Veracode’s Security Approach to SaaS

Background

In July 2007 Gartner published a research note (ID Number: G00150520) titled “Critical Security Questions to Ask a SaaS Provider”. The research note provides a checklist of security-related questions that each organization should ask its SaaS providers as part of its due diligence process (for the full report, please contact Gartner directly). Veracode fully agrees that security is a core component of a SaaS platform and embraces Gartner’s checklist as a key selection criterion for any organization evaluating application security solutions. Veracode’s specific approach and response to each Gartner requirement is outlined below.

Network

Gartner: Does the SaaS provider require the use of two-factor authentication for the administrative control of servers, routers, switches and firewalls?

Two-factor authentication is required for administering the Veracode SaaS Platform. Veracode also offers customers two-factor authentication for their end users of the platform; this is provided at no extra cost to commercial customers that wish to use it. Veracode’s administrative control of servers, routers, switches and firewalls is governed by a SAS 70 Type II environment. All administrative controls and procedures for this environment are fully documented by Ernst & Young and audited every six months.

Gartner: Does it support Secure Sockets Layer (or other industry-standard transport security) with 128-bit or stronger encryption and two-factor authentication for connecting to the application?

Yes. The service platform uses both SSL with 128-bit encryption and two-factor authentication for all administrative access to the application. In addition, Veracode employees accessing the SaaS platform are also required to use two-factor authentication.

Gartner: Does it provide redundancy and load balancing for firewalls, intrusion prevention and other critical security elements?

Yes. Veracode provides full redundancy and load balancing for firewalls, intrusion prevention and other critical security elements.

Gartner: Does it perform (or have an experienced consulting company perform) external penetration tests at least quarterly, and internal network security audits at least annually? The audits should be against International Organization for Standardization (ISO) 17799 (transitioning to ISO 27001) and in compliance with Statement on Auditing Standards No. 70, Service Organizations (SAS 70 Type II). This auditing standard, developed by the American Institute of Certified Public Accountants, enables service providers to disclose their control activities and processes to their customers and customers' auditors in a uniform reporting format. SAS 70 Type II audits are expensive and not necessarily more insightful than other audits, but all major auditing firms accept the format and structure.

Veracode contracts a third party to perform penetration tests of our service platform annually or prior to every major production release. Veracode also performs automated vulnerability scanning quarterly and an internal security audit at least annually. In addition to these technical vulnerability management and security initiatives, Veracode has completed a SysTrust certification process conducted by Ernst & Young. Furthermore, Ernst & Young performs a SAS 70 Type II audit of Veracode’s managed service environment every six months.

Gartner: Can it show documented requirements (and audit procedures) for network security to ensure that other customers will not compromise the SaaS provider's infrastructure?

Yes. Veracode network security is governed by a fully documented set of information security policies and operating procedures designed to provide the highest level of security and confidentiality for our customers’ data. The policy and procedure framework governs all aspects of network security, including auditing, monitoring, access control, change control, incident management and architecture.

Gartner: Does it contract for, or provide protection against, denial-of-service attacks against its Internet presence?

Yes. Veracode’s managed service provider provides multi-layer DoS detection and prevention. Additional layers of DoS protection are provided by the Veracode service firewalls.

4 Van de Graaff Drive, Burlington, MA 01803 | Phone 781.425.6040 | Fax 781.425.6039 | www.veracode.com
Platform

Gartner: Can it provide a documented policy for "hardening" the operating system under the Web and other servers?

Yes. The hardening of the operating system under the Web and other servers is covered by Veracode’s information security policy and hardening guidelines/procedure document.

Gartner: Can it provide validated procedures for configuration management, patch installation, and malware prevention for all servers and PCs involved in SaaS delivery?

Yes. These procedures are covered by Veracode’s information security policy and associated procedures, which are fully documented. The procedures have been validated by the SysTrust audit performed by Ernst & Young.

Gartner: If it collocates customer data storage on physical servers, then does the service provider have a documented set of controls that it uses to ensure the separation of data and security information between customer applications?

Yes. Veracode employs a number of documented controls to ensure the security and segregation of customer data. These controls provide defense in depth and include data-at-rest encryption, method filtering at the application tier, and data access enforcement at the database tier.

Applications and Data

Gartner: How does the SaaS provider review the security of applications (and any supporting code, such as Ajax, ActiveX controls and Java applets) that it develops and uses?

As a security company offering application security solutions, Veracode performs the most stringent security reviews, which include design reviews, code reviews and penetration testing.

Gartner: Does the SaaS provider use content monitoring and filtering or data leak prevention processes and controls to detect inappropriate data flows?

Yes. Veracode employs a number of documented controls to protect and monitor the flow of customer data. These controls provide defense in depth and include data-at-rest encryption, method filtering at the application tier, and data access enforcement at the database tier. The service platform validates all requests for data at multiple layers within the application architecture. User identity is passed through with each request down to the database tier, where a final check is performed to ensure the request is allowable given the assigned user roles and access control lists.

Gartner: Does it have documented procedures for configuration management, including installing security patches, for all applications?

Yes. These procedures are covered by Veracode’s information security policy and associated procedures, which are fully documented.

Gartner: If the SaaS application involves data that is covered by regulations — such as the Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act and Payment Card Industry (PCI) — then does the SaaS provider meet the regulatory requirements for data protection? For example, PCI requires certain types of data to be encrypted whenever stored.

Data that Veracode processes is not covered by any regulations and therefore does not fall under any regulatory requirements for data protection. However, to provide the highest degree of protection for customer data, Veracode processes, manages, and stores all customer data according to PCI compliance guidelines.
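The layered data-access pattern described above (method filtering at the application tier, then a second check at the data tier using the identity carried with the request) is illustrated by the following added example. It is not Veracode's code; the roles, the scan-result rows, the ACL table and the function names are constructed for the illustration. It shows why the second layer matters: a caller who reaches the data tier without passing the application-tier filter is still denied there.

```python
"""Layered data-access enforcement (added illustration, not Veracode's code).

Every request carries the caller's identity. The application tier filters
which service methods a role may invoke; the data tier re-checks the same
identity against a per-application ACL before returning rows, so a check
missed in one layer is caught by the next. All names and data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


class AuthorizationError(Exception):
    pass


# --- Data tier -------------------------------------------------------------
# Constructed sample table of scan results, keyed by the owning application,
# and an ACL mapping each application to the users allowed to read it.
SCAN_RESULTS = [
    {"id": 1, "app_id": "app-A", "findings": 3},
    {"id": 2, "app_id": "app-B", "findings": 7},
    {"id": 3, "app_id": "app-A", "findings": 0},
]
APP_ACL = {
    "app-A": {"alice"},
    "app-B": {"bob"},
}


def db_select_scan_results(principal: Principal, app_id: str) -> list:
    """Data-tier check: the identity travels with the query, and rows are
    returned only if the ACL for app_id names this user (auditors may read all)."""
    in_acl = principal.user_id in APP_ACL.get(app_id, set())
    if not (in_acl or "auditor" in principal.roles):
        raise AuthorizationError(f"db: {principal.user_id} not in ACL for {app_id}")
    return [row for row in SCAN_RESULTS if row["app_id"] == app_id]


def db_denies(principal: Principal, app_id: str) -> bool:
    """True if the data tier alone (app tier bypassed) rejects the request."""
    try:
        db_select_scan_results(principal, app_id)
        return False
    except AuthorizationError:
        return True


# --- Application tier ------------------------------------------------------
# Method filtering: the service methods each role may invoke at all.
ROLE_METHODS = {
    "developer": {"list_scan_results"},
    "auditor": {"list_scan_results", "export_all"},
}


def app_authorize_method(principal: Principal, method: str) -> None:
    permitted = set().union(*(ROLE_METHODS.get(r, set()) for r in principal.roles))
    if method not in permitted:
        raise AuthorizationError(
            f"app: roles {sorted(principal.roles)} may not call {method}")


def list_scan_results(principal: Principal, app_id: str) -> list:
    """Service entry point: app-tier method filter first, then the data tier
    performs its own check with the same principal."""
    app_authorize_method(principal, "list_scan_results")
    return db_select_scan_results(principal, app_id)


def outcome(principal: Principal, app_id: str) -> tuple:
    """Return ("ok", row_count) or ("denied", <tier that refused>)."""
    try:
        return ("ok", len(list_scan_results(principal, app_id)))
    except AuthorizationError as exc:
        return ("denied", str(exc).split(":")[0])


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"developer"}))
    bob = Principal("bob", frozenset({"developer"}))
    guest = Principal("guest", frozenset())
    print(outcome(alice, "app-A"))   # allowed by both tiers
    print(outcome(bob, "app-A"))     # passes app tier, refused by data tier
    print(outcome(guest, "app-A"))   # refused at the app tier
    print(db_denies(bob, "app-A"))   # data tier holds even if app tier is skipped
```

The design point is that the data tier never trusts that the application tier already decided; it receives the principal itself and evaluates the ACL again, which is what makes the two layers independent rather than redundant copies of one decision.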
Operations

Gartner: Does the service provider perform background checks on personnel with administrative access to servers, applications and customer data?

Yes. Veracode performs background checks on all employees, and employment agreements are contingent on clean background checks. Checks performed by an independent third party include verification of citizenship, criminal background, credit history, employment history, professional references, education, professional credentials, personal references and residency/domicile. Additionally, background checks are performed by Veracode’s managed service provider for any personnel with administrative access to Veracode’s IT infrastructure. Veracode has further ensured that none of the personnel of our service provider has access to any customer data.

Gartner: Can it show a documented process for evaluating security alerts from operating system and application vendors, shielding systems from attack until patched, and installing security patches and service packs?

Yes. These procedures are covered by Veracode’s information security policy and associated procedures, which are fully documented and validated by Ernst & Young’s SysTrust certification.

Gartner: Does it use write-once technology for storing audit trails and security logs?

Veracode does not use write-once technology. Instead, Veracode maintains a centralized copy of all audit trails and security logs that is backed up regularly.

Gartner: Can it demonstrate procedures for vulnerability management, intrusion prevention, incident response, and incident escalation and investigation?

Yes. These procedures are covered by Veracode’s information security policy and associated procedures, which are fully documented and validated by Ernst & Young’s SysTrust certification.

Vulnerability Management: Veracode contracts a third party to perform penetration tests of our service platform annually or prior to every major production release. Veracode also performs automated vulnerability scanning quarterly and an internal security audit at least annually. In addition to these technical vulnerability management and security initiatives, Veracode has also completed a SysTrust certification process by Ernst & Young. Furthermore, Ernst & Young performs a SAS 70 Type II audit of Veracode’s managed service environment every six months.

Intrusion Detection: Veracode provides intrusion detection through a combination of technologies, including advanced firewall features and an aggregated event monitoring framework.

Incident Response, Incident Escalation and Investigation: Our incident management and response plan and procedures are formally documented in our information security policy and associated procedures. Veracode has also constituted an executive-level body referred to as the Information Security Assessment Team (ISAT) that is responsible for investigating, coordinating and responding to security and confidentiality events. The ISAT is a virtual team responsible for the following:
• Coordinating and executing incident response protocols
• Validating that production changes are compliant with security and confidentiality policies
• Validating that production management processes and operating procedures comply with security and confidentiality policies
• Processing incidents of reported security and confidentiality policy non-compliance or breaches
• Processing results of security reviews and vulnerability assessments
• Reporting control weaknesses, actual or potential compromises, and recommendations for improving Veracode’s overall information security and confidentiality posture to the ISOC
• Review and approval of new, changed, or existing production operating procedures
Gartner: Can it provide procedures for business continuity and disaster recovery that include your applications and data, as well as evidence that it has tested those procedures during the past 12 months?

Veracode has a formal disaster recovery plan to ensure business continuity in the event of an extended primary data center outage. Elements of the plan (specifically database backup and restore) are tested regularly; however, the entire plan has not been tested end to end.

End Services

Gartner: Does the service provider's security staff average more than four years' experience in information and network security?

The Veracode team has deep security and industry expertise from industry-leading security and services companies such as @stake, Symantec, Guardent, VeriSign and Salesforce.com. The management team is comprised of industry veterans representing the application security space, providing a full understanding of what it takes to secure today’s software. Veracode’s extended security staff and members of the Information Security Assessment Team (ISAT) average well above four years of security experience. Many of Veracode’s employees have been recognized as security thought leaders in the industry.

Gartner: Does more than 75% of its security staff have security industry certification, such as from the Certified Information Systems Security Professional (CISSP) certification program (www.isc2.org) or Global Information Assurance Certification (GIAC; www.giac.org/)? Although passing a CISSP exam does not guarantee performance, it establishes a minimum body of knowledge. GIAC puts candidates through a standard series of briefings, courses and tasks that demonstrate a more detailed technical body of knowledge. The service provider also should have vendor certification for the firewall equipment that it will manage.

As a security provider, Veracode has among the most experienced security staff in the industry. Veracode’s staff has worked at security companies such as @stake, Symantec, Guardent and VeriSign and other security-related organizations prior to joining the company. In addition, Veracode’s managed service provider maintains an experienced staff of CISSP-certified personnel to maintain Veracode’s IT assets.

Gartner: Can it show documented identity management and help-desk procedures for authenticating callers and resetting access controls, as well as establishing and deleting accounts (if that is part of the SaaS offering)?

Yes. Veracode has documented procedures for creating, deleting and resetting accounts. We offer only named accounts, which go through a formal request/approval and creation process. Only a select few individuals have the ability to create administrative accounts. All platform accounts are also reviewed on a periodic basis for privileges and to identify any issues of non-compliance with procedures.

Out-of-Country SaaS Providers

Other issues to address when finding a SaaS provider include:

Gartner: Can it show documented procedures for cooperating with local government and law enforcement agencies that might demand access to its customers' systems?

Veracode is currently working on documenting these procedures.

Gartner: Will the SaaS provider limit the countries in which your data will be stored?

Currently, all data is stored in the United States.

Gartner: Will it accept contractual language that prohibits exposing your data or system without your prior approval for any reason?

Yes. Veracode will accept contractual language that prohibits exposing customer data or systems without the customer’s prior approval for any reason.
For More Information

For information on software security services, best practices, and methodologies, contact us at:

Veracode, Inc.
4 Van de Graaff Drive
Burlington, MA 01803
Phone: +1.781.425.6040
Email: contact@veracode.com
www.veracode.com

SecurityReview is a registered trademark of Veracode, Inc. © 2007 Veracode, Inc.