Understanding Veracode Mitigation Proposal Reviews

Results and Reports

You can purchase an optional Veracode Mitigation Proposal Review (MPR) service from Veracode to request that Veracode consultants perform additional mitigation triage work for your applications.

Your security team can use the Veracode Mitigation Proposal Review to request Veracode application security consultants to review mitigation proposals that your developers enter. Your security team can make a more informed decision about whether to accept or reject a mitigation proposal.

To request a Mitigation Proposal Review, contact [email protected].

During the review, the Veracode application security consultants provide feedback on the mitigation proposal based on your custom risk-tolerance guidelines. The Veracode consultants can propose these mitigation types:

Conforms

Veracode has determined the mitigation is present and functioning as described. The mitigation may reduce the risk that the flaw presents.

Deviates

Veracode determined that the described mitigation is not present or may not reduce the risk presented by the flaw. Veracode specifies a mitigation as Deviates if the mitigation relies on factors such as:

  • Trusted sources of data
  • Configuration file settings
  • Operating system controls
  • Network controls

The Veracode consultants also specify a mitigation as Deviates if they cannot find the described control or cannot determine how the mitigation is intended to work.

Defer

Veracode has reviewed the finding proposal and the custom risk-tolerance guidelines and has determined that the mitigation requires a more thorough review by your security team.

If Veracode performed the mitigation proposal review for you, you can filter the proposed mitigations by the Mitigation Conformation type.