tmc3 Limited

Veracode Application Security Testing

Veracode is an enterprise-class application security solution, which allows DevOps teams to shift-left in their security approach. Veracode provides Static Analysis, Dynamic Analysis, Software Composition Analysis API Scanning solutions. SaaS platform helps automate security feedback and aligns with development technologies, providing the highest accuracy and broadest coverage in the industry.

Features

• Veracode Static Application Security Testing (SAST): identify and remediate vulnerabilities
• Veracode Pipeline Scanning: SAST for build pipeline
• Veracode IDE Scanning: integrated continuous flaw feedback and education solution
• WebApp Dynamic Application Security Testing (DAST): scalability, speed, and accuracy
• Veracode Software Composition Analysis (SCA) - for Open Source/Third-Party code
• Veracode Discovery – quickly inventory Internet-facing applications
• Interactive Developer Training – Help developers write secure code
• 9-Time Leader in the Gartner Magic-Quadrant for application security scanning
• Provides visibility into application status across all testing types
• Automated security feedback to developers in the IDE and pipeline

Benefits

• Shift-left in your Secure Software Development Lifecycle (SSDLC)
• Develop better quality and more secure software, faster
• Manage risks of using open source / third party code
• Industry Leading Accuracy: Veracode’s false positive rate is around 1%
• Veracode is the only native SaaS application security solution
• Reduce remediation time by up to 90%
• Manage risk and satisfy compliance requirements, without interrupting developer workflows
• Comply with Cyber Security Frameworks and reduce security incidents
• Comprehensive integrations with Development, Security and Operations
• Remove development re-work, reducing cost and improving output

£76 to £7,754 a unit a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Frameworks@tmc3.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

877198849475540

Contact

Nathan Tittensor
0113 8730449
Frameworks@tmc3.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Veracode is a Cloud service that does not require the installation of hardware. Maintenance windows are advised in advance to users. Uptime can be monitored here: http://status.veracode.com/; ; Supported integrations are detailed at https://help.veracode.com
• System requirements:
  • Web browser
  • Veracode.com whitelisting e.g. https://analysiscenter.veracode.com or https://api.veracode.com
  • Software packaged in accordance to our compilation guide at https://help.veracode.com
  • Supported languages and frameworks listed at https://help.veracode.com for technologies
  • Full list of requirements for tool chain support at https://help.veracode.com

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Technical Support response times are details here: https://www.veracode.com/resources/datasheets/technical-support
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Without purchase of a designated customer success bundle, the buyer will receive entry-level support to address any issues that relate to service disruption and necessary bug fixes and service restoration. Service levels for entry-level support is detailed at the following address: https://www.veracode.com/resources/datasheets/technical-support. We recommend to all buyers that they include an appropriate Customer Success Bundle, based on licence requirements to meet their likely needs. Scanning software with Veracode is easy. A user can receive results within minutes, and in some cases seconds. Application security though is hard. Helping to instil a secure-by-design culture, that embraces continuous feedback is not easy. Software and technical environments may be complex. We support over 100 languages and frameworks. From time-to-time, the buyer organisation's engineers will most likely need guidance about which configuration is optimal. Developers often need to challenge and be listened to. A tool alone cannot meet the need of development teams to engage in dialogue and receive coaching on best practice. Veracode offers different tiers of service packages to match the number of applications that are being assessed. These cover 'Advanced Technical Support', 'Remediation Coaching' and 'Security Programme Management'.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: As Veracode offers a SaaS platform, there is limited setup. Customers can scan their applications through several integrations, including automated pipelines. https://www.veracode.com/integrations ; ; The Veracode Security Programme Manager (SPM) can provide on-boarding assistance. The SPM will schedule an on-boarding call to give the development team a demo of the Veracode platform and make sure that platform accounts are created. An Upload Call is highly encouraged for an application’s first scan. Veracode Security Consultants will provide advice on how to configure and submit binaries for scanning to ensure full coverage and quality. Contact support@veracode.com for scheduling with your availability. Online training and help materials are available to assist on-boarding of users and applications. Onsite training and consultation is available subject to prior agreement.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Customers can download all their previous scan data and reports from the Veracode browser console, or via the API at the end of the contract. This is the responsibility of the customer.; ; Data can be extracted via XML, PDF, and XLS files. This can be retrieved via the user interface or by API calls.
• End-of-contract process: No additional costs.; ; Except for the Statistical Data, Veracode shall destroy data using industry standard methods (i) all copies of each Customer Application within sixty (60) days following the availability of the Report related thereto or earlier if requested by Customer and (ii) all copies of the results of the Assessments of each Customer Application (excluding the Statistical Data), Customer Confidential Information, and all associated documentation and related materials provided by Customer within sixty (60) days following any termination or expiration of this Agreement or earlier if requested by Customer; and upon request, Veracode shall confirm such destruction in writing. Upon the expiration or termination of any Order Form granting Customer access to On-Site Software, Customer shall promptly destroy such On-Site Software.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: API calls and supported integrations in general are described at https://help.veracode.com , or specifically here: https://help.veracode.com/reader/QJgoLlv~uqsO6Zvu9jG9pw/h2NG_xyaRqXJtAUioBS2SA The user does not need to login to the Veracode Platform via a web browser to interact with scanning services - this can be automated by the API. In terms of limitations on API calls, a fair use policy applies which should not restrict normal reasonable scan operations or platform requests.
• API documentation: Yes
• API documentation formats:
  • HTML
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Branding options exist within the Veracode Platform. Role-based access control (RBAC) - covering a wide variety or user types and group allocations. Communication preferences. Login via Single Sign-on (SSO) Additional customisations may be considered on request.

