A collection of example application security "policies as code" that can be added to your Veracode organization account using the process below.
To add one of these policies to your Veracode organization, use the Veracode Policy API. The command-line example below uses HTTPie with the Veracode API Signing tool (the `veracode_hmac` auth plugin).
- You must use a user with the Policy Manager role.
- Generate your API credentials and store them in a Veracode credentials file (or use environment variables).
- Install the Veracode Python Authentication Library.
- Install HTTPie. (You can use other API tools, but HTTPie is used for the command line examples below.)
- Download the policy JSON file to your local system (e.g. `example.json`).
- Execute the following command at the command line:

```shell
http --auth-type=veracode_hmac POST "https://api.veracode.com/appsec/v1/policies" < example.json
```
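The same submission as a small script, added here as an example (not part of this repository): it checks each policy file is well-formed JSON before calling the API, submits several files in one run, and stops on the first rejected policy. It assumes `python3`, HTTPie and the Veracode Python Authentication Library are installed and credentials are configured as described above; the requirement that a policy carries a top-level `name` is an assumption made for the check.

```shell
#!/bin/sh
# Added example, not part of this repository: check policy JSON files locally,
# then add each one through the Veracode Policy API with HTTPie and the
# veracode_hmac auth plugin, as the single-file command above does. Assumes
# python3, HTTPie and the Veracode Python Authentication Library are installed
# and API credentials are configured (credentials file or environment variables).
set -eu
POLICY_API_URL="https://api.veracode.com/appsec/v1/policies"

# Exit 0 only if the file is well-formed JSON with a non-empty top-level
# "name" string. Requiring "name" is an assumption made for this example.
validate_policy_file() {
  file="$1"
  [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
  python3 - "$file" <<'PY' || return 1
import json, sys
path = sys.argv[1]
try:
    with open(path) as fh:
        doc = json.load(fh)
except ValueError as exc:
    sys.exit("%s: invalid JSON: %s" % (path, exc))
name = doc.get("name") if isinstance(doc, dict) else None
if not isinstance(name, str) or not name.strip():
    sys.exit("%s: missing top-level 'name' string" % path)
PY
}

# POST one validated file. --check-status makes HTTPie exit non-zero on a
# 4xx/5xx response, so a rejected policy stops the run instead of being skipped.
submit_policy_file() {
  validate_policy_file "$1" || return 1
  http --auth-type=veracode_hmac --check-status POST "$POLICY_API_URL" < "$1"
}

# Usage: ./add_policies.sh fisma.json hipaa.json ...
# Set DRY_RUN=1 to validate the files without calling the API.
main() {
  for file in "$@"; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      validate_policy_file "$file"
    else
      submit_policy_file "$file"
    fi
    echo "ok: $file"
  done
}
# Run only when policy files are given (the functions can also be sourced on their own).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with `DRY_RUN=1` first to confirm every file parses before anything is sent to the API.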
- FISMA - NVD cross-section mappings of CWEs. The DIACAP/FedRAMP policies are based on the same requirements.
- HIPAA - Example policy to act as a guide for those attempting to comply with HIPAA + Omnibus/HITECH/HITRUST.
- OWASP API Security Top 10 2019 - Policy based on the CWE mappings in the (preview version of the) OWASP API Security Top 10 list for 2019. (Note: In some cases, child or parent CWEs of the ones mentioned in the standard have been used depending on how Veracode categorizes the vulnerabilities.)
- Veracode Verified Policies
  - Verified Standard - initial level of Veracode Verified
  - Verified Team - second level of Veracode Verified
  - Verified Continuous - highest level of Veracode Verified