Application Security Policies

Results and Reports

The Veracode Platform enables an organization to define and enforce a uniform application security policy across all applications in its portfolio. The elements of an application security policy include the:
  • Target Veracode Level for the application,
  • Types of flaws that should not be in the application (which may be defined by flaw severity, flaw category, CWE, or a common standard including OWASP, CWE/SANS Top 25, or PCI)
  • Minimum Veracode security score
  • Required scan types and frequencies
  • Grace period within which any policy-relevant flaws should be fixed

Policy Constraints

Policies have three main constraints that can be applied: rules, required scans, and remediation grace periods.

Evaluating Applications Against a Policy

When an application is evaluated against a policy, it can receive one of four assessments:
Not Assessed
The application has not yet had a scan published.
The application has passed all the aspects of the policy, including rules, required scans, and grace period.
Did Not Pass
The application has not completed all required scans; has not achieved the target Veracode Level; or has one or more policy relevant flaws that have exceeded the grace period to fix.
Conditional Pass
The application has one or more policy relevant flaws that have not yet exceeded the grace period to fix.