MIT License

Veracode Community Policy Examples

A collection of example application security "policies as code" that can be added to your Veracode organization account using the process below.

Adding a policy to your Veracode organization

To add one of these policies to your organization in Veracode, use the Veracode Policy API. The command-line example below uses HTTPie together with the Veracode API Signing tool (the Veracode Python Authentication Library), which adds the HMAC request signature the API requires.

Before you start

  1. You must use a user with the Policy Manager role.
  2. Generate your API credentials and store them in a Veracode credentials file (or use environment variables).
  3. Install the Veracode Python Authentication Library.
  4. Install HTTPie. (You can use other API tools, but HTTPie is used for the command line examples below.)

Add a policy

  1. Download the policy JSON file to your local system (e.g. example.json).
  2. Execute the following command at the command line:

http --auth-type=veracode_hmac POST "https://api.veracode.com/appsec/v1/policies" < example.json
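The following POSIX shell helper is an added example and is not part of this repository. It wraps the POST above with the preflight checks a practitioner usually wants before pushing a policy: the file exists, parses as JSON and carries a top-level "name" (a minimal sanity check, not the full policy schema), and API credentials are discoverable before the request is attempted. It assumes the HTTPie `http` client and the veracode-api-signing plugin are installed and that credentials live in ~/.veracode/credentials or in the VERACODE_API_KEY_ID / VERACODE_API_KEY_SECRET environment variables. POLICY_API_URL and DRY_RUN are names chosen for this example; with DRY_RUN=1 the request is only printed, so the script can be exercised without credentials or network access.

```shell
#!/bin/sh
# Preflight-and-post helper for a Veracode policy JSON file (added example,
# not repository code). Assumes HTTPie plus the veracode-api-signing plugin
# are installed; credentials come from ~/.veracode/credentials or from
# VERACODE_API_KEY_ID / VERACODE_API_KEY_SECRET (both real plugin sources).
# POLICY_API_URL and DRY_RUN are names chosen for this example.

POLICY_API_URL="${POLICY_API_URL:-https://api.veracode.com/appsec/v1/policies}"

# Return 0 if credentials are discoverable, 1 otherwise.
have_credentials() {
  [ -r "${HOME}/.veracode/credentials" ] && return 0
  [ -n "${VERACODE_API_KEY_ID}" ] && [ -n "${VERACODE_API_KEY_SECRET}" ] && return 0
  return 1
}

# Return 0 if the file is well-formed JSON whose top level is an object with a
# non-empty "name"; this is a minimal sanity check, not the full policy schema.
validate_policy_file() {
  file="$1"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  python3 - "$file" <<'EOF' || return 1
import json, sys
with open(sys.argv[1]) as fh:
    doc = json.load(fh)            # raises on malformed JSON
if not isinstance(doc, dict) or not doc.get("name"):
    sys.exit('policy must be a JSON object with a non-empty "name"')
EOF
}

# Validate, then POST the policy. With DRY_RUN=1 the request is only printed.
# --check-status makes HTTPie exit non-zero on a 4xx/5xx response, so a
# rejected policy fails the script instead of silently printing an error body.
add_policy() {
  file="$1"
  validate_policy_file "$file" || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "would run: http --auth-type=veracode_hmac POST \"$POLICY_API_URL\" < $file"
    return 0
  fi
  have_credentials || { echo "no Veracode API credentials found" >&2; return 1; }
  http --auth-type=veracode_hmac --check-status POST "$POLICY_API_URL" < "$file"
}

# Usage: add_policy example.json   (or DRY_RUN=1 add_policy example.json)
```

Running the validation step before the request means a malformed file fails locally with a clear message instead of surfacing as a confusing API error, and the dry-run mode lets the wrapper be checked in CI without storing credentials there.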

Example policies

  • FISMA - NVD cross-section mappings of CWEs. DIACAP and FedRAMP are based on the same requirements.
  • HIPAA - Example policy to act as a guide for those attempting to comply with HIPAA + Omnibus/HITECH/HITRUST.
  • OWASP API Security Top 10 2019 - Policy based on the CWE mappings in the (preview version of the) OWASP API Security Top 10 list for 2019. (Note: In some cases, child or parent CWEs of the ones mentioned in the standard have been used depending on how Veracode categorizes the vulnerabilities.)
  • Veracode Verified Policies