tmc3 Limited

Static Application Security Testing (SAST)

Veracode Static Analysis (SAST) is an enterprise-class application security solution, which allows DevOps teams to shift-left in their security approach. Veracode Static Analysis provides fast, automated feedback to developers in the IDE and CI/CD pipeline, conducts a full Policy Scan before deployment, and gives clear guidance to fix issues fast.

Features

• Veracode Static Application Security Testing (SAST): identify and remediate vulnerabilities
• Veracode Pipeline Scanning: SAST for build pipeline
• Veracode IDE Scanning: integrated continuous flaw feedback and education solution
• Pipeline scan provides security-feedback on code at a team level
• Just-in-time learning to empower developers to remediate faster
• Veracode Discovery – quickly inventory Internet-facing applications
• Interactive Developer Training – Help developers write secure code
• 9-Time Leader in the Gartner Magic-Quadrant for application security scanning
• Provides visibility into application status across all testing types
• Automated security feedback to developers in the IDE and pipeline

Benefits

• Shift-left in your Secure Software Development Lifecycle (SSDLC)
• Develop better quality and more secure software, faster
• Manage risks of using open source / third party code
• Industry Leading Accuracy: Veracode’s false positive rate is around 1%
• Veracode is the only native SaaS application security solution
• Reduce remediation time by up to 90%
• Manage risk and satisfy compliance requirements, without interrupting developer workflows
• Median scan time of 90 seconds enables quicker code fix
• Comprehensive integrations with Development, Security and Operations
• Remove development re-work, reducing cost and improving output

£225 to £7,754 a unit a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Frameworks@tmc3.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

817622502013122

Contact

Nathan Tittensor
0113 8730449
Frameworks@tmc3.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Veracode is a Cloud service that does not require the installation of hardware. Maintenance windows are advised in advance to users. Uptime can be monitored here: http://status.veracode.com/; ; Supported integrations are detailed at https://help.veracode.com
• System requirements:
  • Web browser
  • Veracode.com whitelisting e.g. https://analysiscenter.veracode.com or https://api.veracode.com
  • Software packaged in accordance to our compilation guide at https://help.veracode.com
  • Supported languages and frameworks listed at https://help.veracode.com for technologies
  • Full list of requirements for tool chain support at https://help.veracode.com

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Technical Support response times are details here: https://www.veracode.com/resources/datasheets/technical-support
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Without purchase of a designated customer success bundle, the buyer will receive entry-level support to address any issues that relate to service disruption and necessary bug fixes and service restoration. Service levels for entry-level support is detailed at the following address: https://www.veracode.com/resources/datasheets/technical-support. We recommend to all buyers that they include an appropriate Customer Success Bundle, based on licence requirements to meet their likely needs. Scanning software with Veracode is easy. A user can receive results within minutes, and in some cases seconds. Application security though is hard. Helping to instil a secure-by-design culture, that embraces continuous feedback is not easy. Software and technical environments may be complex. We support over 100 languages and frameworks. From time-to-time, the buyer organisation's engineers will most likely need guidance about which configuration is optimal. Developers often need to challenge and be listened to. A tool alone cannot meet the need of development teams to engage in dialogue and receive coaching on best practice. Veracode offers different tiers of service packages to match the number of applications that are being assessed. These cover 'Advanced Technical Support', 'Remediation Coaching' and 'Security Programme Management'.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: As Veracode offers a SaaS platform, there is limited setup. Customers can scan their applications through several integrations, including automated pipelines. https://www.veracode.com/integrations ; ; The Veracode Security Programme Manager (SPM) can provide on-boarding assistance. The SPM will schedule an on-boarding call to give the development team a demo of the Veracode platform and make sure that platform accounts are created. An Upload Call is highly encouraged for an application’s first scan. Veracode Security Consultants will provide advice on how to configure and submit binaries for scanning to ensure full coverage and quality. Contact support@veracode.com for scheduling with your availability. Online training and help materials are available to assist on-boarding of users and applications. Onsite training and consultation is available subject to prior agreement.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Customers can download all their previous scan data and reports from the Veracode browser console, or via the API at the end of the contract. This is the responsibility of the customer.; ; Data can be extracted via XML, PDF, and XLS files. This can be retrieved via the user interface or by API calls.
• End-of-contract process: No additional costs.; ; Except for the Statistical Data, Veracode shall destroy data using industry standard methods (i) all copies of each Customer Application within sixty (60) days following the availability of the Report related thereto or earlier if requested by Customer and (ii) all copies of the results of the Assessments of each Customer Application (excluding the Statistical Data), Customer Confidential Information, and all associated documentation and related materials provided by Customer within sixty (60) days following any termination or expiration of this Agreement or earlier if requested by Customer; and upon request, Veracode shall confirm such destruction in writing. Upon the expiration or termination of any Order Form granting Customer access to On-Site Software, Customer shall promptly destroy such On-Site Software.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: API calls and supported integrations in general are described at https://help.veracode.com , or specifically here: https://help.veracode.com/reader/QJgoLlv~uqsO6Zvu9jG9pw/h2NG_xyaRqXJtAUioBS2SA The user does not need to login to the Veracode Platform via a web browser to interact with scanning services - this can be automated by the API. In terms of limitations on API calls, a fair use policy applies which should not restrict normal reasonable scan operations or platform requests.
• API documentation: Yes
• API documentation formats:
  • HTML
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Branding options exist within the Veracode Platform. Role-based access control (RBAC) - covering a wide variety or user types and group allocations. Communication preferences. Login via Single Sign-on (SSO) Additional customisations may be considered on request.

