Secure Coding Practices by CA when developing SV

Document ID : KB000125147
Last Modified Date : 23/01/2019
Introduction:
Large organisations often have a security risk assessment team that needs to assess the security risk of the software tools being used.
Question:
Our security risk assessment team wants to know if, in the development of products like Service Virtualization, CA observes secure coding practices.
Answer:
Please see the following document describing the secure coding practices we observe:
https://communities.ca.com/community/product-vulnerability-response/ca-technologies-secure-software-development-lifecycle-ssdlc

Securability Assessment of CA Service Virtualization 10.4
CA Service Virtualization 10.4 has been developed using CA’s standard securability strategies and tactics described in CA Technologies Customer Statement Regarding Secure Development Best Practices. The strategies and tactics used while developing CA Service Virtualization 10.4 include but are not limited to: Architectural Risk Analysis (Threat Modelling) performed by CA’s Securability Center of Excellence, static application security testing using Veracode, and penetration testing using IBM AppScan, Veracode and FlexNet Code Insight.
When applicable, our tools and processes use the Common Vulnerability Scoring System (CVSS), which calculates the score for each identified vulnerability based on multiple factors. Each identified vulnerability is classified as High risk if the CVSS score is 7.0 or higher and Medium risk if the CVSS score is in the range 4.0-6.9.
The final Penetration Test of CA Service Virtualization 10.4 was performed on 9/3/2018 on build 10.4.0.325; the product has remediated all issues identified during this test with a classification of High or Medium risk (CVSS score above 4.0).

Customer Statement Regarding Secure Development Best Practices
While the development, release and timing of any CA product remains at the sole discretion of CA, CA product development operates under an internal Product Securability Procedure (the “Procedure”) which provides guidelines and objectives for secure development of CA products. Among other things, the Procedure provides for securability standards minimum requirements as well as implementation of securability strategies and tactics during each phase of CA’s product development lifecycle. Such strategies and tactics include, but are not limited to:
● product classification based on risk rankings
● application of static application security testing (SAST) tool
● penetration testing.
The Product Vulnerability Response Team (PVRT) works with CA product development teams on the identification, reporting and remediation of vulnerabilities associated with CA products. The PVRT also provides information and updates regarding reported vulnerabilities for CA products and makes that information available to all CA enterprise customers on CA’s support website. Finally, through collaboration between CA Education, CA’s Securability Center of Excellence and CA’s Council for Technical Excellence, CA offers numerous education courses to its developers on secure coding best practices.