The Veracode Platform enables an organization to define and enforce a uniform application security policy across all applications in its portfolio. The elements of an application security policy include the:
- Target Veracode Level for the application,
- Types of flaws that should not be in the application (which may be defined by flaw severity, flaw category, CWE, or a common standard including OWASP, CWE/SANS Top 25, or PCI)
- Minimum Veracode security score
- Required scan types and frequencies
- Grace period within which any policy-relevant flaws should be fixed
Policies have three main constraints that can be applied: rules, required scans, and remediation grace periods.
Evaluating Applications Against a Policy
When an application is evaluated against a policy, it receives one of four assessments:
- Not Assessed
- The application has not yet had a scan published.
- Pass
- The application has passed all aspects of the policy, including rules, required scans, and grace period.
- Did Not Pass
- The application has not completed all required scans; has not achieved the target Veracode Level; or has one or more policy-relevant flaws that have exceeded the grace period to fix.
- Conditional Pass
- The application has one or more policy-relevant flaws that have not yet exceeded the grace period to fix.
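The decision procedure above can be made concrete by running it over a few sample applications. The following is an added example written for this page, not Veracode's own code or data model: the field names (`required_scan_types`, `blocked_severities`, `first_found`, and so on), the rule model (a flaw is policy-relevant when its severity is one the policy blocks), the assumption that the grace period is counted from the date a flaw was first found, and all sample values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# All names and sample values below are constructed for illustration; they are
# not the Veracode Platform's data model, API, or scoring rules.


@dataclass(frozen=True)
class Flaw:
    cwe: int
    severity: int        # 0 (informational) to 5 (very high), assumed scale
    first_found: date    # date the flaw first appeared in a published scan (assumption)


@dataclass(frozen=True)
class Policy:
    required_scan_types: frozenset   # scan types that must have a published result
    target_level: int                # Veracode Level the application must reach
    blocked_severities: frozenset    # severities a rule forbids; such flaws are policy-relevant
    grace_period: timedelta          # time allowed to fix a policy-relevant flaw


@dataclass(frozen=True)
class Application:
    published_scan_types: frozenset
    veracode_level: int
    flaws: tuple


def evaluate(policy: Policy, app: Application, today: date):
    """Return (assessment, reasons) using the four outcomes described in the text.

    Order matters: no published scan short-circuits to Not Assessed; any hard
    failure (missing scan, level below target, overdue flaw) is Did Not Pass;
    policy-relevant flaws still inside the grace period give Conditional Pass.
    """
    if not app.published_scan_types:
        return "Not Assessed", ["no scan has been published"]

    reasons = []
    missing = policy.required_scan_types - app.published_scan_types
    if missing:
        reasons.append("required scans not completed: " + ", ".join(sorted(missing)))
    if app.veracode_level < policy.target_level:
        reasons.append(f"Veracode Level {app.veracode_level} below target {policy.target_level}")

    relevant = [f for f in app.flaws if f.severity in policy.blocked_severities]
    # Grace-period deadline is assumed to run from first_found (constructed assumption).
    overdue = [f for f in relevant if today > f.first_found + policy.grace_period]
    for f in overdue:
        deadline = f.first_found + policy.grace_period
        reasons.append(f"CWE-{f.cwe} (severity {f.severity}) past grace period since {deadline}")

    if reasons:
        return "Did Not Pass", reasons
    if relevant:
        return "Conditional Pass", [f"{len(relevant)} policy-relevant flaw(s) still within grace period"]
    return "Pass", []


# Constructed sample policy: static and dynamic scans required, Level 3 target,
# high and very-high severity flaws blocked, 30-day grace period.
POLICY = Policy(
    required_scan_types=frozenset({"static", "dynamic"}),
    target_level=3,
    blocked_severities=frozenset({4, 5}),
    grace_period=timedelta(days=30),
)
TODAY = date(2024, 3, 1)
BOTH = frozenset({"static", "dynamic"})


def sample_applications():
    """Constructed applications, one per assessment outcome plus edge cases."""
    return {
        "never_scanned": Application(frozenset(), 0, ()),
        "missing_dynamic": Application(frozenset({"static"}), 3, ()),
        "level_too_low": Application(BOTH, 2, ()),
        # severity-5 flaw found 10 days ago (inside grace); severity-2 flaw is not policy-relevant
        "fresh_high_flaw": Application(BOTH, 3, (Flaw(89, 5, date(2024, 2, 20)),
                                                 Flaw(79, 2, date(2023, 12, 1)))),
        # severity-5 flaw found 60 days ago: grace period expired on 2024-01-31
        "stale_high_flaw": Application(BOTH, 3, (Flaw(89, 5, date(2024, 1, 1)),)),
        "only_low_flaws": Application(BOTH, 3, (Flaw(79, 2, date(2023, 12, 1)),)),
    }


def run_examples():
    """Evaluate every sample application; returns {name: assessment}."""
    return {name: evaluate(POLICY, app, TODAY)[0] for name, app in sample_applications().items()}


if __name__ == "__main__":
    for name, app in sample_applications().items():
        status, reasons = evaluate(POLICY, app, TODAY)
        print(f"{name:>16}: {status}" + (f"  ({'; '.join(reasons)})" if reasons else ""))
```

The ordering inside `evaluate` is the practical point: a Conditional Pass is only reachable when every hard requirement is already met, so an application with an overdue flaw and a missing scan reports both reasons under Did Not Pass rather than hiding one behind the other.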