Veracode’s Security Approach to SaaS
In July 2007 Gartner published a research note (ID Number: G00150520) titled “Critical Security Questions to Ask a SaaS Provider”. The
research note provides a checklist of questions related to security that each organization should ask their SaaS providers as part of their due
diligence process (for the full report, please contact Gartner directly). Veracode fully agrees that security is a core component of a SaaS
platform and embraces Gartner’s checklist as key selection criteria for any organization evaluating application security solutions. Veracode’s
specific approach and response to each Gartner requirement are outlined below:
Gartner: Does the SaaS provider require the use of two-factor authentication for the administrative control of servers, routers, switches and
Two-factor authentication is required for administering the Veracode SaaS Platform. Veracode also offers two-factor authentication to
commercial customers for their own end users of the platform; this is provided at no extra cost for customers that wish to use it. Veracode’s
administrative control of servers, routers, switches and firewalls is governed by a SAS 70 Type II environment. All administrative controls and
procedures for this environment are fully documented by Ernst & Young and audited every six months.
Gartner: Does it support Secure Sockets Layer (or other industry-standard transport security) with 128-bit or stronger encryption and two-factor
authentication for connecting to the application?
Yes, the service platform uses both SSL with 128-bit encryption and two-factor authentication for all administrative access to the application. In
addition, Veracode employees accessing the SaaS platform are also required to use two-factor authentication.
Gartner: Does it provide redundancy and load balancing for firewalls, intrusion prevention and other critical security elements?
Yes, Veracode provides full redundancy and load balancing for firewalls, intrusion prevention and other critical security elements.
Gartner: Does it perform (or have an experienced consulting company perform) external penetration tests at least quarterly, and internal
network security audits at least annually? The audits should be against International Organization for Standardization (ISO) 17799 (transitioning
to ISO 27001) and in compliance with Statement on Auditing Standards No. 70, Service Organizations (SAS 70 Type II). This auditing standard,
developed by the American Institute of Certified Public Accountants, enables service providers to disclose their control activities and processes
to their customers and customers' auditors in a uniform reporting format. SAS 70 Type II audits are expensive and not necessarily more
insightful than other audits, but all major auditing firms accept the format and structure.
Veracode contracts a third party to perform penetration tests of its service platform annually or prior to every major production release.
Veracode also performs automated vulnerability scanning quarterly and an internal security audit at least annually. In addition to these technical
vulnerability management and security initiatives, Veracode has completed a SysTrust certification process, conducted by Ernst & Young.
Furthermore, Ernst & Young performs a SAS 70 Type II audit of Veracode’s managed service environment every six months.
Gartner: Can it show documented requirements (and audit procedures) for network security to ensure that other customers will not compromise
the SaaS provider's infrastructure?
Yes, Veracode network security is governed by a fully documented set of information security policies and operating procedures designed to
provide the highest level of security and confidentiality for our customers’ data. The policy and procedure framework governs all aspects of
network security, including auditing, monitoring, access control, change control, incident management, and architecture.
Gartner: Does it contract for, or provide protection against, denial-of-service attacks against its Internet presence?
Yes. Veracode’s managed service provider provides multi-layer DoS detection and prevention. Additional layers of DoS protection are
provided by the Veracode service firewalls.
4 Van de Graaff Drive, Burlington, MA 01803
Phone 781.425.6040 | Fax 781.425.6039