About Veracode's Methodology

Results and Reports

Terms of Use

Use and distribution of this report are governed by the agreement between Veracode and its customer. In particular, this report and the results in the report cannot be used publicly in connection with Veracode’s name without written permission.

The Veracode Platform uses static analysis and, for web applications, DynamicDS analysis to identify security flaws in your applications. Using both static and dynamic analysis reduces false negatives and detects a broader range of security flaws than either technique alone. The static binary analysis engine models the binary executable into an intermediate representation, which is then checked for security flaws by a set of automated security scans; because it works on the compiled binary, it does not require source code. Dynamic analysis uses an automated penetration testing technique to detect security flaws in the running application. Once the automated process is complete, a security technician reviews the output to remove false positives. The end result is an accurate list of security flaws for the classes of automated scans applied to the application; flaw classes outside the scope of those scans are not covered by the report.

Veracode Rating System Using Multiple Analysis Techniques

Higher assurance applications require more comprehensive analysis to accurately score their security quality. Each analysis technique (automated static, automated dynamic, manual penetration testing, or manual review) has a different false negative (FN) rate for different types of security flaws, so any single technique, and even a combination of techniques, will miss some flaws. For applications of lower business criticality some false negatives are acceptable, so a less expensive analysis using only one or two techniques is sufficient. For applications of higher business criticality the FN rate should be close to zero, so multiple analysis techniques are recommended, chosen so that the flaw types one technique tends to miss are covered by another.