Browse through the materials below to learn what the industry is saying about best practices for application security.

Analyst Reports

Forrester: Planning for Failure

The Forrester “Planning for Failure” report offers practical guidance to create a breach response plan that will help your enterprise respond quickly and appropriately to minimize damage.

Forrester predicts that in 2015 “at least 60 percent of organizations will suffer a security breach.”

Get the full report

Gartner: Five Golden Rules for Creating Effective Security Policy

According to this Gartner report, “Policy is an important form of communication about risk, and the impact on the reader will be maximized if the text is well-crafted in organizational appropriateness and writing style.” The report also states that: “Fortunately, the use of a few best practices for the planning and writing of policy can make a big difference in its effectiveness in reducing risk.”

Get the full report

Evolve To Become the 2018 CISO or Face Extinction

Read this report to learn about Forrester's 5-step plan for seizing control of your destiny as a CISO – and why the top 3 skills required to succeed are leadership, strategic thinking, and business knowledge.

Get the full report

Case Studies

Global Industrial Manufacturer Secures its Software Supply Chain

With concern rising about the risk of advanced persistent threats from compromised supply chains, and breaches due to vulnerable third party software, a global industrial manufacturing company did an ad hoc audit of its purchased software – and found more than 90% of its purchased applications had critical security vulnerabilities. With Veracode's built-to-scale cloud platform and systematic approach for risk reduction, the company built a third party software security program that drove security requirements into contract language, onboarded 100 vendor applications in the first year of the program, and worked with vendors to fix over 10,000 vulnerabilities.

Download the case study

Global Media and Technology Company Gains Visibility into Mobile App Perimeter

A global media and technology company had little control over the quality or security of the apps published to iTunes or Playstore. Using Veracode’s cloud-based service, the company gained visibility into its mobile app perimeter, finding it had 100% more apps published than originally thought. By finding these apps and assessing their behavior, the company ensured that all published apps adhered to its app policies for security and privacy and gained tighter control of its mobile footprint.

Download the case study

Large Financial Services Firm Passes Its PCI Audit — and Implements an Ongoing Governance Program to Continuously Reduce Enterprise Risk

Learn how Veracode’s cloud-based service and policy-based approach helped a large financial services firm not only pass its PCI audit in the short term – but also continuously reduce its enterprise risk in the long term.

Download the case study


Minimizing the Impact of a Data Breach

Forrester predicts that in 2015 “at least 60 percent of organizations will suffer a security breach (Planning for Failure, Forrester Research, Inc., February 2015),” yet most companies are not prepared to respond to a breach.

Register for the webinar

SC Magazine: Why Developers Need to Think About Security

Software developers often struggle with two competing priorities: delivering code within aggressive timelines and incorporating security into the development lifecycle. This webinar helps developers learn how to code securely without killing productivity.

View the webinar

7 Habits of Successful Supply Chain Transformations

Like “green” initiatives for reducing carbon emissions, software supply chain security has significant benefits to an organization, but is routinely avoided in pursuit of revenue-driving projects. But “green” managed to gain traction, and so can your program to secure your third-party suppliers.

View the webinar

State of Software Security

State of Software Security Report Volume 5

This report examines application security quality, remediation and policy compliance statistics and trends. Our analysis of tens of thousands of applications with Veracode's cloud-based platform found that 87% of web applications are not compliant with the OWASP Top 10, while 69% of non-web applications are not compliant with the CWE/SANS Top 25.

The data analyzed represents multiple security testing methodologies (including static binary, dynamic and manual pen testing) on a wide range of application types (web, mobile and legacy/non-web) and programming languages (including Java, C/C++, .NET, PHP and ColdFusion). We also expanded our analysis of the mobile vulnerability landscape with sections on Android, iOS and BlackBerry applications. The resulting intelligence is unique in the breadth and depth it offers.

