New assurance mark of software application security


Veracode unveiled the VERAFIED High Assurance mark of software application security for the CWE/SANS Top 25 Most Dangerous Software Errors.

This industry “seal of approval” signals to a software provider’s customers and partners that the application has been independently assessed, and that the assessment did not detect exploitable instances of the weaknesses on the Top 25 Most Dangerous Software Errors list. The Top 25 is drawn from the Common Weakness Enumeration (CWE), a project run by MITRE and sponsored by the US Federal Government. Note that the mark attests to what the testing did not find, not to the absence of all weaknesses.

Software providers whose applications earn the VERAFIED mark may display it to show customers that they have eliminated known, dangerous vulnerability classes from the assessed release. The application may also be listed in Veracode’s VERAFIED Software Directory. CIOs, CISOs and other software acquirers can use the mark as a minimum bar for the security quality of commercial, outsourced or open source software they bring in.

To earn the mark, a software provider submits the final integrated application, as a binary or bytecode rather than source, to Veracode SecurityReview for assessment. The application is first analyzed by the company’s cloud-based automated verification service and then subjected to additional manual penetration testing by Veracode or its partners.

The provider must then remediate two classes of findings: any vulnerability rated medium or higher under FIRST’s CVSS scoring system, and any vulnerability that falls into a category on the Top 25 Most Dangerous Software Errors list compiled by MITRE, SANS and a consortium of other organizations, regardless of its CVSS score. Once remediation is complete, the application is resubmitted to Veracode for full security regression testing and verification before the mark is granted.

Because most organizations still test application security on an ad hoc basis, this consistent and repeatable process lets software suppliers distinguish applications that have been VERAFIED against the CWE/SANS Top 25 from those that have not, and display a mark showing that they made a diligent effort to find and fix all known dangerous vulnerability classes in the assessed release.