
Policies

Use Veracode security policies to define and enforce a uniform application security policy for all applications across your entire application portfolio, including applications you develop and third-party applications.

After scanning an application, Veracode assesses the scan results against the assigned policy. To pass a security policy, an application must comply with the policy's security requirements, or constraints.

If you're using Veracode Package Firewall, see manage custom policies for Veracode Package Firewall.

Benefits

Security policies provide several benefits, such as:

  • A Veracode Level that applications must comply with to pass the policy. Each level has a minimum security score.
  • Rules that define findings an application must not have, for example findings that fall under a security standard such as OWASP, OWASP Mobile, CWE Top 25, or PCI.
  • For SCA results, rules that define which open-source components are not allowed.
  • Required types of scans to run on an application and how often they must occur to meet policy compliance.
  • Evaluation timeframes that establish the period during which findings, if not resolved, can impact policy compliance.
  • Grace periods that establish the amount of time your teams have to resolve findings before impacting policy compliance.

You can also manage policies with the Policy API.

Create and assign security policies

Assign policies to one or more application profiles or SCA agent workspaces. You can also set default policies to automatically assign to newly created application profiles or SCA agent workspaces.

You can assign built-in policies, which have pre-configured constraints, or create and assign custom policies to configure the constraints that enforce specific security requirements for your organization.

Review policy compliance

Review an application's policy compliance in the Veracode Platform. The notification emails also summarize this policy compliance information.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. On the Applications page, select the application name to open the application overview.
  3. In the left navigation menu, under Results, select View Report. The Detailed Veracode Report opens.
  4. Select the Policy Control tab. This tab lists the names and descriptions of the assigned policies and details how the application complies with the following policy rules:
  • Veracode Level rule and any custom rules, including blocklist rules
  • Scan requirements
  • Remediation levels

Policy assessment status

When you evaluate an application's scan results against a policy, the application receives one of the following statuses. In a product interface, such as the Veracode Platform, the status might appear as a color-coded shield.

Status             Shield   Description
Not Assessed       Gray     The application has not yet had a scan published.
Passed             Green    The application has passed all the constraints of the policy, including rules, required scans, and grace period.
Did Not Pass       Red      The application has not completed all required scans, has not achieved the target Veracode Level, or has one or more policy-relevant flaws that have exceeded the grace period to fix.
Conditional Pass   Orange   The application has one or more policy-relevant flaws, and these flaws have not yet exceeded the grace period to fix. All sandbox scans also have this status.
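The decision behind the four statuses, written out as an added example (this is not Veracode's own code or API, and the data model, the `policy_relevant` flag and the rule that the grace period counts from the date a finding was first found are assumptions made for the illustration):

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

@dataclass
class Finding:
    cwe: int
    first_found: date        # date the finding first appeared in published results (assumption)
    policy_relevant: bool    # True when a rule of the assigned policy flags this finding
    resolved: bool = False

@dataclass
class Application:
    published_scans: Set[str]       # techniques with published results, e.g. {"STATIC"}
    achieved_level: Optional[int]   # Veracode Level (1-5) from the latest results, None if none
    findings: List[Finding]
    sandbox: bool = False           # results come from a sandbox, not the policy scan

@dataclass
class Policy:
    required_level: int
    required_scans: Set[str]
    grace_days: int

def policy_status(app: Application, policy: Policy, today: date) -> str:
    """Map an application's results onto the four statuses in the table above."""
    if not app.published_scans:
        return "Not Assessed"
    if app.sandbox:                       # sandbox results never yield a pass/fail verdict
        return "Conditional Pass"
    if policy.required_scans - app.published_scans:
        return "Did Not Pass"             # at least one required scan is missing
    if app.achieved_level is None or app.achieved_level < policy.required_level:
        return "Did Not Pass"             # target Veracode Level not reached
    open_relevant = [f for f in app.findings if f.policy_relevant and not f.resolved]
    grace = timedelta(days=policy.grace_days)
    if any(today > f.first_found + grace for f in open_relevant):
        return "Did Not Pass"             # grace period exceeded for at least one flaw
    if open_relevant:
        return "Conditional Pass"         # flaws present, still within the grace period
    return "Passed"

# Constructed sample data, not real scan results.
TODAY = date(2024, 6, 1)
POLICY = Policy(required_level=3, required_scans={"STATIC", "SCA"}, grace_days=30)

def status_demo() -> dict:
    within = Finding(cwe=89, first_found=date(2024, 5, 15), policy_relevant=True)
    expired = Finding(cwe=79, first_found=date(2024, 3, 1), policy_relevant=True)
    fixed = Finding(cwe=79, first_found=date(2024, 3, 1), policy_relevant=True, resolved=True)
    cases = {
        "no scans": Application(set(), None, []),
        "missing SCA scan": Application({"STATIC"}, 4, []),
        "level too low": Application({"STATIC", "SCA"}, 2, []),
        "flaw within grace": Application({"STATIC", "SCA"}, 3, [within]),
        "flaw past grace": Application({"STATIC", "SCA"}, 3, [within, expired]),
        "flaw fixed": Application({"STATIC", "SCA"}, 4, [fixed]),
        "sandbox": Application({"STATIC", "SCA"}, 4, [], sandbox=True),
    }
    return {name: policy_status(app, POLICY, TODAY) for name, app in cases.items()}
```

The order of the checks matters: a missing required scan or an unmet Veracode Level fails the policy outright, and only once those are satisfied does the grace period decide between Conditional Pass and Did Not Pass.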

About Veracode Levels

Veracode determines the Veracode Level (VL) of an application by the type of testing it performs on the application and the severity and types of flaws it detects. A minimum security score is required for each level.

There are five standard Veracode Levels: VL1, VL2, VL3, VL4, and VL5. VL1 is the lowest level, achieved by demonstrating that automated static or dynamic security testing is used during the software delivery lifecycle. VL5 is the highest level, achieved by performing both automated and manual testing and removing all significant flaws. VL2, VL3, and VL4 form a continuum of increasing software business criticality between VL1 and VL5.

For example, a web application tested with static analysis that has no Very High or High severity flaws and a score of at least 70 achieves VL3. To achieve VL4, you must also remediate all Medium severity flaws and reach a score of at least 80. To achieve VL5, you must perform manual testing in addition to remediating all Very High, High, and Medium severity flaws, and reach a score of at least 90.

Three further levels combine the requirements of VL3, VL4, and VL5 with Veracode Software Composition Analysis. They are denoted VL3 + SCA, VL4 + SCA, and VL5 + SCA.

If you operate applications, use Veracode Levels to set application security policies, choosing a different VL for deployment scenarios of differing business criticality. For example, the policy for applications that manage credit card transactions, and therefore have PCI compliance requirements, should require VL5. A medium business-critical, internal application could have a policy requiring VL3.

Software developers can decide which VL they want to achieve based on the requirements they are given. Developers of mission-critical software want to achieve VL5. Developers of general-purpose software may target VL3 or VL4. The achieved Veracode Level can be communicated to clients through a Veracode report.

Veracode Level requirements

The following table defines the requirements for achieving each Veracode Level. Dynamic is only an option for web applications and REST APIs.

Veracode Level   Flaw severities not allowed   Testing required                                    Minimum score
VL5 + SCA        V.High, High, Medium          Static, Manual, and Software Composition Analysis   90
VL5              V.High, High, Medium          Static and Manual                                   90
VL4 + SCA        V.High, High, Medium          Static and Software Composition Analysis            80
VL4              V.High, High, Medium          Static                                              80
VL3 + SCA        V.High, High                  Static and Software Composition Analysis            70
VL3              V.High, High                  Static                                              70
VL2              V.High                        Static, Dynamic, or Manual                          60
VL1              (none)                        Static, Dynamic, or Manual                          (none)

When multiple scan techniques are used, not all of the testing is likely to be performed in the same scan. In that case, the latest scan results from each technique are used to calculate the current Veracode Level. After six months, test results are deemed out of date and are no longer used to calculate the current Veracode Level.

SCA findings do not override higher Veracode Level achievements. For example, if an application contains zero Medium Static Analysis findings, but does contain Medium SCA findings, the application still achieves VL4.
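The level rules above, the "latest result per technique, nothing older than six months" rule, and the rule that SCA findings never lower the level, as an added example (not Veracode's own code or scoring engine). The data model is assumed for the illustration: the application's security score is taken as an input rather than computed, "six months" is approximated as 183 days, and findings from every non-SCA technique are assumed to count against the severity limits.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Veracode severity values: 5 = Very High, 4 = High, 3 = Medium, 2 = Low, 1 = Very Low, 0 = Info.
VERY_HIGH, HIGH, MEDIUM = 5, 4, 3
STALE_AFTER = timedelta(days=183)  # "six months" approximated as 183 days (assumption)

@dataclass
class ScanResult:
    technique: str                     # "STATIC", "DYNAMIC", "MANUAL" or "SCA"
    published: date
    finding_severities: List[int] = field(default_factory=list)

# (level, severities not allowed, techniques required, minimum score), best level first.
LEVEL_RULES = [
    ("VL5 + SCA", {VERY_HIGH, HIGH, MEDIUM}, {"STATIC", "MANUAL", "SCA"}, 90),
    ("VL5",       {VERY_HIGH, HIGH, MEDIUM}, {"STATIC", "MANUAL"},        90),
    ("VL4 + SCA", {VERY_HIGH, HIGH, MEDIUM}, {"STATIC", "SCA"},           80),
    ("VL4",       {VERY_HIGH, HIGH, MEDIUM}, {"STATIC"},                  80),
    ("VL3 + SCA", {VERY_HIGH, HIGH},         {"STATIC", "SCA"},           70),
    ("VL3",       {VERY_HIGH, HIGH},         {"STATIC"},                  70),
]
AUTOMATED_OR_MANUAL = {"STATIC", "DYNAMIC", "MANUAL"}

def current_results(scans: List[ScanResult], today: date) -> Dict[str, ScanResult]:
    """Keep the latest result per technique and drop anything older than six months."""
    latest: Dict[str, ScanResult] = {}
    for scan in scans:
        if today - scan.published > STALE_AFTER:
            continue
        if scan.technique not in latest or scan.published > latest[scan.technique].published:
            latest[scan.technique] = scan
    return latest

def veracode_level(scans: List[ScanResult], score: int, today: date) -> Optional[str]:
    """Return the highest level whose testing, severity and score requirements are all met."""
    latest = current_results(scans, today)
    techniques = set(latest)
    # SCA findings never lower the level, so only findings from the other techniques are
    # checked (assumption: findings from every non-SCA technique count, not only static).
    severities = {sev for tech, res in latest.items() if tech != "SCA"
                  for sev in res.finding_severities}
    for level, banned, required, minimum in LEVEL_RULES:
        if required <= techniques and not (severities & banned) and score >= minimum:
            return level
    if techniques & AUTOMATED_OR_MANUAL:
        if VERY_HIGH not in severities and score >= 60:
            return "VL2"
        return "VL1"   # any automated or manual testing, with no score or severity bar
    return None        # nothing current to assess

TODAY = date(2024, 6, 1)

def level_demo() -> Dict[str, Optional[str]]:
    """Constructed sample results, not real scan data."""
    cases = {
        # A Medium static flaw blocks VL4; the manual scan is stale and ignored.
        "static + sca, medium flaw": ([ScanResult("STATIC", date(2024, 5, 1), [MEDIUM, 2]),
                                       ScanResult("SCA", date(2024, 5, 10), [MEDIUM]),
                                       ScanResult("MANUAL", date(2023, 10, 1))], 85),
        # A Medium SCA finding does not stop VL5 + SCA.
        "clean static + manual, medium sca": ([ScanResult("STATIC", date(2024, 5, 20)),
                                               ScanResult("MANUAL", date(2024, 4, 15)),
                                               ScanResult("SCA", date(2024, 5, 25), [MEDIUM])], 92),
        "dynamic only, high flaw": ([ScanResult("DYNAMIC", date(2024, 5, 1), [HIGH])], 65),
        "static, very high flaw": ([ScanResult("STATIC", date(2024, 5, 1), [VERY_HIGH])], 40),
        "only stale scans": ([ScanResult("STATIC", date(2023, 9, 1))], 95),
    }
    return {name: veracode_level(scans, score, TODAY) for name, (scans, score) in cases.items()}
```

Because the rules are tried from the highest level down, the first match is the level achieved; the first sample case lands on VL3 + SCA only because a Medium static flaw is still open, and the second reaches VL5 + SCA despite a Medium SCA finding.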

Configure notifications to alert your teams to policy-related events and to stay current on the policy compliance of the applications to which policies are assigned.

Notification events

The Veracode Platform can send notifications automatically when specific policy-related events occur. Whether you receive policy notifications depends on your notification settings.

Note: The Veracode Platform does not send notifications that contain sensitive information about your application, including the policy status, Veracode Level, or any other information about the application that could identify a weakness in your application or your organization.

The Veracode Platform automatically sends policy-related notifications to the team assigned to the application, to any users with the Security Lead role, and to the Business Owner email address identified on the application profile.

The Veracode Platform sends notifications for three events: policy changes, upcoming scans required, and grace period expirations.

Policy change

The Veracode Platform sends this notification when the policy assigned to an application changes, either through a new policy assignment or through an update to the assigned policy. The notification is sent immediately when the assignment or update occurs.

Upcoming scan required

The Veracode Platform sends this notification when a required scan is due in approximately 30 days, based on the schedule defined in the policy for the application. The Veracode Platform checks once a day during the night to send any Upcoming Scan Required notifications.

Grace period expiring soon

The Veracode Platform sends this notification when a finding approaches the expiration date of the grace period set in the policy. The Veracode Platform sends the notification a specific number of days ahead of the actual expiration date, on a sliding scale ranging from a day ahead to 30 days ahead based on the length of the grace period.