tmc3 Limited

Veracode Application Security Testing

Veracode is an enterprise-class application security solution that allows DevOps teams to shift left in their security approach. Veracode provides Static Analysis, Dynamic Analysis, Software Composition Analysis and API Scanning solutions. The SaaS platform helps automate security feedback and aligns with development technologies, providing the highest accuracy and broadest coverage in the industry.

Features

  • Veracode Static Application Security Testing (SAST): identify and remediate vulnerabilities
  • Veracode Pipeline Scanning: SAST for build pipeline
  • Veracode IDE Scanning: integrated continuous flaw feedback and education solution
  • WebApp Dynamic Application Security Testing (DAST): scalability, speed, and accuracy
  • Veracode Software Composition Analysis (SCA) - for Open Source/Third-Party code
  • Veracode Discovery – quickly inventory Internet-facing applications
  • Interactive Developer Training – Help developers write secure code
  • 9-Time Leader in the Gartner Magic-Quadrant for application security scanning
  • Provides visibility into application status across all testing types
  • Automated security feedback to developers in the IDE and pipeline

Benefits

  • Shift-left in your Secure Software Development Lifecycle (SSDLC)
  • Develop better quality and more secure software, faster
  • Manage risks of using open source / third party code
  • Industry Leading Accuracy: Veracode’s false positive rate is around 1%
  • Veracode is the only native SaaS application security solution
  • Reduce remediation time by up to 90%
  • Manage risk and satisfy compliance requirements, without interrupting developer workflows
  • Comply with Cyber Security Frameworks and reduce security incidents
  • Comprehensive integrations with Development, Security and Operations
  • Remove development re-work, reducing cost and improving output

Pricing

£76 to £7,754 a unit a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Frameworks@tmc3.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

877198849475540

Contact

tmc3 Limited, Nathan Tittensor
Telephone: 0113 8730449
Email: Frameworks@tmc3.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
Veracode is a Cloud service that does not require the installation of hardware. Maintenance windows are advised in advance to users. Uptime can be monitored here: http://status.veracode.com/

Supported integrations are detailed at https://help.veracode.com
System requirements
  • Web browser
  • Whitelisting of Veracode.com domains, e.g. https://analysiscenter.veracode.com or https://api.veracode.com
  • Software packaged in accordance with our compilation guide at https://help.veracode.com
  • Supported languages and frameworks are listed at https://help.veracode.com
  • Full list of requirements for tool chain support at https://help.veracode.com

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Technical Support response times are detailed here: https://www.veracode.com/resources/datasheets/technical-support
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Without purchase of a designated customer success bundle, the buyer will receive entry-level support to address any issues that relate to service disruption, necessary bug fixes and service restoration. Service levels for entry-level support are detailed at the following address: https://www.veracode.com/resources/datasheets/technical-support. We recommend that all buyers include an appropriate Customer Success Bundle, based on licence requirements, to meet their likely needs. Scanning software with Veracode is easy. A user can receive results within minutes, and in some cases seconds. Application security, though, is hard. Helping to instil a secure-by-design culture that embraces continuous feedback is not easy. Software and technical environments may be complex. We support over 100 languages and frameworks. From time to time, the buyer organisation's engineers will most likely need guidance about which configuration is optimal. Developers often need to challenge and be listened to. A tool alone cannot meet the need of development teams to engage in dialogue and receive coaching on best practice. Veracode offers different tiers of service packages to match the number of applications that are being assessed. These cover 'Advanced Technical Support', 'Remediation Coaching' and 'Security Programme Management'.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
As Veracode offers a SaaS platform, there is limited setup. Customers can scan their applications through several integrations, including automated pipelines; see https://www.veracode.com/integrations

The Veracode Security Programme Manager (SPM) can provide on-boarding assistance. The SPM will schedule an on-boarding call to give the development team a demo of the Veracode platform and make sure that platform accounts are created. An Upload Call is highly encouraged for an application’s first scan. Veracode Security Consultants will provide advice on how to configure and submit binaries for scanning to ensure full coverage and quality. Contact support@veracode.com for scheduling with your availability. Online training and help materials are available to assist on-boarding of users and applications. Onsite training and consultation is available subject to prior agreement.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Customers can download all their previous scan data and reports from the Veracode browser console, or via the API at the end of the contract. This is the responsibility of the customer.

