US flag signifying that this is a United States Federal Government website An official website of the United States Government This site is currently in alpha. Learn More.
All Products Veracode Application Security Services System

Veracode Application Security Services System

Veracode Application Security Services System

The Veracode Application Security Services System (VASSS) is designed to assist organizations in verifying an application’s security state and in determining acceptable levels of risk before the software is deployed for business use. In conjunction with providing these services, Veracode relies upon its Center for Software Assurance (CSA) function to perform quality review procedures over the results generated by the Platform System prior to delivering them to its clients.

Enterprise-grade Security

The Veracode cloud-based platform provides customers a centralized way to secure web, mobile and third-party applications across their global infrastructure, from development to production, without slowing innovation.

White Box Testing / Binary Static Analysis (SAST)

Static Application Security Testing (SAST), or “white-box” testing, finds common vulnerabilities by performing a deep analysis of customer applications without executing them. Using Veracode patented binary SAST technology, all code is analyzed, including open source and third-party components, without requiring access to source code.

SAST supplements threat modeling and code reviews performed by developers, finding coding errors and omissions more quickly and at lower cost via automation. It’s typically run in the early phases of the Software Development Lifecycle when it’s easier and less expensive to fix problems prior to production deployment.

Black Box Testing / Dynamic Analysis (DAST)

Dynamic Application Security Testing (DAST), or “black-box” testing, identifies architectural weaknesses and vulnerabilities in customer running web applications. DAST allows customers to test and secure applications prior to and after shipping.

Web Application Perimeter Monitoring

Most enterprises don’t even know how many public-facing applications they have. To reduce customers’ global application threat surface, Veracode’s parallel cloud infrastructure rapidly discovers public-facing applications and identifies the potential exploitable vulnerabilities.

As enterprises spin-up new websites for new marketing campaigns or geographies, create web portals for customers and partners, and acquire companies, web application perimeters are constantly expanding. Additionally, legacy and aging marketing sites may exist unknowingly. The Veracode platform allows customers to quickly identify risks and take immediate action by shutting down legacy sites. Customers can also feed security intelligence about specific vulnerabilities from the Veracode cloud-based platform to your existing WAFs, for rapid mitigation via virtual patching.

Vendor Application Security Testing

Driving innovation to market usually means trusting the resilience of third-party software. The VAST program leaves less to chance. It baselines the risk posed by third-party applications and components, and then works directly with vendors to ensure your software supply chain is in compliance with your corporate policies.

Mobile Application Security System

Veracode’s cloud-based solution helps mobile teams achieve the correct balance between innovation and control. Veracode helps effectively manage the security risk posed by the mobile apps that customer organizations build, buy or download. Veracode’s solution provides the intelligence to protect against attacks and verify compliance with corporate risk and privacy policies.

Veracode’s mobile application security solution combines automated code assessments with expert remediation services that enable IT teams to rapidly secure mobile applications in agile development environments, without slowing innovation.


  • Federally-Compatible TOS

  • Privacy Threshold Analysis (PTA)

  • Privacy Impact Assessment (PIA)

  • System of Records Notice (SORN)

Authority to Operate (ATO)

  • FedRAMP (JAB)

  • FedRAMP (Agency) (link)

  • FedRAMP (CSP Package)

  • Agency Approval

Procurement Options

  • POC:

    NASA Solutions for Enterprise Wide Procurement (SEWP) is a multi-award Government-wide Acquisition Contract focused on commercial Information Technology (IT) products and product-based services. There are 147 pre-competed Contract Holders, many of them small businesses, which serve as resellers of these IT technologies and product-based services. If new to NASA SEWP then please follow the steps below to acquire guidance to create quotes for purchasing using the NASA SEWP contract vehicle:

    • Send an email to titled 'Apps.Gov RFQ request' to include your name, email, agency, contracting officer info (if required), and the product description.
    • A member of the SEWP Customer Care team will contact you within one business day to assist you with creating your RFQ using the SEWP Quote Request Tool (QRT).
    • Upon receipt of an RFQ, the NASA SEWP Contract Holders will add the provider and selected products to their catalog. Reponses to your RFQ can be expected within a few days. At that point, the Contracting Officer will be able to purchase the product.