Browse through the materials below to learn what the industry is saying about best practices for application security.

Analyst Reports

Gartner Application Security Testing Magic Quadrant

Released on 6 August 2015

Veracode is a Leader in the Magic Quadrant

Read the "Magic Quadrant For Application Security Testing" (August 2015) to learn whether your organization has the right technologies and processes to effectively reduce application-layer risk across the enterprise.

Gartner, Inc. 2015 “Magic Quadrant for Application Security Testing” by Neil MacDonald, Joseph Feiman. 6 August 2015

Get the full report

Business and Economic Consequences of Inadequate Cybersecurity

Cyberattacks cost UK businesses £18 billion in lost revenue and £16 billion in increased IT spending per year as a result of breaches. And the issue is widespread — 81 percent of UK businesses reported a breach in 2014.

Get the full report

Third-Party Application Security Risk: The Elephant in the Room Is Finally Getting Talked About

Awareness is growing around the importance of application security, particularly when the software comes from third parties. At the same time, CISOs trying to address that risk are facing a maze of technical, legal and organizational constraints.

Get the full report

Case Studies

A State Government Protects Citizen Data by Securing Applications

State government rolls out application testing across 14 state agencies, fixing 28,000 flaws in the first year of the program.

Download the case study

Global Industrial Manufacturer Secures its Software Supply Chain

With concern rising about the risk of advanced persistent threats from compromised supply chains, and breaches due to vulnerable third party software, a global industrial manufacturing company did an ad hoc audit of its purchased software – and found more than 90% of its purchased applications had critical security vulnerabilities. With Veracode's built-to-scale cloud platform and systematic approach for risk reduction, the company built a third party software security program that drove security requirements into contract language, onboarded 100 vendor applications in the first year of the program, and worked with vendors to fix over 10,000 vulnerabilities.

Download the case study

Global Media and Technology Company Gains Visibility into Mobile App Perimeter

A global media and technology company had little control over the quality or security of the apps published to iTunes or Playstore. Using Veracode’s cloud-based service, the company gained visibility into its mobile app perimeter, finding it had 100% more apps published than originally thought. Through finding these apps and assessing their behavior, the company ensured all published apps adhere to its app policies for security and privacy and gain tighter control of its mobile footprint.

Download the case study


SANS - What You Need To Know About Stagefright

Veracode’s director of solutions enablement, Brian LaFlamme and Frank Kim, CISO for SANS, discuss new details regarding the Stagefright vulnerability and why vulnerabilities in graphic libraries keep cropping up.

View the Webinar

The Fantastic Four: Metrics You Can’t Ignore When Reducing Application-Layer Risk

This webinar provides an overview of the state of software security across different industry verticals. It also features a discussion with security experts from some of the world’s leading organizations on the four metrics they use to benchmark their performance, measure success, report up to the board, and motivate development teams to fix vulnerabilities.

View the Webinar

NYSE Survey: Understanding Cybersecurity in the Boardroom

CISOs can become more effective, strategic leaders by understanding prevailing perceptions about cybersecurity before stepping foot into the boardroom. Listen to this webinar to gain strategic insights from NYSE’s survey of nearly 200 board members about how they perceive and prioritize cybersecurity. Chris Wysopal, Veracode co-founder, CTO and CISO, will also share his recommendations based on his own experience presenting to boards and his ongoing conversations with fellow CISOs.

View the Webinar

State of Software Security

State of Software Security Volume 6: Focus on Industry Verticals

The Veracode State of Software Security Report helps CISOs and application security professionals make informed decisions about their application risk. We are often asked by our customers to benchmark their performance. They ask questions such as, “Do I have more serious security vulnerabilities than my peers?” and “What percentage of vulnerabilities do my peers remediate?” In this report, we present data that can help you answer those questions for your organization.

Volume 6 (20 Pages)

June 23, 2015

Get the full report

State of Software Security Report Volume 5

This report examines application security quality, remediation and policy compliance statistics and trends. Our analysis of tens of thousands of applications with Veracode's cloud-based platform found that 87% of web applications are not compliant with the OWASP Top 10, while 69% of non-web applications  are not compliant with the CWE/SANS Top 25.  

