There are four possible states for verification status:
- No status: No verification status is available.
- Fail: If a vulnerability was identified; therefore, the task has not been completed correctly.
- Pass: If the scanning solution or manual test did not identify any vulnerabilities and there is a low likelihood of a false negative with supported technologies.
- Partial pass: If the scanning solution or manual test did not identify any vulnerabilities and there is some likelihood of a false negative. Alternatively, the scanning solution or manual test can only test a portion of the vulnerability. You may wish to supplement these tasks with additional manual testing.
For example, using an automated scanning solution (i.e. Veracode) to check/verify that the application binds variables in SQL statements to prevent against SQL injection.
Each verification tool leaves a note in the system with the following fields:
- Status: Fail, pass or partial pass.
- Date: When the test results were imported.
- Details: Information about the verification result(s).
- History: If you have previously imported other scanner results, the previous results will appear in the history. Results are grouped by the specific scanning tool you use (e.g. Fortify, Veracode, AppScan, etc.), and sorted in chronological order from newest to oldest.