Scaling

• Independence of resources: The Veracode Platform uses auto-scaling compute resources provided by AWS.; ; The Veracode platform is an auto-scaling SaaS offering. As demand increases, more resources are provisioned to handle the extra scanning demand. Veracode handles hundreds of thousands of scans per month across thousands of customers.

Analytics

• Service usage metrics: Yes
• Metrics types: Customisable service metrics dashboards can be define within the Analytics package. Default dashboards are provided. Information about Analytics is provided here: https://help.veracode.com Default Dashboards: Policy Compliance Overview, Scan Activity, Sandbox Scan Activity, Scan Times, Findings Details, Findings Status and History, Resolution and Mitigation Details, Security Consultation. If you want to view data differently than the predefined dashboards, you can modify existing dashboards and visualizations to suit your own needs. You have the ability to customize dashboards and visualizations to view your data in different ways.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Veracode

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Application data can be uploaded manually through the Veracode browser console, or automated via the API. When working at scale with several applications, application data is typically uploaded via the API in a CI/CD pipeline. ; ; Via the Veracode Platform through the UX or via API Data formats in main Veracode Platform: CSV, XML, PDF Within analytics module: TXT, XLSX, CSV, JSON, HTML or PNG for dashboard views
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • XML
  • PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Service Level: Veracode shall maintain the Availability Percentage (as defined below) of the automated Solution (the “Automated Solution”) at or above ninety-nine percent (99%) during any calendar month. “Availability Percentage” is expressed as the percentage defined as (i) the Availability (as defined below) less any Unavailability (as defined below) during any particular calendar month divided by (ii) the total number of minutes during such calendar month. “Unavailable” or “Unavailability” consists of the number of minutes during a particular calendar month that the Automated Solution was not Available to Customer, but expressly excludes any time the Automated Solution was not Available as a result of (i) any planned maintenance and support, not to exceed 8 hours per calendar month, which shall generally occur on average twice per calendar month during maintenance windows between the hours of 9PM ET and 4AM ET or on non-business days (which Veracode shall endeavour to notice on the Veracode platform at least three Business Days in advance) or such other mutually convenient time as agreed upon between the parties; or (ii) an event of Force Majeure as described in the Agreement.
• Approach to resilience: This information is defined in the Veracode Information Security Exhibit and is available with a mutual non-disclosure agreement.
• Outage reporting: API, email alerts and public dashboard Information is available here: http://status.veracode.com/

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Source IP Address can be restricted. Accounts may be restricted for 2FA-only access (recommended). Account access can be restricted to be accessed by SAML 2.0 trust contract only.; ; Veracode defines access control objectives to manage access to information; prevent unauthorized access to information systems; ensure the protection of networked services; prevent unauthorized computer access; detect unauthorized activities; and ensure information security when mobile computing network facilities are used. This section provides standards that are required to comply with Veracode’s Access Control objectives. ; ; Please see the Veracode Information Security Exhibit (VISE) Section titled “Access Control” for more information.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: SOC II Type 2 Report