Scaling

• Independence of resources: The Veracode Platform uses auto-scaling compute resources provided by AWS.; ; The Veracode platform is an auto-scaling SaaS offering. As demand increases, more resources are provisioned to handle the extra scanning demand. Veracode handles hundreds of thousands of scans per month across thousands of customers.

Analytics

• Service usage metrics: Yes
• Metrics types: Customisable service metrics dashboards can be define within the Analytics package. Default dashboards are provided. Information about Analytics is provided here: https://help.veracode.com Default Dashboards: Policy Compliance Overview, Scan Activity, Sandbox Scan Activity, Scan Times, Findings Details, Findings Status and History, Resolution and Mitigation Details, Security Consultation. If you want to view data differently than the predefined dashboards, you can modify existing dashboards and visualizations to suit your own needs. You have the ability to customize dashboards and visualizations to view your data in different ways.
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Veracode

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Application data can be uploaded manually through the Veracode browser console, or automated via the API. When working at scale with several applications, application data is typically uploaded via the API in a CI/CD pipeline. ; ; Via the Veracode Platform through the UX or via API Data formats in main Veracode Platform: CSV, XML, PDF Within analytics module: TXT, XLSX, CSV, JSON, HTML or PNG for dashboard views
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • XML
  • PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Service Level: Veracode shall maintain the Availability Percentage (as defined below) of the automated Solution (the “Automated Solution”) at or above ninety-nine percent (99%) during any calendar month. “Availability Percentage” is expressed as the percentage defined as (i) the Availability (as defined below) less any Unavailability (as defined below) during any particular calendar month divided by (ii) the total number of minutes during such calendar month. “Unavailable” or “Unavailability” consists of the number of minutes during a particular calendar month that the Automated Solution was not Available to Customer, but expressly excludes any time the Automated Solution was not Available as a result of (i) any planned maintenance and support, not to exceed 8 hours per calendar month, which shall generally occur on average twice per calendar month during maintenance windows between the hours of 9PM ET and 4AM ET or on non-business days (which Veracode shall endeavour to notice on the Veracode platform at least three Business Days in advance) or such other mutually convenient time as agreed upon between the parties; or (ii) an event of Force Majeure as described in the Agreement.
• Approach to resilience: This information is defined in the Veracode Information Security Exhibit and is available with a mutual non-disclosure agreement.
• Outage reporting: API, email alerts and public dashboard Information is available here: http://status.veracode.com/

