service and then subjected to additional manual penetration testing by Veracode or its partners. Following the remediation of any vulnerabilities of severity medium or higher, as defined by FIRST’s CVSS vulnerability scoring system, and any identified vulnerabilities that are errors included in the Top 25 Most Dangerous Software Errors list compiled by MITRE and SANS and a consortium of other organizations, the application is then resubmitted to Veracode for complete security regression testing and verification. Given the ad hoc approach to security testing done by most organizations today, this consistent and repeatable framework and process enables software suppliers to differentiate applications that are VERAFIED for CWE/SANS Top 25 compliance and display the mark that demonstrates they have applied diligent efforts to find and remediate all known dangerous vulnerabilities.
“It is well established that the software supply chain poses a significant amount of unknown risk to every enterprise’s reputation and business continuity,” said Matt Moynahan, CEO of Veracode. “By displaying the VERAFIED mark for CWE/SANS Top 25 to indicate their developers’ vigorous efforts to eliminate dangerous software errors, commercial software providers, open source projects and outsourced software suppliers can differentiate themselves as good partners in the effort to reduce application-related risk.”
Veracode is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments and developer e-learning, Veracode SecurityReview' is the most accurate and cost-effective way to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter @Veracode or read the ZeroDay Labs™ blog.