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: SOC II TYPE 2 (Audited)
• Information security policies and processes: These are articulated with the Veracode Information Security Exhibit which is available under mutual non-disclosure agreement.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Veracode has a formal change management process in place.; ; Our change management tools (e.g., code-versioning software and online ticketing system) maintain a record of all changes, including the implementer’s name, approvers’ names, implemented solution, roll-back plans, and any issues arising from the change.; ; Role-based Access Control is applied to ensure segregation of duties and prevent unauthorized changes.; ; See also the Veracode SOC 2 report for validation of testing.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: All systems within the platform are set up and managed by experts according to industry best practices where hardened configurations are used to limit unnecessary attack vectors. All configuration activity follows a formal process that encompasses documentation, testing and approval. Only authorized personnel are allowed to set up and manage systems. Operating system patches are monitored and applied as necessary to maintain the highest level of security.; ; Critical and severe patches are handled on a case-by-case basis and resolved as soon as possible.; ; High-severity patches are patched within 30 days.; ; Timeframes for patches categorized based on severity
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Operational and security logs are forwarded and consolidated into Veracode’s Splunk instance. Veracode’s 3rd party Managed Security Services Provider (MISP) ingests these files and other files sent directly to them for monitoring. Based on industry standard alert types and Veracode specific monitoring requests the MISP will notify Veracode’s Internal Information Security team of alerts requiring their attention based on severity.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Veracode has a dedicated Product Security Incident Response Team (PSIRT) ; Their responsibilities include:; ; • Tactical cross-functional product teams who assess immediate and emerging threats to Veracode’s Products & Services Systems ; ; • Develops direct tactical response plans (countermeasures) to secure Veracode’s Products & Services Systems ; ; • Provides opportunities for collaboration between Research and Engineering on new and existing security initiatives ; ; • Comprised of Security Champions who are sources of security expertise for their team to embed security more deeply into the SDLC

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  At Veracode, we aim to be efficient and sustainable in our operations, minimizing our environmental impact wherever possible. Veracode operates in a LEED Gold certified building, the highest standard for green certification for buildings. This LEED certification ensures that we minimize our energy and water consumption, avoid waste, improve indoor air quality, and limit our environmental impact. Our headquarters is also an Energy Star certified campus, meeting the strict energy performance standards set by the EPA.; We are committed to increasing our purchase of recycled and reusable items, and have set goals to audit our waste streams and increase our diversion rates. In addition, we:; • Employ a single stream recycling and composting program in our cafe; • Use completely paperless and digital services for client-facing work
• Equal opportunity:

  Equal opportunity

  At Veracode, we believe that diversity of background, thought, and experience is what drives innovation and resilience. We recognize that representation is critical to building a true culture of belonging, and we strive to continuously create a more diverse and inclusive team across every level of our business.; ; Our passion, strength, and uncompromising commitment to making secure software a competitive advantage for our customers come from the incredible individuals – we call them Veracoders – who make up our team. We value diversity and celebrate our differences, not only because it’s the right thing to do, but also because it’s good for our business.; ; We’ve made a public pledge to recruit, hire, and advance a more diverse and inclusive workforce. We’re putting that pledge into practice through initiatives including a recruiting collaboration with PowertoFly to reach underrepresented populations of candidates, and joining the MassTLC Tech Compact for Social Justice – a unified effort among tech companies to combat racial inequality and support a more welcoming Massachusetts to black Americans and people of color. Through this compact, our initiatives include providing our employees with education and resources, making charitable donations that progress racial and social justice, removing insensitive/oppressive terminology from our products, and providing our data to support a compilation of aggregated employee demographics.; ; In addition, although we are proud of the diversity we have at Veracode, and 40 percent of our executive team is female, we’re committed to doing better and improving our gender diversity at all levels. We’re partnering with McKinsey to understand how we compare to other technology companies with respect to women in the workforce, and to explore ways to improve those numbers.

Pricing

• Price: £225 to £7,754 a unit a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Typical trial is 10 days in duration. 5 SAST Licences (including Pipeline and IDE scanning), 5 DAST Licences, 5 Software Composition Analysis Licences, 1 eLearning Licence. Granting of a free trial is subject to the buyer disclosing objectives or success factors for the trial.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Frameworks@tmc3.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.