If you have not read part one of this post, read it here.
Veracode’s Risk Adjusted Verification Methodology
The ‘VerAfied’ mark is a standards-based mark of security quality established by Veracode to provide a pragmatic way to measure and compare application security risk, and it is designed around existing industry standards. Its basis is the “Security Quality Score”, an aggregate of all the security flaws uncovered by the scans described in part one, categorized by severity and normalized to a 0 to 100 scale. As stated above, PortalGuard achieved a Security Quality Score of 100 for both the Static and Dynamic evaluation types, meaning that neither scan detected a flaw at any severity level (ranging from very low to very high), including any weakness from the OWASP Top 10 or CWE/SANS Top 25 lists. The credibility of the ‘VerAfied’ mark comes from combining an array of respected industry standards into one meaningful system. Some of the industry standards it leverages are:
MITRE’s Common Weakness Enumeration (CWE) – A catalog of software weakness types, each identified by a CWE ID number. Veracode rates the severity of each finding by the confidentiality, integrity, and availability impact the weakness can cause, using the impact definitions from FIRST’s CVSS, described below.
FIRST’s Common Vulnerability Scoring System (CVSS) – A vulnerability scoring system used by the National Vulnerability Database (NVD), NIST’s U.S. government repository of standards-based vulnerability management data, as well as by other major software vendors. Gartner has described it as “…a powerful approach for businesses to standardize the impact assessment and prioritization of IT vulnerabilities.”
NIST’s definitions of assurance levels – Defined in OMB memorandum M-04-04 (E-Authentication Guidance for Federal Agencies) and implemented by NIST in SP 800-63, the assurance levels are organized by the potential impact of an authentication error: damage to reputation, financial loss or liability, harm to operations, unauthorized information disclosure, and personal safety, among others. Separately, Veracode’s scans support the requirements of the NIST Source Code Security Analysis Tool Functional Specification Version 1.0 (NIST SP 500-268).
For more information on these systems, please visit the respective organizations’ websites. More information about Veracode and the ‘VerAfied’ mark can be found on Veracode’s website.
We are very excited to have worked with Veracode to achieve PortalGuard’s ‘VerAfied’ status, and even more excited that our product passed all of their vulnerability scans with perfect scores and flying colors.