Recently Veracode announced that I had left my position as a Research VP and Fellow at Gartner to join the company in its pursuit of securing the world’s software. Some may ask, “Why, after almost two decades of helping shape the security market, have I decided to leave Gartner and work with a vendor?” I did not take the decision lightly, and wouldn’t have left the top analyst firm in its space for anything other than the top vendor in its space. The decision came after weeks of reflection regarding my personal and professional goals as well as how I could best influence the market.
After studying the application security market since its inception in the early 2000s, advising security vendors and working with companies searching for ways to reduce risk, one thing has become abundantly apparent: application-layer breaches are damaging businesses. Proliferation of vulnerable software is having a direct impact on innovation and economic growth.
As my colleague and I wrote in the 2015 Gartner Magic Quadrant for Application Security Testing:
“Highly publicized breaches in the past 12 months have raised awareness of the need to identify and remediate vulnerabilities at the application layer. Enterprise application security testing solutions for Web, native, cloud and mobile applications are key to this strategy.”
Veracode has the most comprehensive solution that combines capabilities such as SAST, DAST and Software Composition Analysis into a single platform. I joined Veracode because I believe that an integrated approach to application security, a combination of multiple assessment techniques, a proven cloud-based security service, and implementation of highly-scalable application security programs is the way to reduce application-layer risk. I also recognize that software development and security practices are continually evolving, so I am excited at the potential to influence and shape new standards of excellence for the application security market in my role as Chief Innovation Officer.
One of these innovations is to fulfill my dream of making Runtime Application Self-Protection (RASP) a standard part of application security. RASP is a security technology that is built into application runtime engines and can detect and then prevent real-time application attacks without human intervention.
For almost three years I’ve spoken to security vendors and Gartner clients about the need for RASP, and for at least the first two years I’ve seen little progress in this space. By working with a leading vendor in the application security space, I have the opportunity to help influence the evolution of this technology in a way that I couldn’t have as an analyst.
In the role of Chief Innovation Officer at Veracode I can influence the way RASP is brought to market and facilitate its adoption within enterprises, helping them increase their application security posture.
Gartner has been a home to me for almost 20 years. The idea of leaving my colleagues was difficult and sad. However, the culture at Veracode was difficult to resist. As an analyst, I had met and collaborated with many of the company’s senior leaders. I already had a great respect for Veracode’s founders, CEO, product strategy, and services teams. However, once I began discussions to come to Veracode my impression of the people moved beyond respect to fondness. In addition to Veracode’s culture of excellence and hard work, Veracode has a welcoming culture based on kindness and driven by a passion for securing the world’s software. Since joining the company, I have been welcomed and embraced. I am excited to work with such a committed and friendly group of people.
So, what will I do in this new role? My main focus will be on advanced technologies that drive innovative detection and protection strategies to further extend what is already the most comprehensive end-to-end platform for application security in the industry.
As I stated earlier, one of the first areas I will focus on is RASP. But I will also investigate and research other areas of innovation that help Veracode’s customers advance their application security programs. I am looking forward to this challenge and seeing how we can change the way companies think about securing applications.