Browse through the materials below to learn what the industry is saying about best practices for application security.

Analyst Reports

Gartner Application Security Testing Magic Quadrant

Released on 2 July 2013

Veracode is positioned as a “Leader” in Gartner’s 2013 Application Security Testing Magic Quadrant.

In this report, Gartner examines the application security testing market and evaluates its vendors according to their business and technology vision, as well as their ability to execute against that vision in their products and services.

Get the full report

Gartner Technology Overview: Mobile Application Security Testing for BYOD Strategies

Released on 30 August 2013

According to Gartner, enterprises that embrace a BYOD strategy are vulnerable to security breaches unless they adopt methods and technologies for mobile application security testing and risk assurance. This research explains how to select and implement these new tools and practices.

Get the full report

451 Research: Veracode Eyes a VAST Opportunity in Third-Party Application Security Testing

Released on October 16th, 2012

Former CISO Wendy Nather explains how Veracode's SaaS offering "takes both effort and cost away from the enterprise CISO" and "lowers the barriers to appsec testing."

This independent report details the unique advantages of Veracode's binary static analysis technology for testing third-party applications. It describes how Veracode's cloud-based platform and program management service address the scale and complexity challenges of reducing third-party software risk enterprise-wide, and provides a SWOT analysis of the Veracode VAST Program.

Get the full report


Secure Agile Through An Automated Toolchain: How Veracode R&D Does It

Security testing is essential. But it’s only embraced when it doesn’t slow down your developers. Veracode's software engineers understand the challenge of building security into the Agile SDLC. We live and breathe that challenge. We use our own application security technology to secure our platform so our developers can go further faster. Automation is key to streamlining our end-to-end process — because manual testing can't keep up with our Agile development velocity (and it doesn't scale).

View the webinar

PCI 3.0: How Third-Party Security Impacts Your Enterprise Risk

Recent breaches show that “doing just enough to comply with PCI” doesn't address your third-party risks. In this webinar you have a chance to learn from two experts who have helped organizations design and build enterprise-wide programs that address risks from both internal and third-party applications.

View the webinar

Building Security into the Agile SDLC: View from the Trenches

To speed time-to-market, most enterprises have adopted agile development in the SDLC. Join Veracode's security and development experts to learn how we've embedded security into our own Agile Scrum processes – to rapidly deliver new applications without exposing them to critical vulnerabilities.

View the webinar

State of Software Security

State of Software Security Report Volume 5

This report examines application security quality, remediation and policy compliance statistics and trends. Our analysis of tens of thousands of applications with Veracode's cloud-based platform found that 87% of web applications are not compliant with the OWASP Top 10, while 69% of non-web applications are not compliant with the CWE/SANS Top 25.

The data analyzed represents multiple security testing methodologies (including static binary, dynamic and manual pen testing) on a wide range of application types (web, mobile and legacy/non-web) and programming languages (including Java, C/C++, .NET, PHP and ColdFusion). We also expanded our analysis of the mobile vulnerability landscape with sections on Android, iOS and BlackBerry applications. The resulting intelligence is unique in the breadth and depth it offers.

Volume 5 (40 Pages)
April 8th, 2013

Get the full report

Veracode State of Software Security Report – Feature Supplement on Public Companies

Veracode has been publishing a semi-annual State of Software Security (SOSS) report since 2010. Over time we have received significant interest in our findings and numerous requests to investigate the dataset from many different perspectives that may not be routinely covered in our semi-annual reports. To satisfy the curiosity of our readers and to allow us to extend our investigation to topical areas, we are moving to a new reporting format in 2012. This year we are publishing shorter feature supplements that are designed to address a particular, focused topic, and only release the full SOSS report once a year. This report is the first feature supplement for 2012.

Get the full report

State of Software Security Report - Feature Supplement on Software Supply Chain

This featured supplement focuses on the state of enterprise programs that assess the security of software purchased from vendors. Veracode can uniquely report on how program practices evolve because our analysis is based on data aggregated from companies as they test real applications. The data represents intelligence gleaned from over 900 application builds submitted by software vendors to Veracode's cloud-based platform in an 18 month time-frame.

Get the full report


Hacking Exposed 7 Chapter 10: Web and Database Hacking

The prerequisite for dealing with cyber-security is knowledge. Download this critical chapter to learn about web application vulnerabilities and hacking techniques; freely-available crawling tools; and countermeasures to protect your web application infrastructure.

Download the PDF

FS-ISAC Third Party Software Security Working Group Recommended Guidance

Download the whitepaper authored by the FS-ISAC Third Party Software Security Working Group to understand the recommended controls for addressing third party software risk.

This independent paper analyzes control options and offers specific recommendations on control types for financial services firms to add to their vendor governance programs.

Download now

Shining a Light on the False Security of 1000s of Mobile Apps

Enterprises are still experiencing the paradigm shift towards mobile computing and are still struggling to implement both their mobility strategies and Bring-Your-Own-Device (BYOD) programs. While IT understands the enterprise benefits of this shift, there is a gap between its eagerness for mobility and its readiness to deal with the new types of application security risk inherent in all mobile platforms.

Download now


Veracode Corporate Overview

Learn how we help the world's largest enterprises reduce global application risk across web, mobile and third-party applications.

Download now

Application Perimeter Monitoring Datasheet

The Veracode Application Perimeter Monitoring (APM) solution enables enterprises to reduce the risk of data breaches by providing a rapid and massively scalable approach for gathering vulnerability intelligence across every enterprise web application.

Download now

VAST Program for the Enterprise

The Veracode Vendor Application Security Testing (VAST) program helps enterprises better understand and reduce the security risks associated with the use of vendor-supplied software, while strengthening vendor compliance with enterprise application security policy.

Download now

Developer Research

Anti-Debugging – A Developer's View

Anti-debugging is the implementation of one or more techniques within computer code that hinder attempts at reverse engineering or debugging a target binary. In this paper we present a number of the known methods of anti-debugging in a fashion that is easy to implement for a developer of moderate expertise.

Download now

Protecting Your Organization from Application Backdoors

Backdoors and malicious code pose an operational risk to software that is too significant for organizations to ignore. This whitepaper discusses how binary (compiled code) analysis is the ideal platform for detecting backdoors and conducting the most complete independent security test, validation and verification of applications.

Download now

A New Taxonomy for Application Backdoors

This technical whitepaper describes a new way to classify backdoor vulnerabilities in applications and discusses static detection of backdoors.

Download now


Veracode: Preparing and Submitting Your Application (05:43)

View the demo of Veracode's Platform. Learn how to create an Application Profile and submit your application for analysis.

View the demo

Veracode: Understanding and Interpreting Your Results (11:34)

View the demo of Veracode's Platform. Learn how to access and understand your results once the scan has completed. You will see how to access the summary and detailed results and also how to use Veracode's developer tools.

View the demo

eLearning Demo (06:49)

View this demo of Veracode eLearning. Veracode eLearning integrates a security knowledge base and web-based secure programming training courses for developers and security personnel to meet formal training and testing requirements.

View the demo