Data can be extracted via XML, PDF, and XLS files. This can be retrieved via the user interface or by API calls.
End-of-contract process
No additional costs.

Except for the Statistical Data, Veracode shall destroy data using industry standard methods (i) all copies of each Customer Application within sixty (60) days following the availability of the Report related thereto or earlier if requested by Customer and (ii) all copies of the results of the Assessments of each Customer Application (excluding the Statistical Data), Customer Confidential Information, and all associated documentation and related materials provided by Customer within sixty (60) days following any termination or expiration of this Agreement or earlier if requested by Customer; and upon request, Veracode shall confirm such destruction in writing. Upon the expiration or termination of any Order Form granting Customer access to On-Site Software, Customer shall promptly destroy such On-Site Software.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
No
Service interface
No
User support accessibility
WCAG 2.1 AA or EN 301 549
API
Yes
What users can and can't do using the API
API calls and supported integrations in general are described at https://help.veracode.com, or specifically here: https://help.veracode.com/reader/QJgoLlv~uqsO6Zvu9jG9pw/h2NG_xyaRqXJtAUioBS2SA. The user does not need to log in to the Veracode Platform via a web browser to interact with scanning services; this can be automated by the API. In terms of limitations on API calls, a fair use policy applies, which should not restrict normal reasonable scan operations or platform requests.
API documentation
Yes
API documentation formats
  • HTML
  • Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Branding options exist within the Veracode Platform. Role-based access control (RBAC) covers a wide variety of user types and group allocations. Communication preferences can be set. Login via Single Sign-on (SSO) is supported. Additional customisations may be considered on request.

Scaling

Independence of resources
The Veracode Platform uses auto-scaling compute resources provided by AWS.

The Veracode platform is an auto-scaling SaaS offering. As demand increases, more resources are provisioned to handle the extra scanning demand. Veracode handles hundreds of thousands of scans per month across thousands of customers.

Analytics

Service usage metrics
Yes
Metrics types
Customisable service metrics dashboards can be defined within the Analytics package. Default dashboards are provided. Information about Analytics is provided here: https://help.veracode.com. Default dashboards: Policy Compliance Overview, Scan Activity, Sandbox Scan Activity, Scan Times, Findings Details, Findings Status and History, Resolution and Mitigation Details, Security Consultation. If you want to view data differently from the predefined dashboards, you can modify existing dashboards and visualisations to suit your own needs. You have the ability to customise dashboards and visualisations to view your data in different ways.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Veracode

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Application data can be uploaded manually through the Veracode browser console, or automated via the API. When working at scale with several applications, application data is typically uploaded via the API in a CI/CD pipeline.

Data can be exported via the Veracode Platform through the UI or via the API. Data formats in the main Veracode Platform: CSV, XML, PDF. Within the analytics module: TXT, XLSX, CSV, JSON, HTML or PNG for dashboard views.
Data export formats
  • CSV
  • Other
Other data export formats
  • XML
  • PDF
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Service Level: Veracode shall maintain the Availability Percentage (as defined below) of the automated Solution (the “Automated Solution”) at or above ninety-nine percent (99%) during any calendar month. “Availability Percentage” is expressed as the percentage defined as (i) the Availability (as defined below) less any Unavailability (as defined below) during any particular calendar month divided by (ii) the total number of minutes during such calendar month. “Unavailable” or “Unavailability” consists of the number of minutes during a particular calendar month that the Automated Solution was not Available to Customer, but expressly excludes any time the Automated Solution was not Available as a result of (i) any planned maintenance and support, not to exceed 8 hours per calendar month, which shall generally occur on average twice per calendar month during maintenance windows between the hours of 9PM ET and 4AM ET or on non-business days (which Veracode shall endeavour to notice on the Veracode platform at least three Business Days in advance) or such other mutually convenient time as agreed upon between the parties; or (ii) an event of Force Majeure as described in the Agreement.
Approach to resilience
This information is defined in the Veracode Information Security Exhibit and is available with a mutual non-disclosure agreement.
Outage reporting
API, email alerts and public dashboard. Information is available here: http://status.veracode.com/

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Source IP Address can be restricted. Accounts may be restricted for 2FA-only access (recommended). Account access can be restricted to be accessed by SAML 2.0 trust contract only.

