Veracode Cryptography Primer

How does Veracode protect application code?


Customers upload files to Veracode in order to conduct static analysis. As part of the upload process, the files are encrypted using and stored in a file share. From this point forward, the files are never decrypted to disk; decryption for the purpose of analysis is performed only in memory by the scanning process.

A unique application key is generated for every application and stored in an Oracle database. The keys are stored securely using encryption and Oracle TDE (Transparent Data Encryption). They can only be decrypted through the use of Oracle Wallet. The Oracle Wallet key is stored encrypted on the file system and requires an administrator to manually bootstrap startup by providing a passphrase used to decrypt the Wallet key. Backup files are encrypted before being transported off-site for storage.

As a result of these various levels of encryption, no one with access to the file share or system backups can access an unencrypted copy of sensitive customer data. Backups of customer binaries do not leave the SunGard hosting facility located in Marlborough, Massachusetts. Only customer metadata is backed up off-site. In the event of a data center disaster, any pending scans will require that their data be re-uploaded to the failover data center.


How does Veracode protect data in transit?
All communications from a user-agent (web browser, IDE plug-in, customer written API script) to
Veracode are protected by SSL version 3 / TLS version 1 using a sufficiently strong cipher suite. The
following ciphers are allowed by Veracode:
| Cipher Suite          | Length of Private Keying Material (bits) |
|-----------------------|------------------------------------------|
| RC4-MD5               | 128                                      |
| RC4-SHA               | 128                                      |
| AES128-SHA            | 128                                      |
| AES256-SHA            | 256                                      |
| DES-CBC3-SHA          | 192                                      |
| DH-RSA-AES128-SHA     | 128                                      |
| DH-RSA-AES256-SHA     | 256                                      |
| DH-RSA-DES-CBC3-SHA   | 192                                      |
| DHE-RSA-AES128-SHA    | 128                                      |
| DHE-RSA-AES256-SHA    | 256                                      |
| DHE-RSA-DES-CBC3-SHA  | 192                                      |

Veracode generates its private key on a pristine, non-networked host, and the key is adequately protected throughout its lifespan: it is securely transferred to the production system, guarded by filesystem protections, and knowledge of its passphrase is limited to N people on a need-to-know basis.

The generated certificate signing request is sent to the Certificate Signing Authority (Go Daddy, Inc.) and the signed certificate is returned.

Private keys and the signed certificate are deployed to the SSL termination device (load balancer) and stored encrypted on the local filesystem. Attended startup is required, with an administrator manually entering a passphrase in order to decrypt the private key and load it into memory.
How long does Veracode store application code?
Customer files are deleted from the file share within 30 days of their security account being terminated.
Files are deleted in compliance with C2/Military security standards (DoD 5220.22-M) utilizing a triple
pass/wipe strategy.


How does Veracode protect data at rest?
The following keys are used by Veracode to protect customer accounts and data:
User password hash
Oracle Wallet key
Application key
Account key
Backup key
| Secret Material | Algorithm | Generation | Storage | Lifespan/Rotation Policy | Accessible By |
|---|---|---|---|---|---|
| User Password Hash | SHA-256 | PRNG used to generate salt (Java SecureRandom) is combined with a Veracode Secret Component and the user password. This value is then hashed using SHA-256. | Password hashes and salts are stored encrypted in the database with AES-128. | User passwords have an enforced lifespan of 90 days. | Application Tier, Oracle DBA |
| Oracle Wallet Key | AES-128 | Oracle initialization routine is performed that generates an installation-specific key. | The wallet key is stored encrypted in a PKCS #12 file. A DBA must provide a passphrase upon database startup to decrypt the master key, which in turn decrypts each table key. | Persistent key | Oracle DBA |
| Application Key | AES-128 | KeyGenerator utilizing SecureRandom method. | Application keys are stored encrypted in the database with AES-128. | Persists for the lifespan of the application. | Application Tier, Oracle DBA |
| Account Key | AES-128 | KeyGenerator utilizing SecureRandom method. | Application keys are stored encrypted in the database with AES-128. | Persists for the lifespan of the account. | Application Tier, Oracle DBA |
| Backup Key | AES-128 | Customer-specific key generated by SunGard OSB Transparent (randomly generated encryption keys) key generation type. | Stored by SunGard Availability Services on an administration server containing host-specific key stores. | Persists for the lifespan of the Veracode services contract. | Backup Administrator (SunGard) |
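The user password hash row above describes a salt from Java SecureRandom, combined with a server-side secret component and the password, then hashed with SHA-256. The following is an added example of that construction, not Veracode's code; the byte layout of the combination (salt, then secret component, then password) and the 16-byte salt length are assumptions, since the table does not state them.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

// Added example (not Veracode's code) of the table's password-hash scheme:
// hash = SHA-256(salt || secretComponent || password). The concatenation
// order and salt size are assumptions, not stated by the page.
public final class SaltedPasswordHash {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16; // assumed; page gives no size

    // Stands in for the "Veracode Secret Component": a server-side value
    // held apart from the database so a leaked table of hashes and salts
    // alone is not enough to reproduce a hash.
    private final byte[] secretComponent;

    public SaltedPasswordHash(byte[] secretComponent) {
        this.secretComponent = secretComponent.clone();
    }

    // Fresh per-user salt from the platform CSPRNG (java.security.SecureRandom).
    public byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    // Computes SHA-256 over salt || secretComponent || password.
    public byte[] hash(byte[] salt, byte[] password) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            sha256.update(salt);
            sha256.update(secretComponent);
            sha256.update(password);
            return sha256.digest();
        } catch (NoSuchAlgorithmException e) {
            // Every JDK must provide SHA-256, so this is a configuration fault.
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    // Recomputes the hash and compares in constant time, so response timing
    // does not reveal how many leading bytes of the stored hash matched.
    public boolean verify(byte[] salt, byte[] password, byte[] storedHash) {
        return MessageDigest.isEqual(hash(salt, password), storedHash);
    }
}
```

A single SHA-256 pass is fast by design; current guidance for password storage prefers a deliberately slow, salted hash (bcrypt, scrypt or Argon2) so that offline guessing against a leaked table is expensive. Call `newSalt()` once per user and store the returned salt next to the hash, as the table describes.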