The consumerization of IT can bring new workforce efficiencies, as well as potentially devastating enterprise security and compliance risks. As organizations grapple with the new era of mobile device management, a one-size-fits-all approach to application security policy management and compliance isn’t sufficient.
Veracode announced a more effective approach with the launch of its new Policy Manager, which allows enterprises to move rapidly from ad-hoc testing to proven and enforceable security programs and policies for their entire software application portfolio, including mobile.
Veracode currently provides application security verification across primary mobile platforms – BlackBerry, Windows Mobile, Android and Apple iOS.
A cloud-based service, Veracode Policy Manager provides CISOs with a dashboard that offers a centralized view of their portfolio of internal and third-party applications with details on how each application is performing from a policy perspective.
The interface offers specific compliance requirement tracking capabilities and enables users to tick through a series of best practice-based or customizable drop-down menus that identify appropriate security policy options, including recommended remediation times based on the criticality of the flaw, criticality of the application and established CISO requirements.
Specific features of Veracode Policy Manager include:
Application policy dashboard: Centralized dashboard for applying policies, assigning business owners, adding new applications and tracking policy compliance across application inventory.
Policy editor: Interface for defining custom policies based on standards (e.g., OWASP/SANS Top 25), flaw type (CWE), severity and Veracode rating, with the capability to specify assessment frequency, acceptable remediation timeframes and grace periods.
Policy control reports: Detailed reports depicting status against all controls specified within the applicable policy, providing a snapshot of compliance on a per-application basis.
Notification workflow: Support for automated notifications to business owners regarding policy assignment, testing requirements and compliance status.