Veracode Inc

Veracode Application Security Testing (AST) - Leader in Gartner MQ

Veracode is a leading provider of enterprise-class application security, seamlessly integrating agile security solutions for organizations around the globe. In addition to application security services and secure DevOps services, Veracode provides a full security assessment to ensure your website and applications are secure, and ensures full enterprise data protection.

Features

  • Static Application Security Testing (SAST): identify and remediate security flaws.
  • WebApp Dynamic Application Security Testing (DAST): scalability, speed, and accuracy.
  • Software Composition Analysis (SCA) - identify risk in Open Source.
  • Greenlight – IDE/CI integrated continuous flaw feedback and education solution.
  • Veracode Discovery – quickly inventory Internet-facing applications.
  • Developer Training – Help developers identify and fix flaws earlier.
  • Vendor Application Security Testing – independent assessment of 3rd-party software.

Benefits

  • Industry Leading Results Accuracy
  • Easy to Start and Scale with Elastic Compute Power
  • Rapid Risk Reduction
  • Automation, Management and Measurement of Open Source Risk
  • Comprehensive Integrations with Development, Security and Operations
  • Most Trusted and Advanced SaaS Application Security Platform
  • World Renowned Expertise and Research in Application Security
  • Meet Compliance Requirements Across Organisation

Pricing

£350 per user per year

  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

9 4 3 0 7 2 0 6 0 3 3 1 4 0 2

Contact

Veracode Inc

Paula Kanikuru

+44 (0)20 3761 5501

emea@veracode.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
Veracode is a Cloud service that does not require the installation of hardware. Maintenance windows are advised in advance to users. Uptime can be monitored here: http://status.veracode.com/

Supported integrations are detailed at https://help.veracode.com
System requirements
  • HTML5 browser: Safari (latest), Chrome (latest), Firefox (latest), IE 11
  • IDE Support for Visual Studio, Eclipse & Intellij
  • *.veracode.com whitelisting e.g. https://analysiscenter.veracode.com or https://api.veracode.com
  • Software packaged in accordance with our compilation guide at https://help.veracode.com
  • Supported languages, frameworks and technologies are listed at https://help.veracode.com
  • Full list of requirements for tool chain support at https://help.veracode.com

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Technical Support response times are detailed here: https://www.veracode.com/resources/datasheets/technical-support
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Without purchase of a designated customer success bundle, the buyer will receive entry-level support to address any issues that relate to service disruption, necessary bug fixes and service restoration. Service levels for entry-level support are detailed at the following address: https://www.veracode.com/resources/datasheets/technical-support. We recommend that all buyers include an appropriate Customer Success Bundle, based on licence requirements, to meet their likely needs. Scanning software with Veracode is easy: a user can receive results within minutes, and in some cases seconds. Application security, though, is hard. Helping to instil a secure-by-design culture that embraces continuous feedback is not easy, and software and technical environments may be complex. We support over 100 languages and frameworks. From time to time, the buyer organisation's engineers will most likely need guidance about which configuration is optimal. Developers often need to challenge and be listened to; a tool alone cannot meet the need of development teams to engage in dialogue and receive coaching on best practice. Veracode offers different tiers of service packages to match the number of applications being assessed. These cover 'Advanced Technical Support', 'Remediation Coaching' and 'Security Programme Management'. Please review 'Veracode Customer Success Bundles' in the Digital Marketplace.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
The Veracode Security Programme Manager (SPM) can provide on-boarding assistance. The SPM will schedule an on-boarding call to give the development team a demo of the Veracode platform and make sure that platform accounts are created. An Upload Call is highly encouraged for an application’s first scan. Veracode Security Consultants will provide advice on how to configure and submit binaries for scanning to ensure full coverage and quality. Contact support@veracode.com for scheduling with your availability. Online training and help materials are available to assist on-boarding of users and applications. Onsite training and consultation is available subject to prior agreement.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data can be extracted via XML, PDF, and XLS files. This can be retrieved via the user interface or by API calls.
End-of-contract process
Except for the Statistical Data, Veracode shall destroy data using industry standard methods (i) all copies of each Customer Application within sixty (60) days following the availability of the Report related thereto or earlier if requested by Customer and (ii) all copies of the results of the Assessments of each Customer Application (excluding the Statistical Data), Customer Confidential Information, and all associated documentation and related materials provided by Customer within sixty (60) days following any termination or expiration of this Agreement or earlier if requested by Customer; and upon request, Veracode shall confirm such destruction in writing. Upon the expiration or termination of any Order Form granting Customer access to On-Site Software, Customer shall promptly destroy such On-Site Software.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
No
Service interface
No
API
Yes
What users can and can't do using the API
API calls and supported integrations in general are described at https://help.veracode.com, or specifically here: https://help.veracode.com/reader/QJgoLlv~uqsO6Zvu9jG9pw/h2NG_xyaRqXJtAUioBS2SA. The user does not need to log in to the Veracode Platform via a web browser to interact with scanning services; this can be automated through the API. In terms of limitations on API calls, a fair use policy applies which should not restrict normal, reasonable scan operations or platform requests.
API documentation
Yes
API documentation formats
  • HTML
  • Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Branding options exist within the Veracode Platform. Role-based access control (RBAC) covering a wide variety of user types and group allocations. Communication preferences. Login via Single Sign-On (SSO). Additional customisations may be considered on request.