The data analyzed represents multiple security testing methodologies (including static binary, dynamic and manual pen testingl) on a wide range of application types (web, mobile and legacy/non-web) and programming languages (including Java, C/C++, .NET, PHP and ColdFusion). We also expanded our analysis of the mobile vulnerability landscape with sections on Android, iOS and Blackberry applications. The resulting intelligence is unique in the breadth and depth it offers.

Volume 5 (40 Pages)
April 8th, 2013

Get the full report

Veracode State of Software Security Report – Feature Supplement on Public Companies

Veracode has been publishing a semi-annual State of Software Security (SOSS) report since 2010. Over time we have received significant interest in our findings and numerous requests to investigate the dataset from many different perspectives that may not be routinely covered in our semi-annual reports. To satisfy the curiosity of our readers and to allow us to extend our investigation to topical areas, we are moving to a new reporting format in 2012. This year we are publishing shorter feature supplements that are designed to address a particular, focused topic, and only release the full SOSS report once a year. This report is the first feature supplement for 2012.

Get the full report


Cybersecurity in the Boardroom

The connection between cybersecurity and a company’s bottom line is crystal clear to board members – and they’re worried. In fact, more than 80 percent of respondents discuss cybersecurity at most or all boardroom meetings. CISOs can become more effective, strategic leaders by understanding prevailing thought before stepping foot into the boardroom.

Get the whitepaper

2014: The Year of the Application Layer Breach

The rise of the digital economy means the world now runs on applications. As a result, every company is becoming a software company. Yet, research done by IDG revealed that almost two-thirds of applications are not assessed for security.  

Get the ebook

Five Steps for Preparing for a Vulnerability Disclosure

This whitepaper provides guidance on preparing for a high-profile vulnerability disclosure so risk-management or security teams can respond with the appropriate level of urgency. Teams can use it as a starting point to formulate a strategy for vulnerability responses and be prepared for the eventual disclosure.

Download now


Web Application Discovery

Cyber-attackers look for the paths of least resistance — such as obscure or out-of-date websites — to gain access to critical corporate and customer data. Our massively parallel, AWS-based, auto-scaling cloud infrastructure uses advanced search techniques to rapidly discover all public-facing applications so that you can create an inventory of your web presence, monitor the effectiveness of change control processes, quickly assess risk after an organizational change such as a merger or acquisition, and identify easy wins such as obsolete servers to quickly address risk from potentially vulnerable applications.

Download the Datasheet

Application Security and Security Awareness Training

Veracode’s course-based eLearning empowers software developers, testers and security leads to develop secure applications from inception to deployment, providing the critical skills they need to identify and address potential vulnerabilities. By using Veracode’s turnkey eLearning program customers can quickly onboard all employees, including geographically diverse development teams, with the security knowledge needed to prevent a potential breach and meet compliance requirements.

Download the Datasheet

Mobile App Reputation and Risk Management for IBM Fiberlink

Veracode’s cloud-based app reputation service provides behavioral intelligence about mobile apps to help you determine which apps violate corporate policies for security and privacy. Our integration with IBM Fiberlink MaaS360 uses automated workflows and centralized policies to give IT full visibility and control of app risks in a scalable way.

Download the datasheet

Developer Research

Anti-Debugging – A Developers View

Anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target binary. Within this paper we will present a number of the known methods of antidebugging in a fashion that is easy to implement for a developer of moderate expertise.

Download now


Application Perimeter Monitoring Calculator

Your application threat surface is constantly growing, and you probably don’t realize the extent of it. Using data from the thousands of web applications we’ve assessed, our customized tool will help you estimate how many websites you actually have, and how many vulnerabilities they contain.

Get the Facts

Veracode: Preparing and Submitting Your Application

View the demo of Veracode's Platform. Learn how to create an Application Profile and Submit your application for analysis.

View the demo

Veracode: Understanding and Interpreting Your Results

View the demo of Veracode's Platform. Learn how to access and understand your results once the scan has completed. You will see how to access the summary and detailed results and also how to use Veracode's developer tools.

View the demo