Veracode, Inc. - Experts & Thought Leaders

Veracode, a global pioneer in application risk management announced the acquisition of Longbow Security, a pioneer in security risk management for cloud-native environments. The acquisition marks the next exciting phase of Veracode, underscoring the company’s commitment to helping organisations effectively manage and reduce application risk across the growing attack surface. Automated issue investigation The integration of Longbow into Veracode enables security teams to discover cloud and application assets quickly and easily assess their threat exposure using automated issue investigation and root cause analysis. Longbow provides a centralised view of risk for cloud assets and applications, thereby simplifying complex workflows, enabling faster and more effective remediation, and improving overall security posture. The result is reduced risk and fewer vulnerabilities in applications and cloud infrastructures. Operational complexity Organisations require a deeper understanding of their risk profile within changing environments Increased adoption of cloud infrastructure, combined with developers taking on more responsibility for the creation, deployment, and security of software, has introduced operational complexity. Organisations require a deeper understanding of their risk profile within changing environments and a continuous security feedback loop throughout the software development life cycle. Comprehensive risk viewing “Security teams are drowning in alerts that lack sufficient detail on the level of business risk, degree of exploitability of a flaw, and specific code-level insight to keep pace with remediation requirements. As a result, risk continues to accumulate,” said Brian Roche, Chief Product Officer at Veracode. “With the combination of Veracode and Longbow, teams can get a comprehensive view of their risk, automate prioritisation of what matters most, and, with Veracode Fix, automate remediation of code security flaws.” Simplifying Cloud Application Security With 71 percent of organisations shouldering the burden of “security debt” (flaws in applications that remain unfixed for one year), teams must act quickly to reduce their threat exposure. Yet, sufficient visibility and alert fatigue continue to plague cloud and application security professionals. With Longbow, Veracode customers can address these challenges in four ways: Unified visibility of risk across applications, code, and cloud. This gives teams insight into tackling significant issues that matter most to the business. Orchestrated remediation from code to cloud, enabling teams to prioritise and remediate with Veracode’s AI-driven fix capabilities. Actionable insights with ‘Best Next Action’ advice, so customers can conduct a root cause analysis and pinpoint the best path to remediation. Continuous monitoring and assessment via real-time vulnerability discovery across application portfolios and runtime environments, meaning customers know exactly what is running and where. Visibility, automation, and remediation capability Derek Maki, Co-Founder & Chief Product Officer at Longbow said, “We founded Longbow with a mission to simplify an increasingly complex application security risk management process and help organisations reduce risk at scale." "By joining forces with Veracode, our combined solutions provide unmatched visibility, automation, and remediation capability for security and engineering teams. We are excited to take cloud-native application security to the next level.” Application security posture management “This is the perfect fit for Longbow,” said Dayne Myers, Co-founder & Chief Executive Officer of Longbow. “After careful consideration, we believe that our technology and team align seamlessly with Veracode's vision, making this the best choice for Longbow’s future." “We’re thrilled to welcome Longbow to Veracode and expand our platform capabilities with industry-pioneering application security posture management for today’s enterprise requirements,” closed Sam King, Chief Executive Officer at Veracode. Holistic application risk management platform “The integration of our solutions provides organisations with a holistic application risk management platform that spans code to cloud." "Veracode combined with Longbow advances the field of application security and enables customers to secure their increasingly complex application landscape more efficiently.” Longbow is available immediately.

