Veracode - English
Joost de Jong January, 2017 Veracode Introduction

Uploaded by thiago-pereira, posted 21 Feb 2017

Page 1: Veracode - English

Veracode Introduction

Joost de Jong, January 2017

Page 2

The world is under attack from cybercrime and nation states

Page 3

The analyst view: Gartner

Description: Veracode is a U.S.-based, well-established and rapidly growing provider of SAST and DAST cloud services, software supply chain testing and mobile AST. For SAST, Veracode has been a pioneer in the analysis of binary code, not requiring the source code for testing. Its 2012 acquisition of Marvin Security accelerated its mobile AST capabilities, where it was also an early innovator. In 2014, Veracode added integrated software composition analysis capabilities into its AST services for the identification of vulnerable open source components. Veracode's AST services will meet the requirements of organizations looking for a broad set of AST services — SAST, DAST and mobile AST — that want to delegate their AST and SCA to a third-party expert with a strong reputation for the quality of its services and demonstrated innovation in application security.

Page 4

Applications are insecure

40% of breaches come through web applications

61% of apps do not pass the OWASP Top 10 on first assessment

97% of Java applications contain a known vulnerability in a third-party component

Sources: Verizon Data Breach Investigations Report 2016; Veracode State of Software Security 2016

Page 5

And companies aren't equipped to address it

0 of the top 10 computer science universities require students to take a cybersecurity class for their degree in computer science

11% of developers could correctly answer what helps to protect against cross-site scripting in a recent survey by Denim Group

4:3 is the ratio of InfoSec professionals to InfoSec jobs on LinkedIn

Sources: Dark Reading; Denim Group

Page 6

The Questions We Hear From Customers

How Can We…

Build and deploy applications faster while reducing business risk?

Reduce our risk even as we build, buy and integrate more software than ever?

Defend applications in production while traditional security erodes in effectiveness?

Spend our security budget most efficiently so we can focus more on adding business value?

Shorten time to value for the investments we make?

Improve capabilities without new hiring for hard-to-find skillsets?

Page 7

A Lifecycle Approach Reduces Cost, Risk

[Chart: Cost to Remediate (vertical axis) against the Application Lifecycle (horizontal axis: Develop, QA, Operate, Exploit); the cost labels along the curve read $, $$ and $15.4 million*. *Verizon Breach Report, 2015]

Page 8

Application Security Transforms to Meet These Needs

[Diagram: the Application Lifecycle (Develop, QA, Operate) annotated with what application security must deliver at each stage: Unified Platform, Strong Ecosystem, Speed, Productivity, Seamlessness, Accuracy, Stability, Integration, Actionability, Coverage]

Page 9

Automate & Integrate Throughout App Lifecycle

Pipeline stages: Code, Commit, Build, Test, Release, Deploy, Operate (grouped as Build or Buy / Test / Operate; practiced as DevOps, CI/CD, Agile)

Veracode products across the pipeline:

+ Veracode Greenlight

+ Veracode Static Analysis

+ Veracode Web Application Scanning

+ Veracode Runtime Protection

+ Veracode Software Composition Analysis

+ Veracode APIs for Custom Integrations

Integration points: IDEs, GRCs, SIEMs, WAFs, Bug Tracking, CI/CD Systems, Build Tools

Security Assurance: Continuous Testing & Integration; Continuous Scanning & Protection

Page 10

Covering Your Entire SDLC

SDLC stages: Develop, Test, Operate

Automation:

+ Veracode Greenlight

+ Veracode Static Analysis

+ Veracode Software Composition Analysis

+ Veracode DAST

+ Veracode Runtime Protection

+ Veracode Web Application Perimeter Monitoring

+ Veracode eLearning

Services:

+ VC/Partner Manual Penetration Testing

+ VC/Partner Mitigation Proposal Review

+ VC/Partner Vendor Application Security Testing

+ Veracode Support Services

+ VC/Partner Program Management

+ VC/Partner Remediation Advisory Services

Page 11

How we're different: cloud-based automation

END-TO-END: Single central platform

+ Central policies & metrics for consistent controls across global BUs & dev teams

+ Best solution for reducing software supply chain risk

+ Easiest way to embed appsec across dev, security, ops

+ Broad coverage via multiple techniques (SAST, DAST, behavioral, web perimeter & SCA) across web, mobile and legacy apps

BUILT FOR SCALE

+ Shortest time to risk reduction at scale

+ Purpose-built as an automated cloud-based service

+ Platform is continuously learning to address new threats & reduce false positives

+ Fast turnaround & tight integration with agile development workflows via APIs

SYSTEMATIC: Reduced enterprise risk

+ Transform de-centralized processes into structured governance programs

+ Security development experts to help fix security issues

+ Best practices learned from securing the world's largest global enterprises

+ Single point of accountability & focus on successful outcomes

Page 12

MARKET LANDSCAPE

Page 13

The analyst view: 451 Group

451 Research Vendor Window: Dynamic/Static Application Security Tools (DAST/SAST)

Source: 451 Research, Voice of the Enterprise: Information Security, Q3 2015

[Scatter chart: Promise Index (horizontal axis, 60 to 85) against Fulfillment Index (vertical axis, 60 to 85); circle size reflects market adoption. Plotted vendors: Veracode Application Security Software, WhiteHat Security Sentinel, Tenable Nessus, Qualys Web Application Scanning (WAS), HP Fortify, IBM Application Security, Open Source Solution, Other Vendors. Quadrants: Low Promise, High Fulfillment (upper left); High Promise, High Fulfillment (upper right); Low Promise, Low Fulfillment (lower left); High Promise, Low Fulfillment (lower right).]

The Vendor Window plots enterprise adoption as well as Promise and Fulfillment Indices that compare a measure of perceptions of vendor's promise prior to actual product/service delivery with a measure of execution effectiveness. It is based on large sample surveys of existing customers that are currently using each vendor's product. A vendor located in the upper right quadrant — under-promising and over-delivering — is rated highly for both its promise and ability to fulfill relative to its peers. Conversely, a vendor in the lower left quadrant rates lower than its peers on the same criteria. The Vendor Promise Index is designed as a measure of perceptions of vendor's promise prior to actual product/service delivery and use. The Vendor Fulfillment Index is designed as a measure of execution effectiveness criteria which are related to the physical product/service delivery and customer experience of using the product or service. The intersecting lines indicate the average vendor score. Source: 451 Research, Voice of the Enterprise: Information Security, Q3 2015

Vendor                                             Promise Score   Fulfillment Score
Average                                                   73              72
Veracode Application Security Software                    80              77
WhiteHat Security Sentinel                                73              75
Qualys Web Application Scanning (WAS)                     72              73
Tenable Nessus                                            72              73
IBM Application Security                                  73              69
HP Fortify                                                72              69
Open Source Solution (OpenVAS, Burp Suite, etc.)          65              67
Other Vendors                                             77              77

Sample sizes: Veracode Application Security Software, n=14; WhiteHat Security Sentinel, n=11; Qualys Web Application Scanning (WAS), n=16; Tenable Nessus, n=32; IBM Application Security, n=34; HP Fortify, n=31; Open Source Solution (OpenVAS, Burp Suite, etc.), n=29; Other Vendors, n=35; Total Respondents, n=202.

Non-listed vendors: Checkmarx CxSAST, Rapid7 AppSpider, Trustwave App Scanner Family (formerly Cenzic)

Page 14

THANK YOU