
Trusted Code Initiative (update 2017) - Code Analysis and Vulnerability Monitoring

6. Code Analysis and Vulnerability Monitoring

Regular Code Review, Scoring and Update

Purpose: Develop and administer methodologies and practices that scan, analyze and measure the security, vulnerability, administrative/license compliance and status of Trusted Code assets and resources, and provide customized/unique reports, updates and vulnerability scoring on the status of each element as defined within each deployed environment.

Objectives: To leverage existing scanning, analysis and vulnerability processes and products in order to provide customized results for subscribing clients and general information for public access consumption.

Participants: The primary objective of the Trusted Code Initiative is to serve the broadest needs of the Government's enterprise technology network.  This will require close participation by Government representatives to identify the specific problem sets, challenges and solution models that will address their needs.  Likewise, commercial stakeholders will serve to help formulate solutions to address these needs.  The Trusted Code Foundation will serve as the “common table” from which discussion and collaboration will occur.

Managed by:  Administration of activities will be managed by Trusted Code staff in conjunction with public and private-sector stakeholders.

Outcome/Deliverables:  Key to the Trusted Code Analysis and Monitoring solution is to clearly identify the needs of targeted Government and industry consumers.  This focus will initiate from a needs analysis and solution set with Trusted Code Foundation's Government and Commercial participating members.  As the Trusted Code solutions grow, solutions as a service will be offered to non-member entities.

The intention is to identify categories of common needs within Federal, state and local government entities and provide the updates to this primary audience through a Blanket Purchase Agreement (BPA) or similar mechanism.

Funding: Initial funding will be provided by Government and commercial stakeholders. The model must clearly identify a value and viable business model so the activities can become self-sustainable.

Time Line: TBD

Analysis & Vulnerability Scanning Model Example 1: FAIL

Software component is submitted to Trusted Code Foundation for analysis.

There is a nominal fee to offset the expense of scanning the code against a variety of commercial (and government) scanning engines.

Upon completion of scan, a report is generated and provided only to the Submitter.  The report identifies all vulnerabilities and provides a cumulative score for the code package.

The Submitter is encouraged to correct the flaws and resubmit the code for (one) additional scan at no charge.

The objective is to identify vulnerabilities and provide an incentive for the Submitter to correct the flaws and resubmit the code for review.  By providing the report only to the Submitter, corrections can be made to enhance the quality of the code without initial stigma. However, if the code fails to qualify after additional scans, a report will be posted to the Trusted Code Repository so that the presence of vulnerabilities is visible to anyone using the Trusted Code system.

Analysis & Vulnerability Scanning Model Example 2: PASS

Software component is submitted to Trusted Code Foundation for analysis.

There is a nominal fee to offset the expense of scanning the code against a variety of commercial (and government) scanning engines.

Upon completion of the scan, a report is generated and provided only to the Submitter.  The report identifies all vulnerabilities and provides a cumulative score for the code package.

If the code package is scored above a pre-determined level, and the additional documentation and support requirements are met, then the code is included in the Trusted Code Repository and is available for download by public and private sector adopters.

Additional requirements for code to receive the Trusted Code designation are listed in the accompanying graphic.