Veracode defines access control objectives to manage access to information; prevent unauthorized access to information systems; ensure the protection of networked services; prevent unauthorized computer access; detect unauthorized activities; and ensure information security when mobile computing network facilities are used. This section provides standards that are required to comply with Veracode’s Access Control objectives.

Please see the Veracode Information Security Exhibit (VISE) Section titled “Access Control” for more information.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
SOC II Type 2 Report

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
SOC II TYPE 2 (Audited)
Information security policies and processes
These are articulated with the Veracode Information Security Exhibit which is available under mutual non-disclosure agreement.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Veracode has a formal change management process in place.

Our change management tools (e.g., code-versioning software and online ticketing system) maintain a record of all changes, including the implementer’s name, approvers’ names, implemented solution, roll-back plans, and any issues arising from the change.

Role-based Access Control is applied to ensure segregation of duties and prevent unauthorized changes.

See also the Veracode SOC 2 report for validation of testing.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
All systems within the platform are set up and managed by experts according to industry best practices where hardened configurations are used to limit unnecessary attack vectors. All configuration activity follows a formal process that encompasses documentation, testing and approval. Only authorized personnel are allowed to set up and manage systems. Operating system patches are monitored and applied as necessary to maintain the highest level of security.

Critical and severe patches are handled on a case-by-case basis and resolved as soon as possible.

High-severity patches are patched within 30 days.

Timeframes for patches are categorised based on severity.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Operational and security logs are forwarded and consolidated into Veracode’s Splunk instance. Veracode’s 3rd party Managed Security Services Provider (MISP) ingests these files and other files sent directly to them for monitoring. Based on industry standard alert types and Veracode specific monitoring requests the MISP will notify Veracode’s Internal Information Security team of alerts requiring their attention based on severity.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Veracode has a dedicated Product Security Incident Response Team (PSIRT). Their responsibilities include:
  • Tactical cross-functional product teams who assess immediate and emerging threats to Veracode’s Products & Services Systems
  • Developing direct tactical response plans (countermeasures) to secure Veracode’s Products & Services Systems
  • Providing opportunities for collaboration between Research and Engineering on new and existing security initiatives
  • Security Champions who are sources of security expertise for their team, to embed security more deeply into the SDLC

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

Fighting climate change

In 2024, tmc3 achieved Net Zero emissions.

tmc3 has implemented a documented Environmental Management System to reduce our environmental impacts. We will continue to focus on further reductions and our sights remain firmly set on exceeding all elements of our Science-Based Target on a long-term basis.

Actions we take include, but are not limited to: establishing environmentally sensitive purchasing policies (buying recycled or long-life products; favouring products derived from natural/sustainable sources) and monitoring the environmental performance of our suppliers; ensuring that all decisions regarding working practices and purchasing take environmental considerations into account. We measure, monitor and minimise our usage of resources and consumables, and our greenhouse gas emissions. We actively look for ways to reduce waste and to recycle, and encourage the use of sustainable modes of transport. We encourage home working and the use of virtual collaboration tools.

tmc3's Carbon Reduction Plan has been completed in accordance with PPN 06/21 and associated guidance and reporting standard for Carbon Reduction Plans. This is available on the tmc3 website.

For the provision of these services, we commit to offsetting the carbon footprint for the development of the tmc3 deliverables and, if requested, will provide certification verifying this action has been completed within a month of project completion. We will measure the ‘As-is’ state of the contract to give us an accurate benchmark to work from, and to show how we need to progress throughout the contract lifecycle. This will include measuring against Scope 1, 2 and 3 emissions, for example: water use, electricity use, conducting a materiality checklist, measuring business travel, working from home, business travel accommodation, employee commuting etc. We will gather data across all scopes of emissions and utilise carbon calculator tooling to give an accurate and transparent measurement. We will then present these findings back to you and key stakeholders.

Pricing

Price
£76 to £7,754 a unit a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Typical trial is 10 days in duration. 5 SAST Licences (including Pipeline and IDE scanning), 5 DAST Licences, 5 Software Composition Analysis Licences, 1 eLearning Licence. Granting of a free trial is subject to the buyer disclosing objectives or success factors for the trial.