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Source IP Address can be restricted. Accounts may be restricted for 2FA-only access (recommended). Account access can be restricted to be accessed by SAML 2.0 trust contract only.; ; Veracode defines access control objectives to manage access to information; prevent unauthorized access to information systems; ensure the protection of networked services; prevent unauthorized computer access; detect unauthorized activities; and ensure information security when mobile computing network facilities are used. This section provides standards that are required to comply with Veracode’s Access Control objectives. ; ; Please see the Veracode Information Security Exhibit (VISE) Section titled “Access Control” for more information.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: SOC II Type 2 Report

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: SOC II TYPE 2 (Audited)
• Information security policies and processes: These are articulated with the Veracode Information Security Exhibit which is available under mutual non-disclosure agreement.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Veracode has a formal change management process in place.; ; Our change management tools (e.g., code-versioning software and online ticketing system) maintain a record of all changes, including the implementer’s name, approvers’ names, implemented solution, roll-back plans, and any issues arising from the change.; ; Role-based Access Control is applied to ensure segregation of duties and prevent unauthorized changes.; ; See also the Veracode SOC 2 report for validation of testing.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: All systems within the platform are set up and managed by experts according to industry best practices where hardened configurations are used to limit unnecessary attack vectors. All configuration activity follows a formal process that encompasses documentation, testing and approval. Only authorized personnel are allowed to set up and manage systems. Operating system patches are monitored and applied as necessary to maintain the highest level of security.; ; Critical and severe patches are handled on a case-by-case basis and resolved as soon as possible.; ; High-severity patches are patched within 30 days.; ; Timeframes for patches categorized based on severity
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Operational and security logs are forwarded and consolidated into Veracode’s Splunk instance. Veracode’s 3rd party Managed Security Services Provider (MISP) ingests these files and other files sent directly to them for monitoring. Based on industry standard alert types and Veracode specific monitoring requests the MISP will notify Veracode’s Internal Information Security team of alerts requiring their attention based on severity.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Veracode has a dedicated Product Security Incident Response Team (PSIRT) ; Their responsibilities include:; ; • Tactical cross-functional product teams who assess immediate and emerging threats to Veracode’s Products & Services Systems ; ; • Develops direct tactical response plans (countermeasures) to secure Veracode’s Products & Services Systems ; ; • Provides opportunities for collaboration between Research and Engineering on new and existing security initiatives ; ; • Comprised of Security Champions who are sources of security expertise for their team to embed security more deeply into the SDLC

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  In 2024, tmc3 has achieved Net Zero emissions.; ; tmc3 has implemented a documented Environmental Management System to reduce our environmental impacts. We will continue to focus on further reductions and our sights remain firmly set on exceeding all elements of our Science-Based Target on a long-term basis.; ; Actions we take include, but are not limited to: establishing environmentally sensitive purchasing policies (buying recycled or long-life products; favouring products derived from natural/sustainable sources) and monitoring the environmental performance of our suppliers; ensuring that all decisions regarding working practices and purchasing take environmental considerations into account. We measure, monitor and minimise our usage of resources and consumables, and our greenhouse gas emissions. We actively look for ways to reduce waste and recycling, and encourage the use of sustainable modes of transport. We encourage home working and the use of virtual collaboration tools.; ; tmc3's Carbon Reduction Plan has been completed in accordance with PPN 06/21 and associated guidance and reporting standard for Carbon Reduction Plans. This is available on the tmc3 website.; ; For the provision of these services, we commit to offsetting the carbon footprint for the development of the tmc3 deliverables and, if requested, will provide certification verifying this action has been completed within a month of project completion. We will measure the ‘As-is’ state of the contract to give us an accurate benchmark to work from, and how we need to progress throughout the contract lifecycle. This will include measuring against Scope 1,2&3 emissions, for example: Water use, electricity use, conducting a materiality checklist, measuring business travel, working from Home, business travel accommodation, employee commuting etc. We will gather data across all scope of emissions and utilise carbon calculator tooling to give an accurate and transparent measurement. We will then present these findings back to you and key stakeholders.

Pricing

• Price: £76 to £7,754 a unit a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Typical trial is 10 days in duration. 5 SAST Licences (including Pipeline and IDE scanning), 5 DAST Licences, 5 Software Composition Analysis Licences, 1 eLearning Licence. Granting of a free trial is subject to the buyer disclosing objectives or success factors for the trial.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Frameworks@tmc3.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.