Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/28/2010
10:23 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Veracode Announces VERAFIED Mark Of Software Security

New mark indicates software has been independently assessed for the CWE/SANS Top 25 Most Dangerous Software Errors

BURLINGTON, Mass. – July 28, 2010 – Veracode, Inc., the world’s leader in cloud-based application risk management, today unveiled the new VERAFIED™ High Assurance mark of software application security for the CWE/SANS Top 25 Most Dangerous Software Errors. This prominent industry “seal of approval” indicates to a software provider’s customers and partners that an application has been independently assessed and that the testing did not detect exploitable software weaknesses identified in the list of the Top 25 Most Dangerous Software Errors as defined by the MITRE Common Weakness Enumeration (CWE) project that is sponsored by the US Federal Government. The independent high assurance assessment is performed with SecurityReview', Veracode’s patented cloud-based automated security verification service, and complemented by manual penetration testing to identify flaws in business logic and design.

Software providers whose applications earn the VERAFIED mark may display it as an indicator to customers of their successful efforts to eliminate known, dangerous vulnerabilities. Additionally, the application may be identified with a VERAFIED High Assurance mark in Veracode’s VERAFIED Software Directory. CIOs, CISOs and others who acquire software may also use the mark as a threshold for security quality delivered by commercial, outsourced or open source suppliers.

“Among the most important things that can be done to improve software security is for buyers of software to require evidence of an acceptable minimum level of security that is able to be substantiated by a credible independent source,” said Joe Jarzombek, director for software assurance, National Cyber Security Division, Department of Homeland Security. “We support qualification and test activities that enable consumers of software and procurement groups to make better informed decisions based on a standard benchmark of software security. We applaud industry-led efforts that leverage the use of our US Federal Government-sponsored CWE to unambiguously make statements about mitigating software security risk exposures.”

To earn the VERAFIED High Assurance mark for the CWE/SANS Top 25 Most Dangerous Software Errors, software providers submit their final integrated application – binary or bytecode – to Veracode SecurityReview for assessment. The application is analyzed by Veracode’s patented cloud-based automated security verification service and then subjected to additional manual penetration testing by Veracode or its partners. Following the remediation of any vulnerabilities of severity medium or higher, as defined by FIRST’s CVSS vulnerability scoring system, and any identified vulnerabilities that are errors included in the Top 25 Most Dangerous Software Errors list compiled by MITRE and SANS and a consortium of other organizations, the application is then resubmitted to Veracode for complete security regression testing and verification. Given the ad hoc approach to security testing done by most organizations today, this consistent and repeatable framework and process enables software suppliers to differentiate applications that are VERAFIED for CWE/SANS Top 25 compliance and display the mark that demonstrates they have applied diligent efforts to find and remediate all known dangerous vulnerabilities.

“It is well established that the software supply chain poses a significant amount of unknown risk to every enterprise’s reputation and business continuity,” said Matt Moynahan, CEO of Veracode. “By displaying the VERAFIED mark for CWE/SANS Top 25 to indicate their developers’ vigorous efforts to eliminate dangerous software errors, commercial software providers, open source projects and outsourced software suppliers can differentiate themselves as good partners in the effort to reduce application-related risk.”

About Veracode

Veracode is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments and developer e-learning, Veracode SecurityReview' is the most accurate and cost-effective way to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter @Veracode or read the ZeroDay Labs™ blog.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.