Veracode, a global provider of intelligent software security, has released research indicating applications developed by organisations in Europe, Middle East and Africa tend to contain more security flaws than those created by their U.S. counterparts.  Across all regions analysed, EMEA also has the highest percentage of ‘high severity’ flaws, meaning they would cause a critical issue for the business if exploited. High numbers of flaws and vulnerabilities in applications correlate with increased levels of risk, which is particularly notable as software supply chain cyberattacks dominate headlines in 2023. Application lifecycle Researchers found that just over 80 percent of applications developed by EMEA organisations had at least one security flaw detected in their most recent scan over the last 12 months, compared to just under 73 percent of U.S. organisations. In addition, the percentage of applications containing ‘high severity’ flaws was the highest of all regions, at almost 20 percent. Percentage of applications containing ‘high severity’ flaws was the highest of all regions, at almost 20%  "Our data shows that organisations globally are continuing to deploy a worrying number of applications with a high number of flaws in the CWE Top 25,” said Chris Eng, Chief Research Officer at Veracode, adding “We did, however, identify interesting regional differences, particularly in terms of third-party or open-source code usage and the ways in which vulnerabilities are introduced across the application lifecycle.” EMEA-specific findings Analysis of data collected from more than 27 million scans across 750,000 applications helped to produce Veracode’s latest annual report on the State of Software Security. This new report showcases the EMEA-specific findings from those scans and applications, including results from UK, Germany, France, Italy and across the Middle East and Africa. Numbers alone don’t convey the consequences of hackers exploiting software vulnerabilities. With organisations across EMEA utilising an ever more complex mix of third-party software to deliver their services, the exploitation of a serious vulnerability can impact thousands of victims at once. Earlier this year, a vulnerability affecting printing software tools PaperCut MF and PaperCut NG was actively abused by threat actors. Up to 70,000 organisations in 200 countries became potential victims, and law enforcement reports found threat actors successfully compromised vulnerable entities in the education sector.  Java and Third-party Code Introduce Significant Security Flaws  Java usage is key factor in higher percentage of vulnerabilities introduced into applications in region The research identified notable regional differences in preferred language usage, with Java revealed to be the preferred language for developers in EMEA. Teams using Java were found to remediate flaws at a slower rate than those using .NET or JavaScript, causing many of these flaws to persist or remain undiscovered for significantly longer.  Moreover, as over 95 percent of Java applications are comprised of third-party or open-source code, Java usage is a key factor in the higher percentage of vulnerabilities introduced into applications in the region. This highlights the importance of software composition analysis (SCA), which picks up flaws in open-source code, and the research found a higher proportion of flaws reported by SCA in EMEA than in other regions. Public GitHub repositories As generative AI continues to gain strong traction in software development, the risk of vulnerabilities from external sources increases. A study, presented at Black Hat in 2022, showed vulnerabilities in 40 percent of code that had been written by large language models trained on vast troves of unrefined data, including millions of public GitHub repositories. It is, therefore, vital organisations leverage SCA tools to find and fix flaws, empowering developers to take advantage of AI without compromising the security of applications.  Applications Become More Vulnerable Over Time  Overall, the baseline chance that a flaw will be introduced in any given month was 27 percent The research also showed new flaws continue to be introduced into EMEA applications at a far higher rate across the entire application lifecycle than in other regions. While EMEA organisations kept updating applications, there was less of a focus on quality. After a five-year timespan, 50 percent of applications in EMEA continue to introduce new flaws, compared to just over 30 percent for the rest of the world. Overall, the baseline chance that a flaw will be introduced in any given month was 27 percent.   As such, EMEA organisations would benefit from paying more attention to the latter portion of the application lifecycle and scanning applications more regularly. They should also prioritise security training for developers, with the research finding completion of 10 interactive security labs reduces the probability of flaw introduction from 27 percent to about 25 percent in any given month. State of Software Security report “This year’s State of Software Security report shines a light on the importance of security across the entire software lifecycle, as well as the urgent need to address risks posed by third-party and AI-generated code,” said Chris Eng, adding “Whilst across the board globally we are still seeing a concerning volume of vulnerabilities, these figures are higher in EMEA across almost all measurements. Development teams in this region must take the opportunity to automate software security for regular scanning, and carefully consider their use of AI tools, both to increase security and empower developers.”  The Veracode State of Software Security EMEA 2023 recommends four actions software development teams can take to improve their cybersecurity posture.

Veracode, a global provider of intelligent software security solutions, announced it has been named a Leader in The Forrester Wave™: Static Application Security Testing, Q3 2023. The annual report, which evaluates 11 top vendors in the market against 26 criteria, helps security professionals select a static application security testing (SAST) vendor that best fits their needs. In this evaluation, Veracode received the highest score ahead of all competitors included in the report. The report notes, “Veracode is a great fit for enterprises looking to roll out and scale a comprehensive application security programme.” FedRAMP and StateRAMP Veracode’s SAST analysis is part of a software-as-a-service (SaaS) platform that includes dynamic application security testing, software composition analysis, container and infrastructure-as-code (IaC) scanning and developer training. StateRAMP provides a wide security framework created to enhance cloud security for state government Veracode is the only vendor evaluated by Forrester Wave to achieve the Federal Risk and Authorisation Management Programme (FedRAMP) and State Risk and Authorisation Management Programme certification (StateRAMP). FedRAMP is a government-wide programme that provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services. StateRAMP provides a comprehensive security framework designed to improve cloud security for state and local governments.  Veracode’s future vision The Forrester Wave™ report states, “Veracode differentiates with reporting, remediation, and a programmatic approach.” Veracode offers a wide range of metrics and KPIs to meet customer needs, including fixed rate, security trends and policy compliance, all in a digestible format. The report also highlighted Veracode’s future vision, which aims to “lower the development burden while providing security with a 360-degree view of the application risk landscape.” This vision includes “an exciting roadmap with AI-powered features for flaw prevention, automated remediation, intelligent prioritisation, and cross-correlation of application security testing (AST) scans."  The report notes, “Veracode Fix is a noteworthy innovation that utilises generative AI to automatically generate fixes for a finding. Veracode introduced Veracode Fix earlier this year, which utilises generative AI to automatically suggest remediations for security flaws found in first-party code."