Vendor Application Security Testing
The Veracode Vendor Application Security Testing (VAST) program helps enterprises better understand and reduce the security risks associated with using vendor-supplied software.
VAST programs strengthen vendor compliance with enterprise IT application security policies by analyzing and attesting to the security posture of each application in the software supply chain of the enterprise.
The VAST solution is the first comprehensive vendor application security compliance program, which is a crucial part of sound governance, risk management, IT vendor management, and regulatory efforts.
Scan your application as a vendor
If you are a third-party software vendor, your enterprise customer may have asked you to submit your application to Veracode for scanning.
Use the Veracode Platform to scan your application, review the scan results, and share the results with the enterprise organization.
Veracode sends you your credentials for signing in to the Veracode Platform.
- Go to the Veracode Platform and sign in.
- Submit a scan.
- Manual Penetration Testing (MPT)

Note: Your enterprise customer might require you to use a specific security policy. When creating an application profile for the scan, ensure you apply the correct policy.
Share scan results
Vendors who want to share the results of a third-party scan of their application can generate reports from those results and share the reports with enterprise organizations.
As a vendor, you access the results from Veracode, and may propose and approve mitigations for any findings in the report at any time.
If the enterprise has already received the summary results, their report is automatically updated with new approved mitigations.
Before you begin:
- To enable the sharing of Veracode reports, contact Veracode Technical Support.
To complete this task:
- In the Veracode Platform, from the left navigation menu of the application page, select Results. The Results page opens.
- To share the results of the latest scans of each scan type, select Share in the top right to open the Share this Report window. If the Share option is disabled, contact Veracode Technical Support to establish the relationship between you and the enterprise organization.
- Select the enterprise organization with whom you want to share the report. This dropdown list is based on vendor relationships you have with other organizations. To add more organizations to this list, contact Veracode Technical Support.
- Select the policy against which you want to calculate the results of the report. The policy details appear, showing you the description, rules, and scan requirement of the policy.
- Select Save and Continue. The generated report is listed in the Shared Reports page, which you access from the left navigation menu. At a glance you can see which reports you generated and when. The color of the shield icon in the Generated For column indicates whether the policy compliance is a pass (green), conditional pass (orange), or fail (red).
- When you are ready to send the generated report to the selected organization, select Share Now. You receive a prompt to confirm that you are ready to share.
You are only sharing the Summary Report. If you have a Software Composition Analysis (SCA) license, you can also share the SCA Report, which lists the security vulnerabilities in open-source components. The Detailed Report is for your information only and is never shared.
Unshare scan results
To unshare a report, select Undo to revoke the shared action. When prompted to confirm your choice, select Yes.
After you unshare a report, the enterprise recipient can no longer view or download it.