Please see the following document regarding the secure coding practices we observe: https://communities.ca.com/community/product-vulnerability-response/ca-technologies-secure-software-development-lifecycle-ssdlc
Securability Assessment of CA Service Virtualization 10.4

CA Service Virtualization 10.4 has been developed using CA's standard securability strategies and tactics described in the CA Technologies Customer Statement Regarding Secure Development Best Practices. The strategies and tactics used while developing CA Service Virtualization 10.4 include, but are not limited to: Architectural Risk Analysis (threat modelling) performed by CA's Securability Center of Excellence, static application security testing using Veracode, and penetration testing using IBM AppScan, Veracode and FlexNet Code Insight.

When applicable, our tools and processes use the Common Vulnerability Scoring System (CVSS), which calculates a score for each identified vulnerability based on multiple factors. Each identified vulnerability is classified as High risk if its CVSS score is 7.0 or higher, and as Medium risk if its CVSS score is in the range 4.0 to 6.9.

The final penetration test of CA Service Virtualization 10.4 was performed on 9/3/2018 on build 10.4.0.325. All issues identified during this test with a classification of High or Medium risk (CVSS score of 4.0 or higher) have been remediated in the product.
Customer Statement Regarding Secure Development Best Practices

While the development, release and timing of any CA product remains at the sole discretion of CA, CA product development operates under an internal Product Securability Procedure (the "Procedure") which provides guidelines and objectives for the secure development of CA products. Among other things, the Procedure provides for minimum securability standards as well as the implementation of securability strategies and tactics during each phase of CA's product development lifecycle. Such strategies and tactics include, but are not limited to:
● product classification based on risk rankings
● application of a static application security testing (SAST) tool
● penetration testing

The Product Vulnerability Response Team (PVRT) works with CA product development teams on the identification, reporting and remediation of vulnerabilities associated with CA products. The PVRT also provides information and updates regarding reported vulnerabilities in CA products and makes that information available to all CA enterprise customers on CA's support website.

Finally, through collaboration between CA Education, CA's Securability Center of Excellence and CA's Council for Technical Excellence, CA offers numerous education courses to its developers on secure coding best practices.