|Founder||Chris Wysopal, Co-Founder, CTO and CISO
Christien Rioux, Co-Founder and Chief Scientist
|Headquarters||Burlington, Massachusetts, United States|
Veracode is an application security company based in Burlington, Massachusetts. Founded in 2006, the company offers an automated cloud-based service for securing web, mobile and third-party enterprise applications. Veracode provides multiple security analysis technologies on a single platform, including static analysis, dynamic analysis, mobile application behavioral analysis and software composition analysis.
Major investors include .406 Ventures, Atlas Venture, STARVest Partners and Meritech Capital Partners. In its most recent funding round, announced September 11, 2014, the firm raised US$40 million in a late-stage investment led by Wellington Management Company with participation from existing investors.
Gartner recognized Veracode as a Leader in the 2014 Gartner Magic Quadrant for Application Security Testing.
- 1 History
- 2 Products
- 2.1 Cloud-Based Platform
- 2.2 Binary Static Analysis (SAST)
- 2.3 Software Composition Analysis
- 2.4 Dynamic Application Security Testing (DAST)
- 2.5 Web Application Perimeter Monitoring
- 2.6 Vendor Application Security Testing (VAST)
- 2.7 Mobile Application Security
- 2.8 Services
- 3 Recognition
- 4 See also
- 5 References
- 6 External links
Veracode was founded by Chris Wysopal and Christien Rioux, former engineers from @stake, a Cambridge, Massachusetts-based security consulting firm known for employing well-known security experts including former “white hat” hackers from L0pht Heavy Industries.
Veracode's core technology, originally called SmartRisk Analyzer, was created by Rioux as an @stake research project to automate the identification of security vulnerabilities in compiled code. After @stake was purchased by Symantec in 2004, Rioux and Wysopal worked with Jeff Fagnan from Atlas Venture and Maria Cirino from .406 Ventures to spin the technology out as an independent company, with key patents on binary static analysis. The company was formally launched at the RSA Conference in February 2007.
On November 29, 2011, the company announced that it had appointed Robert T. Brennan, former CEO of Iron Mountain Incorporated, as its new chief executive officer.
Veracode customers are enterprises from diverse industries including banking, insurance, manufacturing, health care, energy, retail and technology. As of 2014, the company’s cloud-based service safeguards more than 600 organizations worldwide, including three of the top four banks in the Fortune 100 and more than 25 of the world’s top 100 brands.
Veracode claims to offer a simpler and more scalable way to reduce application-layer risk without slowing innovation. Its cloud-based service is used to identify and remediate common vulnerabilities exploited by cyber-attackers such as SQL injection and Cross-Site Scripting (XSS).
The Veracode platform aggregates security information from multiple analysis techniques, providing increased accuracy and coverage of application-layer security vulnerabilities. The platform provides centralized policies, metrics and reports and aids in information sharing across global teams and multiple stakeholders including development, security, IT operations and audit/compliance teams. It also provides automated compliance workflows for remediating and mitigating vulnerabilities, and integrates with agile development toolchains (e.g., Eclipse, Microsoft Visual Studio, JIRA, Jenkins) via APIs and plug-ins.
Binary Static Analysis (SAST)
Static Application Security Testing (SAST), or “white-box” testing, finds common vulnerabilities by performing a deep analysis of applications without actually executing them. SAST supplements threat modeling and code reviews performed by developers, finding coding errors and omissions more quickly and at lower cost via automation. It’s typically run in the early phases of the Software Development Lifecycle (before going into production deployment) when it’s easier and less expensive to fix problems.
Veracode’s patented binary static analysis technology analyzes binary code to create a detailed model of the application’s data and control paths. The model is then searched for all paths through the application that represent a potential weakness. For example, if a data path through the application originates from an HTTP Request and flows through the application without validation or sanitization to reach a database query, then this would represent a SQL Injection flaw.
Veracode’s binary static analysis technology analyzes all application code without requiring access to source code. This makes it well-suited to analyzing applications developed in-house as well as those developed by third-party developers -- such as SaaS-based applications, commercial off-the-shelf software (COTS) and outsourced applications -- without exposing their intellectual property in the form of source code.
Veracode holds or has exclusive license to two patents on binary static application security testing that have been validated in court. In a recent jury verdict against mobile application security company Appthority, both patents were upheld as valid, and Appthority was found to have infringed on one patent.
Software Composition Analysis
In October 2014, Veracode announced the addition of a software composition analysis capability to its product portfolio. Software Composition Analysis reduces risk from third-party and open source components. It provides an overview of all components in the application portfolio – including versions, frequency of usage, and license information -- and identifies components with known vulnerabilities. It also Includes information about the newest versions of a given component to aid developers in upgrading to versions that contain fewer vulnerabilities. In its October 2014 announcement, Veracode indicated that its data open source and commercial third party software components introduced an average of 24 known vulnerabilities per application.
Dynamic Application Security Testing (DAST)
Dynamic Application Security Testing (DAST) — also known as “black-box” testing — identifies architectural weaknesses and vulnerabilities in running web applications before cyber-criminals find and exploit them. DAST uses the same approach used by attackers when probing the attack surface, such as deliberately supplying malicious input to web forms and shopping carts.
Web Application Perimeter Monitoring
Veracode’s Web Application Perimeter Monitoring solution is a DAST technology that catalogs all web applications and analyzes them for vulnerabilities via a massively parallel, auto-scaling cloud infrastructure that is claimed to baseline risk across tens of thousands of sites in days or weeks.