Volume 5 (40 Pages)
April 8th, 2013

Get the full report

Veracode State of Software Security Report – Feature Supplement on Public Companies

Veracode has been publishing a semi-annual State of Software Security (SOSS) report since 2010. Over time we have received significant interest in our findings and numerous requests to investigate the dataset from many different perspectives that may not be routinely covered in our semi-annual reports. To satisfy the curiosity of our readers and to allow us to extend our investigation to topical areas, we are moving to a new reporting format in 2012. This year we are publishing shorter feature supplements that are designed to address a particular, focused topic, and only release the full SOSS report once a year. This report is the first feature supplement for 2012.

Get the full report

State of Software Security Report - Feature Supplement on Software Supply Chain

This feature supplement focuses on the state of enterprise programs that assess the security of software purchased from vendors. Veracode can uniquely report on how program practices evolve because our analysis is based on data aggregated from companies as they test real applications. The data represents intelligence gleaned from over 900 application builds submitted by software vendors to Veracode's cloud-based platform in an 18-month time frame.

Get the full report


7 Habits of Successful Supply Chain Transformations

Most enterprises today do not build all the applications they use. In fact, the majority of a typical enterprise’s application portfolio is developed by outside vendors. How can enterprises ensure the security of these outsourced or “third-party” applications? Simply assuming these apps are safe is no longer an option.

Download now

Forrester CISO Handbook - Presenting to the Board

Written by a former CISO, this white paper describes strategies for effectively articulating your risk posture and security strategy to business executives.

Download now

Addressing the Scalability Challenge with Cloud-Based Application Security

Every enterprise is now a digital business. This whitepaper provides a detailed overview of Veracode's cloud-based service for protecting against application-layer threats and addressing compliance requirements.

Download now


Automated App Blacklisting for AirWatch MDM

Veracode’s cloud-based app reputation service provides the AirWatch enterprise mobility platform with an instant-on, continuously updated intelligence source that evaluates all mobile applications on enterprise-managed devices against policies designed to keep corporate information secure. The service taps information about hundreds of thousands of mobile applications that have been assessed using Veracode’s unique behavioral analysis technology. Using the app reputation service, organizations can roll out a BYOD program that includes both preventive and detective controls to keep corporate data safe from risky mobile applications.

Download the datasheet

Veracode Corporate Overview

Learn how we help the world's largest enterprises reduce global application risk across web, mobile and third-party applications.

Download now

Binary Static Analysis (SAST)

Learn how Veracode’s binary static technology identifies security issues without actually executing the application, while minimizing false positives. With this datasheet you'll learn how Veracode empowers customers to identify and fix security issues earlier in the software development lifecycle with detailed, actionable, and accurate information.

Download now

Developer Research

Anti-Debugging – A Developer's View

Anti-debugging is the implementation of one or more techniques within computer code that hinder attempts at reverse engineering or debugging a target binary. Within this paper we present a number of the known methods of anti-debugging in a fashion that is easy to implement for a developer of moderate expertise.

Download now

Protecting Your Organization from Application Backdoors

Backdoors and malicious code pose an operational risk to software that is too significant for organizations to ignore. This whitepaper discusses how binary (compiled code) analysis is the ideal platform for detecting backdoors and conducting the most complete independent security test, validation and verification of applications.

Download now

A New Taxonomy for Application Backdoors

This technical whitepaper describes a new way to classify backdoor vulnerabilities in applications and discusses static detection of backdoors.

Download now


Veracode: Preparing and Submitting Your Application (05:43)

View the demo of Veracode's Platform. Learn how to create an Application Profile and submit your application for analysis.

View the demo

Veracode: Understanding and Interpreting Your Results (11:34)

View the demo of Veracode's Platform. Learn how to access and understand your results once the scan has completed. You will see how to access the summary and detailed results and also how to use Veracode's developer tools.

View the demo

eLearning Demo (06:49)

View this demo of Veracode eLearning. Veracode eLearning integrates a security knowledge base and web-based secure programming training courses for developers and security personnel to meet formal training and testing requirements.

View the demo