Do you know if the source code you have deposited in escrow is free from security vulnerabilities?
Secure verification provides independent assurance that the source code and associated files deposited in escrow have been scanned to identify any security vulnerabilities which exist in the application’s source code.
As the service is focused on the ‘building blocks’ of the application, code analysis should be done early in the development lifecycle and repeated throughout the life of the application. Code analysis gives developers immediate feedback on issues and vulnerabilities introduced into the source code during development, allowing them to remediate the vulnerabilities the scan identifies.
Secure Verification benefits
- Fully managed service: A Secure Verification is fully managed by one of our skilled and experienced Security Consultants. As part of the service we will produce a comprehensive report of the scan results allowing a developer to carry out any remediation work.
- Market-leading technologies: We utilise market-leading enterprise code verification and analysis tools to perform code analysis on a wide variety of programming languages. The tests provide accurate and valuable results which are reviewed before being made available.
- Result validation: We will assign a Security Consultant with the appropriate experience and exposure to carry out a Secure Verification. Manual validation will follow, along with the removal of any false positives to ensure that the test results are of maximum benefit.
Types of Secure Verification
What level of secure verification testing is best for you?
Whether you want to verify and document the end-to-end build processes within the environment of the software vendor, licensee or an alternative third party, all of our secure verification services include a Static Application Security Test (SAST) along with manual result validation performed by an NCC Group expert.
Entry Level Secure Verification
Entry Level Secure Verification provides all the benefits of an Entry Level Verification by ensuring that the material deposited in escrow is correct, complete and can be built into the working system either remotely or at the software vendor’s site.
For additional assurance, a SAST is carried out on the deposit to scan the code base for the presence of any security vulnerabilities.
Independent Secure Build Verification
Independent Secure Build Verification provides all the benefits of an Independent Build Verification, allowing source code maintenance to be undertaken by a third party on behalf of the licensee.
It provides assurance that the build can be completed in an independent secure location by a third party, that it can be fully tested by the licensee at their site and that a SAST has been carried out on the source code base to identify any security vulnerabilities.
Secure User Assured Verification
Secure User Assured Verification provides all the benefits of a User Assured Verification where source code maintenance will be undertaken by the licensee in the event of a release.
It provides total reassurance that the application can be rebuilt in the licensee’s environment in addition to the software vendor’s and that a SAST has been carried out on the source code base to identify any security vulnerabilities.