2020 Veracode Information Security Exhibit (VISE) - 1

This document provides an overview of Veracode's information security policies and controls. It describes roles and responsibilities, risk management processes, asset management procedures, human resources security, physical security measures, technical controls for access control, communications and operations management.


Veracode Information Security Exhibit

March 27, 2020

Proprietary and Confidential


The information in this document is Veracode Proprietary and Confidential and is not for public
distribution. Only customers or prospective customers who have signed non-disclosure
agreements are permitted access to this information.
> DOCUMENT HISTORY AND SIGNOFF

DOCUMENT HISTORY
This document is reviewed and updated on an annual basis. The following table lists the previous and
current revisions to this document in chronological order. For each revision, one or more contributors
are listed and the changes to the document briefly described.

The most recent revision is the last entry of the table below and that version is printed in the footer of
each page of the document.

VERSION       DATE OF APPROVAL   AUTHOR                        DESCRIPTION
Version 1.0   8/1/2013           Jeff Horan, CISSP & CISM      Senior Information Security Compliance Specialist
Version 2.0   8/1/2014           Jeff Horan, CISSP & CISM      Senior Information Security Compliance Specialist
Version 3.0   8/1/2015           Jeff Horan, CISSP & CISM      Manager, Information Security & Compliance
Version 4.0   8/1/2016           Jeff Horan, CISSP & CISM      Manager, Information Security & Compliance
Version 5.0   06/21/2017         Craig Mellin, CISA & CRISC    Principal Compliance Engineer
Version 6.0   09/28/2018         Mark Seligman, CISA           Principal IT Compliance Analyst
Version 6.1   12/13/2018         Mark Seligman, CISA           Principal IT Compliance Analyst
Version 6.1   9/20/2019          Mark Seligman, CISA           Principal IT Compliance Analyst
Version 6.2   12/20/2019         Praveen Sharma                Risk and Compliance Consultant

DOCUMENT SIGNOFF
APPROVER                                    NAME          DATE
CIO / CISO                                  Bill Brown    06/21/2017
Information Security Oversight Committee    ISOC          09/28/2018
Information Security Oversight Committee    ISOC          12/13/2018
Information Security Oversight Committee    ISOC          09/27/2019

Veracode Proprietary and Confidential > 2020 Q3 < 2


> INTRODUCTION

TABLE OF CONTENTS

Document History ............................................................................................................................ 2
Document Signoff ............................................................................................................................. 2
Table of Contents ............................................................................................................................ 3
Introduction ....................................................................................................................................... 5
Communication ............................................................................................................................... 5
Applicability And Scope .................................................................................................................. 6
Summary ......................................................................................................................................... 6
External References........................................................................................................................ 7
Company Overview, Product and Service Summaries ................................................................. 8
Company Introduction ..................................................................................................................... 8
Veracode Application Security Platform ......................................................................................... 9
Product Offering Summaries........................................................................................................... 9
Cryptography Summary ................................................................................................................ 12
Information Security Governance ................................................................................................. 13
Individual and Functional Roles & Responsibilities ...................................................................... 13
Risk Assessment and Treatment .................................................................................................. 18
Information Risk Management Policy ........................................................................................... 18
Third-Party Service Provider Oversight ........................................................................................ 21
Information Security and Confidentiality Policy Management ...................................................... 23
Organization of Information Security ........................................................................................... 28
Individual and Functional Roles and Responsibilities ................................................................... 28
Asset Management ......................................................................................................................... 29
Information Asset Classification and Control ................................................................................ 29
Human Resources Security ........................................................................................................... 32
Personnel Security Policy ............................................................................................................. 32
Pre-employment Actions ............................................................................................................... 33
Acceptable Use of Information and Assets ................................................................................... 34
Information Confidentiality Policy Summary ................................................................................. 37
Security Awareness, Training and Education ............................................................................... 41
Post-Employment Actions ............................................................................................................. 43
Physical and Environmental Security .......................................................................................... 45
Physical Security Policy ................................................................................................................ 45
General Physical Security and Environmental Controls ............................................................... 45
Protection at the Facilities Level ................................................................................................... 47
Communications and Operations Management .......................................................................... 48
Communications and Operations Management Policy ................................................................. 48
Network Security Architecture Planning and Design .................................................................... 48
Configuration & Change Control ................................................................................................... 51
Intrusion Detection and Security Event Monitoring ....................................................................... 53
Tele-working and Remote Access ................................................................................................ 54
Access Control ............................................................................................................................... 56
Access Control Policy ................................................................................................................... 56
Access Control Access and User ID Management ....................................................................... 56
User Password Management ........................................................................................................ 58
Information Systems Acquisition, Development and Maintenance .......................................... 60
Application Development Policy .................................................................................................... 60
General Requirements .................................................................................................................. 60
System Security Design ................................................................................................................ 62
System Build, Acquisition and Test............................................................................................... 66
Operations and Management ....................................................................................................... 70
Technical Monitoring, Vulnerability Management and Security Reviews ..................................... 79
Information Security Incident Management ................................................................................. 83
Information Security Incident Management Policy ........................................................................ 83
Business Continuity Management ................................................................................................ 97
Overview ....................................................................................................................................... 97
Business Continuity Plan .............................................................................................................. 97
Compliance ..................................................................................................................................... 99
THE VERACODE WAY (Veracode of Conduct) ........................................................................... 99
Veracode SOC 2 TYPE II REPORT ........................................................................................... 100
Privacy Policy .............................................................................................................................. 101
Privacy Shield ............................................................................................................................. 101


Introduction
The Veracode Information Security Exhibit (Exhibit) was developed to demonstrate Veracode’s
commitment to the protection of information entrusted to Veracode and its subcontractors, and to
outline how the information security safeguards appropriately protect non-public information in
connection with those relationships and associated information systems.

The information contained in this document details the Information Security Program Veracode has
implemented to protect information assets and ensure its Information Security Program objectives
are achieved.

Information Security Program policies and standards derive from the company’s information
security risk management process, legal and regulatory requirements, industry standards, and the
nature of the company’s activities.

The Veracode Chief Information Officer (CIO) / Chief Information Security Officer (CISO) is
responsible for:

• Overall enterprise security
• Centralized oversight of security policy, administration, and operations
• Security monitoring and compliance
• Physical security design and engineering
• Information security projects and service delivery
• Technology risk management

Veracode recognizes that the information security landscape is constantly changing, and that
management must implement, interpret, and, at times, modify the control documents to reflect the
changing security landscape.

The Information Security Program policies, procedures, and exhibits provided in this document are
the basis for ensuring the security and the protection of information and related technologies.

The policies summarized in this document set forth the organizational standards and provide
direction to management and employees for achieving the following security program objectives:

Confidentiality: Ensures protection of customers' and Company data against unauthorized use.

Integrity: Ensures information has not been altered in an unauthorized manner and systems are
free from unauthorized manipulation that will compromise accuracy, completeness, or reliability.

Availability: Ensures authorized users have prompt access to information and information assets
and resources are available as established.

COMMUNICATION
The Veracode Information Security Oversight Council (ISOC) is responsible for defining the
requirements for protecting information and communicating these requirements to management
through executive presentations, intranet, training, and new employee orientation. This document is
provided by Veracode’s account management or customer service organizations. Questions and/or


comments concerning this document should be directed to the appropriate Veracode relationship
manager.

External requests to review the Information Security Program policies, procedures and standards
must be communicated to Veracode and will be considered on a case-by-case basis.

APPLICABILITY AND SCOPE


The Veracode Information Security Policy (VISP) and Veracode Information Confidentiality Policy
(VICP) provide a comprehensive set of policies related to the protection and management of non-
public information and associated processing systems, hosted with third party service providers as
well as the framework for executing those activities within Veracode. Collectively, these policies:

• Convey Veracode’s philosophy and direction for information protection
• Outline basic functional roles and individual responsibilities
• Set forth the minimum information security requirements required for the protection of non-public
information and processing systems

These policies apply to all Veracode management, employees, and contractors (“employees”).
Compliance with the Veracode Information Security Policy, Veracode Information Confidentiality
Policy, and associated standards is mandatory. Additionally, management shall apply provisions to
agreements and contracts with business partners and service providers reflecting appropriate
elements of these policies. Failure to comply with these policies may result in disciplinary or other
adverse action including, where appropriate, termination of employment or business relationships.
Unless specifically expressed to the contrary, information and data refer to all information
processed, stored, used, or transmitted in any medium or form. Information systems refer to all
networks, computers, software, hardware, electronic messaging systems, fax or copy machines,
mobile devices, voice mail, telephones, cellular phones, and similar devices owned, operated, or
managed by Veracode.

Facilities within the Scope:

• Veracode Corporate Facilities.
• Hosted Environments at SunGard, AWS, & Markley.
• Cloud Backup Service Provider – Carbonite (Offsite backup)

SUMMARY
The Veracode Information Security Exhibit (Exhibit) is a collection of frequently requested
customer-facing documentation that outlines Veracode’s Security, Risk, and Compliance controls.
The Exhibit is reviewed and updated at minimum annually by:

• The Chief Information Officer / Chief Information Security Officer
• Legal
• Compliance
• Human Resources

As a result, it is recommended that new Exhibit versions be obtained on an annual basis to show
the changes to Veracode’s Security, Risk, and Compliance posture.

EXTERNAL REFERENCES
Trust Services Principles, Criteria, and Illustrations -- Assurance Services Executive Committee
(AICPA)

ISO/IEC 27002:2013, Code of Practice for Information Security Management

ISO/IEC 27001, Information Security Management Systems Requirements

The Standard of Good Practice for Information Security, Information Security Forum (ISF)



> COMPANY OVERVIEW, PRODUCT AND SERVICE SUMMARIES

Company Overview, Product and Service Summaries
COMPANY INTRODUCTION
Veracode enables the secure development and deployment of the software that powers the
application economy.

With its combination of automation, process and speed, Veracode becomes a seamless part of the
software lifecycle, eliminating the friction that arises when security is detached from the
development and deployment process. As a result, enterprises can fully realize the advantages of
DevOps environments while ensuring secure code is synonymous with high quality code.

Without the need for additional staff or equipment, Veracode customers ramp up quickly, see
results and prove value on day one, and consistently see improvement over time. This is due to the
company’s combination of:

• Process: Our goal is to work with your security and development teams to create an
advanced program – one that reduces risk across your entire application landscape and
accelerates your business. By embedding into your existing software development
workflow, Veracode can ensure assessments and vulnerability remediation are completed
during logical points throughout your distinct process. This seamless integration with
legacy APIs has resulted in as much as 90% or greater reduction in remediation costs for
our customers.
• Platform: The power of the Veracode Platform is in its scalability, integrations with
development tools and its ability to ensure security policies are consistently enforced
across the enterprise. While some companies talk about scanning 10,000 applications
overall, we scanned that many applications for a single customer. Yet, the platform won’t
slow down your development cycles: 60% of all Veracode’s static assessments finish in
less than an hour, 80% in less than 4, and more than 90% are ready overnight. All our
customers benefit from the knowledge that comes with assessing 1.7 trillion lines of code.
With each new scan, the platform gains institutional knowledge which it calls upon for
future assessments.
• People: The security industry faces a significant skills gap – there aren’t enough security
experts. Working with Veracode you gain access to some of the top security experts in the
industry. These experts can offer strategic advice for building a scalable program, help
execute the program, and then provide remediation coaching for when flaws are found. In
2015 Veracode’s security experts helped fix 70% of all vulnerabilities found; from read-out
calls alone, customers saw a 2.5X improvement in remediation.

Veracode was founded in 2006 by a world-class team of application security experts from @stake,
Guardent, Symantec, and VeriSign. The core technology of our on-demand service was developed
in 2002 at the security consultancy @stake to automate application security assessments and now
forms the backbone of application risk management from Fortune 500 organizations to mid-market
enterprises worldwide.

Veracode has received considerable recognition and awards in the industry including being named
a Gartner “Cool Vendor,” The Wall Street Journal’s “Technology Innovation Award,” The Banker’s
“Information Security Project of the Year” with Barclays, SC Magazine’s “Best Vulnerability
Assessment Solution,” Information Security “Readers’ Choice Award,” and Always On Northeast's
"Top 100 Private Company.”

VERACODE APPLICATION SECURITY PLATFORM

PRODUCT OFFERING SUMMARIES


Veracode Application Security Platform - Manage Your Entire Application Security Program in a
Single Platform.

Competing in business is all about speed of innovation. No matter what industry you’re in, that
innovation relies heavily on leveraging software. However, most applications were not created with
security in mind, which is why applications are the most common breach vector. Looking at a giant
backlog of insecure applications can be overwhelming. Training developers to write more secure
code, testing applications, and collaborating on remediation is very challenging because application
security expertise is very hard to find. Even worse, developers may not be cooperative if they
believe that you only point out their mistakes and delay their projects.
The Veracode Application Security Platform offers a holistic, scalable way to manage security risk
across your entire application portfolio. We offer a wide range of security testing and threat
mitigation techniques, all hosted on a central platform, so you don’t need to juggle multiple vendors
or deploy tools. Application security cannot be solved with technology alone. Our security program
managers work with you to define policies and success criteria, so you’ll have a strategic,
repeatable way to tackle your application security risk. Veracode educates developers with
actionable results, one-on-one coaching, and a variety of training, so they can effectively fix
existing flaws and code securely moving forward.

Veracode Greenlight - Get Secure Coding Feedback in Seconds – Right in Your IDE.

Veracode Greenlight finds security defects in your code and provides contextual remediation
advice to help you fix issues in seconds, right in your IDE. Leveraging our proven, and highly
accurate static engine, Veracode Greenlight offers immediate results and scales to your needs.
You do not need to provision any servers or tune the engine. It simply scans in the background and
provides accurate and actionable results, without taking up resources on your machine. With
Veracode Greenlight, find issues early, reduce development and remediation costs, and release
your code on time – at the speed of your DevOps process.

Veracode Static Analysis - Manage application security risk in a simple, strategic, scalable way.


Veracode Static Analysis enables your developers to quickly identify and remediate application
security flaws without having to manage a tool. Thanks to our SaaS-based model, we increase
accuracy with every application we scan. Veracode’s patented technology analyzes major
frameworks and languages without requiring source code, so you can assess the code you write,
buy or download, and measure progress in a single platform. By integrating with your SDLC tool
chain and providing one-on-one remediation advice, we enable your development team to write
secure code. The Developer Sandbox feature enables engineers to test and fix code between
releases without impacting their compliance status.

Veracode Web Application Scanning - Discover and assess risk of thousands of corporate
websites.

Veracode Web Application Scanning (WAS) offers a unified solution to find, secure, and monitor all
your web applications – not just the ones you know about. First, Veracode discovers and
inventories all your external web applications, then performs a lightweight scan on thousands of
sites in parallel to find critical vulnerabilities and helps you prioritize your biggest risks. As a second
step, you can run authenticated scans on critical applications to systematically reduce risk while
continuously monitoring your security posture as part of the SDLC. Veracode offers multiple
scanning technologies on a single platform, so you get unified results, analytics, and increased
accuracy.

Veracode Runtime Protection - Detect and block attacks against applications in real-time.

Veracode Runtime Protection defends against application-layer attacks in real-time. Unlike a WAF,
Veracode Runtime Protection is simple to deploy and does not require engineering resources to
implement and tune it because it uses a technology called runtime application self-protection
(RASP). Veracode Runtime Protection provides more effective protection, is harder for attackers to
evade, and has much higher accuracy – so you won’t be distracted by noisy false positives. You
can even deploy it in pre-production to ensure its functionality is tested as part of your QA process.
Third-party and legacy applications can be secured without requiring code changes or interrupting
engineering priorities.

Veracode Vendor Application Security Testing - Assess Security of the Software You Buy.

Veracode Vendor Application Security Testing (VAST) provides a scalable program for managing
third-party software risk. Build your program based on a decade’s worth of best practices to ensure
success and see a simple pass or fail for each vendor application. Because Veracode scans
binaries rather than source code, vendors will be more comfortable with the assessments because
they don’t have to disclose their intellectual property. With Veracode, you can scale your program
without adding specialized headcount and manage the entire program on a single platform.

Service Offering Summaries


Strong security means more than having powerful technology. Our services help developers rapidly
identify, understand and remediate critical vulnerabilities — and help transform decentralized, ad
hoc application security processes into ongoing, policy-based governance.

Integrations:
Veracode Security Program Management - Ensure quick successes with experienced security
program management and scale your application security program without adding headcount.

Veracode Security Program Management (SPM) helps enterprises map out their strategy and
deliver results with. Veracode has been involved with thousands of application security programs
over the past 10 years. We help you with security program readiness and execution, so you don’t
have to find and retain highly specialized talent. As a result, we see customers who use Veracode
SPM grow their application coverage by 25% each year, decrease their time to deployment and
achieve better scan and remediation metrics. Most importantly, our security program managers
ensure that your program stays on track to meet your strategic goals.

Veracode Remediation Advisory Solutions - Get an application security expert to advise your
development teams and benefit from a deeper vulnerability analysis with dedicated consultants.

Veracode Remediation Advisory Solutions (RAS) provide application security experts with a
development background that act as a “personal trainer” for your engineering team. Unlike services
that assign different resources for each vulnerability, the same Veracode RAS consultant will work
on all vulnerabilities of a specific application to provide a deeper level of analysis and so you don’t
have to start from square one on each call. Your developers will learn secure coding practices in
their environment and process, decreasing the number of flaws over time, leading to cost savings
for you and your organization.

Veracode Developer Training - Grow your developers’ skills and become more secure in the
process.

Remediate 30% more vulnerabilities with developer training and reduce costs by trained

Veracode Developer Training empowers developers, testers and security leads to develop secure
applications, providing the critical skills they need to identify and address potential vulnerabilities.
Veracode offers three styles of teaching that reinforce each other. Instructor-led training offers real-
time training that’s tailored to your organization. On-demand training is integrated with the
Veracode Application Security Platform and allows developers to learn when and where they need
it. And just-in-time training offers refreshers and contextual recommendations to help developers fix
vulnerabilities. Development organizations that leverage Veracode eLearning see a 30 percent
higher vulnerability fix rate when training developers on application security.


CRYPTOGRAPHY SUMMARY
For an understanding of how Veracode secures customer data in its custody please
see the Veracode Cryptography Primer dated June 30, 2020.



> INFORMATION SECURITY GOVERNANCE

INFORMATION SECURITY GOVERNANCE


Effective information security governance is an ongoing commitment within Veracode and an
essential component in our efforts to help our customers secure their applications and safeguard
their sensitive information. As such, it is imperative that Veracode employees and contractors
adhere to applicable laws or regulations and ensure that their conduct preserves the interests of
both Veracode and our customers. To aid in these efforts, Veracode established measures
necessary to implement, monitor, measure, and maintain appropriate information security and
confidentiality controls including:

• Delineation of key roles & responsibilities related to information security and confidentiality
• Information security and confidentiality policies that provide organizational direction and
establish baseline information security and confidentiality controls and procedures
• An executive-level oversight group to monitor and periodically report on the state of
information security and confidentiality controls
• A process that individuals can use to report security and confidentiality defects and non-
compliant practices without fear of retribution or reprisal.

INDIVIDUAL AND FUNCTIONAL ROLES & RESPONSIBILITIES


Key roles & responsibilities to implement, monitor, measure, and maintain information security and
confidentiality controls within Veracode promote proper decision-making by helping to ensure that
information security activities are effectively coordinated and appropriately approved.

Executive Management
Veracode Executives have a fundamental responsibility to manage business risks in a proactive
fashion consistent with the best interests of both Veracode and our customers. Consequently,
Veracode Executives have a vital role in the effective implementation and management of
safeguards necessary to address information confidentiality and security risks.

• Ensure that management has established an appropriate framework and organizational
direction for information security and confidentiality activities
• Monitor the overall state of information security and confidentiality safeguards through
regular discussion of key information security activities and exploration of significant
information security risks
• Establish and maintain a mechanism for individuals to report, without fear of retribution or
reprisal, practices that are contrary to organizational policy, laws, regulatory requirements,
or ethical business practices; practices that render information or associated processing
systems vulnerable to compromise; and similar security defects
• Model and promote the highest standards of business conduct, providing demonstrative
support for, and commitment to, the information security program

Veracode Proprietary and Confidential > 2020 Q3 < 13


> INFORMATION SECURITY GOVERNANCE

• Implement information security and confidentiality controls and management oversight
within their span of control consistent with the Veracode Information Security and
Confidentiality Policies and prudent operational risk management principles

• Allocate sufficient resources and staff to support information security and confidentiality
controls and approved initiatives

• Communicate and enforce information security and confidentiality policies and standards,
ensuring that subordinate managers, employees, and contractors receive the direction and
guidance necessary to fulfill their individual responsibilities.

In addition to the general responsibilities outlined above, select Executives have been delegated
specific additional responsibilities related to administration and management of the information
security and confidentiality program within Veracode:

Chief Information Officer / Chief Information Security Officer

• Chair the Information Security Oversight Council (ISOC), providing supervision of
Veracode’s information security and confidentiality activities

• Serve as a senior-level advisor providing technical support, subject matter expertise, and
industry guidance related to security operations and management

• Participate in the development, review, and approval of information security and
confidentiality policies and standards

• Serve as a member of Veracode’s Information Security Assessment Team (ISAT), participating
in all security related activities

• Provide executive sponsorship and overall management of information security and
confidentiality activities directly affecting the production environment

• Serve as the primary management focal point during incident response activities resulting
from production operations

• Serve as the primary management focal point during incident response activities resulting
from customer-initiated events

• Design, implement, and manage technical, physical, and procedural controls affecting
information security and confidentiality safeguards within their span of control. Specific
areas of focus are:

o Design and control of the production infrastructure and application architecture
o Operations and maintenance of the production infrastructure
o Oversight and management of the service provider responsible for hosting the
production infrastructure (data center co-location “Hosting provider”)
o Software development
o Quality assurance
o Installation, operation, and maintenance of Veracode’s corporate IT infrastructure
o Service delivery activities
o Center for Software Assurance
o Analysis and reporting of code flaws
o Customer support

• Coordinate information security and confidentiality activities with the hosting service
provider

Chief Technology Officer

• Serve as a member of the Information Security Oversight Council (ISOC)

• Serve as a member of Veracode’s Information Security Assessment Team (ISAT), participating
in all security related activities

• Serve as a senior-level advisor providing technical support, subject matter expertise, and
industry guidance related to security operations and management

• Participate in the development, review, and approval of information security and
confidentiality policies and standards

General Counsel

• Serve as a member of the Information Security Oversight Council (ISOC)

• Provide management coordination during the development, review, and approval of
information security and confidentiality policies and standards

• Participate in the design, implementation, and management of technical, physical, and
procedural controls affecting information security safeguards within their span of control.
Specific areas of focus are:

o Legal and contract management support
o Facility management
o Human Resources management
o Enterprise policy management
o Employee learning and development

Information Security Oversight Council (ISOC)

Composition

Chief Information Officer / Chief Information Security Officer (Chair)
Chief Technology Officer
General Counsel (as necessary)
Information Security Manager
Information Security Compliance Manager


Responsibilities

Schedule and conduct quarterly meetings to address Veracode’s information security and
confidentiality program (more frequently, if required)

Provide strategic direction and oversight of the information security program

Provide leadership and management coordination during the development of information security
and confidentiality policies, standards, and guidelines

Review and approve changes to Veracode’s information security and confidentiality policies,
standards, and guidelines

Design and implement a set of key performance indicators (security metrics) to provide ongoing
monitoring of the effectiveness of information security and confidentiality controls and the overall
level of information security risk within the Veracode environment.

Information Security Assessment Team (ISAT)

The ISAT is a virtual team responsible for the following:

• Coordinating and executing incident response protocols

• Validating that production changes are compliant with security and confidentiality policies

• Validating production management processes and operating procedures for compliance with
security and confidentiality policies

• Processing incidents of reported security and confidentiality policy non-compliance or
breaches

• Processing results of security reviews and vulnerability assessments

• Reporting control weaknesses, actual or potential compromises, and recommendations for
improving Veracode’s overall information security and confidentiality posture to the ISOC

• Reviewing and approving new, changed, or existing production operating procedures

The team is co-led by the Chief Information Officer / Chief Information Security Officer and the
Chief Technology Officer, with support drawn, as necessary, from across Veracode.

Product Security Incident Response Team (PSIRT)

Composition

• Chief Technology Officer (Chair)

• Chief Information Officer / Chief Information Security Officer

• Information Security Compliance Manager

• Information Security Manager

• Vice President of Security Research

• Principal Security Researchers

• EVP, Product Development

Responsibilities

• Tactical cross-functional product teams that assess immediate and emerging threats to
Veracode’s Products & Services Systems

• Develops direct tactical response plans (countermeasures) to secure Veracode’s Products
& Services Systems

• Provides opportunities for collaboration between Research and Engineering on new and
existing security initiatives

o Comprised of Security Champions who are sources of security expertise for their
team, embedding security more deeply into the SDLC

> SECURITY POLICY

Risk Assessment and Treatment


INFORMATION RISK MANAGEMENT POLICY
Veracode has a fundamental responsibility to identify, evaluate, and manage business risks related
to non-public information and associated processing systems consistent with the best interests of
both Veracode and our customers.

Determining Risk Level


Throughout this process, employees must assign a risk level to conditions that pose a financial,
regulatory, contractual, or reputational risk to Veracode. However, the determination that a specific
condition poses a risk to Veracode and subsequent assignment of that condition to a particular risk
level is subjective and often subject to healthy debate. While assignment of risk levels is
somewhat subjective, the following definitions and criteria provide a guide to assist employees in
assigning risk levels.

High Risk: A condition meeting one or more of the following criteria, in which the likelihood and
severity of risk realization is generally high, representing a significant risk to Veracode.

• Clearly in conflict with legal, regulatory, or contractual requirements

• Provides elevated privileges to a sensitive or critical information system

• Subjects any Veracode (or Customer) Sensitive information to potential compromise or
improper disclosure

• Subjects a large volume of Veracode (or Customer) Proprietary information to potential
compromise or improper disclosure

• Can be used to compromise additional systems or non-public data stores

• Significantly degrades the effectiveness of technical security controls or monitoring across
a group of systems

• Significantly damages the Veracode brand

Moderate Risk: A condition meeting one or more of the following criteria, in which the likelihood
and severity of risk realization is generally moderate, low, or unknown, representing a moderate risk
to Veracode.

• May conflict with legal, regulatory, or contractual requirements

• Does not provide elevated privileges to a sensitive or critical information system

• Is generally limited to a single information system and cannot generally be used to
compromise additional systems or non-public data stores

• Does not subject Veracode (or Customer) Sensitive information to potential compromise or
improper disclosure

• Limits the volume of Veracode (or Customer) Proprietary information subject to potential
compromise or improper disclosure

• Does not materially alter the effectiveness of technical security controls or monitoring
across a group of systems

Low Risk: A condition meeting one or more of the following criteria, in which the likelihood and
severity of risk realization is generally low, representing a minimal risk to Veracode.

• Does not conflict with legal, regulatory, or contractual requirements

• Does not provide elevated privileges to a sensitive or critical information system

• Is limited to a single information system

• Does not directly subject non-public information to compromise or improper disclosure

• Does not materially alter the effectiveness of technical security controls or monitoring
across a group of systems

Notably, the risk levels are themselves arbitrary classifications used only to assist
employees in the selection of security controls, to establish the degree and formality
required for Management oversight, and to help employees determine and escalate risks to
the appropriate level of Management for approval or resolution.

As such, an effective risk management process simply enables informed decision-making
at appropriate levels of Management whenever risk is present in Veracode operations.

Risk Assessment and Analysis


Veracode employees must evaluate information risk on an ongoing basis as well as when
introducing or materially changing facilities, policies, processes, projects, networks, or systems.
Such evaluations should incorporate the following considerations:

• Business requirements

• Likelihood of loss or compromise if the risk is realized

• Severity of impact if the risk is realized

• Non-public information involved (sensitivity, criticality, volume)

• Associated and connected systems (existing controls, complexity)

• Supporting processes and procedures

While the depth and formality of the risk analysis may vary significantly based on the
nature of the change, the goal is to provide Veracode Management with sufficient
information to make an informed decision regarding the need for mitigating or
compensating controls, risk transference, or risk acceptance.


Risk Mitigation and Management


Generally, Veracode will make the necessary changes in our environment, processes, and systems
to eliminate the risk introduced or detected. Veracode Management must advise the Information
Security Assessment Team of all high risk and moderate risk issues. For any issues requiring
greater than one (1) day to correct, the ISOC must also be notified so that they appropriately
document, track, report, and follow-up on the issue.

The ISOC must formally document, track, and periodically report on the status of all information
security-related high-risk issues involving any aspect of Veracode’s operations as well as
moderate-risk issues noted in the production environment.

Risk Transfer or Acceptance


In those instances when mitigating or compensating controls fail to reduce the risk to an acceptable
level, Veracode must either transfer the risk to a third party or accept the risk. Risk transference is
generally accomplished by shifting the risk to an insurance provider or to a service provider (for
example, the Hosting provider).

When it is not feasible or cost effective to mitigate or transfer risk, Veracode may accept the risk as
outlined in Table 1 shown below.

Table 1. Information Security Risk Acceptance Actions

                                                                   RISK LEVEL
ACTION(S) REQUIRED                                            LOW   MODERATE   HIGH

Written Approval
  Information Security Assessment Team (ISAT)                  No    Yes        Yes
  Executive Management                                         No    No         Yes
  ISAT (Production) / Chief Information Officer -
  Chief Information Security Officer (Corporate)               No    Yes        Yes

Tracking, Reporting, and Follow Up
  Information Security Oversight Council (ISOC)                No    Yes        Yes
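The following added example (not Veracode's own code or tooling) encodes the risk level criteria from Determining Risk Level, the notification rule from Risk Mitigation and Management, and Table 1 as Python functions, so the order in which the criteria are evaluated is explicit: a single High criterion is sufficient, and an unknown likelihood can never yield Low. The page states the criteria in prose and calls their application subjective; the fields of Condition, the production/corporate reading of the table's third row, and the sample conditions are this example's assumptions.

```python
"""Risk level assignment and risk acceptance actions, modelled on the
Determining Risk Level criteria and Table 1 of the Veracode Information
Security Exhibit. Added illustration, not Veracode's own tooling: the
Condition fields are an assumed encoding of criteria the page gives in prose."""
from dataclasses import dataclass
from enum import Enum


class RiskLevel(str, Enum):
    LOW = "Low"
    MODERATE = "Moderate"
    HIGH = "High"


@dataclass(frozen=True)
class Condition:
    """Observed properties of one condition (assumed encoding of the page's criteria)."""
    description: str
    likelihood: str               # "high", "moderate", "low" or "unknown"
    legal_conflict: str           # "clear", "possible" or "none"
    elevated_privileges: bool     # grants elevated privileges on a sensitive/critical system
    sensitive_info_exposed: bool  # any Veracode/Customer Sensitive information at risk
    proprietary_volume: str       # Proprietary information at risk: "large", "limited" or "none"
    multi_system: bool            # usable to compromise additional systems or data stores
    degrades_controls: bool       # significantly degrades controls/monitoring across systems
    brand_damage: bool            # significant damage to the Veracode brand


def assign_risk_level(c: Condition) -> RiskLevel:
    """High if any High criterion holds, otherwise Moderate if any Moderate
    criterion holds, otherwise Low. Order matters: one High criterion is
    sufficient, and an unknown likelihood is never Low."""
    if (c.likelihood == "high" or c.legal_conflict == "clear" or c.elevated_privileges
            or c.sensitive_info_exposed or c.proprietary_volume == "large"
            or c.multi_system or c.degrades_controls or c.brand_damage):
        return RiskLevel.HIGH
    if (c.likelihood in ("moderate", "unknown") or c.legal_conflict == "possible"
            or c.proprietary_volume == "limited"):
        return RiskLevel.MODERATE
    return RiskLevel.LOW


def notifications(level: RiskLevel, days_to_correct: int) -> list:
    """Risk Mitigation and Management: Management advises the ISAT of every High
    and Moderate issue; anything taking more than one day to correct also goes to
    the ISOC for documentation, tracking, reporting and follow-up."""
    who = []
    if level in (RiskLevel.HIGH, RiskLevel.MODERATE):
        who.append("ISAT")
        if days_to_correct > 1:
            who.append("ISOC")
    return who


def risk_acceptance_actions(level: RiskLevel, environment: str) -> dict:
    """Table 1: written approvals and tracking needed to accept a risk that cannot
    be mitigated or transferred. `environment` is "production" or "corporate"; the
    table's third row is read here as ISAT for production and CIO/CISO for
    corporate (this example's assumption about that row label)."""
    approvers = []
    if level in (RiskLevel.MODERATE, RiskLevel.HIGH):
        approvers.append("ISAT")
        approvers.append("ISAT" if environment == "production" else "CIO/CISO")
    if level == RiskLevel.HIGH:
        approvers.append("Executive Management")
    return {
        "written_approval": list(dict.fromkeys(approvers)),  # de-duplicated, order kept
        "isoc_tracking": level in (RiskLevel.MODERATE, RiskLevel.HIGH),
    }


if __name__ == "__main__":
    # Constructed sample conditions, not findings from any real assessment.
    stale_cert = Condition("Expired TLS certificate on an internal staging host",
                           "low", "none", False, False, "none", False, False, False)
    vendor_account = Condition("Former vendor account still holds elevated rights on a production database",
                               "unknown", "possible", True, True, "large", True, False, False)
    for cond in (stale_cert, vendor_account):
        level = assign_risk_level(cond)
        print(f"{cond.description}: {level.value}; notify {notifications(level, 3)}; "
              f"acceptance needs {risk_acceptance_actions(level, 'production')}")
```

Because the High check runs first, a condition that matches the Moderate bullet "may conflict with legal requirements" but also grants elevated privileges still lands at High, which is how the page's "one or more of the following criteria" wording reads.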


THIRD-PARTY SERVICE PROVIDER OVERSIGHT


Effective management and oversight of Veracode’s third-party service providers is necessary to
ensure that the service provider appropriately protects non-public information accessed,
processed, or disclosed in connection with that relationship. This policy outlines requirements for
the consideration, selection, use, and ongoing oversight of third-party service providers.

• Use of Third-Party Service Providers

• Service Provider Risk Assessments and Due Diligence

• Service Provider Agreements

Use of Third-Party Service Providers


Unless specifically prohibited by customer requirements and with the approval of Executive
Management, Veracode may share non-public information with third parties as long as both parties
execute appropriate non-disclosure agreements and there are reasonable assurances that the
third-party’s controls for the protection of non-public information are comparable to the protection
afforded that information within the Veracode environment. In any case, Veracode must carefully
consider the decision to provide third-party access to non-public information weighing the benefits
and risks associated with the information disclosed.

Veracode must provide the third party with appropriate guidance related to the security
requirements applicable to the information accessed or disclosed including, if appropriate,
third-party participation in security awareness and training activities conducted by Veracode.

Service Provider Risk Assessments and Due Diligence


Veracode can generally satisfy the need for assurances concerning the third-party’s safeguarding
capabilities by including appropriate provisions within the legal agreements. However, the formality
and degree to which such assurances require verification depends on the sensitivity, criticality, and
volume of non-public information accessed or disclosed.

As a rule, Veracode expects and holds the third party to safeguarding standards that are
comparable to those within Veracode and outlined in this policy. In situations when the nature of
the services provided by the third party or the sensitivity, criticality, and volume of information
warrant, Veracode may require additional assurances or independent verification of the third
party’s safeguarding capabilities prior to disclosure and, if appropriate, at reasonable intervals
thereafter. These additional activities may include one or more of the following:

• Evaluating the scope and applicability of industry attestations and certifications (for
example, SSAE 18, SysTrust or ISO 27001)

• Reviewing recent audit and assessment reports related to the third party’s safeguarding
capabilities


• Evaluating the third party’s responses to surveys or questionnaires concerning their
safeguarding capabilities

• Reviewing the third party’s information security policies, standards, and guidelines

• Executing additional audits or assessments of the third party’s environment conducted by
Veracode or an independent assessor.

Service Provider Agreements


Agreements that cover relevant security and confidentiality requirements are required with third
parties who access, process, or manage Veracode’s non-public information or associated
information systems. While the specific provisions of such agreements will vary depending on the
nature of the business relationship and the services involved, agreements will minimally include
confidentiality (non-disclosure) provisions. In addition, agreements will also include other relevant
security-related requirements necessary to convey the full range of controls applicable to the
relationship, such as:

• Service definition and description
• Service levels
• Specific information handling requirements
• Background verification requirements for third-party employees
• Security awareness and training requirements
• Provisions for conducting initial or periodic risk assessments of the third party’s
environment and operations


Security Policy

INFORMATION SECURITY AND CONFIDENTIALITY POLICY MANAGEMENT

Veracode is committed to properly safeguarding information entrusted to us and managing related
business risks at appropriate levels. To help meet this commitment and to provide clear direction
to the organization, Veracode has published and will maintain an appropriate set of information
security and confidentiality policies and standards. Collectively, these documents establish
organizational policy related to the protection of information and associated processing systems
owned, operated, or managed by Veracode.
The intent of the Veracode Information Security Policy, Veracode Information Confidentiality Policy,
and related standards is to provide direction and guidance necessary to achieve business
objectives, comply with applicable legal and regulatory requirements, and to meet or exceed
customer expectations and industry standards of good practice.

Policy Structure
Veracode’s policy structure and framework employs a hierarchical approach with a foundation of
general organizational direction applicable to all employees and functions coupled with more
detailed standards and procedures relevant to specific functional areas and processes. The policy
management framework consists of several related components that collectively comprise
organizational information security and confidentiality policy.

Figure 1. Veracode Information Security and Confidentiality Policy Framework


Veracode Information Security Policy (VISP) and Veracode Information
Confidentiality Policy (VICP)

The VISP and VICP convey senior management’s commitment to information security and
confidentiality, define the underlying foundation for organizational information security and
confidentiality policies, detail key roles & responsibilities, and establish high-level requirements
and expectations applicable across the organization.

The VISP and VICP serve as a bridge between high-level strategy, based on analysis of applicable
statutory or regulatory requirements, business objectives, market drivers, and technical capabilities,
and the granular guidance provided within Information Security and Confidentiality Standards and
Guidelines, while remaining consistent with other Veracode policies.

Absent an approved policy deviation, employee and contractor compliance with the VISP and VICP
is mandatory.

The VISP is organized in distinct sections aligned to the key information security control areas
outlined below:

Section 1 Information Security Governance

Section 2 Information Asset Classification and Control

Section 3 Human Resources Security

Section 4 Physical Security and Environmental Controls

Section 5 Network Security Architecture, Operations, and Management

Section 6 Systems Acquisition, Development, and Management

Section 7 Logical Access Control

Section 8 Technical Monitoring, Vulnerability Testing, & Security Reviews

Section 9 Incident and Emergency Management

Section 10 Third-Party Service Provider Oversight

Section 11 Business Continuity and Disaster Recovery

Information Security and Confidentiality Standards

• Information Security and Confidentiality Standards supplement the VISP and VICP by
providing detailed requirements applicable to specific processes, functional areas, and
operating environments

• Information Security and Confidentiality Standards link back to specific sections within the
VISP and VICP

• Absent an approved policy deviation, compliance with Information Security and
Confidentiality Standards is mandatory.


Information Security and Confidentiality Guidelines

• Information security and confidentiality guidelines may provide one or more optional
courses of action, or they may discuss concepts or provide additional context that is useful
when planning, implementing, or managing information security and confidentiality controls

• Information security and confidentiality guidelines will link back to either a section within the
VISP/VICP or a specific Information Security/Confidentiality Standard and are generally
applicable to specific processes, functional areas, and operating environments.

Operating Procedures

• Operating procedures allow for local supplementation of information security and
confidentiality policies and standards, are less formal, and narrowly apply to a single
system or process

• Any level of management responsible for a specific system or process may implement
documented operating procedures

• The ISAT is responsible for validating production related operating procedure compliance
with the security and confidentiality policies

• Operating procedures are reviewed annually by the ISAT and the results are reported to
the ISOC.

Policy and Operating Procedure Approval

• The Information Security Oversight Council must approve changes to the Veracode
Information Security Policy, Veracode Information Confidentiality Policy, and associated
standards

• The ISAT is responsible for approving production related operating procedures and
validating their compliance with security and confidentiality policies; exceptions are reported
to the ISOC.

Policy Deviations
Veracode designed the information security and confidentiality policies and standards to meet
specific business objectives and to comply with applicable legal, regulatory, and customer
requirements. As such, policy deviations require thorough investigation and analysis so that
Veracode Executive Management can make informed decisions based on the risk introduced by
the policy deviation.

Requester

Individuals seeking a deviation from approved policy must submit a documented request through
their immediate manager to the Information Security Assessment Team for consideration. The
request must include:

• A description of the proposed process and the specific policy provision(s) for which a
deviation is required

• The timeframe during which the policy deviation is required

• Options available or considered to provide an alternative method of satisfying the policy
provision or otherwise providing a compensating control to eliminate or reduce the risk
introduced by the policy deviation.

Information Security Assessment Team

The Information Security Assessment Team will take the necessary actions to investigate
and either reject or approve the deviation request:

• Review the request and verify the circumstances surrounding the deviation request

• Determine whether the deviation would result in legal or regulatory non-compliance

• Explore, identify, and coordinate options for providing alternative or compensating controls

• Assess the residual risk associated with the policy deviation after application of available
mitigating or compensating controls

• Confer with Executive Management as necessary for high risk

• Provide documented rejection or approval of the policy deviation request

o Reject the request, providing a brief explanation of the rationale for the decision

o Accept the residual risk and approve the request, providing a detailed explanation
of any mitigating or compensating controls required in connection with the approval
and the timeframe for which the policy deviation is authorized (not to exceed a
period of six (6) months without re-evaluation of the request)

• Re-evaluate the ongoing need for the deviation upon expiration of the authorized deviation
period or after six (6) months, whichever occurs first

• Maintain an inventory of all authorized deviations that are in effect and a record of all such
decisions for a period of two (2) years.

Emergency Policy Deviations


Veracode Management may approve policy deviations, on an interim basis, in those instances
when it is not possible or practical to adhere to the standard policy deviation process. In such
cases, the Manager must document the circumstances surrounding the policy deviation and
forward that information to the ISAT as soon as practical. Once notified of the emergency policy
deviation, the ISAT must expeditiously investigate, review, and approve or reject the deviation.


Policy Maintenance
Veracode will periodically review, and if necessary, update information security and confidentiality
policies and standards to help ensure that they remain useful, continue to accurately reflect
Veracode’s business and technical environment, and incorporate all applicable statutory and
regulatory requirements.

• At a minimum, the Information Security Oversight Council will initiate and coordinate an
annual review of, and, if appropriate, update to, information security policies and standards
• The ISAT will perform an annual review of all production related operating procedures for
compliance with security and confidentiality policies
• Additionally, the Information Security Oversight Council is responsible for initiating policy
reviews and updates based upon ongoing analysis of employee-suggested policy changes,
policy deviation requests, or in the event of major changes in the technical infrastructure,
operating processes, legal or regulatory landscape, customer requirements, or Veracode’s
risk tolerance
• If substantive updates are required, the Information Security Oversight Council will
coordinate changes with Executive Management and will reissue the affected information
security policies and standards along with appropriate organizational communications
outlining the changes
• The Information Security Oversight Council may make non-substantive changes (such as
spelling and grammar changes that do not change the meaning or intent of the document)
without collaborative review or notification.

> ORGANIZATION OF INFORMATION SECURITY

Organization of Information Security


INDIVIDUAL AND FUNCTIONAL ROLES AND RESPONSIBILITIES
Management
Veracode Managers have enormous influence on the effectiveness of our information security and
confidentiality efforts and, as such, an important role in ensuring that controls are consistent with
the best interests of both Veracode and our customers. Managers are responsible for ensuring that:

• Safeguards are prudently applied, managed, and monitored across their span of control

• Subordinate staff understand their information security and confidentiality responsibilities
and have the resources necessary to meet those obligations

o Ensure staff are provided an initial orientation that encompasses security and
confidentiality related requirements
o Ensure that staff receive periodic updates when significant changes occur in the
regulatory requirements, policy content, technical environment, or supporting
processes
o Ensure that staff are reminded of their security and confidentiality responsibilities
during performance management activities

• Appropriate actions are taken upon a significant change in an individual’s security-related
responsibilities or termination of the employment relationship.

Employees

• Become familiar with the information security and confidentiality policies, standards, and
guidelines applicable to the individual’s organizational responsibilities and specific job
function(s)

• Comply with the requirements outlined in Veracode’s information security and
confidentiality policies and standards as well as any management direction or local
procedures established within the individual’s specific functional area.

• Report control weaknesses, non-compliant practices, actual or potential compromises, and
recommendations for improving Veracode’s overall information security and confidentiality
posture to Veracode Management, the Information Security Oversight Council, CEO, or
Board of Directors.

> ASSET MANAGEMENT

Asset Management
INFORMATION ASSET CLASSIFICATION AND CONTROL
Classifying critical or sensitive information and the systems that process that information
(“information assets”) provides a means to assign and manage safeguards appropriate for that
classification level or protection profile. Proper classification and handling of information assets
also helps to preserve Veracode’s legal rights related to intellectual property, satisfy customer
expectations and contractual obligations related to the protection of their sensitive information, and
meet legal and regulatory requirements related to the protection of personally identifiable
information and certain types of business information.

The Veracode Information Confidentiality Policy (VICP) provides rules for information classification
and associated handling guidelines to ensure confidentiality of information belonging to Veracode
as well as information belonging to third parties.

This policy provides a security classification framework and guidance for information systems
managing confidential information.

• Asset Management
o Asset Ownership and Inventory
o Asset Protection Profiles
• Acceptable Use of Information and Assets

Asset Management
An accurate inventory and assigned ownership of important information assets is necessary in
order to proactively monitor, manage, and oversee safeguards associated with non-public
information and related processing systems.

Asset Ownership and Inventory

Information asset owners will maintain an inventory of information repositories and processing
systems in sufficient detail to identify, locate, and effectively apply safeguards to the information or
system. Each inventory entry records:

• Owner Contact Information

• Name of Information or System

• Brief Description of the Information or System

• Type and Classification of Information Stored or Processed


Asset Protection Profiles
Veracode assigns all information assets to a protection profile based on their usage, sensitivity,
criticality, and value. These profiles provide a means of managing information assets in distinct
groups each with its own set of safeguards and monitoring actions so that the robustness,
formality, and degree of oversight of security controls is appropriate for the risks associated with
the information asset.


Protection Profile 1 (PP1)

Encompasses those systems comprising or integral to the security of the production environment
including:

 All Production Systems/Devices
o Production infrastructure devices managed by Hosting provider
o Production application servers
o Production database servers
o External Firewall
o Active Directory servers
o Security monitoring and control systems (intrusion detection systems, anti-virus
servers, host log aggregators, etc.)
 Corporate/Center for Software Assurance (CSA)
o CSA Workstations
o CSA Remote Desktop Servers
o Corporate Active Directory
o Corporate VPN Server, Firewalls, and key routers/switches.

Protection Profile 2 (PP2)

Encompasses information systems that play an important role in the protection of the corporate
environment or whose sensitivity or criticality warrant more robust controls including:

 Corporate
 Internet-accessible hosts/devices
 CRM Application
 Corporate Email Server
 Code repository file servers
 QA and Staging
 Employee, Contractor and Customer Personally Identifiable Information
o Personally Identifiable Information (PII) means an individual’s first name and last
name or first initial and last name in combination with any one or more of the
following data elements that relate to such individual:
 Social Security Number or similar government identifying number;
 Driver’s license number or other government-issued identification card
number;
 A financial account number, or credit or debit card number, with or without
any required security code, access code, personal identification number or
password, that would permit access to such individual’s financial account.
For such information, Veracode has developed, implemented, and maintains a
comprehensive information security program reasonably designed to comply with
the provisions of Massachusetts 201 CMR 17.00: Standard for the Protection of
Personal Information of Residents of the Commonwealth.


Protection Profile 3 (PP3)

Encompasses all Veracode owned or operated systems not otherwise assigned to PP1 or PP2
including:

 Corporate
 All other application servers
 File and printer servers
 Desktops and workstations.



> HUMAN RESOURCES SECURITY

Human Resources Security

PERSONNEL SECURITY POLICY
Veracode applies a management process that helps to ensure that employees, contractors, and
third-party users understand and are suitable for their specific initial roles, continue to meet their
security and confidentiality obligations throughout their period of employment or access, and that
they are appropriately processed when changing roles or terminating employment. This process
commences prior to their arrival, continues throughout their association with Veracode, and finally
comes to an orderly conclusion when the individual changes roles or their working relationship with
Veracode ends.

 Pre-employment processing
o Security responsibilities in role/position descriptions
o Pre-employment screening (background investigation)
o Terms and conditions of employment

 Throughout the employment relationship
o Compliance with Veracode policies
o Addressing security within the performance management framework
o Security awareness, training, and education

 Significant change in or termination of the employment relationship
o Processing changes in responsibilities
o Termination of employment.


PRE-EMPLOYMENT ACTIONS
Clear Definition and Communication of Security Responsibilities
Veracode will define and communicate the nature of an individual’s role and responsibilities, with
particular emphasis on security-related aspects of the position, prior to the actual hire or start date.
This information will serve not only to frame interviews so that the prospective employee’s
knowledge, skills, and abilities can be properly evaluated, but will also guide the depth of
investigative research required during pre-employment screening. These responsibilities will be
incorporated into performance management discussions during the period of employment.

Terms and Conditions Associated with Employment

As part of their hiring process, employees must agree to and sign an employment agreement
outlining the terms and conditions of their employment including their responsibilities related to the
appropriation and use of Veracode owned or controlled assets, and the safeguarding of non-public
information.

Pre-Employment Screening
Supplemented by appropriately qualified third-party firms, Veracode will conduct pre-employment
screening including background investigations on all prospective employees prior to allowing the
individual access to non-public information. In addition, Veracode will apply the same investigative
screening process for contractors or third-party users if their respective employers cannot provide
written verification of an identical or substantially similar screening conducted within one (1) year of
the proposed start date.

Veracode reserves the right to tailor the scope and depth of the pre-screening verification process
based on the individual’s specific role, degree of access to non-public data and sensitive
processing facilities, and the perceived risk posed by an individual in that position.

Background verification checks will focus on verifying criminal, credit, and employment history for
the preceding seven (7) year period except that such checks will not extend earlier than the
individual’s 16th birthday.


ACCEPTABLE USE OF INFORMATION AND ASSETS

Clear expectations concerning the use of Veracode information and assets are necessary in order to
maintain a safe, sound, and legally compliant environment within Veracode.

Exercising Care with Non-Public Information and Systems
Employees, contractors, and third parties must take particular care when working with non-public
data to prevent inadvertent distribution of this information to unauthorized individuals or over
insecure communications channels:

 Ensure that unattended equipment is appropriately protected and, specifically, that
password-protected screen savers are enabled on user workstations

 Adopt a “clear desk” policy to ensure that documents and removable media containing
non-public information are not inadvertently left unsecured in user work areas

 Off-site removal of devices containing customer Information (PCs, laptops, removable
media) without appropriate authorization and approval is prohibited.

Additionally, employees must exercise care to reduce the possibility that malicious logic or
unauthorized mobile code is introduced into the Veracode environment (particularly through
attachments or links to external sites included in unsolicited email from unknown sources).

The Introduction and Use of Hardware
Unless specifically approved to the contrary, Veracode prohibits the installation and use of
hardware not owned by or under the control of Veracode. However, access to the corporate
network from home office environments under the control of Veracode employees is permissible
provided the connection method is approved by Veracode Management and the user
acknowledges and agrees to their obligations for safeguarding information accessed in that
manner.

Intellectual Property Rights

Veracode employees must not reproduce, display, perform, or distribute any materials owned by,
licensed to, or subject to the copyright of others without first obtaining the written permission or an
appropriate license. Executive Management must approve any exceptions to this requirement.

Examples include:

 Printed materials, photographs, graphics, software programs, diagrams, designs, logos,
musical arrangements

 Any other materials, whether found on the Internet, in other electronic formats, or in
traditional media, that were not produced or developed by Veracode

 Material that may require permission or license from the owner before it can be
reproduced, displayed, performed or distributed.


Acceptable Use of Software

The installation or use of certain software components can overwrite critical workstation files, causing
immediate and future workstation instability, introduce viruses or malicious logic into the
environment, violate software licensing agreements, and/or impact workstation, network, and
server capacity and/or performance. Accordingly, Veracode only permits software into the
Veracode environment meeting the criteria outlined below:

 The use of the software is consistent with applicable licensing requirements

 The software is not prohibited by Veracode Management

 The software is obtained through trusted distribution methods

 The software is properly scanned or evaluated for the presence of malicious logic prior to
or at the point of introduction into the Veracode environment

Veracode employees and contractors with remote access privileges must ensure that their
Veracode-owned workstation remains secure, free of malware, and in compliance with all
applicable corporate policies.

Personal Use of Veracode Assets

Unless specified to the contrary, Veracode allows limited non-business use of information assets
providing that:

 The use does not interfere with the employee's work performance, or pre-empt Veracode
business activity

 The use does not interfere with another employee's work performance

 The use does not have undue impact on the operation of the information asset

 The use is not for the purpose of operating a side-business or similar venture primarily
focused on providing personal gain (reasonable levels of equity trading and similar activity
is permissible at the discretion of Veracode Management)

 The use does not violate any other provision of Veracode policies.

Introduction of Offensive Materials

Users of Veracode information assets must not introduce offensive materials, information, or
communications into the work environment including any that are sexually explicit, obscene,
harassing, hate-oriented, political, illegal, or otherwise inappropriate except where such activities
are within the official duties of the employee. Examples of prohibited actions include:

 Internet (for example, accessing sexually explicit web sites)

 Email (for example, sending or forwarding harassing email messages)

 Telephone (for example, making obscene phone calls)

 Other means of distributing offensive material.


Right to Monitor
While Veracode permits the limited non-business use of company information assets, the company
retains ownership and control of the information assets and users have no right to or expectation of
privacy. Veracode reserves the right to monitor, access, and review any aspect of its information
asset usage.

Reporting Security and Confidentiality Incidents
Employees are responsible for ensuring that they promptly report security and confidentiality
incidents to the Information Security Assessment Team (ISAT) by emailing sg-isat or Veracode
Management.

Unless Veracode Management instructs otherwise, employees must treat information related to
security incidents as sensitive information and restrict disclosure of that information to only those
Veracode employees with appropriate need-to-know.

Under no circumstances should employees attempt to counter or otherwise respond to incidents if
the initial information suggests that a malicious breach or other unauthorized access to information
or systems has occurred.

Password Practices
To the extent technically possible, users should follow sound security practices in the selection and
protection of passwords and similar credentials (think in terms of a “passphrase” rather than
password).

Whenever possible and supported by the information system, select passwords of appropriate
length (preferably, 8 or more characters) and complexity (using a combination of upper and lower
case characters, special characters, and numbers).

As a general rule, passphrases should not be written down or printed unless they are stored in
appropriately secured desks and file cabinets.

Users must handle passwords, PINs, tokens, and similar identification & authentication credentials
at the highest classification level accessible using them.

Users must adhere to more stringent password policies if required by separate networks, systems,
and applications.

As a general rule, all devices used for company business need to be password protected. This
includes smart phones, laptops and desktops. Passwords should conform to the guidelines
provided above in this section.

Treatment of Violations
Violations will be treated as a performance issue and may result in disciplinary action, up to and
including termination of employment in accordance with applicable corporate policies or, in the
case of Contractors, termination of the contractual or other business relationship.


INFORMATION CONFIDENTIALITY POLICY SUMMARY

Introduction
The Veracode Information Confidentiality Policy (VICP) establishes rules and provides guidance
concerning the handling and confidentiality of Veracode’s information, as well as information
belonging to third parties.

Applicability and Scope

This Policy applies to all Employees. It also applies to all Contractors to the extent such
Contractors are responsible for dealing with Veracode information or third-party confidential
information in connection with their services to Veracode.

Information Confidentiality Policy

General Standard for Treatment of Corporate Information
Personnel must use Corporate Information only for the benefit of Veracode and not as a basis for
personal gain for themselves or any third-party.

Except as otherwise provided by this Policy, Personnel must treat Corporate Information as
confidential. Personnel may disclose Corporate Information only in accordance with this Policy.
Personnel must maintain the confidentiality of Corporate Information even after they no longer work
for Veracode.

Corporate Information that constitutes Confidential Information requires a particularly high standard
of care, as discussed below.

Disclosure of Non-public Corporate Information

Personnel may disclose Non-public Corporate Information (i) if there is a Veracode business-
related need for a particular disclosure, but only to the extent necessary to serve that business-
related need, (ii) as required by other Veracode policies or procedures, or (iii) as required by
applicable law. In addition, Personnel may disclose Corporate Information (including Confidential
Information) to the extent they are given the right to do so under applicable law or Veracode
policies or procedures, and nothing in this Policy will be interpreted as prohibiting or interfering with
the exercise of any such right.


Disclosure of Public Corporate Information

Except as set forth in the remainder of this section, Personnel may disclose Public Corporate
Information freely within and outside Veracode.

Databases and similar collections of Corporate Information constitute Confidential Information even
if they include or consist of Public Corporate Information. As a result, while Personnel may freely
disclose publicly available data elements from a database for Veracode business purposes (to the
extent legally permissible), the database itself and any material aggregations of data from the
database should be treated as Confidential Information.

Note: Certain information that is publicly available (such as certain publicly available personal
information concerning clients and other individuals) constitutes Confidential Information, rather
than Public Corporate Information, because its disclosure is restricted under applicable law.
Personnel must comply with all applicable laws and corporate policies.

General Standard for Treatment of Confidential Information

Personnel must handle Confidential Information in a manner designed to ensure that it remains
confidential. The following portions of this section describe minimum measures that apply to the
handling of Confidential Information. Depending on the sensitivity of particular Confidential
Information, additional measures may be required. Employees must consult with their supervisor
or an officer or supervisor in their business area when in doubt about appropriate measures to be
taken to protect particular Confidential Information. When in doubt, Contractors must consult with
their primary Employee contact within Veracode.

When dealing with Confidential Information, Personnel must:

 Clearly mark all written and electronic Confidential Information
“CONFIDENTIAL.” If the document contains legal advice or constitutes a
communication to an attorney for purposes of seeking or aiding in the
rendering of legal advice, the document should be marked “PRIVILEGED
AND CONFIDENTIAL ATTORNEY-CLIENT COMMUNICATION.” E-mail
containing Confidential Information should be marked with the appropriate
label, both in the body of the E-mail and in any attachment containing
Confidential Information. In the case of electronically stored data, this
labeling should appear in the metadata. Personnel may apply additional
restrictive legends to the information, such as “DO NOT COPY OR
FORWARD,” if deemed advisable.

Note: The lack of a “CONFIDENTIAL” label does not relieve Personnel of the
responsibility to treat Confidential Information as such.

 Password protect particularly sensitive electronic documents, including e-mail
attachments. When the password is communicated to the recipient of
the documents, that communication also should be done in a secure manner.
(Note: Personnel who password protect Corporate Information must ensure
that their Veracode manager or another appropriate authority at Veracode
has the password to open the documents. All such passwords constitute
Confidential Information belonging to Veracode.)

 For particularly sensitive information, use additional confidentiality features
that may be made available by Veracode, such as encryption. (Note:
Personnel who encrypt Corporate Information must ensure that the
encryption device is provided through Veracode and the appropriate authority
at Veracode has the key to decrypt the document. All such encryption keys
constitute Confidential Information belonging to Veracode.)

 Disclose Confidential Information (whether in writing, electronically or orally)
only to those who have a Veracode business-related need to know the
information. Any disclosures should take place within an appropriately
secure environment.

 Ensure that agreements with third parties contain appropriate protection for
any Confidential Information that may be disclosed under the agreements.
(See Non-Disclosure Agreements, below.)

 Comply with any restrictive legends (e.g., “Do Not Reproduce”) appearing on
any documents and databases that contain Confidential Information.

 Limit the number of copies made of Confidential Information to those that are
necessary to accomplish the business purpose.

 Secure written Confidential Information in locked file cabinets.

 Secure Confidential Information stored on Veracode systems and grant
access only in compliance with corporate policies and procedures.

 Maintain the confidentiality of passwords, access codes and identification
numbers in accordance with corporate policies.

 Retrieve Confidential Information immediately from printers and fax
machines.

 Hand-deliver Confidential Information within Veracode or send it in a
confidential envelope.

 Dispose of Confidential Information only in a manner reasonably intended to
protect against unauthorized access or use. The term “dispose” includes the
discarding of information and also the transfer or sale of computer equipment
on which Confidential Information is stored. Paper containing Confidential
Information should be shredded, and electronic media containing this
information should be erased or destroyed. (Note: the general rule in this
bullet does not override any directive Personnel may receive, related to
litigation or otherwise, to retain copies of information or not to shred, erase
or destroy them.)

When dealing with Confidential Information, Personnel must not:


 Leave Confidential Information unattended on computer monitors, desks,
copiers, printers or fax machines or in conference rooms.

 Store or permit storage of Confidential Information on any system operated
by a third party, unless it is done pursuant to a written agreement between
Veracode and the third party that includes appropriate protection for the
information.

 Transmit Confidential Information over third party communication systems,
such as the Internet, unless deemed appropriate by Management for a given
circumstance, considering the sensitivity of the information, the security
measures in effect on the system and other pertinent factors.

 Use external email accounts (e.g., Hotmail, Yahoo, AOL), Instant Messengers
(e.g., AIM, Yahoo IM), or other external resources to store or transmit
Confidential Information.

 Leave Confidential Information on a third party voice message system unless
appropriate under the circumstances, considering the sensitivity of the
information, whether individuals other than the intended recipient can access
the voice message and other pertinent factors.

 Discuss Confidential Information or review documents containing Confidential
Information in public places unless appropriate under the circumstances,
considering the sensitivity of the information, the proximity of third parties
who could overhear or see the information and other pertinent factors.

General Standard for Treatment of Client Information

Client Information is considered Confidential Information, whether or not it is marked as such.
Personnel must handle Client Information in a manner designed to ensure it remains confidential.
Examples of Client Information include, but are not limited to:

 Information about customers, including customer lists
 All customer application and vulnerability data
 All reports or findings relating to a customer
 All communications between Veracode and a customer.


SECURITY AWARENESS, TRAINING AND EDUCATION

While security awareness activities are most effective when embedded and collectively
emphasized in day-to-day operations, employees, contractors, and third-party users with access to
non-public information will receive supplemental security awareness guidance during their initial
orientation and periodically thereafter.

 Within the first fifteen (15) business days of their employment or engagement, all new
employees and contractors will receive an orientation that includes relevant aspects of their
security and confidentiality responsibilities

 At least once a year, employees and contractors must also participate in awareness
activities sponsored by the ISOC periodically throughout the year including monthly online
security awareness training relevant to the evolving information security threat landscape

 Employee and contractor participation in such events shall be recorded by their Manager
and noted, as appropriate, during performance appraisals

 Allocations will be made for key employees to receive specialized external training as
necessary in order to support the security and confidentiality policies.

Veracode Management must also ensure that employees and, if appropriate, contractors and third
parties, receive relevant security updates throughout the year. The objective of these activities is
to provide employees with current information necessary for them to understand and comply with
their security responsibilities.

 Provide regular communication that reinforces key security concepts, outlines current
threats, and discusses strategies to mitigate or eliminate those threats

 Introduce and highlight recent or proposed changes in the legal and regulatory
environment as well as changes in Veracode’s security and confidentiality policies,
practices, or supporting infrastructure

 Promote uniform implementation of security safeguards throughout the Veracode
environment

 Monitor the performance of key employees and identify instances where additional
specialized training may be required.


While the specific security awareness content will vary depending on the audience, objectives, and
content delivery mechanism used, security awareness activities will include and reinforce the
following key security concepts:

 Information security policy
 Confidentiality policy
 Information classification
 Risk management principles
 Acceptable use of information & systems
 Access requests & authorization
 Change control
 Malicious Software/Mobile Code
 Reporting breaches in confidentiality and security
 Information Handling
o Storage
o Disclosure
o Transmission
o Retention
o Destruction.


POST-EMPLOYMENT ACTIONS
When the nature of an employee, contractor, or third-party user’s responsibilities significantly
change or when the employment/working relationship is terminated, Veracode must take prompt
action to ensure that individual access authorizations to facilities, networks, systems, and
information are appropriately modified or revoked, and, if applicable, that company-owned assets
are returned.

Responsibilities
Manager

 Initiate action upon determination or notification that an employee or contractor’s employment
relationship will terminate OR when significant changes in the individual’s responsibilities require
modification of their access authorization to facilities, systems, and information

 Request changes or revocation of access authorizations to facilities, networks, and
systems, as appropriate

 Determine and communicate the requirements for transfer, storage, archival, or deletion of
electronic files and records

 If applicable, coordinate the recovery of company property including company assets
provided in connection with the employee or contractor’s work in a home office or similar
external location

 If applicable, schedule exit interview(s)

 For job changes, the gaining Manager is responsible for outlining the security-related
responsibilities and obligations of the new role or position and requesting access to
facilities and systems, as appropriate.

HR/Finance/Facilities/Administration

 Provide guidance, management, and oversight of the employee change/termination
process

 Coordinate or conduct the exit interview reminding the individual of their continuing
obligation to safeguard non-public information for which they had access during their
employment with Veracode

 Serve as the primary point of contact with the individual until all required actions are
completed.

Network/Application/System Administration

 Revoke or modify access to Veracode processing facilities, networks, and systems
including Veracode’s corporate environment, production infrastructure, and production
applications

 Take actions necessary to transfer, store, archive, or delete electronic accounts, files, and
records.


Employee/Contractor

 Promptly return all company assets provided in connection with their work at Veracode

 Continue to safeguard, and to treat as confidential, all non-public information for which they
had access during their tenure at Veracode.

Return of Assets
If applicable, employees and contractors must return all company-owned assets provided in
connection with their work at Veracode. Managers or their designated representatives are
responsible for collecting all company-owned property provided to, or under the control of, the
terminating employee or contractor.

 Laptop computers and accessories
 Authentication mechanism token(s)
 Facility badges and credentials
 Desktop printers
 Building/Desk keys
 Non-public documents and materials
 Home office equipment
 Smart/Cellular phones
 Office Supplies
 PDAs
 Pagers
 Portable media (diskettes, CDs, DVDs, flash drives) and associated manuals and systems
documentation
 Credit cards
 Telephone calling cards
 Conference call authorizations

Revocation or Modification of Access Rights

The appropriate technical or administrative employees are responsible for ensuring that
authorization and access to facilities, networks, systems, and financial instruments are
appropriately modified or revoked.

 Production Facilities
 Corporate Facilities
 Production Systems
 Corporate IT Systems
 Company-provided Credit Cards
 Telephone Calling Cards
 Teleconference Access



> PHYSICAL AND ENVIRONMENTAL SECURITY

Physical and Environmental Security

PHYSICAL SECURITY POLICY
Physical security measures and environmental controls are necessary to ensure that access to
sensitive information, systems, and facilities is limited to only those individuals with authorized
access and to protect those resources from natural and man-made hazards.

Veracode uses facilities of appropriate physical construction and employs physical security and
environmental control measures at its Corporate facility to provide a safe work environment and
reasonably preclude unauthorized access to, damage of, or interference with Veracode operations,
property, systems, and information.

 General Physical Security and Environmental Controls

 Supplemental Controls for Secure Areas and Sensitive Processing Facilities.

GENERAL PHYSICAL SECURITY AND ENVIRONMENTAL CONTROLS
Veracode facilities provide a safe work environment for employees, contractors, and visitors with
reasonable protection against hazards, unauthorized access, and damage or interference with our
operations, property, systems, and information. For all production environments hosted at
third-party datacenters (SunGard, AWS, Markley), the company leverages the providers' existing
physical and environmental controls.

Facility Planning, Design, Construction, and Operations

Facility planning considers and incorporates appropriate security and environmental controls in the
design, construction, operation, and maintenance of Veracode facilities.

 Veracode facilities make use of commercial or industry-grade materials that provide a
physical barrier at the external perimeter (demarcation between areas under the control of
Veracode and those accessible to third parties or the public)

 Veracode facilities incorporate successively more substantial materials and restrictive
controls for areas in which Veracode accesses, processes, or stores non-public information

 Veracode facilities, to the extent practical, physically isolate publicly-accessible, delivery,
and loading areas from areas in which Veracode accesses, processes, or stores non-public
information

 Information sent or received via fax, postal or courier mail is processed and stored in a secured
environment
o Fax, postal, or courier mail containing non-public or customer information is tracked to
ensure no one intercepts it, and secured to make sure no one can take it.

Veracode Proprietary and Confidential > 2020 Q3 < 45


> PHYSICAL AND ENVIRONMENTAL SECURITY

Facility Access Controls


Veracode facilities employ access control measures to prevent, deter, or detect unauthorized
access. In addition to physical barriers, such measures will include one or more of the following:

 Receptionist or other Veracode staff to physically monitor and control access

 Maintain visitor logbook in reception area, require all visitors to sign-in, and retain visitor
logbooks for one year

 Issue temporary badges to visitors, with either an “Escort Required” or “No Escort
Required” designation on the visitor badge

 Visitors are not authorized to admit any person (including persons with Veracode photo
identification badges) into any facility. Visitors are to use only authorized entrances and
exits

 Require visitors to return their badge to Veracode personnel at the conclusion of the visit

 All employees, contractors, and third parties are expected to wear the identification badges
issued to them. Anyone without a visible badge will be politely requested to produce it and
wear it

 Lost badges are to be reported immediately to your host and receptionist

 Commercial-grade mechanical locking devices with appropriate control of keys and
combinations

 UL-approved electro-mechanical locking mechanisms with appropriate management and
control of combinations, access cards, and, if used in the future, biometric information.
Retain access card logs for one year

 UL-approved remote-controlled, electro-mechanical locking mechanisms in combination
with video surveillance. Retain CCTV recordings for 90 days.

General Equipment Security Controls


Veracode uses a combination of safeguards and controls to prevent the loss, damage, theft, or
compromise of assets.

 Locate and protect equipment in a manner that minimizes risks from environmental threats
and hazards and reasonably precludes opportunities for unauthorized access

 Route and protect power and telecommunications cabling carrying non-public data or
supporting information services in a manner that minimizes the likelihood of damage or
unauthorized interception

 Properly maintain equipment to ensure its continued safe operation and the availability and
integrity of critical or sensitive information

 Check all equipment containing storage media to ensure that non-public information and
licensed software has been removed or securely overwritten prior to disposal


 Use secure storage containers provided for the disposal of documents that contain non-
public information

 Apply appropriate security safeguards to equipment and information when Management
authorizes the removal and use of those materials at offsite locations (for example, a home
office).

PROTECTION AT THE FACILITIES LEVEL

Our production infrastructure resides in world-class SOC 2 certified and audited datacenters.
These facilities implement 24/7/365 monitoring and surveillance and on-site security staff. Only
authorized personnel are allowed physical access to the hardware, which is protected by strict
access controls including two-factor cryptographic cards, biometric systems, and mantraps.

Continuous datacenter operation is ensured by multiple power feeds, UPS devices, and backup
generators. Backups of database customer metadata are performed incrementally throughout the
day and encrypted with 128-bit AES before being transmitted to off-site storage daily. In the event
of a datacenter disaster, any pending scans will require that their binaries be re-uploaded to the
failover datacenter. As a result, no one with access to the backup systems can access an
unencrypted copy of sensitive customer data.

All systems within the service are set up and managed by experts according to industry
best practices, using hardened configurations to limit unnecessary attack vectors. All
configuration activity follows a formal process that encompasses documentation, testing, and
approval. Only authorized personnel are allowed to set up and manage systems. Operating system
patches are monitored and applied as necessary to maintain the highest level of security.



> COMMUNICATIONS AND OPERATIONS MANAGEMENT

Communications and Operations Management


COMMUNICATIONS AND OPERATIONS MANAGEMENT POLICY
The design, installation, configuration, operation, and modification of Veracode networks must be
sufficiently robust and appropriately managed to ensure the protection of information traversing the
networks as well as to safeguard the supporting infrastructure. This section outlines basic
requirements for Veracode networks including all cabled and wireless networks and access points
that provide connectivity to the corporate or production networks.

 General requirements

 Network change control

 Protection against malicious logic and mobile code

 Intrusion detection and security event monitoring.

NETWORK SECURITY ARCHITECTURE PLANNING AND DESIGN


Veracode’s network security architecture encompasses the security-relevant components,
functions, connections, and features used in the corporate or production network infrastructures.

Responsibilities
Veracode distributes responsibility for managing the network security architecture depending on
the environment involved.

 Corporate Network: Management and oversight of the corporate network rests with
Veracode’s Chief Information Officer / Chief Information Security Officer

 Production Infrastructure: Day-to-day operation, management, and oversight of the
production data center co-location infrastructure are the responsibility of the hosting provider
under the direction of Veracode’s Chief Information Officer / Chief Information Security
Officer

 Day-to-day operation, management, and oversight of the production IT infrastructure are the
responsibility of Veracode technical staff under the direction of Veracode’s Chief
Information Officer / Chief Information Security Officer

 Production Application Architecture: Management and oversight of security aspects of
the production application architecture rests with ISAT.

Network Security Architecture Planning
When planning or evaluating changes in the design of the network security architecture, the points
outlined below must be considered.

 Consider the legal, regulatory, and business requirements related to the network design

 Consider the type, function, configuration, assigned protection profile, and associated
baseline controls for the systems and devices affected by the network design:

o Technical controls

o Management and oversight mechanisms

o Supporting processes and procedures

 Consider the risks involved in the network design:

o Non-public information processed in or traversing the network (sensitivity,
criticality, and volume)

o Sensitivity and criticality of systems, devices, and services affected by the network design

o The capabilities of existing controls and the availability of compensating controls

o Likelihood of loss or compromise if the risk is realized

o Severity of impact if the risk is realized

 Consider whether supplemental training and communication is required for users,
technicians, administrators, or managers in connection with the network design.

Network Security Architecture Design


Network security design will consider and, if appropriate, implement the requirements outlined
below in addition to incorporating required elements of logical access control, malicious logic &
mobile code controls, and intrusion detection & security event monitoring addressed in subsequent
sections.

 Interoperability: Network designs must consider and, if necessary, compensate for the
effect the network design has on existing network management, security, and audit
capabilities

 Reliability: Network designs must consider the criticality of systems and devices affected
by the network design and provide redundancy, where appropriate, to reduce the likelihood
of a single point of failure

 Perimeter Protection: Network designs will include a firewall to control communications
between internal and external networks and will strictly limit and control remote access
through other means (for example, modems, terminal servers, and VPNs)

 Segregation of Duties:

o An individual or organization will not be assigned duties that could potentially
cause a conflict of interest or present an undetectable opportunity for malicious
wrongdoing, fraud, or collusion

o The process of acquiring, distributing, disposing of, or providing access to sensitive
or critical Veracode systems or processes will require the interaction of two or
more individuals and, whenever possible, the initiation of an event will be
separated from its authorization

o Veracode must implement proper segregation of duties or responsibilities, including
taking measures such as restricting access or altering work flows to reduce or
eliminate potential conflicts of interest, and to assist in the enforcement of proper
accountability

o When it is not possible for Veracode to assign duties to separate individuals, the
role performed will be clearly defined, associated activities logged, security-related
functions audited, and compensating controls identified and implemented.

 Separation of Development, Test, and Production Facilities:

o To the extent possible, Veracode must separate the development, test, and production
environments to reduce the risk of unauthorized access or adverse changes to the
production environment

o Veracode must implement compensating controls and/or additional oversight if logical or
physical separation of the development, test, and production environments is not possible.

 User, Service, and System Segregation: To the extent practical, Veracode must segregate
groups of users, services, and systems on networks

 Network Access Points: The number of network access points must be kept to a minimum and
each network access point must have appropriate safeguards to restrict access to authorized users
and the capability to monitor access and usage of the access point

 Network Connection Controls: Veracode must restrict the capability of users to connect to the
network in accordance with the access control policy and business requirements

 Network Routing Controls: Veracode will implement network segmentation and associated
routing controls to ensure that computer connections and information flows comply with applicable
access control requirements

 Network Services:

o Veracode will disable or otherwise restrict unnecessary network and host services
including, for example, telnet, ftp, and http

o Technical staff will maintain a list of required and authorized services that Management will
regularly review to ensure its continued appropriateness.

 Network Equipment Identification: Whenever practical, Veracode will use automated equipment
identification as a means to provide supplemental authentication of connections from specific
locations and equipment

 Remote Diagnostic and Port Configuration Protection: Veracode must restrict physical and
logical access to diagnostic and configuration ports to authorized employees, contractors, and third
parties

 Critical/Sensitive System Isolation: When feasible, Veracode will isolate critical/sensitive
systems within a dedicated computing environment (subnet, DMZ, or enclave)


CONFIGURATION & CHANGE CONTROL


Configuration management and change control procedures are deployed and maintained to reduce
the risk introduced by undocumented and untested changes. Changes include the introduction of
new services, addition or deletion of network nodes, upgrades to equipment or software, and
configuration changes.

 All change requests must be processed in accordance with Corporate and/or Production
change management procedures

 Prior to making any changes affecting the security of systems or devices assigned to PP1
or PP2, Veracode must evaluate the security risks associated with the change and take
appropriate risk management actions

 Where appropriate, acceptance criteria will be developed, and suitable tests of the
system(s) carried out during development and prior to acceptance

 The procurement of network components will consider using only proven or tested
products and ensuring key network components can be readily replaced

 All changes to the network architecture will be reflected in network documentation,
including diagrams, inventories, and descriptions.

Corporate Network Environment


The following applies to changes in the corporate network environment including the introduction of
new network systems & devices, hardware upgrades, software updates, addition or modification of
external connections, and changes in firewall rules.

Routine Change Request

Submit corporate network architecture change requests to the appropriate email address.

Technical staff must use the Ticketing System to manage and monitor network changes in
accordance with guidance provided by the Chief Information Officer / Chief Information Security
Officer.

The Chief Information Officer / Chief Information Security Officer will ensure that requested
changes are properly evaluated to determine their effect on network security and performance.

 Involve others, as required, to fully evaluate the requested change

 Assess risk level associated with the requested change and handle in accordance with
guidelines

 If applicable, perform functional and security testing activities commensurate with the
sensitivity & criticality of affected systems.


Emergency Change Request


Designated Veracode technical staff may approve the installation of emergency fixes/patches
without necessarily undergoing requisite testing or obtaining appropriate management approvals
when time-critical installation of the patch/fix is necessary to prevent key system outages or
compromise of non-public information.

In such cases, the Veracode Manager must document and forward the circumstances surrounding
the emergency fix to the appropriate email and must introduce the patch into the standard patch
management process as soon as practical so that, if required, Veracode can conduct appropriately
rigorous testing and evaluation of the patch.

Production Network Environment


The following applies to changes in the production network environment including the introduction
of new network systems & devices, hardware upgrades, software updates, addition or modification
of external connections, and changes in firewall rules.

Routine Change Request


 Track the ticket for the change issued to IT

 Submit change requests for the production environment to the appropriate email address

 Technical staff must use the Ticketing System to manage and monitor network changes in
accordance with guidance provided by the Chief Information Officer / Chief Information Security
Officer

 The Chief Information Officer / Chief Information Security Officer will ensure that requested
changes are properly evaluated to determine their effect on network security, confidentiality, and
performance

o Involve others, as required, to fully evaluate the requested change

o Assess the risk level associated with the requested change and handle it in accordance with
guidelines

o If applicable, perform functional and security testing activities commensurate with the sensitivity &
criticality of affected systems

 Requests are routed to the dl-prod-change distribution list

 Notification of the change must be communicated at least one (1) hour prior to the change.

Emergency Change Request


Authority to approve the installation of emergency fixes/patches without first undergoing requisite
testing or obtaining appropriate management approvals is restricted to the following individuals:

Chief Information Officer / Chief Information Security Officer (primary contact)

Chief Technology Officer (secondary contact)


INTRUSION DETECTION AND SECURITY EVENT MONITORING


Veracode provides basic network intrusion detection functionality through a combination of
collection and analysis of system logs and application audit records for key systems, the use of file
integrity utilities to detect unauthorized changes to systems and files, and when appropriate and
specifically approved, the use of network intrusion detection systems (NIDS).

To the extent possible, Veracode uses dedicated and centrally monitored and managed servers to
collect, aggregate, and analyze security-relevant network logs, preferably using automated means.

Data Collection

Event Log or IDS Record Content

 Type of event

 When the event occurred (timestamp, including time zone)

 User ID associated with the event

 Program or command used to initiate the event

Event Log or IDS Record Protection and Retention

Veracode employees must handle event logs and IDS records as Veracode Sensitive information
in accordance with the Information Classification and Handling section

Veracode must restrict access to online logs to only specifically authorized individuals

Veracode must retain off-line storage of logs and network trace logs in accordance with Veracode
data retention practices

To the extent possible, Veracode will employ mechanisms so that systems are not halted when
logs become full and that logging continues without disruption

Veracode technical staff must implement controls to protect logs against unauthorized changes
such as disabling the logging function, inadvertent modification or deletion of records, unauthorized
access to removable media containing security-related logs and records

Whenever possible, Veracode must segregate the duties associated with individuals administering
the access controls, performing the log collection and analysis, and performing incident response
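The record content listed under Data Collection and the requirement above that logs be protected against unauthorized changes can both be enforced in the collection pipeline. The following is an added example, not Veracode's own tooling: it checks each record for the four required fields (including a time zone on the timestamp) and then links the records into an HMAC chain so that editing or deleting any record after collection is detectable. The field names, the sample records and the key are constructed for the example.

```python
"""Added example: validate event records and keep them tamper-evident.
Not Veracode code; the record layout, field names and key are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime

# Fields the policy lists for every event log or IDS record (names are assumed).
REQUIRED_FIELDS = ("event_type", "timestamp", "user_id", "program")

# Constructed sample records: the first two are complete, the third lacks a
# time zone, the fourth is missing the user ID entirely.
SAMPLE_RECORDS = [
    {"event_type": "login_success", "timestamp": "2020-03-27T09:15:00+00:00",
     "user_id": "jdoe", "program": "sshd"},
    {"event_type": "config_change", "timestamp": "2020-03-27T09:20:31-04:00",
     "user_id": "netops1", "program": "/usr/sbin/fwctl"},
    {"event_type": "login_failure", "timestamp": "2020-03-27T09:21:05",
     "user_id": "jdoe", "program": "sshd"},
    {"event_type": "file_modified", "timestamp": "2020-03-27T09:30:00+00:00",
     "program": "aide"},
]


def validate_record(record):
    """Return a list of problems; an empty list means the record is complete."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in record]
    ts = record.get("timestamp")
    if ts is not None:
        try:
            parsed = datetime.fromisoformat(ts)
        except ValueError:
            problems.append("timestamp is not ISO 8601")
        else:
            if parsed.tzinfo is None:
                problems.append("timestamp has no time zone")
    return problems


def canonical(record):
    """Stable serialisation so the MAC does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_records(records, key):
    """Link records into a hash chain: MAC(i) = HMAC(key, MAC(i-1) || record(i))."""
    entries = []
    prev = b""
    for rec in records:
        mac = hmac.new(key, prev + canonical(rec), hashlib.sha256).hexdigest()
        entries.append({"record": dict(rec), "mac": mac})  # copy so later edits are local
        prev = mac.encode()
    return entries


def verify_chain(entries, key):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev = b""
    for i, entry in enumerate(entries):
        expected = hmac.new(key, prev + canonical(entry["record"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev = entry["mac"].encode()
    return True, None


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    for rec in SAMPLE_RECORDS:
        print(rec["event_type"], validate_record(rec) or "ok")
    chain = chain_records(SAMPLE_RECORDS, key)
    chain[1]["record"]["user_id"] = "someone_else"  # simulate an after-the-fact edit
    print(verify_chain(chain, key))
```

The chain key must be held by the log collector only, not by the systems that produce the records, which is the same segregation the policy asks for between administering access, collecting logs and responding to incidents; any entry that is modified or removed breaks verification from that index onward.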

NIDS Configuration
Signatures and attack characteristics used by NIDS to detect unauthorized activity must be
regularly updated.

Technical staff will configure the NIDS to provide an alert concerning suspicious activity to a
designated point(s) of contact.

Designated technical staff will document IDS configuration settings and will assist, as necessary, to
periodically review those configurations to ensure that unauthorized or undocumented changes
have not occurred.


Log/Record Analysis and Alerting


Designated Veracode technical staff must review and analyze alerts and security-relevant logs
based on the following schedule:

PP1: Real-time alerting, whenever possible, otherwise daily analysis of key logs/records

PP2: Real-time alerting, whenever possible, otherwise weekly analysis of key log/records

PP3: Log analysis is not specifically mandated

When logs, event records, or NIDS indicate suspicious activity, Incident and Emergency
Management procedures will be promptly initiated.

TELE-WORKING AND REMOTE ACCESS


It is the responsibility of Veracode employees, contractors, vendors and agents with remote access
privileges to Veracode's corporate network to ensure that their remote access connection is given
the same consideration as the user's on-site connection to Veracode.

Each Veracode employee is responsible to ensure that they abide by all corporate policies and that
the remote information asset is used only for approved business purposes. The Veracode
employee bears responsibility for the consequences should remote access be misused. The
following must be adhered to:

 Secure remote access must be strictly controlled. Control will be enforced via one-time
password authentication or public/private keys with strong pass-phrases. For information
on creating a strong pass-phrase see the Password Policy

 At no time should any Veracode employee provide their login or email password to anyone,
not even family members

 Veracode employees and contractors with remote access privileges must ensure that their
Veracode-owned workstation remains secure, free of malware and remains in compliance
with all applicable corporate policies

 Veracode employees and contractors must not use non-Veracode email accounts (e.g.,
Gmail, Hotmail, Yahoo, AOL) or other external resources to conduct Veracode business.

 Veracode employees may not use automated means to copy or forward internal Veracode
business email from their corporate Veracode mail account to any external mail systems

 Non-standard hardware configurations must be approved by ISAT, and ISAT must also
approve the security configurations for access to such hardware

 All hosts that are connected to Veracode internal networks via remote access technologies
must use the most up-to-date anti-virus software; this includes personal computers
purchased and authorized by Veracode for business use. Third-party connections must
comply with requirements as stated in the Third Party Agreement

 Use of personal equipment to connect to Veracode's networks is forbidden

 Use of personal equipment to provide services to Veracode customers is forbidden


 Organizations or individuals who wish to implement non-standard remote access
solutions to the Veracode production network must obtain prior approval from ISAT.



> ACCESS CONTROL

Access Control
ACCESS CONTROL POLICY
Veracode defines access control objectives to manage access to information; prevent unauthorized
access to information systems; ensure the protection of networked services; prevent unauthorized
computer access; detect unauthorized activities; and ensure information security when mobile
computing network facilities are used. This section provides standards that are required to comply
with Veracode’s Access Control objectives.

ACCESS CONTROL ACCESS AND USER ID MANAGEMENT


Access to, or modification of, access privileges to Veracode’s information assets is obtained by
completing an Information Access Request (IAR).

The IAR system captures information about the person making the request, the person for whom
access is being requested or modified, and the resources to which the individual will be granted
access. The Veracode resource owner approves each IAR and then the designated security
administrator for the system processes the request. Any Veracode employee may submit an IAR,
but the resource owner or their designee must approve it.

User access will be reviewed at least every six (6) months, but may be reviewed more frequently at
the company’s discretion. Individual user access will be reviewed upon transfers, terminations, or
other changes in role or function of Veracode employees, contractors, or other third parties.

Data/Resource Ownership and Access to Information Assets

All corporate data must be owned and is identified in the IAR as a resource. A resource is defined
as a collection of data, a set of directories, or an application used in Veracode daily operations.

Data ownership is defined at three levels:

 Primary
 Secondary
 Temporary

Primary data owners are those company employees who are responsible for maintaining the data
on a day-to-day basis and are responsible for granting or denying access to the data resources
under his/her control. Since access to Veracode’s information assets is granted only on a “need to
know” basis, it is the responsibility of the primary data owner to determine if the requesting party
has a legitimate need to access the particular information asset.

Secondary data owners take control of the data assets in the event that the primary data owner is
incapable of performing this duty. Examples would include the transfer, termination or a change in
responsibilities of the primary data owner.

Temporary data owners take control of data assets in the absence of both primary and secondary
data owners. As the name states, the temporary data owner possesses control over the data
assets for only short periods of time. An example would be a “red scenario” during a business
continuity event. For the period of time it takes for regular company employees to report to work
and take control, a temporary data owner may fill in.

Only Veracode full-time employees are permitted to be resource owners. Non-Veracode
employees are authorized to be temporary data owners only under extreme circumstances, as
described above. Temporary data owners are never allowed to grant new user access to
Veracode’s information assets, nor are they permitted to change data classification.

Resource owners are responsible for investigating and understanding what is contained in the
resources they own. Resource owners will act as protectors of corporate data and must carefully
review all access that is requested prior to approval.

Resource owners will be responsible for understanding all newly created data within the owned
resource.

When resource ownership changes, the manager or current resource owner will notify Information
Security by submitting an IAR with the ownership change information.

Multiple Access
A multiple access request is a request for one or more users to have access to one or more system
or application resources. During the course of business it may be necessary to request an IAR for
various individuals at the same time. This standard deals with that eventuality.

One IAR can be submitted for a multiple user request only when identical access is being
requested for all of the individuals.

If an individual requires access to multiple servers from the same user ID with the same privileges,
the additional servers may be requested through the same IAR.

User ID Management
Each Veracode employee, contractor or third-party is assigned a unique user ID which is used in
conjunction with a password to access Veracode’s information assets.

A personal user ID is the responsibility of the individual and must not be shared with anyone.

Group, generic, or temporary user IDs are the responsibility of the owner or custodian of the
information asset and must be terminated when they are no longer required.

The length of Veracode user IDs will be a minimum of 8 characters.

User IDs are permanent and remain tied to a particular employee, contractor or third-party for the
length of service of the individual and are stored in the IAR and user provisioning system. Only
under extreme circumstances can a user ID be changed while the individual continues to perform
services for the company. Maintaining unique user IDs allows for continuity in audit logs.

User IDs are created in such a manner that they do not reveal the access level assigned to the
user (e.g., Admin, Tester, etc.).


USER PASSWORD MANAGEMENT


Each individual user is responsible to safeguard their passwords and they must not be revealed to
anyone. The password will not be written down because this may lead to the compromise of
information assets.

Absolutely no logins are allowed to Veracode’s information systems without a valid password.

Users are required to change their passwords every 90 days (passwords to production systems
may require changing more often).

Passwords for user accounts must be both easy to remember as well as difficult to guess. Users
should think in terms of “pass phrases” instead of “passwords”. Password creation must follow the
following Veracode standards:

 passwords must not be words that appear in English or foreign language dictionaries;
 passwords may not be the same as the user ID;
 passwords must be a minimum of eight (8) characters in length;
 passwords must contain a mix of at least two (2) of: upper case letters, lower case letters,
numbers and special characters.
Business owners of applications that are used by external customers to access Veracode’s
information assets or business applications must obtain written acceptance (i.e., third-party
contracts, electronic acceptance forms, digital signatures, etc.) from the external customer for any
risks associated with the use of passwords that do not comply with Veracode’s policy.

All passwords required for access to Veracode’s information assets are stored on a central server
either encrypted (using strong encryption) or hashed (using a strong, one-way hash function).
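The four password standards above (not a dictionary word, not the user ID, at least eight characters, at least two of four character classes) and the requirement that stored passwords be hashed with a strong one-way function are concrete enough to implement directly. The following is an added example, not Veracode's own code: the tiny word list stands in for a real dictionary, the PBKDF2 iteration count and the stored-string layout are choices made for the example, and the function names are assumptions.

```python
"""Added example: enforce the password standards and store only a salted one-way hash.
Not Veracode code; the word list, parameters and function names are assumptions."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8
MIN_CHARACTER_CLASSES = 2
PBKDF2_ITERATIONS = 200_000

# Constructed stand-in for English/foreign-language dictionaries; a real
# deployment would load full word lists.
DICTIONARY = {"password", "welcome", "veracode", "bienvenue", "willkommen", "qwertyuiop"}

CHARACTER_CLASSES = {
    "upper case letters": re.compile(r"[A-Z]"),
    "lower case letters": re.compile(r"[a-z]"),
    "numbers": re.compile(r"[0-9]"),
    "special characters": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, user_id):
    """Return the list of standards the candidate password violates (empty = accepted)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == user_id.lower():
        violations.append("same as the user ID")
    if password.lower() in DICTIONARY:
        violations.append("dictionary word")
    classes = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(classes) < MIN_CHARACTER_CLASSES:
        violations.append(f"only {len(classes)} character class(es), need {MIN_CHARACTER_CLASSES}")
    return violations


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("jdoe", "password", "abcdefgh", "correct horse battery"):
        print(repr(candidate), check_password(candidate, "jdoe") or "accepted")
    stored = hash_password("correct horse battery")
    print(verify_password("correct horse battery", stored), verify_password("wrong", stored))
```

Storing the algorithm name, iteration count and salt alongside the digest lets the iteration count be raised later without invalidating existing records, and the constant-time comparison avoids leaking how many leading bytes of a guess matched.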

Smart Phones
All Veracode smart phone users are required to password protect their devices. Passwords must
conform to the guidelines outlined in the section above.

System Account and Password Management


System IDs, System passwords and Utility passwords must adhere to the following standards:

 System accounts and system utilities must have passwords of at least eight (8) characters
in length

 System IDs, system utilities and system accounts must have passwords that expire every
ninety (90) days

 System IDs and account passwords must not be written down

 All system IDs and accounts must have defined ownership

 All system IDs and accounts must be requested using the IAR system and must be
approved by the appropriate resource owner as well as upper level Management

 Once the IAR request has been approved and confirmed, the system ID and account
owner will be provided with a unique system ID and account and password


 All system IDs and account passwords must have an associated expiration date. Any
exception to this standard must be justified in writing to the information asset owner

 System IDs and accounts must not be shared unless other compensating controls are in
place

 The business process owners are responsible for maintaining the security of their system
IDs and accounts. All activity that occurs using these IDs and accounts is the sole charge of
the process owner

 System IDs and accounts will be issued and authorized by their respective Divisions

 After a maximum of five unsuccessful login attempts, the system IDs and accounts will be
locked

 Only the authorized user may have access to the system ID and account. A user is
authorized to use a system ID and account if he or she is approved by the owner of the
system ID or the account holder

 A system ID and account holder will not authorize or allow the use of the system ID or
account by any other person unless such use has been documented through appropriate
control channels

 The user of a system ID or account must not circumvent the security mechanisms of any
computer system or application.

The System Administrator may decide to disable or remove a system ID or account if any of the
following events occurs:

 the account is no longer required by the account holder;

 the account holder ceases to have an association with the area or group (due to a transfer
or termination of employment);

 the account is inactive for 90 days;

 the account is used for non-approved activities
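The system-account standards above (lockout after five unsuccessful attempts, ninety-day password expiry, defined ownership, disabling after ninety days of inactivity) describe a small state machine. The following is an added example, not Veracode's own provisioning code: the class, its field names and the constructed scenario in `simulate` are assumptions made for illustration.

```python
"""Added example: system-account controls from the standards above.
Not Veracode code; class, field and function names are assumptions."""
from datetime import datetime, timedelta, timezone

MAX_FAILED_ATTEMPTS = 5
PASSWORD_MAX_AGE = timedelta(days=90)
INACTIVITY_LIMIT = timedelta(days=90)


class SystemAccount:
    def __init__(self, account_id, owner, created_at):
        self.account_id = account_id
        self.owner = owner                 # every system ID must have defined ownership
        self.password_set_at = created_at
        self.last_activity = created_at
        self.failed_attempts = 0
        self.locked = False
        self.disabled = False

    def record_login(self, success, at):
        """Apply one authentication attempt and return the resulting state."""
        if self.disabled:
            return "disabled"
        if self.locked:
            return "locked"
        if success:
            self.failed_attempts = 0
            self.last_activity = at
            return "ok"
        self.failed_attempts += 1          # failed attempts do not count as activity
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            return "locked"
        return "failed"

    def unlock(self):
        """Administrator action once the lockout has been reviewed."""
        self.locked = False
        self.failed_attempts = 0

    def set_password(self, at):
        self.password_set_at = at

    def review(self, now):
        """Findings that need owner or administrator action as of `now`."""
        findings = []
        if now - self.password_set_at > PASSWORD_MAX_AGE:
            findings.append("password expired")
        if now - self.last_activity > INACTIVITY_LIMIT:
            findings.append("inactive for more than 90 days")
        if self.locked:
            findings.append("locked after repeated failures")
        return findings


def disable_if_inactive(account, now):
    """Disable the account when the 90-day inactivity condition holds; return its disabled flag."""
    if now - account.last_activity > INACTIVITY_LIMIT:
        account.disabled = True
    return account.disabled


def simulate(failures, days_elapsed):
    """Constructed scenario: `failures` bad logins right after creation, then a review
    `days_elapsed` days later. Returns (attempt states, findings, account, review time)."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    now = t0 + timedelta(days=days_elapsed)
    acct = SystemAccount("svc-backup", owner="storage-team", created_at=t0)
    states = [acct.record_login(False, t0 + timedelta(minutes=i)) for i in range(failures)]
    return states, acct.review(now), acct, now


if __name__ == "__main__":
    states, findings, acct, now = simulate(5, 91)
    print(states)     # the fifth failure locks the account
    print(findings)   # expired password, inactivity and the lock are all reported
    print(disable_if_inactive(acct, now), acct.record_login(True, now))
```

Keeping the lockout counter and the inactivity clock separate matters: a run of failed attempts must not refresh `last_activity`, otherwise repeated guessing would keep an abandoned account from ever being flagged as inactive.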

When an employee, contractor or third-party suspects that a system ID and account password has
been compromised, they must notify the owner of the effected system, change the password if
possible, and must report all details of the suspected breach to the ISAT.

System ID and account passwords are not to be stored in clear text or stored in an insecure
location. Storage of passwords must adhere to Veracode standards.

Transmission of system level login credentials must be encrypted.

Veracode Proprietary and Confidential > 2020 Q3 < 59


> INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

Information Systems Acquisition, Development and Maintenance
APPLICATION DEVELOPMENT POLICY
Veracode must ensure that the design, build, test, introduction, operation, and retirement of
systems within is accomplished in a controlled manner to ensure that requisite security controls are
addressed prior to introducing systems into a production network and that the impact of that
change is both predictable and properly managed.

Common Requirements
 General Requirements
 System Design & Build
 Security Testing & Quality Assurance

Requirements Management & Operations
 Veracode Corporate Network
 Production Infrastructure
 Production Application Architecture

Responsibilities
Veracode distributes responsibility for managing the design, acquisition or build, test, migration,
management, and retirement of systems based on the environment involved.

Veracode Corporate Network: Management and oversight of corporate networked systems, both
corporate as well as hosted service providers, resides with Veracode’s Chief Information Officer /
Chief Information Security Officer.

Production Application Architecture: Veracode’s Chief Information Officer / Chief Information
Security Officer is responsible for Development/QA/Testing, while all other security and
confidentiality aspects of the production application architecture rest with ISAT.

GENERAL REQUIREMENTS
Veracode employees must consider information security and confidentiality requirements when
planning or designing new or modified systems to ensure the operational system incorporates
sound design principles and appropriate security functionality.
Planning Considerations
Consider the legal, regulatory, and business requirements related to the system or application
design.

Consider the type, function, configuration, assigned protection profile, required safeguards, and
range of security controls available for the system or application:

 Technical controls
 Management and oversight mechanisms
 Supporting processes and procedures

Consider the sensitivity and criticality of systems, devices, and services affected by the system or
application considering how individual security controls (manual and automated) work together to
produce an integrated system of controls.

Consider whether supplemental training and communication is required for users, technicians,
administrators, or managers in connection with the network design.

Control Design Principles, Concepts, & Attributes


While specific control design will vary based on the benefits and risks involved, Veracode
employees should consider and, whenever possible, incorporate the principles, concepts, and
attributes outlined below whenever planning, designing, or evaluating technical security controls.
General
Assume input from external systems is insecure.

Provide ‘defense in depth’ to eliminate single points of failure and reduce the likelihood of
compromise.

Use secure defaults in software installation and configuration

 Ensure all default passwords are changed prior to installation including network, server,
application and database technologies.

Ensure that key components ‘fail securely’ — that is, when an application fails it does not disclose
any information that would not be disclosed ordinarily, and that non-public information and system
files remain protected from unauthorized access or modification.

Employ the principle of ‘least privilege’ at the system, application, and user levels

 Applications do not run with high-level privileges (for example, ‘root’ in UNIX systems or
‘Administrator’ in Windows systems)
 Employ role-based access control (RBAC) at the user level

Use a consistent, defined process to design, acquire, build, test, manage, and retire information
systems

 Guidelines for selecting hardware/software
 Method of complying with software licensing obligations
 Process related to changes to the base code of software packages
 Review and approval mechanisms.

System- or Application-Specific
Identify specific security and confidentiality controls required by particular business processes
supported by the system or application (for example, access controls, encryption, connectivity, and
logging or monitoring)

Consider the full range of available security controls

Within the system or application as well as the integrated system of controls available within the
networked environment

Controls designed to detect or respond to unauthorized activity as well as those designed to
prevent such activity

Controls provided within policies and operating procedures as well as technical controls

Specify a system architecture that can support the business and technical requirements

Identify the set of controls and requirements applicable to the system or application (placement,
function, source)

Identify and document security and confidentiality controls that do not fully meet requirements

Identify significant trade-offs between security and performance

If necessary, obtain appropriate approval to accept the residual risks associated with the system or
application architecture

Conduct a formal design review to ensure that security and confidentiality requirements are
properly addressed before coding or acquisition work begins for particularly critical, sensitive, or
complex systems

SYSTEM SECURITY DESIGN


Veracode will apply system security and confidentiality controls appropriate for the risks associated
with the system or application and will use vendors’ recommended secure configurations with any
major patches or fixes applied as the baseline for system security and confidentiality controls.
System Security Controls
In addition to using the vendor’s recommended secure configuration, Veracode must also consider
the following security-relevant aspects of the system or application when evaluating or selecting
controls.

Security Controls Associated with User Management


 Users are categorized into groups and given group permissions based on their
administrative functions, but always following the rule of least privilege

 User access approvals

 Unique user ID

 Privileged access approvals

 Method for ensuring segregation of duties

 Technical access control functionality


Cryptographic Security Controls Associated with Ensuring Confidentiality
 Veracode is committed to using the strongest and most secure encryption algorithms that
are technically feasible to implement

 Encryption of key files and data stores

 Encryption of data in transit

Security Controls Associated with Ensuring Integrity


Veracode maintains all necessary precautions to ensure the integrity of data under its control,
including but not limited to hardware, software as well as human means

Security Controls Associated with Ensuring Availability


 Designs that minimize single-points-of-failure

 Sufficient capacity to cope with normal/peak volumes of work

 Back-up arrangements (for both business information and software)

 Contingency plans
Security Controls Associated with System Recovery Software and Utilities
Veracode will maintain a copy of installation software and system images in a secure offsite
location. Veracode employees must not use these copies for ordinary business activities and will
reserve them for recovery from computer virus infections, hard disk crashes, and similar system
corruption or failures.

Application Security Controls


Veracode will apply application layer security controls appropriate for the risks associated with the
system and will use vendors’ recommended secure configurations with any major patches or fixes
applied as the baseline for application security controls.

General
In addition to using the vendor’s recommended secure configuration, Veracode must also consider
the following security-relevant aspects of the application when evaluating or selecting controls.

Information input controls including the use of range checks, mandatory key fields, or control
balances.

Automated process controls including record hashes/counts, and session, batch or balancing
totals.

Information output controls including reconciliation of control counts to ensure all data is processed,
using plausibility checks to ensure output is reasonable, or restriction of output to specific systems
or devices.

Controls to ensure the completeness, accuracy, and validity of information including file integrity
utilities and comparing record contents before and after changes.

 Detection of unauthorized or incorrect changes to information (for example, inspection of
change logs, use of automated ‘checksum’ tools, or reconciliation back to source)

 Protection of information from being accidentally overwritten (for example, write-protecting
key fields or files).

Controls to prevent information leakage (for example, within application responses or error
messages).

Controls to restrict distribution of output to authorized users.

Availability of error and exception reports.

Availability and management of audit trails.

System Services
Veracode will disable or otherwise restrict unnecessary network, system, and application services
including, for example, telnet, ftp, and http.

Technical staff will maintain a list of required and authorized services that Management will
regularly review to ensure its continued appropriateness.
Special Considerations for Web-enabled Applications
To help address the increased risks associated with the development and operation of web-
enabled applications, Veracode employees must consider the use of the supplemental controls
outlined below.
Web Server Controls
Run on dedicated systems located in a 'Demilitarized Zone' (DMZ), meaning a logical location that
is protected by firewalls and isolated from both external and internal networks.

Configured so that scripts can only be run by authorized users.

Configured with all unnecessary software, network services, and applications removed or disabled.

Configured to prevent web servers from initiating network connections to the Internet.

Configured to perform input validation at the server rather than just the client application.

Configured to log activity on the web site including actions performed by server-side executables
and scripts, such as Common Gateway Interface (CGI) scripts.

Configured to run with 'least privilege'.

Web Server Connections


Restricted to those services that are required by the application

Connections between web servers and back-office systems are restricted to connections
initiated by the web server, denying egress access to any connection attempts by corporate
computer assets

Based on documented application programming interfaces (APIs)

Supported by mutual authentication

Use encryption to protect sensitive data against disclosure in transit (for example, TLS or HTTPS)

Using HTTP PUT rather than GET operations

Use Session IDs that are difficult to predict to help protect against session cloning or hijacking
(for example, by configuring the security parameters in cookies used to hold session information or
including a random element)

Web Site Content


Stored on a separate partition/disk from the operating system

Protected by setting file permissions

Updated by specific individuals and using approved methods (for example, using a CD at the web
server console or using secure SSH from a pre-defined IP address or from specified users)

Monitored by automated as well as manual processes: web content is checked regularly to ensure
accuracy, integrity and completeness. Furthermore, Veracode runs testing software against its
own website to discover and remediate any vulnerabilities

Systems must display a notice warning ('log-on banner'), before access is granted, that systems
may only be accessed by authorized users, and that unauthorized access might be considered a
criminal act in certain jurisdictions

Information Leakage
Suppress the server field in HTTP headers, which identifies the web server's brand and version

Disable file indexing for web server directories

Ensure that the source code of server-side executables and scripts cannot be viewed by a browser
(for example, Common Gateway Interface (CGI) scripts)

Ensure that the source of HTML, JavaScript and other client-side scripting languages does not
contain unnecessary information (for example, details of web CGI functions)
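A response checker for the Information Leakage items above and the session-cookie parameters listed under Web Server Connections, added here as an example and not Veracode's own tooling. The three responses it inspects are constructed samples, and the "short or all-digit session ID" rule is this example's own heuristic rather than a policy threshold.

```python
"""Check a raw HTTP response against the web-server leakage and session-cookie
items listed in this exhibit. Added example, not Veracode's own tooling; the
three responses below are constructed samples, not captures from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a server that violates several of the listed controls.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"       # brand and version disclosed
    "X-Powered-By: PHP/7.2.24\r\n"             # platform disclosed
    "Set-Cookie: sessionid=10042; Path=/\r\n"  # short numeric ID, no flags
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /cgi-bin</title></head><body>...</body></html>"
)

# Constructed sample: the same site with the controls applied.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=Qm8zVv1p7XcR2kL9tYwA4nHs6eDf0GbJ; Path=/; "
    "Secure; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Welcome</title></head><body>...</body></html>"
)

# Constructed sample: an error page that leaks a stack trace.
ERROR_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Traceback (most recent call last):\n  File \"app.py\", line 12, in handler\n"
)


@dataclass(frozen=True)
class Finding:
    control: str  # policy item the response violates
    detail: str


def parse_raw_response(raw: str) -> tuple[int, dict[str, list[str]], str]:
    """Split a raw HTTP/1.x response into (status code, headers, body).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, list[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def cookie_attributes(set_cookie: str) -> tuple[str, str, set[str]]:
    """Return (name, value, lower-cased attributes) for one Set-Cookie value.
    Valued attributes are kept as 'key=value' so SameSite can be inspected."""
    first, *rest = (p.strip() for p in set_cookie.split(";"))
    name, _, value = first.partition("=")
    attrs: set[str] = set()
    for part in rest:
        key, _, val = part.partition("=")
        attrs.add(key.strip().lower() + (f"={val.strip().lower()}" if val else ""))
    return name.strip(), value.strip(), attrs


def check_response(raw: str) -> list[Finding]:
    """Map each listed control onto a concrete check over the response."""
    status, headers, body = parse_raw_response(raw)
    findings: list[Finding] = []
    # Information Leakage: suppress headers identifying brand, version or platform.
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        for value in headers.get(name, []):
            findings.append(Finding("server-header", f"{name} discloses {value!r}"))
    # Information Leakage: file indexing must be disabled for web directories.
    if re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append(Finding("directory-index", "body is a directory listing"))
    # Application controls: no leakage within error messages (stack traces).
    if status >= 500 and re.search(r"Traceback \(most recent call last\)", body):
        findings.append(Finding("error-message", "error page contains a stack trace"))
    # Web Server Connections: session cookies need security parameters and a
    # random element. The length/digits rule is this example's own heuristic.
    for set_cookie in headers.get("set-cookie", []):
        name, value, attrs = cookie_attributes(set_cookie)
        if "sess" not in name.lower():
            continue
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(Finding("session-cookie", f"{name} lacks {flag}"))
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(Finding("session-cookie", f"{name} lacks SameSite"))
        if len(value) < 16 or value.isdigit():
            findings.append(Finding("session-cookie", f"{name} value looks predictable"))
    return findings


def violated_controls(raw: str) -> set[str]:
    """Distinct policy items the response violates; an empty set means it passes."""
    return {f.control for f in check_response(raw)}
```

Running `violated_controls` over each sample reports the weak response against three items, the error page against one, and the hardened response against none.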

SYSTEM BUILD, ACQUISITION AND TEST


System Build
In addition to the general requirements and controls outlined above, Veracode employees must
consider the security aspects unique to system development to ensure that Veracode eliminates or
minimizes the introduction of security weaknesses during the development process (including
coding and package customization) and that those systems conform to established security
requirements.

Build Process

 Governed by industry standards of good practice and, where appropriate, documented
build standards

 Performed by individuals provided with adequate skills and tools.

Modification of the Base Code of Software Packages (third-party software)

 Considers risk of suppliers refusing to support or maintain modified software

 Considers risk of built-in security controls being compromised

 Considers risk of incompatibility with updated versions of the base software package

 Restricts modifications to a copy of the original code only.

Review, Inspection, and Approval of System Build

 Veracode developers should document system build procedures and activities using
standard documentation and revision controls typically used during application
development efforts (for example, documented business requirements, system description,
design specifications, change controls, and code revision controls)

 If warranted based on the sensitivity and criticality of the system under development, the
system build activities may be inspected to identify unauthorized modifications or changes
which may compromise security and confidentiality controls; to ensure that individual
components of the system function as intended (for example, by reviewing and testing
program code); and, to confirm that security weaknesses have not been introduced (for
example as a result of package customization)

 The system owner, environment owner, and the QA staff will jointly determine whether, and
to what extent, system build activities will be inspected.

System Acquisition
In addition to the general requirements and controls outlined above, Veracode employees must
consider security and confidentiality aspects unique to system acquisition to ensure that hardware
and software acquired from third parties is sufficiently robust, properly licensed, and provides the
required functionality.

Selection of Hardware/Software
Select from approved suppliers

Considers security requirements throughout the selection process

Places priority on confidentiality in the selection process

Includes appropriate security-related terms in agreements with suppliers


Reduction in the Likelihood of Unknown Security Weaknesses
Consider external security ratings of third-party products (for example, auditor’s opinions, product
evaluations, industry certifications, and published security ratings such as the ‘Common Criteria’)

Identify known security deficiencies and consider alternative methods of providing the required
level of security

Compliance with Software Licensing Requirements


Obtain sufficient software licenses for planned use

Maintain proof of ownership or right-to-use (for example, through the use of ‘blanket’ license
agreements or retention of master disks/manuals)

Security Testing and Quality Assurance


Systems deemed sensitive and/or critical to Veracode’s operation will undergo security and
acceptance testing prior to releasing new or changed systems into the production environments.

Testing Process
Well-planned and correctly executed security testing is a fundamental element of sound systems
development practices. Security testing helps to provide assurance that systems, including
security controls, function as intended.

Such testing should assess the design and build of the system including general security and
confidentiality controls as well as application-specific controls.

While the depth and breadth of testing activities should be commensurate with the sensitivity &
criticality of the system, testing activities generally fall into one of four broad categories:

Functional Testing: Testing primarily focused on exercising the logical functions of the system or
application that may or may not involve security-related capabilities

Vulnerability Testing: Testing primarily focused on identifying known vulnerabilities in the
software and basic system/application configurations

Penetration Testing: Testing focused on identifying different methods of breaching system
security exploiting known vulnerabilities, misconfigurations in the system or application software,
and surreptitious entry points that allow an attacker to compromise system security

Security Code Review: A security review focused on identifying insecure coding techniques and
vulnerabilities that could lead to security issues including insecure coding and implementations of
file access permissions, libraries, system calls, logging, etc.

Regardless of the nature of the specific test, leverage automated tools whenever possible to
improve the testing process (for example, to check the validity of system interfaces or simulate
loading from multiple clients).

Test Standards

Veracode employees must execute testing using industry standards of good practice and, where
appropriate, documented testing standards that address:

Types of hardware, software, and services subject to testing

Use of test plans that identify key components of the testing process cross-referenced to the
system design or specification and, if applicable, include user involvement

Required documentation, reviews, and management approvals

Test Parameters

Veracode technical and QA staff must establish parameters that provide sufficient detail to ensure
that testing activities cover the appropriate range of controls for the system or application including:

Full functionality of business requirements

Effectiveness of security controls

Use under normal and exceptional business conditions

Vulnerability to attack

Response to bad data

Error situations

Interfaces with other systems (for example, program calls and hyperlink references)

Compatibility with the range of possible system configurations that will interact with the system or
application including different operating systems, web browsers, and third-party software

System performance when handling planned volumes of work (that is, load testing with realistic
numbers of users/volumes of transactions)

Fall-back arrangement (that is, reversion to previous versions or installations)

Test Results

Provide documentation describing the test activities, results, and any gaps noted between actual
and expected results to the development, QA, and Management staff responsible for the
system/application development initiative.
Acceptance Testing
Critical and essential systems will undergo acceptance testing in an isolated area that simulates
the live environment, so that only systems that have been appropriately tested and determined to
satisfy both security and user requirements are released. While QA will determine specific test
parameters and acceptance criteria, acceptance testing should generally include the following
whenever possible:

 Involve business users

 Simulate the live environment

 Involve running the full suite of system components, including application functionality,
database management utilities and the underlying operating system

 Feature full integration testing, to ensure there will be no adverse effects on existing
systems

 Involve independent security assessments of critical code to detect vulnerabilities and
insecure use of programming features

 Include attempts to breach the security of the system, for example by performing
penetration tests.

Veracode must protect business and personal information copied from the production environment
for the purposes of conducting acceptance tests using appropriate techniques including:

 Depersonalization of business information

 Requiring separate authorization each time business information is copied from the
production environment into the testing environment

 Restricting access to business information in the testing environment

 Logging the use of business information

 Securely erasing copies of business information at the conclusion of testing.

OPERATIONS AND MANAGEMENT


Operations and Management in the Corporate Environment
Veracode employees must control the introduction of and changes to systems to help ensure that
those systems meet appropriate security requirements and do not introduce unnecessary or
unmanaged risks within the corporate environment.

Accordingly, this section covers general requirements for introducing new or changed systems into
the corporate environment, managing system and application patches, managing system
configurations including the use of security-related software and utilities, managing information
backups, and finally, retiring systems in an orderly and secure fashion.

Regardless of the specific activity, Veracode employees must incorporate appropriate management
approvals and, whenever possible, enforce segregation of duties (for example, the separation of
responsibilities between developers, QA, and technical operations staff or the need to separate the
responsibilities of the requestor-implementer and the tester-approver).
System Configuration Change Control
Change management controls ensure that modifications to control options or major security file
changes are properly communicated, planned, coordinated, tested, and implemented. The goal is
to successfully implement changes to correct problems, or to introduce new process improvements
or interfaces without causing disruption to critical system or business production processes.

Major security configuration changes should be accompanied by a Change Implementation Plan.

The Change Implementation Plan must:

 Indicate what will be done prior to, during, and after the change;

 Include all instructions for testing and implementation such that another reasonably
qualified security administrator could complete the change, if necessary. The testing
portion should detail activities that will demonstrate the successful completion of functional
and business tests;

 Detail back out instructions in the event of an abort;

 Detail the business impact of the change and list the customers, internal or otherwise, who
should be notified of the change.

Submit requests to change system configurations for approval to the appropriate email.

Technical staff must use the Ticketing System to manage and monitor system changes in
accordance with guidance provided by the Chief Information Officer / Chief Information Security
Officer.

Release to Corporate Network Environment

The authority to determine system promotion criteria and to approve the release-to-production of a
new or changed system or application within the corporate environment rests with Veracode’s
Chief Information Officer / Chief Information Security Officer or their designated representative(s)

Veracode technical staff must install systems and applications using the approved configurations
and installation procedures

In the event of significant difficulties or failures during the installation process, Veracode’s Chief
Information Officer / Chief Information Security Officer or their designated representative must
conduct a post-implementation review to determine the circumstances surrounding the difficulties
or failure and changes necessary to avoid similar installation problems in the future

Veracode technical staff must promptly adjust asset inventories to reflect the addition of or, if
applicable, change to the system

Emergency Fixes

Designated Veracode technical staff may approve the installation of emergency fixes/patches
without necessarily undergoing requisite testing or obtaining appropriate management approvals
when time-critical installation of the patch/fix is necessary to prevent key system outages or
compromise of non-public information.

In such cases, the Manager must document and forward the circumstances surrounding the
emergency fix to the appropriate email and must introduce the patch into the standard patch
management process as soon as practical so that, if required, Veracode can conduct appropriately
rigorous testing and evaluation of the patch.
Malicious Software (Malware)
Malicious software (malware) is introduced into a corporate network for the purpose of altering,
destroying or stealing information assets. Malicious software currently includes items such as
viruses, Trojan horses, trap doors, keystroke loggers, root kits, worms, as well as others.

Veracode technical staff will implement all measures technically possible to detect and prevent
malware from entering Veracode’s protected networking environment.

Veracode technical staff will regularly monitor vendor bulletins, security forums, and similar
information sources for relevant information concerning virus outbreaks and similar issues related
to malicious software.

Veracode uses a combination of anti-malware software products along with prudent configuration
of networked systems to control the introduction of malware into the Veracode network.

All computers owned by Veracode but residing off company premises must have anti-malware
software installed and must keep it updated. Access to Veracode’s trusted network resources
depends on keeping this software updated.

All storage media obtained from sources external to Veracode, or previously used with external
systems, must be scanned for malware prior to use in the Veracode environment.

Veracode updates its anti-malware signature files at least weekly, but may update more frequently
should threats warrant it.

Veracode scans for malware at all firewalls, servers, mail servers, intranet servers, workstations,
laptops, and other information systems.

Veracode employees, contractors or third parties who have access to Veracode’s production,
development, or testing environments, must immediately report any detected malware.

Should the ISAT determine that the infection warrants it, the employee, contractor or third party may
be directed to isolate the affected machine from Veracode’s network.

Treatment, disinfection or re-imaging of the affected machine is at the sole discretion of the ISAT,
with input and advice from appropriate Management personnel.

Malware elimination will be accomplished in a way that minimizes impact to Veracode’s assets
while also limiting system downtime.
Security Event Monitoring
General

For key systems, Veracode will provide ongoing intrusion detection functionality through a
combination of collection and analysis of system logs and application audit records, the use of file
integrity utilities to detect unauthorized changes to systems and files, and when appropriate and
specifically approved, the use of host intrusion detection systems (HIDS).

To the extent possible, dedicated and centrally monitored and managed servers will be used to
collect, aggregate, and analyze security-relevant network logs, preferably using automated means.

Data Collection, Protection, and Retention

Event or System Log Content

 Type of event

 When the event occurred (timestamp, including time zone)

 User ID associated with the event

 Program or command used to initiate the event

Event or System Log Record Protection and Retention

 Veracode employees must handle event and system logs as Veracode Sensitive
information in accordance with the Information Classification and Handling section

 Veracode must restrict access to online logs to only specifically authorized individuals

 Veracode must retain off-line storage of logs and network trace logs in accordance with
Veracode data retention practices

 To the extent possible, Veracode will employ mechanisms so that systems are not halted
when logs become full and that logging continues without disruption

 Veracode technical staff must implement controls to protect logs against unauthorized
changes such as disabling the logging function, inadvertent modification or deletion of
records, unauthorized access to removable media containing security-related logs and
records

 Whenever possible, Veracode must segregate the duties associated with individuals
administering the access controls, performing the log collection and analysis, and
performing incident response

Event or System Log Analysis and Alerting

Designated Veracode technical staff must review and analyze alerts and security-relevant logs
based on the following schedule:

 PP1: Real-time alerting, whenever possible, otherwise daily analysis of key logs/records

 PP2: Real-time alerting, whenever possible, otherwise weekly analysis of key log/records
(except firewall logs which must be reviewed daily)

 PP3: Log analysis is not specifically mandated

When logs, event records, or other intrusion detection capabilities indicate suspicious activity,
Veracode will promptly initiate its Incident and Emergency Management procedures.
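The five-attempt lockout and 90-day inactivity rules from the system ID and account section earlier in this exhibit, replayed over log records that carry the four required fields listed above (event type, timestamp with time zone, user ID, initiating program), as an added example rather than Veracode's own tooling. The log lines, their pipe-separated layout, the event names and the reference date are constructed assumptions.

```python
"""Replay authentication events against the account rules in this exhibit:
lock an account after a maximum of five unsuccessful login attempts and flag
accounts inactive for 90 days. Added example, not Veracode's own tooling; the
log lines, the pipe-separated format, the event names and the reference date
are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_FAILED_LOGINS = 5                   # policy: lock after at most five failures
INACTIVITY_LIMIT = timedelta(days=90)   # policy: inactive for 90 days

# Constructed sample log: type|timestamp (ISO 8601 with offset)|user ID|program
SAMPLE_LOG = """\
LOGIN_FAIL|2020-06-01T09:00:00+00:00|svc_backup|sshd
LOGIN_FAIL|2020-06-01T09:00:05+00:00|svc_backup|sshd
LOGIN_FAIL|2020-06-01T09:00:10+00:00|svc_backup|sshd
LOGIN_FAIL|2020-06-01T09:00:15+00:00|svc_backup|sshd
LOGIN_FAIL|2020-06-01T09:00:20+00:00|svc_backup|sshd
LOGIN_FAIL|2020-06-01T09:00:25+00:00|svc_backup|sshd
LOGIN_OK|2020-06-01T08:30:00-04:00|jdoe|gdm
LOGIN_FAIL|2020-06-02T10:00:00+00:00|jdoe|sshd
LOGIN_OK|2020-06-02T10:00:30+00:00|jdoe|sshd
LOGIN_OK|2020-01-15T12:00:00+00:00|old_contractor|sshd
"""
SAMPLE_NOW = datetime(2020, 6, 5, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class LogEvent:
    event_type: str
    when: datetime      # always time-zone aware
    user_id: str
    program: str


@dataclass
class AccountState:
    failed_streak: int = 0          # consecutive failures since the last success
    locked: bool = False
    lock_reason: str = ""
    last_success: datetime | None = None
    inactive: bool = False


def parse_log(text: str) -> list[LogEvent]:
    """Parse pipe-separated records, rejecting any that lack a required field
    or whose timestamp omits the time zone (both are policy requirements)."""
    events: list[LogEvent] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split("|")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, found {len(parts)}")
        event_type, stamp, user_id, program = (p.strip() for p in parts)
        when = datetime.fromisoformat(stamp)
        if when.tzinfo is None:
            raise ValueError(f"line {lineno}: timestamp {stamp!r} has no time zone")
        events.append(LogEvent(event_type, when, user_id, program))
    return events


def evaluate_accounts(events: list[LogEvent], now: datetime) -> dict[str, AccountState]:
    """Replay events in time order. A streak of MAX_FAILED_LOGINS failures locks
    the account; a success resets the streak and records activity. Accounts
    whose last success is INACTIVITY_LIMIT or more before `now` are flagged;
    accounts with no success in the log are left unflagged because their last
    activity is unknown rather than known to be old."""
    states: dict[str, AccountState] = {}
    for ev in sorted(events, key=lambda e: e.when):
        state = states.setdefault(ev.user_id, AccountState())
        if ev.event_type == "LOGIN_FAIL":
            state.failed_streak += 1
            if state.failed_streak >= MAX_FAILED_LOGINS and not state.locked:
                state.locked = True
                state.lock_reason = (f"{state.failed_streak} consecutive failures via "
                                     f"{ev.program} at {ev.when.isoformat()}")
        elif ev.event_type == "LOGIN_OK":
            if state.locked:
                # A success on a locked account means the lock is not being
                # enforced; keep the lock and surface it for the log reviewer.
                state.lock_reason += "; success observed while locked"
            state.failed_streak = 0
            state.last_success = ev.when
    for state in states.values():
        if state.last_success and now - state.last_success >= INACTIVITY_LIMIT:
            state.inactive = True
    return states


def run_sample() -> dict[str, AccountState]:
    return evaluate_accounts(parse_log(SAMPLE_LOG), SAMPLE_NOW)


if __name__ == "__main__":
    for user, state in sorted(run_sample().items()):
        print(f"{user:15} locked={state.locked!s:5} inactive={state.inactive!s:5} {state.lock_reason}")
```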

Data Breach
Many states and the District of Columbia have legislation regarding data breaches. Veracode will
comply to the best of its ability with these state laws, but in the event of conflicting legislation (and
lacking superseding federal legislation) Veracode must give precedence to the laws in the state in
which the corporation was incorporated (Massachusetts).

When a notification is made that data has been potentially disclosed inappropriately, the manager
receiving the notification must contact Veracode’s ISAT. At its sole discretion, the ISAT will
determine if the incident necessitates being escalated to the ISOC who will then meet and choose
appropriate action. Of utmost importance during the time of a data breach will be notifying
appropriate authorities and any affected customers (external users) as well as maintaining
sufficient forensic evidence for possible future legal action.

Information Backup
Keeping an accurate record of Veracode’s business activities is paramount and therefore backups
are made, checked and retained. Veracode’s employees, contractors and third-party vendors must
adhere to the corporate standards outlined in this section:

• Backups are performed on information assets currently defined as: production databases,
production servers and corporate business assets

• Backups of database customer metadata are performed incrementally throughout the day
and encrypted with 128-bit AES before being transmitted to off-site storage daily

• Backups of corporate business assets/systems are performed daily.

Accuracy of the backup is verified at the end of the backup process and before the backup media is
prepared for storage or transmitted off-site.

The backup media are retained at the secure storage facility for a minimum period of one (1) year
but end of year archives are retained indefinitely.


Version Control
Version control is a means to identify and manage configuration items as they change over time,
usually provided by a software tool designed for configuration management. Project artifacts, such
as source code and documentation, are checked into the Change Management (CM) Version tool
to be stored until future use. Version control activities cover the entire life cycle, from initiation to
retirement of the application.

All configuration items must be identified in the CM Tool and placed under version control in a CM
approved version control tool. This includes all source code, architecture, and design documents,
requirements, build, test, and deploy scripts, and other artifacts that may be identified by the SDLC
methodology.

Commercial off-the-shelf (COTS) product binaries and executables are maintained in a Veracode
approved archive location.

Defects identified during the development process must be documented in a CM supported
tracking tool.

All production builds and deployments must be from an established baseline in a CM approved
system or via a build promotion through the test environment.

At a minimum, there must be a baseline for applications created at the milestones specified in the
Configuration Management Plan.

All changes shall have an assigned impact level of routine (operational low), minor (low), moderate
(medium), or major (high).

Non-routine and non-emergency production changes must be scheduled during designated Low
Impact periods. Non-routine and non-emergency implementations scheduled outside the
designated release periods require waiver approvals from Change Management.

All Moderate and Major Impact infrastructure and application changes must be represented to
ISAT.

Security Auditing and Monitoring


Veracode relies on the integrity and quality of its critical applications, systems, and data,
collectively known as information assets. Monitoring critical information assets helps to ensure the
integrity, confidentiality, and availability of these assets. Monitoring involves identification, logging,
analysis, and review of system-based events against predetermined minimum-baseline standards.

Auditing must be enabled on all Veracode computers, servers and network hardware. Contracted
third parties and hosted solution providers must also abide by this corporate standard.

Access to log files is restricted to privileged accounts.

Security audit logs must be retained according to applicable legal and regulatory requirements,
and for a minimum of one (1) month in any case.

Information Security will maintain an active incident response plan and test this plan at least once
per year or as changes in the plan may necessitate.


Threat and vulnerability information from internal and external sources will be reviewed and analyzed
to maintain awareness of active threats and vulnerabilities to information processing assets and
known industry-identified security threats.

System Retirement
This procedure applies to all employees of the Corporation, which includes full-time and part-time
Veracode employees, contract workers, third parties as well as any individual using Veracode’s
corporate information assets.

The procedure pertains to all PC Technology (e.g., personal computer equipment, attached
peripheral devices and software) that were purchased or authorized by Veracode for business use.

Veracode technical staff must securely delete all information resident on storage media and
hardware prior to releasing it from Veracode/Hosting provider control, using approved
overwrite, degaussing, or destruction methods.

Submit notification of system retirement to the appropriate email.

Veracode technical staff must promptly adjust asset inventories to reflect the retirement of the
system.

Operations & Management in the Production Infrastructure


System Configuration Change Control
Change Management (CM) is a discipline that applies technical and administrative direction and
surveillance to identify and document the functional and physical characteristics of configuration
items for the development, production, and support of the lifecycle of a system or infrastructure.
Change Management is applicable to hardware, software, databases, and related documentation.
The goal of CM activities and processes is to ensure the integrity, availability, and security of the
production environment and to protect the information assets of Veracode.

All changes to Veracode's server applications, distributed applications, infrastructure, or databases
must be managed using approved Change Management processes and tools.

A project, system, or account level Change Implementation Plan is required for all development
and maintenance activities.

Changes to Veracode’s production applications, distributed applications, infrastructure, or
databases must have documented implementation, test, and contingency back-out plans under CM
approved version control prior to approval and migration, deployment, or implementation as
required by the change process being followed.

Ensure that major patches of key components undergo appropriate testing and evaluation in a test
environment.

Ensure that application of patches on systems in the production infrastructure environment are
approved at appropriate management levels.


Release to Production

The authority to determine system promotion criteria and to approve the release-to-production of a
new or changed system or application within the production infrastructure environment rests with
Veracode’s Chief Information Officer / Chief Information Security Officer or their designated
representative(s).

Veracode technical staff must install systems and applications using tested and approved
configurations and installation procedures.

Veracode technical staff must promptly adjust asset inventories to reflect the addition of or, if
applicable, change to the system.

Emergency Fixes

Veracode’s Chief Information Officer / Chief Information Security Officer is delegated authority to
approve the installation of emergency fixes/patches without necessarily undergoing requisite
testing or obtaining appropriate management approvals when time-critical installation of the
patch/fix is necessary to prevent key system outages or compromise of non-public information.

Such cases must be documented (including the circumstances surrounding the emergency fix) and
forwarded to the appropriate email. The patch must be introduced into the standard patch
management process as soon as practical so that, if required, Veracode can conduct appropriately
rigorous testing and evaluation of the patch.

Protection against Malicious Software and Mobile Code


Malicious logic is harmful software introduced into an application, file, or network environment for
the purpose of contaminating, damaging, or destroying information resources. Malicious logic
includes viruses, Trojan horses, trap doors, and worms, as well as many other forms of malicious
logic.

Computer viruses, worms, and other malicious programs represent a unique threat to the overall
integrity of Veracode information assets. Computer viruses can be particularly difficult to detect or
protect against using conventional security equipment such as firewalls and intrusion detection and
specialized measures are necessary to help counter the threat posed by computer viruses and
other malicious payload content.

Veracode technical staff will implement appropriate measures to prevent, detect, and recover from
the introduction of malicious logic into the Veracode environment. Where systems and applications
use mobile code, the configuration of those systems and applications must ensure that the
authorized mobile code operates according to clearly defined security parameters, and prevents
execution of unauthorized mobile code.

Veracode technical staff will regularly monitor vendor bulletins, security forums, and similar
information sources for relevant information concerning virus outbreaks and similar issues related
to malicious software.


Veracode technical staff will use a combination of anti-virus software installed on workstations and
servers along with prudent configuration of networked systems to control the introduction of
malicious logic and mobile code in the production infrastructure environment.

All storage media obtained from sources other than Veracode or Hosting provider, or previously
used with external systems, must be scanned for viruses prior to (re-)use in the production
infrastructure environment.

Veracode technical staff must ensure that anti-virus software and signature files are updated at
least weekly, or more frequently if the threat warrants.

Veracode technical staff will implement scans for malicious logic on all servers within the
production infrastructure environment.

Veracode technical staff will, to the extent possible, perform anti-virus scanning in real-time or in a
timely manner consistent with the threat.

Hosting provider and Veracode technical staff must promptly report any viruses detected in the
production infrastructure environment to their ISAT point of contact.

Veracode technical staff must disconnect any systems suspected of being infected from the
production infrastructure environment.

Veracode technical staff must not use electronic storage media used with the infected computer on
any other computer until the virus has been eradicated.

Veracode technical staff will accomplish virus eradication in a manner that minimizes both data
destruction and system downtime.

Event or System Log Analysis and Alerting

Designated technical staff must regularly review and analyze alerts and security-relevant logs using
real-time alerting, whenever possible, otherwise daily analysis of key logs/records.

When logs, event records, or other intrusion detection capabilities indicate suspicious activity,
Hosting provider and Veracode technical staff must appropriately escalate the situation to
designated Veracode staff in accordance with Hosting provider’s documented procedure entitled
“Problem Management Process” and other applicable agreements between the two companies.

Veracode staff will initiate appropriate response protocols in accordance with Incident and
Emergency Management procedures.

Information Backup
Keeping an accurate record of Veracode’s business activities is paramount and therefore backups
are made, checked and retained. Veracode’s employees, contractors and third-party vendors must
adhere to the corporate standards outlined in this section.

Veracode performs backups of the production and corporate systems on a daily basis. As part of
the server build process, backup software is installed on production servers, unless the server is
exempt as determined by Management. The following system components are included within the
backup process:


• Production Databases (primary location of production data)

• Production Servers

• Corporate Business Assets

The backups of the components above are encrypted to prevent anyone without authorized access
to the encryption keys from being able to access the content of the backups. Veracode receives
and reviews a daily status report, highlighting the status of each backup.

Any backup failures would be documented and escalated to the incident management process.
Upon determining that all daily backup jobs were successful, backup media is encrypted and
transmitted to an offsite 3rd party. The backup media is retained offsite for a minimum period of
one (1) year.

Access to request and make changes to the backup schedules is restricted to authorized and
appropriate personnel. Any changes to the schedule would follow the Change Management
process, as described above.

System Retirement
Veracode technical staff must securely delete information resident on media and
hardware prior to releasing it from Veracode/Hosting provider control, using approved overwrite,
degaussing, or destruction methods.

Submit notification of system retirement to the appropriate email.

Veracode technical staff must promptly adjust asset inventories to reflect the retirement of the
system.

Change Control, Standards and Policy Compliance
Testing functions must be performed by different individuals or groups other than those who
completed the development functions.

Individuals who deploy development code must not have write access to the source code.

Developers must not have write access to production systems.

Only the individual designated to deploy development code may execute that deployment,
migration, or implementation.

Any exceptions must be approved by management/ISAT, documented, and recorded in the email
archive.

All application and infrastructure changes must be reviewed by ISAT to verify compliance with
security and confidentiality policies, standards, and procedures.

Enforcement and Exception Handling


Failure to comply with the Security Auditing Standards and other associated standards, guidelines,
policies, and procedures can result in disciplinary actions up to and including termination of
employment for employees or termination of contracts for contractors, partners, consultants, and
other entities. Legal actions also may be taken for violations of applicable regulations and laws.


Requests for exceptions to the Security Auditing Standards must be submitted to the ISOC for
approval.

TECHNICAL MONITORING, VULNERABILITY MANAGEMENT AND SECURITY REVIEWS
Veracode will use various techniques to detect unauthorized activity, monitor the presence of
technical vulnerabilities within Veracode’s networked environment, and periodically obtain an
objective review of key security controls.

Technical Monitoring
• Log Aggregation, Protection, and Analysis
• System Clock Synchronization

Technical Vulnerability Management
• Monitoring Vendor Software Updates
• Technical Vulnerability Scanning
• Independent Security Reviews

Technical Monitoring
The following requirements apply to technical monitoring of the Veracode environment in addition
to intrusion detection and security event monitoring requirements specified elsewhere in this policy.
Monitoring efforts will focus on particularly sensitive information systems and the actions of
privileged users and administrators.

Data Collection, Protection, and Retention

Event or System Log Content
• Type of event
• When the event occurred (timestamp, including time zone)
• User ID associated with the event
• Program or command used to initiate the event

Event or System Log Record Protection and Retention

• Veracode employees must handle event and system logs as Veracode Sensitive
information in accordance with Information Classification and Handling

• Veracode must restrict access to online logs to only specifically authorized individuals

• Veracode must retain off-line storage of logs and network trace logs in accordance with
Veracode data retention practices

• To the extent possible, Veracode will employ mechanisms so that systems are not halted
when logs become full and that logging continues without disruption

• Veracode technical staff must implement controls to protect logs against unauthorized
changes such as disabling the logging function, inadvertent modification or deletion of
records, unauthorized access to removable media containing security-related logs and
records

• Whenever possible, Veracode must segregate the duties associated with individuals
administering the access controls, performing the log collection and analysis, and
performing incident response.
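As an added illustration of the log content and log protection requirements above (this is example code written for this page, not Veracode's or its Hosting provider's tooling; the field names, the HMAC key and the sample records are constructed), the following Python builds records that carry the four required fields with a time-zone-aware timestamp and chains each record to the previous one with an HMAC, so that modification, deletion or reordering of a record is detectable at review time:

```python
"""Structured security log records carrying the fields the standard requires,
chained with HMACs so unauthorized modification or deletion is detectable.
Added illustration using only the Python standard library."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Minimum record content named in the standard: type of event, timestamp with
# time zone, user ID, and the program or command used to initiate the event.
REQUIRED_FIELDS = ("event_type", "timestamp", "user_id", "program")


def make_record(event_type, user_id, program, when=None):
    """Build a record with every required field, timestamped in UTC."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a time zone")
    return {
        "event_type": event_type,
        "timestamp": when.isoformat(timespec="seconds"),
        "user_id": user_id,
        "program": program,
    }


def _canonical(record):
    # Sorted keys, no whitespace: the MAC must not depend on formatting.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ChainedLog:
    """Append-only log. Each record's MAC covers the record plus the previous
    MAC, so an edit, deletion or reordering breaks the chain at that point."""

    def __init__(self, key):
        self.key = key          # constructed demo key; held by the collector in practice
        self.records = []
        self.tail = "0" * 64    # anchor for the first record

    def append(self, record):
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError("record lacks required fields: %s" % missing)
        entry = dict(record, prev=self.tail)
        entry["mac"] = hmac.new(self.key, _canonical(entry), hashlib.sha256).hexdigest()
        self.records.append(entry)
        self.tail = entry["mac"]
        return entry


def verify_chain(records, key, expected_tail=None):
    """Return (ok, index): index is the first bad record, or -1 when intact.
    A tail differing from expected_tail (e.g. the last MAC forwarded to the
    log collector) reveals truncation, which the chain alone cannot show."""
    prev = "0" * 64
    for i, entry in enumerate(records):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i
        prev = entry["mac"]
    if expected_tail is not None and prev != expected_tail:
        return False, len(records)
    return True, -1


def demo():
    """Constructed sample records; returns the verification result for the
    intact log and for three tampered copies (edit, deletion, truncation)."""
    key = b"constructed-demo-key"
    log = ChainedLog(key)
    t0 = datetime(2020, 3, 27, 9, 0, tzinfo=timezone.utc)
    log.append(make_record("logon_success", "jdoe", "/usr/sbin/sshd", t0))
    log.append(make_record("sudo", "jdoe", "/usr/bin/sudo systemctl restart nginx", t0))
    log.append(make_record("logoff", "jdoe", "/usr/sbin/sshd", t0))
    intact = verify_chain(log.records, key, expected_tail=log.tail)

    edited = [dict(r) for r in log.records]
    edited[1]["user_id"] = "root"                  # who ran the command is rewritten
    after_edit = verify_chain(edited, key, expected_tail=log.tail)

    deleted = log.records[:1] + log.records[2:]    # middle record removed
    after_delete = verify_chain(deleted, key, expected_tail=log.tail)

    truncated = log.records[:2]                    # tail dropped: only the anchor shows it
    after_truncate = verify_chain(truncated, key, expected_tail=log.tail)
    return intact, after_edit, after_delete, after_truncate
```

The key belongs with the party doing log collection and analysis rather than with the host producing the records, which is the separation of duties the last bullet asks for; a host administrator who can edit the log file then cannot re-seal it. Removing records from the end of the log leaves a valid chain, so the last MAC has to be forwarded out of band (the `expected_tail` argument) for truncation to be caught.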

Event or System Log Analysis and Alerting
Designated Veracode technical staff must review and analyze alerts and security-relevant logs
based on the following schedule:
• PP1: Real-time alerting, whenever possible, otherwise daily analysis of key logs/records
• PP2: Real-time alerting, whenever possible, otherwise weekly analysis of key logs/records
• PP3: Log analysis is not specifically mandated

When logs, event records, or other intrusion detection capabilities indicate suspicious activity,
Incident and Emergency Management procedures will be promptly initiated in accordance with
Incident and Emergency Management policy.

Clock Synchronization
To facilitate the accurate reconstruction of events surrounding an actual or potential compromise,
information systems assigned a protection profile of PP1 or PP2 will synchronize their system
clocks using a single, accurate time source.

Technical Vulnerability Management
To reduce risks resulting from exploitation of published technical vulnerabilities, Veracode will
continuously monitor and periodically test for the presence of technical vulnerabilities within the
Veracode environment.

When vulnerabilities applicable to Veracode information systems are noted, technical staff will
evaluate the risk associated with the vulnerability in light of the systems’ usage, configuration, and
the presence of compensating controls in the networked environment. If the vulnerability
represents a moderate- or high-level risk, technical staff must notify ISAT and Chief Information
Officer / Chief Information Security Officer so that Veracode can respond appropriately to address
the vulnerability and oversee corrective actions.

Monitoring Vendor Updates


Veracode technical staff must monitor vendor bulletins and industry portals to keep apprised of
known technical vulnerabilities applicable to information systems used within the Veracode
environment.

Technical Vulnerability and Security Testing


Regular testing of key systems for the presence of technical vulnerabilities is an integral
component of a robust security program. Accordingly, Veracode will also perform technical
security testing of key systems using industry-accepted automated tools executed after significant
change in the environment or as outlined in Table 3. Technical Vulnerability and Security Testing.


Table 3. Technical Vulnerability and Security Testing

                                              PROTECTION PROFILE
TEST TYPE / TRIGGER OR FREQUENCY              PP1    PP2    PP3

Vulnerability Scanning
  Prior to production release                 ✓      O      ---
  Ongoing — Monthly                           O      ---    ---
  Ongoing — Quarterly                         ✓      ✓      ---
  Ongoing — Annually                          ---    ---    O

Penetration Testing
  Prior to production release                 ✓      O      ---
  Ongoing — Monthly                           ---    ---    ---
  Ongoing — Quarterly                         O      ---    ---
  Ongoing — Annually                          ✓      O      ---

Security Code Review
  Prior to production release                 O      O      ---
  After significant change                    O      O      ---

✓ Recommended Control   O Optional Control   --- Not Recommended/Required

Independent Security Review


At planned intervals, Veracode will obtain the services of an independent assessor to conduct a
technical vulnerability assessment of systems assigned to protection profile PP1 or PP2 along with
a review of key security practices. Veracode Management must evaluate the results and respond
appropriately to address the vulnerability or deficiency and oversee corrective actions.


Independent Security Review Attestation – Annual


Please see Sentry Cyber Security - 2020 Veracode Pen Test Executive Summary
Letter under separate cover.



> INFORMATION SECURITY INCIDENT MANAGEMENT

Information Security Incident Management


INFORMATION SECURITY INCIDENT MANAGEMENT POLICY
Quickly and effectively responding to an information security incident is essential to minimize damage,
reduce recovery costs, and to maintain external relationships. This incident management policy
establishes a framework for identifying, containing, eradicating, and recovering from an information
security incident.

OVERVIEW
This standard establishes guidelines for effective management and response of information security
incidents including but not limited to, detecting, responding, investigating, monitoring, and logging.
Despite the best controls, no organization can be invulnerable to all security threats. To address this,
a response process will minimize the damage created by a realized event or threat, and help identify
improvements to Veracode’s security posture. The following are benefits of having an incident
response capability:

• Responding to incidents systematically so that the appropriate steps are taken

• Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft
of information and disruption of services

• Using information gained during incident handling to better prepare for handling future incidents
and to provide stronger protection for systems and data

• Dealing properly with legal issues that may arise during incidents

Failure to abide by this standard may result in:

– Financial loss

– Criminal/civil penalties

– Non-compliance with regulatory requirements and therefore risk of losing certifications (e.g. ISO
27001, FedRAMP)

– Impact to market perception and loss of brand value.

SCOPE
This standard applies to all regular and temporary employees, contractors, consultants, and other
personnel at Veracode, including all personnel affiliated with third parties who may be subject to one
or more policies or agreements regarding the use of, or access to, the relevant Veracode
environments, including applications, servers, databases, network services, middleware, data centers,
and infrastructure changes that have the potential to impact Veracode business. This standard applies
to all equipment and resources that are owned or leased by Veracode and all service providers
providing service to Veracode.


REVIEW CYCLE
This standard is reviewed at least annually, and may be reviewed more frequently.

STATEMENT OF REQUIREMENTS
Management shall implement systems and processes to ensure information security weaknesses
associated with information processing facilities are communicated in a manner allowing timely
corrective action to be taken.

Management should ensure a consistent, effective, and timely approach is applied to the management
of information security incidents through the assignment of responsibilities and development of
procedures.

Management should learn from incidents to continuously improve the response process and quantify
the types, volume, and costs associated with events and incidents.

Where a follow-up action against a person or organization after an information security event or
incident involves legal action, evidence shall be collected, retained, and presented to conform to the
rules for evidence in relevant jurisdiction(s).

This plan will further detail requirements and procedures for incident management as follows:

• Security Incidents Defined
• Incident Response Roles and Responsibilities
• Incident Management Process
• Incident Closure and Root Cause Analysis
• Incident Response Process Improvement
• Incident Response Metrics
• Incident Response Reporting
• Incident Response Testing and Exercises
• Incident Response Training
• Customer Incident Notification Requirements

An incident response team should be available for contact by anyone who discovers or suspects that
an incident involving Veracode has occurred. Security and Compliance shall make everyone aware of
when and how to report incidents through regular security awareness training.

INCIDENT MANAGEMENT PROCESS


The nature of Veracode operations requires that incidents be approached differently depending on the
information and systems involved.
Production Incidents:
• Incidents directly affecting or related to the production environment and Veracode’s Code
Assurance Service Platform.

• Requires a high degree of coordination and collaboration with the production infrastructure
hosting facility (Hosting provider) and Veracode technical staff.

• Initial discovery of the incident and initiation of response protocols is primarily accomplished
by the Hosting provider Network Operations Center (NOC) and Veracode technical staff
based on criteria specified in the associated service level agreement (SLA) or similar
arrangement and internal Hosting provider/Veracode procedures.

Non-Production (Corporate) Incidents:
• Any incident other than those directly affecting or related to the production environment and
Veracode’s Code Assurance Service Platform.

• Initial discovery of the incident will likely occur through various and sundry means including
audits, assessments, technical testing, and during the course of routine operations.

• Initial incident reporting may be initiated by employees, customers, law enforcement and
security organizations, or by the general public.

• Veracode will receive notification of a potential incident by telephone, email, letter, or face-to-
face communication.

Despite these differences, Veracode will manage the incident response process using a common
framework. As such, the direction provided in this policy applies to all incidents unless specifically
stated to the contrary.


Incident Stages
Veracode organizes incident management activities around distinct stages commonly associated with
information security incidents.

Figure 2. Incident Management Process Flow

Discovery: This stage includes initial actions taken upon notification or realization that an incident has
occurred or may be in progress

Classification: During this stage, the ISAT or other responder(s) gather sufficient information to
classify the incident based on its nature or type, severity of impact, extent of compromise, and
problem persistence

Notification and Escalation: Based on the affected environment and severity level, the ISAT or other
responder(s) will notify specified individuals or entities

Assessment and Investigation: The ISAT coordinates and executes an investigation of the incident
to identify the affected systems, vulnerable information, root cause(s), responsible parties, and the
corrective or compensating actions required to recover from the incident and return to normal
operations

Recovery: Depending on the nature of the incident and the systems affected, designated Veracode
staff will perform specific tasks to recover from the incident in an effective, secure manner

Closure: Identification of “lessons learned” and validation that all corrective actions have been
accomplished

Discovery
This stage includes initial actions taken upon notification or realization that an incident has occurred or
may be in progress. Because Veracode will become aware of incidents in a variety of ways, all
employees must possess a clear understanding of how to recognize and report a potential incident.


Regardless of the source, employees should route all initial event notifications through Veracode’s
Information Security Assessment Team (ISAT). The ISAT will then perform a preliminary analysis of
the incident and will initiate appropriate response actions.

• Individuals reporting potential security incidents should use direct or telephonic communication as the
preferred means of notification

• If the incident does not involve the corporate email system, Veracode employees may report incidents
through internal email only

• Veracode prohibits employees from using external mail systems to report, acknowledge, or discuss
potential incidents

• Submit incident notification to the appropriate email

Classification
Veracode classifies incidents based on their nature or type, severity of impact, extent of compromise,
and persistence of the problem or issue resulting in a determination that the incident falls into a
particular type and severity level. This determination is necessary in order to help properly guide the
actions of incident responders and is subject to change during the course of a response since
subsequent investigation may reveal previously unknown information that affects initial conclusions
concerning the nature and severity of the incident. This section defines and describes the general
types of incidents, the levels associated with a system outage or degradation in system performance,
and the (overall) severity levels based on the degree to which the incident can adversely affect
Veracode and our customers.

Incident Types
Incidents will generally fall into one of the following broad categories:

• System Outage/Performance Degradation

• Unauthorized Information Access/Modification

• Malicious Software/Code

• Security or Confidentiality Breach

• Noncompliance with security and confidentiality policies

• Physical intrusion

In many cases, the presence of one type of incident may actually be a symptom of the problem rather
than the root cause (for example, the introduction of certain malicious software may well lead to
service degradation, unauthorized information or system access, and the propagation of the code
across other connected systems). Understanding and communicating the primary nature of an
incident will aid Veracode in determining the most effective course of action to take in response.


Severity Levels
Veracode defined four levels to classify incidents involving an outage or degradation of service
affecting systems with an assigned protection profile of PP1 or PP2.

Level 1—Failure or breach in the production operation of Veracode Service causing severe impact
on ability to access the Veracode platform and/or run business critical reports from the Veracode
platform. No Customer-acceptable workaround in place. Problem persists for greater than 60
minutes.

Level 2—Intermittent failure or breach in the production operation of Veracode Service that causes
moderate degradation in performance or functionality, resulting in a major operational impact on
ability to access the Veracode platform and/or run business critical reports from the Veracode
platform. No acceptable workaround in place. Problem persists for between 30 minutes to 60
minutes.

Level 3—Minor impact in the production operation of Veracode Service where the solution is
operational, but a technical issue exists that may need resolution. This includes issues where an
acceptable workaround is usually available and/or a documentation issue exists. Problem persists
for between 5 and 30 minutes.

Level 4—Low or no impact in the production operation of Veracode Service where the issue(s) do
not impede operations and are limited to user questions and enhancement requests. Problem
persists for less than 5 minutes.

Notification and Escalation


General Notification Requirements
Based on the affected environment and severity level, the ISAT or other responder(s) will notify the
individuals and entities specified in Table 4.

The preferred communications method is in-person or over a landline telephone; responders will avoid
using any communications channel when there is reason to believe it was compromised in connection
with the incident.

Refer any inquiries from the media or other third parties, without comment, to the Chief Information
Officer / Chief Information Security Officer.


Table 4. Notification & Escalation by Severity/Outage Level

                                               RISK LEVEL
                                               CORPORATE ENVIRONMENT         PRODUCTION ENVIRONMENT
SEVERITY OR OUTAGE LEVEL                       S1/L1  S2/L2  S3/L3  S4/L4    S1/L1  S2/L2  S3/L3  S4/L4

Outage Escalation/Notification (* = Immediate, # = 4 hours)
Chief Information Officer /
  Chief Information Security Officer             *      *      #      #        *      *      *      #
Executive Management Team                        #      #     ---    ---       *      #     ---    ---
All Employees                                   TBD    TBD    ---    ---      TBD    ---    ---    ---
Affected Customers                              ---    ---    ---    ---      TBD    TBD    ---    ---
Law Enforcement or Other Authorities            TBD    TBD    TBD    TBD      TBD    TBD    TBD    TBD

Severity Escalation/Notification (* = Immediate, # = 4 hours)
Chief Information Officer /
  Chief Information Security Officer             *      *      #      #        *      *      *      #
Executive Management Team                        #      #     ---    ---       *      #     ---    ---
All Employees                                   TBD    TBD    ---    ---      TBD    ---    ---    ---
Affected Customers                              ---    ---    ---    ---      TBD    TBD    TBD    ---
Law Enforcement or Other Authorities            TBD    TBD    TBD    TBD      TBD    TBD    TBD    TBD

Tracking, Reporting, and Follow-up (* = Immediate, # = 4 hours)
Information Security Oversight Council (ISOC)    *     ---    ---    ---       *      *     ---    ---

Legend: * / # = Notification required (immediately / within 4 hours); --- = Notification not required;
TBD = To be determined (case-by-case)

Notification Process in the Production Environment


Veracode technical staff will provide first-line support in accordance with Veracode’s problem and
change management policies. If necessary to assist in problem management or to approve required
changes, the Hosting provider will engage Veracode resources using the escalation path depicted below:


Figure 3. Incident Response Notification Process (Production Environment)

Hosting provider will use the associated event handler and event routing rules to determine proper
escalation path and Veracode notification.

Regardless of source, all event notifications will initially be routed through Veracode’s Information
Security Assessment Team (ISAT).

The ISAT or other designated responder will promptly notify the Chief Information Officer / Chief
Information Security Officer of any Severity Level 1, 2, or 3 incidents.

The ISAT or other designated responder will immediately notify Executive Management of any
Severity Level 1 incidents.

For incidents requiring authority beyond that of the ISAT (including certain security and confidentiality
related incidents), executive management will be the primary governing body.

The ISAT or other designated responder will immediately notify the ISOC of those Severity Level 1
incidents that, in the responders' collective assessment, are critical enough to warrant immediate
ISOC notification. The ISOC may choose to convene an emergency session (upon request of the ISAT
or independently) to review the incident and its status as related to current policy and operating
procedures.

The Chief Information Officer / Chief Information Security Officer is responsible for coordinating
resolution of software issues with the on-call engineer.

The Chief Information Officer / Chief Information Security Officer or designated representative is
responsible for coordinating resolution of infrastructure issues with Hosting provider.

Assessment and Investigation
During this stage, the ISAT takes those actions necessary to contain and investigate the incident to
identify the affected systems, vulnerable information, root cause, responsible parties, and the
corrective or compensating actions required to recover from the incident and return to normal
operations.

Executive Management and the ISAT will use the following considerations to guide their actions in
connection with incident investigations:

• Containment: The ISAT will immediately take necessary actions to halt or limit the damage to
systems, or the compromise of non-public information, resulting from the incident.

• Investigative Priority: Investigative activities for incidents classified as Severity Level 1 or 2 will, to
the extent possible, take priority over other work assigned to the team members.

• Evidence Preservation: For incidents classified as Severity Level 1 or 2, the ISAT will:
  - Collect and securely store all logs, records, journals, documentation, and media containing
    relevant information;
  - Refrain from taking actions that corrupt or otherwise degrade the value and quality of
    information retrievable through cyber forensics;
  - Maintain a journal and associated field notes related to the incident response activities.

• Third-Party Involvement: With the approval of appropriate Executive Management, the ISAT will
engage third parties or law enforcement personnel for the purpose of forensic examination, criminal
prosecution, or civil litigation.

Additionally, the ISOC will maintain a record containing essential information regarding each incident
classified as Severity Level 1 or 2.


Recovery
Based on the information obtained during the course of the investigation, the ISAT will develop an
incident corrective action plan in connection with incidents classified as Severity Level 1 or 2. The
ISAT will verify that appropriate individuals are aware of and approve the implementation of corrective
or compensating actions required to recover from the incident. The corrective action plan will address
and document all relevant changes including:

• Changes to the network infrastructure
• Changes in system configurations
• Changes in system functionality
• Changes in related policies, practices, processes, and procedures
• Changes to training materials used to support user or employee awareness activities

Depending on the nature of the incident and the systems affected, and at the direction of the ISAT,
designated Veracode staff will perform specific tasks to recover from the incident in an effective,
secure manner. These individuals will:

• Maintain a journal and associated field notes related to the incident recovery activities.
• Use software from a trusted source to reinstall applications and operating systems.

Incident Closure and Root Cause Analysis


The purpose of this final incident response stage is to verify that relevant documentation is securely
stored, document the lessons learned from post-incident reviews, determine the root cause, and ensure
that Executive Management receives a final report that summarizes the incident as well as the
corrective actions, lessons learned, outstanding actions, and changes to Veracode business
operations associated with the incident.

Incident Response Metrics


The following metrics are used to gauge the effectiveness of the incident response capability:

• Mean time to repair or resolve: how fast the incident is resolved
• Number of incidents handled
• Objective assessment of each incident: reviewing logs, forms, reports, and other incident
documentation for adherence to established incident response policies and procedures
• Subjective assessment of each incident: incident response team members may be asked to
assess their own performance, as well as that of other team members and of the entire team.


Incident Response Reporting

External Reporting
In the event of an incident that requires reporting to a government agency, the ISOC team will follow
the reporting timeframes in the US-CERT Federal Incident Reporting Guidelines
(http://www.us-cert.gov/government-users/reporting-requirements.html).

As per the Federal Incident Reporting Guidelines, reports of computer incidents will include a description
of the incident or event, using the appropriate taxonomy, and as much of the following information as
possible:

• Agency name
• Point of contact information including name, telephone, and email address
• Incident Category Type (e.g., CAT 1, CAT 2, etc., see table below)
• Incident date and time, including time zone
• Source IP, Destination IP, port, and protocol
• Operating System, including version, patches, etc.
• System Function (e.g., DNS/web server, workstation, etc.)
• Antivirus software installed, including version, and latest updates
• Location of the system(s) involved in the incident (e.g., Washington DC, Los Angeles, CA)
• Method used to identify the incident (e.g., IDS, audit log analysis, system administrator)
• Impact to agency
• Resolution.

Incident categories and reporting timeframes (Category / Name / Description / Reporting Timeframe):

CAT 0 - Exercise / Network Defense Testing
  Description: This category is used during state, federal, national, international exercises and
  approved activity testing of internal/external network defenses or responses.
  Reporting Timeframe: Not Applicable; this category is for each agency's internal use during
  exercises.

CAT 1 - Unauthorized Access
  Description: In this category an individual gains logical or physical access without permission to a
  federal agency network, system, application, data, or other resource.
  Reporting Timeframe: Within one (1) hour of discovery/detection.

CAT 2 - Denial of Service (DDoS)
  Description: An attack that successfully prevents or impairs the normal authorized functionality of
  networks, systems or applications by exhausting resources. This activity includes being the victim
  or participating in the DDoS.
  Reporting Timeframe: Within two (2) hours of discovery/detection if the successful attack is still
  ongoing and the agency is unable to successfully mitigate activity.

CAT 3 - Malicious Code
  Description: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other
  code-based malicious entity) that infects an operating system or application. Agencies are NOT
  required to report malicious logic that has been successfully quarantined by antivirus (AV) software.
  Reporting Timeframe: Daily. Note: Within one (1) hour of discovery/detection if widespread across
  agency.

CAT 4 - Improper Usage
  Description: A person violates acceptable computing use policies.
  Reporting Timeframe: Weekly.

CAT 5 - Scans/Probes/Attempted Access
  Description: This category includes any activity that seeks to access or identify a federal agency
  computer, open ports, protocols, service, or any combination for later exploit. This activity does not
  directly result in a compromise or denial of service.
  Reporting Timeframe: Monthly. Note: If system is classified, report within one (1) hour of discovery.

CAT 6 - Investigation
  Description: Unconfirmed incidents that are potentially malicious or anomalous activity deemed by
  the reporting entity to warrant further review.
  Reporting Timeframe: Not Applicable; this category is for each agency's use to categorize a
  potential incident that is currently being investigated.

Internal Reporting
All Veracode personnel have a responsibility to report events that they believe indicate a security
incident has occurred. Examples of such events include, but are not limited to:

• Alerts, notifications, error messages, or other automated warnings that indicate a security
incident may have occurred;
• Reports of security incidents received from external parties, including customers,
members of the press, or the general public;
• Personal observations of anomalies or unexpected events that might indicate a security
incident has occurred; or
• Indication of virus, malicious software or hacker activity.

Events must be reported to the ISAT in accordance with standard procedures.

Incident reporting also includes, but is not limited to:

• Recurrence of a certain type of event, or any pattern that is identified
• Quantification of disruption in the services or loss of assets
• “Lessons Learned” meeting summaries
• Quantification of the resources it took to resolve the incident
• Recommendations for corrective actions, if necessary.

Incident Response Testing and Exercises


On a regular basis, Veracode performs testing of the incident response infrastructure through the use
of regularly scheduled Table Top Exercises. Employees within the Incident Response Teams perform
simulated incident events to ensure personnel understand their roles and responsibilities and to ensure
the plan is updated to reflect new risks or gaps. The incident response testing process covers the
following:

• All components: IDS, Event Analysis (EA), and Forensics.
• Documents and procedures.
• Response time to incidents.
• Response time to events.
• Team expertise.

Additionally, the QC test procedure ensures that the ISAT team successfully completes the following
steps:

• Verifying the event report (did the incident actually occur).
• Interpretation (what actually happened).
• Determining the scope of the incident.
• Correct classification of the incident.
• Prioritization of the incident.

After each test is performed, there is a thorough review of the process that was followed. The test
results are reviewed to determine what was successful and where mistakes were made. There are
three possible outcomes for any test performed:

PASS                 All objectives met, without reservation.
PASS + Remediation   Objectives met, but areas for improvement/remediation identified.
FAIL                 Objectives not met.

Processes are then identified to be improved and modified accordingly. Veracode documents
the effectiveness of the incident response capability by recording the results, exercise
outcome, a summary, and recommendations of incident response tests.

Incident Response Training


Veracode requires all employees within the Incident Response Teams to be trained in their
information system incident response roles and responsibilities. The training incorporates simulated
events, through regularly scheduled tabletop exercises, to facilitate effective response by personnel in
crisis situations. Additionally, Veracode ensures through regular security awareness training that
everyone is aware of when and how to report incidents.

Additionally, Veracode’s incident response guidelines and procedures are outlined in the Company’s
Information Security Policy (VISP), which all Veracode employees are required to read, sign and
comply with upon employment with Veracode.

ISAT members are required to participate in bi-annual incident handling and response tests that are
necessary to fulfill compliance and audit requirements. This provides on-the-job training to perform
incident management activities. Additionally, annual security awareness training that includes
specifics on incident response is provided to all Veracode personnel.

Customer Incident Notification Requirements


Veracode customers can submit incident and suspicious activity notifications to
sg-[email protected]. Veracode will publicly disclose security vulnerability information under one or
more of the following conditions:

• The VOSP has completed the incident response process and determined that enough software
patches and/or workarounds exist to address the vulnerability, or subsequent public disclosure
of code fixes is planned to address high-severity vulnerabilities.

• Veracode has observed active exploitation of a vulnerability that could lead to increased risk
for Veracode customers. For this condition, Veracode will accelerate the publication of a
security announcement describing the vulnerability that may or may not include a complete set
of patches or workarounds.

• There is the potential for increased public awareness of a vulnerability affecting Veracode
products that could lead to increased risk for Veracode customers. For this condition, Veracode
will accelerate the publication of a security announcement describing the vulnerability that may
or may not include a complete set of patches or workarounds.

Veracode uses a well-defined process for vulnerability handling and disclosure.



> BUSINESS CONTINUITY MANAGEMENT

Business Continuity Management


OVERVIEW
Veracode’s Business Continuity and IT Disaster Recovery plans provide structure and guidance to
ensure that all departments and business functions have in place robust and current continuity and
recovery plans that are regularly reviewed and tested.

The plans provide for the prompt and effective continuation of all business critical functions and
service offerings in the event of a disruption of service.

Veracode will take all reasonable steps to ensure that in the event of a service interruption,
essential services will be maintained, and normal services restored as soon as possible.

Each department and business function within Veracode performs risk assessments and
business impact analyses to determine the criticality of that department and business function, and
documents the risk its loss would pose to the company.

BUSINESS CONTINUITY PLAN


Overview
Veracode’s business operations are performed at our Corporate Offices in Burlington, MA.
However, Veracode personnel routinely work remote due to personal or weather related reasons.
This remote-work capability is the foundation of our Continuity Plan in the event of a business
interruption at the Corporate Offices.

Infrastructure
Veracode uses Send Word Now as our critical Incident alerting and messaging system to notify
employees of business interruptions.

Critical elements of the infrastructure supporting the corporate office are located in the Lowell and
Somerville facilities. These include email and messaging systems as well as a VPN for remote
connectivity.

Veracode’s phone system is provided as a service from 8x8 communications and is accessible to
employees anywhere they are located.

Backup/Recovery and Data Protection Plans


Overview
Veracode has a comprehensive data protection plan, and the Veracode platform has multiple levels
of protection to ensure service continuity. The platform is redundant at each level, and critical data
is backed up and maintained offsite. A warm backup site is in place for the unlikely extended
outage requiring restoration of services in an alternative location.


Redundant Infrastructure
The Veracode platform has built-in redundancies at each level of its service infrastructure, which is
hosted at third-party service providers and includes the network, web, application and database tiers.

Veracode protects data required for the Veracode Application Security Platform (VASP) to function,
including system data and infrastructure data.

Backups of customer metadata are performed incrementally throughout the day and encrypted with
128-bit AES before being transmitted to off-site storage daily.

For security reasons customer binaries are not backed up. In the event of a disaster occurring to
the hosting facility, customers will only have to re-upload their binaries for any scans that were in
process.

Warm Backup Site


If the primary hosting site is no longer operational, the Veracode services will be restored at our
warm backup site. The fail-over location is at Veracode’s alternate processing site.

Equipment to support all tiers of operations is maintained and kept up to date in the alternate
facility. Such an arrangement would be temporary and provide for the restoration of a reduced
scale of service. Full resumption of services can be achieved at the primary facility if available, or
relocated to an alternate processing location when available.

This includes redundant firewalls, switches, load balancers, web servers, application servers,
database servers, engine hosts, and data storage clusters. Operations can be resumed once the
current data is restored from a backup and the external DNS entry is changed to point to the new
location.

Disaster Recovery Preparedness


Disaster recovery testing and exercises are conducted to demonstrate the recoverability of services
with a defined RTO (72 Hours) and RPO (24 Hours).

Throughout the year the Veracode IT organization undertakes a number of tests and drills to
enhance its preparedness in case of a disaster.

Service Incident Reporting


In addition to formal DR testing procedures, a Service Incident Report (SIR) Process exists to
review and document any significant issues in our production environment. This can result in
changes to the Business Continuity and IT Disaster Recovery Plan throughout the balance of the
year, with an improved posture relative to the identification of incidents as well as incident
response.



> COMPLIANCE

Compliance
THE VERACODE WAY (VERACODE OF CONDUCT)
The Veracode Way is the foundation of our culture. It guides our behavior, decisions and actions
toward our stakeholders: employees, customers, investors and the broader community.

Security is job one
We are trustworthy and uphold a higher standard. Customers trust us with their data. We
preserve that trust.

Help our customers be heroes
We offer solutions and instill confidence to help our customers win. We are the “Monster” in
their corner.

Be transparent, with discretion
We share expectations, priorities and status. We give and solicit honest feedback.

Measure, learn, and improve
We focus on results and follow through on commitments. We foster innovation and creativity,
and learn from our mistakes.

Treat everyone with respect
We are direct and constructive. We assume everyone acts in good faith.

Share our vision for the future
We secure the world’s software. Our emphasis is on “we” and making Veracode successful.

Be proud to be Veracode
We create an environment to bring out the best in one another. We cheerlead and celebrate
victories.


VERACODE SOC 2 TYPE II REPORT


Please see Veracode SOC 2 Report 04-01-2019 - 03-31-2020 under separate cover


PRIVACY POLICY
Veracode’s Privacy Policy may be reviewed at: https://www.veracode.com/privacy-policy

PRIVACY SHIELD
Organization Information:
Veracode, Inc.
65 Network Drive
Burlington, Massachusetts 01803
Phone: 339-674-2500
Fax: 339-674-2502
www.veracode.com

Organization Contact:
Contact Office: Chief Information Security Officer
Name: Chris Wysopal
Phone: 339-674-2703
Fax: 339-674-2502
Email: [email protected]

Privacy Policy Effective: 09/24/2018


Location: http://www.veracode.com/privacy-policy

Regulated By: Federal Trade Commission

Privacy Programs: NONE

Verification: In-house

Personal Data Covered: Human resources, business/customer and supplier/vendor information in
all formats, including electronically stored and manually processed information.

Organization Human Resource Data Covered: Yes

Agrees to Cooperate and Comply with the EU and/or Swiss Data Protection Authorities? Yes

Relevant Countries from which Personal Information is received:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg,
Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden,
Switzerland, United Kingdom

Industry Sectors:
Computer Services - (CSV)
Computer Software - (CSF)
Information Services - (INF)
Security & Safety Equipment - (SEC)

Corporate Headquarters

Veracode, Inc.
65 Network Drive
Burlington, Massachusetts 01803 USA
Tel +1.339.674.2500 Fax +1.339.674.2502
Email: [email protected]

EMEA Headquarters

Veracode, Ltd.
36 Queen Street,
London, EC4R 1BN UK
Tel: +44 (0) 203 427 6025

Email: [email protected]
policies and metrics across disparate development teams, no matter where they’re located.

For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the Veracode
Blog at www.veracode.com/blog.

© 2020 Veracode, Inc. All rights reserved. All other brand names, product names, or trademarks
belong to their respective holders.
