BURLINGTON, Mass. - Veracode, Inc., the world's leader in cloud-based application risk management, today unveiled a new VERAFIED mark of security quality that indicates an application has been independently assessed and found to have no "very high," "high" or "medium" severity vulnerabilities as defined by MITRE, nor any of the top 10 vulnerabilities as defined by the Open Web Application Security Project (OWASP Top 10). The independent high assurance assessment is performed with SecurityReview, Veracode's patented cloud-based automated security verification service, and complemented by manual penetration testing by Veracode or its partners to identify flaws in business logic and design.
According to the OWASP Foundation, "The OWASP Foundation is pleased to see Veracode using the OWASP Top 10 application security risks. Managing application security requires real visibility into exactly what has been verified and what has not. Veracode's transparency around its combination of manual and automated verification techniques stands in stark contrast to those product vendors that wrongly and dangerously assert complete automated coverage and compliance with the Top 10."
Software providers whose applications earn the VERAFIED mark may display it to indicate to customers that independent automated and manual testing did not detect any of the listed known, dangerous vulnerabilities, and that the software complies with the PCI Data Security Standard as well as other software assurance policies based on the OWASP Top 10. Additionally, the application may be identified with a VERAFIED High Assurance mark in Veracode's VERAFIED Software Directory. CIOs, CISOs and others who acquire software may also use the mark as a threshold for independently verified security quality delivered by commercial, outsourced or open source suppliers.
To earn the VERAFIED High Assurance mark for the OWASP Top 10, software providers submit their final integrated application - binary or bytecode - to Veracode SecurityReview for assessment. The application is analyzed by Veracode's patented cloud-based automated security verification service and then subjected to additional manual penetration testing by Veracode or a security consultant in Veracode's growing partner ecosystem. Following the remediation of any vulnerabilities of severity medium or higher, as defined by FIRST's CVSS vulnerability scoring system, and any vulnerabilities identified in the OWASP Top 10, the application is then resubmitted to Veracode for complete security regression testing and verification. Given the ad hoc approach to security testing adopted by most organizations today, this consistent and repeatable framework and process enables software suppliers to differentiate applications that are VERAFIED for OWASP Top 10 compliance and display the mark of independent verification.
"As web applications increasingly connect organizations to a network of their customers, partners and other stakeholders, malicious attacks have been on the rise and hackers have turned to web applications, which often represent a weak link in enterprise security," said Matt Moynahan, CEO of Veracode. "Displaying the VERAFIED mark for the OWASP Top 10 indicates an organization is serious about securing its applications deployed in SaaS, PaaS and other cloud-based environments, and should be recognized by potential customers and partners for its efforts in managing its application-related security risk."