
Veracode offers SecurityReview for application risk management 
14 April, 2009 By Liam Lahey

Cloud-based application security provider Veracode has released the results of a study it commissioned from Forrester Research on the state of software security and on what enterprises are doing to protect the critical data that resides in their applications. Among the findings: exploitation of software vulnerabilities is a major cause of data breaches, with 62 percent of responding companies reporting that they experienced a breach in the last 12 months that exploited a vulnerability in software.
Veracode recently expanded its SecurityReview subscription service into a broader approach to managing application security risk across a diverse enterprise application portfolio, including internally developed, purchased, outsourced and open source applications. The enhanced Application Risk Management Platform lets enterprises and ISVs apply centralized governance and controls for software security across their entire software infrastructure while also providing continuous skills development for internal and extended development teams.
Matt Moynahan, CEO of Veracode, said the software industry is the largest industry in the world with no uniform understanding of security quality, and touted Veracode's ability to perform vulnerability analysis on binaries rather than solely on an application's source code.
"We do a security assessment or a code review and find all the bad programming errors in an application without looking at source code," he said. "Most applications are a hodge-podge of code coming from a lot of different sources; we look at the binary, we look at 100 percent of the code."
As an on-demand, in-the-cloud service, customers don't need to know anything about security, he continued. "All they need to do is send us the application they're building or buying or outsourcing to third parties and we can perform a complete assessment on that application . . . and help fix it," he said.
The on-demand platform ranges from managing and tracking application assets through to providing automated security assessments and e-learning tailored to how an organization is doing.
"It's a complete, integrated solution . . . that a large enterprise or a small customer could implement without deploying any hardware or software whatsoever and start implementing best practices as it relates to application security testing," Moynahan continued. "To date, the alternative is hiring humans to look line by line at code or use a source code checker that can't look at 100 percent of the application . . . it brings application security to the mass market."
He said Veracode's offering is a software-as-a-service, in-the-cloud model and that no other vendor is doing it quite this way. Another part of the announcement is Veracode's release of an open source ratings database.
"In this economic environment, the use of open source is getting a lot of traction . . . the greatest challenge with using open source software is not knowing how secure it is," he said. "Our open source rating database allows executives and developers to go into a database and find some of the most popular and most commonly used applications and components and find a security score associated with them. This is an important step in essentially developing a rating system for software security and we're making it available to our enterprise customers."
Veracode touts two channel models: a reseller model, in which partners that provide manual services resell the subscription and wrap value-added services around it; and an OEM model, in which consultancies use Veracode's infrastructure to deliver the services themselves.
"Historically, SaaS hasn't been channel friendly . . . we've been fortunate to learn important lessons not only as a SaaS company but as a SaaS security company . . . channel partners today make money by selling software, hardware, or services," Moynahan said. "We wanted to provide them an automated platform and the ability to continue to do those manual services . . . and upload all their value-added services into the platform so they can still maintain account control.
"That was one of the things we learned to accommodate as we built out our channel program."
Veracode has partnerships with Telus, Ciber, and Accenture. A new partnership with Equaterra, the second-largest outsourcing advisory firm in the world, will be announced soon. Equaterra advises companies on outsourcing application development and on putting in place the metrics to govern the security of those contracts.
"Customers don't just want to do a one-off assessment of their applications but an on-going health approach to their application portfolio," he added. "This business was built for an indirect and channel model."
"A lot of VARs traditionally are flocking to the security space at the network layer. They're selling Cisco, Juniper, and Fortinet," said Mike Puglia, director of product marketing, Veracode. "One of the things we've all seen is increases in data breaches . . . we did a joint survey of over 200 organizations with Forrester, and data breaches are on the rise, but what's causing it? We found over 62 percent of companies that responded said they've experienced breaches in the last 12 months, and that those breaches came via vulnerabilities in software that were exploited.
"We're seeing the market forces react to that and we're seeing VARs trying to shift their businesses and services from the network layer to the application layer."
For more information, go to www.veracode.com.