Browse through the materials below to learn what the industry is saying about best practices for application security.

Analyst Reports

Gartner Application Security Testing Magic Quadrant

Released on 1 July 2014

Veracode is a Leader in the Magic Quadrant

Read the "Magic Quadrant for Application Security Testing" (July 2014) to find out why there is a critical need to reduce risk in Web, cloud and mobile applications.

Gartner, Inc. 2014 “Magic Quadrant for Application Security Testing” by Neil MacDonald, Joseph Feiman. July 1, 2014

Get the full report

Gartner Technology Overview: Mobile Application Security Testing for BYOD Strategies

Released on 30 August 2013

According to Gartner, enterprises that embrace a BYOD strategy are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance. This research explains how to select and implement these new tools and practices.

Get the full report

451 Research: Veracode Eyes a VAST Opportunity in Third-Party Application Security Testing

Released on October 16th, 2012

Former CISO Wendy Nather explains how Veracode's SaaS offering "takes both effort and cost away from the enterprise CISO" and "lowers the barriers to appsec testing."

This independent report details the unique advantages of Veracode's binary static analysis technology for testing third-party applications. It describes how Veracode's cloud-based platform and program management service address the scale and complexity challenges of reducing third-party software risk enterprise-wide, and provides a SWOT analysis of the Veracode VAST Program.

Get the full report


Atlas Venture Explains Why You Need to Be a Secure Supplier

To sell your software to enterprises, your product needs to be scalable, reliable, and – above all – secure. If you are not prepared to address questions about the security of your software, you are not going to land substantial deals with Fortune 500 companies. However, security isn’t rocket science, and software vendors everywhere, especially start-ups like those backed by Atlas Venture, can benefit from becoming the “secure choice” in the market.

Register for the webinar

Gartner Session - Boeing Case Study: How to Secure the Software Supply Chain

During this presentation from the Gartner Security and Risk Management Summit, John Martin of Boeing outlines the steps Boeing took to implement a governance program for assessing the security of its third-party applications. In this presentation, John describes how Boeing’s structured approach holds vendor-supplied software to the same security standards for minimal acceptable risk as internally developed applications. He also discusses how the global manufacturer worked with Veracode to create a successful vendor application security testing program and how the program continues to evolve.

View the session

Boeing Case Study: How We Secure 300 Third-Party Applications

Boeing found that many successful attacks were linked to basic security vulnerabilities in vendor-supplied software, and over 90% of the software they tested had significant, compromising flaws. These vulnerabilities introduced unnecessary risk into critical applications — yet as the world's leading aerospace company and largest manufacturer of commercial jetliners and military aircraft, Boeing needs to rely on its third-party software as a means of speeding up innovation.

View the webinar

State of Software Security

State of Software Security Report Volume 5

This report examines application security quality, remediation and policy compliance statistics and trends. Our analysis of tens of thousands of applications with Veracode's cloud-based platform found that 87% of web applications are not compliant with the OWASP Top 10, while 69% of non-web applications are not compliant with the CWE/SANS Top 25.

The data analyzed represents multiple security testing methodologies (including static binary, dynamic and manual pen testing) on a wide range of application types (web, mobile and legacy/non-web) and programming languages (including Java, C/C++, .NET, PHP and ColdFusion). We also expanded our analysis of the mobile vulnerability landscape with sections on Android, iOS and Blackberry applications. The resulting intelligence is unique in the breadth and depth it offers.

Volume 5 (40 Pages)
April 8th, 2013

Get the full report

Veracode State of Software Security Report – Feature Supplement on Public Companies

Veracode has been publishing a semi-annual State of Software Security (SOSS) report since 2010. Over time we have received significant interest in our findings and numerous requests to investigate the dataset from many different perspectives that may not be routinely covered in our semi-annual reports. To satisfy the curiosity of our readers and to allow us to extend our investigation to topical areas, we are moving to a new reporting format in 2012. This year we are publishing shorter feature supplements that are designed to address a particular, focused topic, and releasing the full SOSS report only once a year. This report is the first feature supplement for 2012.

Get the full report

State of Software Security Report - Feature Supplement on Software Supply Chain

This feature supplement focuses on the state of enterprise programs that assess the security of software purchased from vendors. Veracode can uniquely report on how program practices evolve because our analysis is based on data aggregated from companies as they test real applications. The data represents intelligence gleaned from over 900 application builds submitted by software vendors to Veracode's cloud-based platform in an 18-month time frame.

Get the full report


8 Patterns of Secure Agile Teams

Developing secure products in an agile environment can be challenging. Application vulnerabilities and coding issues are typically time-consuming to find, document, and fix with traditional testing tools. Short agile sprints don’t lend themselves to these long processes; however, there are ways to effectively integrate secure development with agile methods.

View now

Hacking Exposed 7 - Chapter 10: Web and Database Hacking

The prerequisite for dealing with cyber-security is knowledge. Download this critical chapter to learn about web application vulnerabilities and hacking techniques; freely-available crawling tools; and countermeasures to protect your web application infrastructure.

Download the PDF

Forrester CISO Handbook - Presenting to the Board

Written by a former CISO, this white paper describes strategies for effectively articulating your risk posture and security strategy to business executives.

Download now


Mobile Application Security

Veracode’s cloud-based solution helps mobile teams achieve the correct balance between innovation and control. We help manage the security risk posed by the mobile apps that your organization builds, buys or downloads.

Download now

Agile Integration SDK

The Agile Integration SDK enables full integration between our cloud-based service and widely-used development toolchains.

Download now

Veracode Corporate Overview

Learn how we help the world's largest enterprises reduce global application risk across web, mobile and third-party applications.

Download now

Developer Research

Anti-Debugging – A Developers View

Anti-debugging is the implementation of one or more techniques within computer code that hinder attempts at reverse engineering or debugging a target binary. Within this paper we will present a number of the known methods of anti-debugging in a fashion that is easy to implement for a developer of moderate expertise.

Download now

Protecting Your Organization from Application Backdoors

Backdoors and malicious code pose an operational risk to software that is too significant for organizations to ignore. This whitepaper discusses how binary (compiled code) analysis is the ideal platform for detecting backdoors and conducting the most complete independent security test, validation and verification of applications.

Download now

A New Taxonomy for Application Backdoors

This technical whitepaper describes a new way to classify backdoor vulnerabilities in applications and discusses static detection of backdoors.

Download now


Veracode: Preparing and Submitting Your Application (05:43)

View the demo of Veracode's Platform. Learn how to create an Application Profile and submit your application for analysis.

View the demo

Veracode: Understanding and Interpreting Your Results (11:34)

View the demo of Veracode's Platform. Learn how to access and understand your results once the scan has completed. You will see how to access the summary and detailed results and also how to use Veracode's developer tools.

View the demo

eLearning Demo (06:49)

View this demo of Veracode eLearning. Veracode eLearning integrates a security knowledge base and web-based secure programming training courses for developers and security personnel to meet formal training and testing requirements. 

View the demo