Vendor Application Security Testing (VAST)
Veracode works directly with third-party vendors to assess and remediate their code and implement a governance process for reducing risk from third-party software based on industry best practices, using the same policies, metrics and reports used to govern in-house software. The Financial Services Information Sharing and Analysis Center described Veracode's VAST capability as "[managing] the process of collecting binary static analysis artifacts, while working with software vendors to embed software security in the development process. Additionally, the VAST program incorporates a shift of responsibility and cost burden onto the third party software vendors over time while also increasing the amount of software in scope for this control type for the financial intuition."
Mobile Application Security
Veracode’s behavioral analysis dynamically analyzes an application’s real-time behavior — in a sandbox — to identify risky actions such as data exfiltration to suspicious locations. Veracode’s cloud-based service then utilizes an advanced machine learning algorithm to compare the behavior of the app to a vast database of known malware and generate a risk rating for each application. This security intelligence is also integrated with MDM solutions such as MobileIron and IBM Fiberlink to enable enforcement of corporate BYOD policies.
Static analysis is also to identify code vulnerabilities in mobile applications such as buffer overflows and cryptographic flaws.
Remediation Advisory Services
These on-demand services help developers understand the results of Veracode’s assessments as well as prioritize and implement remediation and mitigation efforts. They also help developers efficiently incorporate secure coding skills and practices into existing development processes, including agile processes, without slowing down development.
Veracode security program managers (SPMs) augment customers’ staff by acting as outsourced program managers for the application security program, including providing best practices for implementing the program, on-demand expertise for development teams and a single point of contact for services and support. SPMs help companies define their application security program, policies and success criteria. They also work with customers to create appropriate engagement strategies for development teams and third-party vendors. Finally, they help with identifying opportunities for process improvements, automation and integration and with evaluating and revising the program.
Manual Penetration Testing
Veracode offers manual penetration testing services which add specialized human expertise to automated binary static and dynamic analysis. Manual testing is often required to identify vulnerabilities not easily found via automated testing, such as business logic flaws.
Veracode’s eLearning service helps developers become proficient in secure coding practices. It also helps organizations comply with PCI-DSS (Requirement 6.5) and other compliance requirements.
- Veracode was listed as a “Leader” in the Gartner Magic Quadrant for Application Security Testing.
- Analyst firm The 451 Group stated that “HP and IBM have long led the code/binary assessment category via prior acquisitions, but Veracode is poised to become a threat to its supremacy.”
- Veracode was named one of the 20 Coolest Cloud Security Vendors of the 2014 Cloud 100 by CRN Magazine, based on Veracode's cloud-based platform and SaaS solution for identifying vulnerabilities in internally developed and third-party applications. The publication also cites the company's expansion into securing mobile applications (in addition to previous support for web and legacy applications).
- Veracode is No. 20 on the Forbes Top 100 Most Promising Companies in America. Forbes uses metrics including revenue, valuation, hiring, quality of management team, investors, margins, market size and key partnerships to create this list.
- Veracode was listed as a Red Herring Top 100 North America winner for 2013. The Red Herring Top 100 award recognizes the leading private companies from the Americas, celebrating these startups’ innovations and technologies across their respective industries.
- The Veracode Vendor Application Security Testing (VAST) program won the 2013 Financial World Innovation Award in recognition of its solution to the complex problem of third-party application security.
- The Veracode Platform was chosen as SC Magazine’s Information Security Product of the Year. The award was in recognition of the company’s innovative Veracode Platform and the significant business and technical advantages it has brought to companies investing in the technology.
- Nusca, Andrew (2014-09-11). "Veracode raises $40 million, preps for an IPO". Fortune.com. Retrieved 2014-09-12.
- "About Veracode: Management". Retrieved 2014-12-10.
- Feiman, Joseph; MacDonald, Neil (2013-07-06). "Magic Quadrant for Application Security Testing". Retrieved 2014-07-16.
- Messmer, Ellen (2007-01-09). "Start-up Veracode offers code security evaluation online". Network World. Retrieved 2010-02-16.
- "Veracode Launches Application Security Company and Secures $19.5 Million in Funding". Veracode corporate page. 2007-01-22. Archived from the original on 2007-02-09. Retrieved 2015-01-09.
- "Veracode to Demo Service at RSA Conference 2007". 2007-01-30. Retrieved 2010-02-16.
- Denison, D.C. (2011-11-29). "Veracode hires Iron Mountain CEO". Boston Globe. pp. B5 ff.
- "Cybersecurity firm Veracode to hire 100 next year, readies for IPO". Boston Business Journal. 2014-12-09. Retrieved 2014-12-10.
- Nather, Wendy (2014-09-15). "Veracode v. Appthority jury returns split verdict but finds Appthority infringed on patent". 451 Research. Retrieved 2014-12-10.
- Rockwell, Mark (2014-10-23). "Is open source really a security concern?". FCW. Retrieved 2014-12-10.
- Financial Services Information Sharing and Analysis Center Third Party Software Security Working Group. "Appropriate Software Security Control Types for Third Party Service and Product Providers" (PDF). Retrieved 2014-12-10.
- Kennedy, Daniel (2014-01-27). "Market Dynamics - Information Security Wave 16". 451 Research. Retrieved 2014-12-04.
- "The 20 Coolest Cloud Security Vendors of the 2014 Cloud 100". CRN Magazine. 2014-01-29. Retrieved 2014-12-04.
- "Veracode - in Photos: America's Most Promising Companies: Top 25". Forbes Magazine. 2013-02-06. Retrieved 2014-12-04.
- "America's Most Promising Companies: The Top 25". Forbes Magazine. 2013-02-06. Retrieved 2014-12-04.
- "2013 Top 100 North America Finalists". Red Herring. Retrieved 2014-12-04.
- "Financial World Innovation Awards". Archived from the original on 2013-12-07. Retrieved 2014-12-04.
- "406 Ventures". 2012-04-27. Retrieved 2014-12-10.