We’ve been VerAfied! Part Two

If you have not read part one of this post, read it here.

 

Veracode’s Risk Adjusted Verification Methodology

The ‘VerAfied’ standards-based mark of security quality is one established by Veracode to provide a pragmatic approach to measure and compare risk levels related to application security, and is wholly designed with industry standards in mind.  Its basis is the “Security Quality Score”, which is an aggregate of all the security flaws uncovered by the above scans, categorized by severity of flaw, and normalized to a 0 to 100 scale.  As stated above, PortalGuard has achieved a ‘100’ “Security Quality Score” for both the Static and Dynamic evaluation types, and has therefore been confirmed to contain no vulnerabilities for any severity levels (varying from very low, to very high) in either test, nor any traces of vulnerabilities within the OWASP Top 10 or CWE/SANS Top 25 lists of vulnerabilities.  The major credibility behind the ‘VerAfied’ mark is that it aims to combine an array of respected industry standards into one meaningful system.  Some of the industry standards it leverages are:

MITRE’s  Common Weakness Enumeration (CWE) – A compilation of identified flaws, each associated with a CWE ID number, and a severity measurement based on the confidentiality, integrity, and availability impacts the flaw may cause as defined in FIRST’s CVSS, described below.

FIRST’s  Common Vulnerability Scoring System (CVSS) – Is a vulnerability scoring system utilized by the National Vulnerability Database, NIST’s U.S government repository of standards based vulnerability management data, as well as other major software corporations.  The system has been highly recommended and described by Gartner as “…a powerful approach for businesses to standardize the impact assessment and prioritization of IT vulnerabilities.”

NIST’s  definitions of assurance levels – Found in their OMB document M-04-04, the assurance levels described there contain are organized according to damage to reputation, financial loss or liability, harm to operations, unauthorized information disclosure, personal safety, among others.  Specifically, Veracode’s scans support the requirements of the NIST Source Code Security Analysis Tool Functional Specification Version 1.0.

 

For more information on these systems, please visit their organizations’ respective websites included above.  More information regarding Veracode and their mark of quality can be found on their website.

 

We are very excited to have worked with Veracode on achieving PortalGuard’s ‘VerAfied’ status, and even more excited to have had our product pass all of their vulnerability scans with perfect scores, and flying colors.

We’ve been VerAfied! Part One

If you have visited our PortalGuard.com homepage recently, you might have noticed that the PortalGuard product has been officially awarded the ‘VerAfied’ status by Veracode, a leading company in Application Risk Management and analysis.  What this means, is that throughout the scrutiny of Veracode’s series of formal application assessments, the PortalGuard software had either met or exceeded the criteria outlined in their Risk Adjusted Verification Methodology for mission critical applications.  What this means, is that you can rest assured that PortalGuard, from security and security compliance standpoints, front-end to back-end, is a truly rock-solid Authentication Platform solution.

In order to support this claim, allow me to describe in more detail what it means to be VerAfied, and the process it takes to attain this status.  First, let’s go over the major types of assessments that had been performed, and the nature of the vulnerabilities they attempt to uncover. In part two of the post we will elaborate on the effectiveness and credibility of Veracode’s Risk Adjusted Verification Methodology System.

 

Static Binary Analysis

Static Binary Analysis, or “white-box” testing, is a meticulous look into the product’s source code.  This method of analysis seeks to uncover vulnerabilities and flaws that may otherwise be concealed once the software is in a runtime environment.  By automatedly walking through the application’s control and data flow, via its executable machine code, the examination is able to identify often difficult to find vulnerabilities relating to linked-libraries, APIs, compiler optimizations, and other areas that simple code debugging cannot.  The approach goes beyond other source code tools, and is able to detect threats arising from possible malicious code and backdoors from within the core application, extending to those potentially in 3rd party libraries or other pre-packaged components.  The result is the most intensive, accurate, and complete software security testing available.  Having been reviewed by this process, the PortalGuard software has been rewarded the highest score available in Static Binary Analysis and by extension, regulatory compliance.

 

Dynamic Analysis

While “white-box” analysis performs examination on software outside of the runtime environment, the complement approach of Dynamic Analysis, or “black-box” testing, covers vulnerabilities best found by probing the application from within the runtime environment.  Research by Gartner and the U.S Computer Emergency Response Team has shown that 75% of malicious attacks on web applications specifically target the application layer, seeking to exploit potential weaknesses hidden there.  Veracode’s automated Dynamic Analysis vulnerability scanner takes a similar approach by conducting examination during runtime and detecting flaws within the application layer in much the same way a hacker would.  The automated process can, however, map far more of the application than a hacker practically could, and so it identifies far greater numbers of vulnerability attack vectors, and in far less time.  In addition, since Veracode’s Dynamic scanner keeps records of all the previous scans it has performed, it’s always applying the latest knowledge of common vulnerabilities and is always evolving to stay current with the latest web technologies.  Whereas Static Analysis is the ultimate in terms of source code analysis, Dynamic scanning completes the picture by offering the ultimate vulnerability scan for web application front-end flaws and exploits.  Having been rigorously tested by the Dynamic scanning processes first automatedly, and then with a comprehensive set of automation scripts to cover a large variety of unique usage scenarios, the PortalGuard software has been rewarded the highest score available for dynamic evaluation.

 

Remember to read Part Two tomorrow.