The Veracode Platform enables an organization to define and enforce a uniform application security policy across all applications in its portfolio. The elements of an application security policy include the:
- Target Veracode Level for the application
- Types of flaws that should not be in the application. You can restrict flaws by flaw severity, flaw category, CWE, or a common standard including OWASP, OWASP Mobile, CWE/SANS Top 25, or PCI.
- Minimum Veracode security score
- Required scan types and frequencies
- Grace period within which any policy-relevant flaws should be fixed
Policies have three main constraints that can be applied: rules, required scans, and remediation grace periods.
Evaluating applications against a policy
When an application is evaluated against a policy, it can receive one of the following four assessments:
- Not assessed
  - The application has not yet had a scan published.
- Passed
  - The application has passed all aspects of the policy, including rules, required scans, and the grace period.
- Did not pass
  - The application has not completed all required scans, has not achieved the target Veracode Level, or has one or more policy-relevant flaws that have exceeded the grace period to fix.
- Conditional pass
  - The application has one or more policy-relevant flaws that have not yet exceeded the grace period to fix.
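The decision logic behind these four assessments can be written down as a small policy-as-code evaluator. The following is an added example, not Veracode's own code: the data model (`Policy`, `AppState`, `Flaw`), the numeric severity scale, the way a required scan's frequency is expressed as a maximum age in days, and the treatment of a missed minimum score as a failed rule are all assumptions made for illustration. Sample applications are constructed inline.

```python
"""Toy evaluator for the four policy assessments described above.
Added example; the data model and names are assumptions, not Veracode's API."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Flaw:
    severity: int        # assumed 0..5 scale (5 = very high)
    cwe: int             # CWE identifier of the flaw
    first_found: date    # date the flaw first appeared; grace period counts from here


@dataclass
class Policy:
    target_level: int                 # target Veracode Level
    min_score: int                    # minimum security score
    required_scans: dict              # scan type -> max days since last scan (frequency)
    blocked_severities: set           # severities that are policy-relevant
    blocked_cwes: set                 # CWEs that are policy-relevant
    grace_days: int                   # days allowed to fix a policy-relevant flaw


@dataclass
class AppState:
    scan_published: bool
    last_scan: dict = field(default_factory=dict)   # scan type -> date of last scan
    veracode_level: int = 0
    score: int = 0
    flaws: list = field(default_factory=list)


def policy_relevant(policy: Policy, flaw: Flaw) -> bool:
    """A flaw is policy-relevant if any rule (severity or CWE) selects it."""
    return flaw.severity in policy.blocked_severities or flaw.cwe in policy.blocked_cwes


def scans_current(policy: Policy, app: AppState, today: date) -> bool:
    """Every required scan type must exist and be no older than its allowed age."""
    for scan_type, max_age in policy.required_scans.items():
        last = app.last_scan.get(scan_type)
        if last is None or today - last > timedelta(days=max_age):
            return False
    return True


def evaluate(policy: Policy, app: AppState, today: date) -> str:
    """Return one of: Not assessed, Passed, Conditional pass, Did not pass."""
    if not app.scan_published:
        return "Not assessed"
    relevant = [f for f in app.flaws if policy_relevant(policy, f)]
    overdue = [f for f in relevant
               if today - f.first_found > timedelta(days=policy.grace_days)]
    hard_failure = (
        not scans_current(policy, app, today)
        or app.veracode_level < policy.target_level
        or app.score < policy.min_score      # assumption: score rule fails like other rules
        or bool(overdue)
    )
    if hard_failure:
        return "Did not pass"
    if relevant:                              # relevant flaws still inside the grace period
        return "Conditional pass"
    return "Passed"


# Constructed sample policy and applications for demonstration.
SAMPLE_POLICY = Policy(target_level=3, min_score=80, required_scans={"static": 90},
                       blocked_severities={4, 5}, blocked_cwes={89}, grace_days=30)
TODAY = date(2024, 6, 1)
SAMPLE_APPS = {
    "unscanned": AppState(scan_published=False),
    "clean": AppState(True, {"static": date(2024, 5, 20)}, 3, 90,
                      [Flaw(2, 200, date(2024, 5, 1))]),          # low severity, not relevant
    "in_grace": AppState(True, {"static": date(2024, 5, 20)}, 3, 90,
                         [Flaw(5, 79, date(2024, 5, 20))]),       # relevant, 12 days old
    "overdue": AppState(True, {"static": date(2024, 5, 20)}, 3, 90,
                        [Flaw(3, 89, date(2024, 3, 1))]),         # relevant by CWE, 92 days old
    "stale_scan": AppState(True, {"static": date(2024, 1, 1)}, 3, 90, []),  # scan too old
}


def run_samples() -> dict:
    """Evaluate every sample application against the sample policy."""
    return {name: evaluate(SAMPLE_POLICY, app, TODAY) for name, app in SAMPLE_APPS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:>11}: {result}")
```

Note that a flaw only matters once a rule selects it; a non-relevant flaw (the `clean` case) never affects the assessment, while a relevant one moves the application from Passed to Conditional pass until the grace period runs out, at which point it becomes Did not pass.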