- Veracode Transitional Policies: the default policies for all organizations, designed to set a minimum level for those initially adopting Veracode for application security programs.
- Veracode Recommended Policies: the best practice recommendation based on Veracode Levels.
Veracode Transitional Policies
Veracode Transitional Policies are assigned to all customer applications by default and are the default policies for newly created applications. The policies emphasize performing an initial scan to establish the baseline quality of an application, and use the Veracode score (numeric score 1-100) as a progressive quality gate.
| Policy Name | Target VL | Minimum Score | Scan Requirement | Grace Period |
|---|---|---|---|---|
| Veracode Transitional Very High | VL1 | 90 | Any (Once) | 0 |
| Veracode Transitional High | VL1 | 80 | Any (Once) | 0 |
| Veracode Transitional Medium | VL1 | 70 | Any (Once) | 0 |
| Veracode Transitional Low | VL1 | 60 | Any (Once) | 0 |
| Veracode Transitional Very Low | VL1 | 50 | Any (Once) | 0 |
Veracode Recommended Policies
Veracode Recommended Policies are available for customers as an option when they are ready to move beyond the initial requirements set by the Veracode Transitional Policies. The policies are based on the Veracode Level definitions.
| Policy Name | Target VL | Flaw Severities | Minimum Score | Scan Requirement | Grace Period |
|---|---|---|---|---|---|
| Veracode Recommended Very High | VL5 | No Medium or above | 90 | Static (quarterly), Manual (annually) | 0 |
| Veracode Recommended High | VL4 | No Medium or above | 80 | Static (quarterly) | 0 |
| Veracode Recommended Medium | VL3 | No High or above | 70 | Static (quarterly) | 0 |
| Veracode Recommended Low | VL2 | No Very High or above | 60 | Any (semi-annually) | 0 |
| Veracode Recommended Very Low | VL1 | | | Any (once) | 0 |
| Veracode Recommended Mobile Policy | | | | Static (quarterly) | 0 |