Scaling

Independence of resources
The Veracode Platform uses auto-scaling compute resources provided by AWS.

Analytics

Service usage metrics
Yes
Metrics types
Customisable service metrics dashboards can be defined within the Analytics package. Default dashboards are provided. Information about Analytics is provided here: https://help.veracode.com. Default dashboards: Policy Compliance Overview, Scan Activity, Sandbox Scan Activity, Scan Times, Findings Details, Findings Status and History, Resolution and Mitigation Details, Security Consultation. If you want to view data differently from the predefined dashboards, you can modify existing dashboards and visualizations, or create customised ones, to view your data in different ways.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Via the Veracode Platform, through the UX or via the API. Data formats in the main Veracode Platform: CSV, XML, PDF. Within the analytics module: TXT, XLSX, CSV, JSON, HTML or PNG for dashboard views.
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • PDF
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Service Level: Veracode shall maintain the Availability Percentage (as defined below) of the automated Solution (the “Automated Solution”) at or above ninety-nine percent (99%) during any calendar month. “Availability Percentage” is expressed as the percentage defined as (i) the Availability (as defined below) less any Unavailability (as defined below) during any particular calendar month divided by (ii) the total number of minutes during such calendar month. “Unavailable” or “Unavailability” consists of the number of minutes during a particular calendar month that the Automated Solution was not Available to Customer, but expressly excludes any time the Automated Solution was not Available as a result of (i) any planned maintenance and support, not to exceed 8 hours per calendar month, which shall generally occur on average twice per calendar month during maintenance windows between the hours of 9PM ET and 4AM ET or on non-business days (which Veracode shall endeavour to notice on the Veracode platform at least three Business Days in advance) or such other mutually convenient time as agreed upon between the parties; or (ii) an event of Force Majeure as described in the Agreement.
Approach to resilience
This information is defined in the Veracode Information Security Exhibit and is available with a mutual non-disclosure agreement.
Outage reporting
API, email alerts and public dashboard. Information is available here: http://status.veracode.com/

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Source IP address can be restricted. Accounts may be restricted to 2FA-only access (recommended). Account access can be restricted to SAML 2.0 trust only.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
SOC II Type 2 Report

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
SOC II TYPE 2 (Audited)
Information security policies and processes
These are articulated with the Veracode Information Security Exhibit which is available under mutual non-disclosure agreement.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
This is defined within the Veracode Information Security Exhibit which is available under mutual non-disclosure agreement.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
This is defined within the Veracode Information Security Exhibit which is available under mutual non-disclosure agreement.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
This is defined within the Veracode Information Security Exhibit which is available under mutual non-disclosure agreement.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
This is defined within the Veracode Information Security Exhibit which is available under mutual non-disclosure agreement.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£350 per user per year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Typical trial is 10 days in duration. 5 SAST Licences, 5 DAST Licences, 5 Software Composition Analysis Licences, 5 Greenlight Licences, 1 eLearning Licence. Granting of a free trial is subject to the buyer disclosing objectives or success factors for the trial.