|Headquarters||Burlington, Massachusetts, U.S.|
|Key people||Robert T. Brennan, CEO
Chris Wysopal, Co-Founder, CTO and CISO
Ed Goldfinger, CFO
Christien Rioux, Co-Founder and Chief Scientist
Ed Jennings, EVP, Sales, Marketing and Services
Greg Nicastro,EVP, Product Strategy and Development
Vivian Vitale, EVP, Human Resources
Sam King, EVP, Corporate Development
Bob Walmsley, SVP, Global Sales
Chris Eng, VP of Security Research
Mark Kriegsman, Director of Engineering
Veracode is a Burlington, Massachusetts based application security company offering a cloud-based platform for application risk management. Veracode was founded in 2006 by a team of application security practitioners from @stake, Guardent, Symantec, and VeriSign to provide an automated third party application security review service. The core technology of Veracode's service is a static code analysis engine that analyzes compiled applications for security flaws.
Veracode's core technology, originally called SmartRisk Analyzer, was created by Christien Rioux as an @stake research project to automate the identification of security flaws in compiled code. After @stake was purchased by Symantec, Rioux and Chris Wysopal worked with Jeff Fagnan from Atlas Venture and Maria Cirino from .406 Ventures to spin the technology out as an independent company. The first demonstration of the Veracode service was at the RSA Security trade show in February 2007.
Veracode has won awards from industry press and analysts, including Gartner, who named Veracode a "Cool Vendor" in 2008; SC Magazine's Best Security Solution for Financial Services in 2009 and Information Security Product of the Year for 2012; the 2009 SD Times 100; and the Wall Street Journal 2008 Technology Innovation Award for Network Security. Veracode was positioned as a Leader in the 2010 Gartner Magic Quadrant for Static Application Security Testing, and as a Visionary in the 2011 Gartner Magic Quadrant for Dynamic Application Security Testing. In January 2013 Forbes named Veracode to its list of America's Most Promising Companies at #20.
Veracode offers security assessments of applications through a variety of technologies, including static code analysis on compiled binary executables or bytecode; dynamic web application analysis; and manual penetration testing and source code review. The capabilities are delivered through a software as a service platform and are sold by subscription. Using the Veracode platform, users can detect and triage flaws, get a security rating, and review findings and metrics about their applications.
Veracode supports analysis of binaries, bytecode, and other application formats in a variety of different languages, platforms, and compilers, including C, C++, Java, .NET bytecode, PHP, ColdFusion, Ruby on Rails, Windows Mobile, BlackBerry, Android, and iOS.
Comparing Veracode's static binary analysis to other static source code analyzers, Doug Dinely in InfoWorld wrote, "Veracode has produced an offering that differs from other static security analyzers in two important respects. First, it analyzes the application binary, not the source code, allowing security testing to be done as part of the development process or even when source code is not provided or available. Second, it's provided as outsourced service: customers send Veracode the binary, then Veracode sends back a report."
Veracode provides the "VerAfied" security mark as a quality indicator for the security level of applications and software components. Veracode's ratings are based on industry accepted standards for software assessment including CWE and CVSS against vulnerability benchmarks such as the OWASP Top 10 and CWE-SANS Top 25.
Veracode's security research group maintains the blog Zero in a bit. The team has co-authored the book The Art of Software Security Testing and published research, including "Static detection of application backdoors," "Anti-Debugging, a Developer's View", "Detecting Certified Pre-Owned Software" and "BlackBerry Mobile Spyware"
- Messmer, Ellen (2007-01-09). "Start-up Veracode offers code security evaluation online". Network World. Retrieved 2010-02-16.
- "Veracode Launches Application Security Company and Secures $19.5 Million in Funding". Atlas Ventures. 2007-01-22. Retrieved 2010-02-16.
- "Veracode to Demo Service at RSA Conference 2007". 2007-01-30. Retrieved 2010-02-16.
- Denison, D.C. (2011-11-29). "Veracode hires Iron Mountain CEO". Boston Globe. pp. B5 ff.
- Wagner, Ray; Joseph Feiman, Neil MacDonald, Arabella Hallawell, Ant Allan, Gregg Kreizman (2008-04-04), Cool Vendors in Application Security and Authentication, 2008, Gartner, G00156005
Related press release: "Veracode Named "Cool Vendor" by Leading Analyst Firm". 2008-04-08. Retrieved 2010-02-16.
- Raywood, Dan (2009-04-29). "SC Magazine Awards Europe 2009 - Winners Announced". SC Magazine.
- raywood, Dan (2012-04-24). SC Magazine Awards Europe - Winners Announced. Retrieved 2012-07-24.
- "SD Times 100: 2009". 2009-06-12. Retrieved 2010-02-16.
- "Technology Innovation Winners". Wall Street Journal. Retrieved 2010-02-16.
- Feiman, Joseph; MacDonald, Neil (2010-12-13). "Magic Quadrant for Static Application Security Testing" (PDF). Retrieved 2011-01-14.
- Feiman, Joseph; MacDonald, Neil (2011-12-27). "Magic Quadrant for Dynamic Application Security Testing". Retrieved 2012-07-24.
- "Veracode on the Forbes America's Most Promising Companies List". Retrieved 2013-02-12.
- "Free Service FAQs". Veracode web site. Retrieved 2011-05-17.
- Dinely, Doug (2008-06-02). "2008 InfoWorld CTO 25: Chris Wysopal, Veracode". InfoWorld. Retrieved 2010-03-05.
- Wysopal, Chris; Lucas Nelson, Dino Dai Zovi, Elfriede Dustin (2006). The Art of Software Security Testing. Addison-Wesley. ISBN 0-321-30486-1.
- Wysopal, Chris; Chris Eng and Tyler Shields (March 2010). "Static detection of application backdoors". Datenschutz und Datensicherheit - DuD 34 (3). doi:10.1007/s11623-010-0024-4. ISSN 1862-2607.
- Shields, Tyler (2009-03-13), "Anti-Debugging, a Developer's Viewpoint" (PDF), SOURCE Boston 2009, archived from the original on 2009-03-13, retrieved 2010-02-16, lay summary
- Wysopal, Chris (2009-03-25). "Detecting Certified Pre-Owned Software" (PDF). BlackHat-Europe.
- Shields, Tyler (2010-02-07). "BlackBerry Mobile Spyware" (video). Shmoocon 2010. Retrieved 2010-02-16.