Recently Veracode announced that I had left my position as a Research VP and Fellow at Gartner to join the company in its pursuit of securing the world’s software.  Some may ask, “why after almost two decades of helping shape the security market, have I decided to leave Gartner and work with a vendor?” I did not take the decision lightly, and wouldn’t have left the top analyst firm in its space for anything other than the top vendor in its space. The decision came after weeks of reflection regarding my personal and professional goals as well as how I could best influence the market.

Taking the Lead in Application Security

After studying the application security market since its inception in the early 2000s, advising security vendors and working with companies searching for ways to reduce risk, one thing has become abundantly apparent: application-layer breaches are damaging businesses. Proliferation of vulnerable software is having a direct impact on innovation and economic growth.

As my colleague and I wrote in the 2015 Gartner Magic Quadrant for Application Security Testing:

“Highly publicized breaches in the past 12 months have raised awareness of the need to identify and remediate vulnerabilities at the application layer. Enterprise application security testing solutions for Web, native, cloud and mobile applications are key to this strategy.”

Veracode has the most comprehensive solution that combines capabilities such as SAST, DAST and Software Composition Analysis into a single platform.  I joined Veracode because I believe that an integrated approach to application security, a combination of multiple assessment techniques, a proven cloud-based security service, and implementation of highly-scalable application security programs is the way to reduce application-layer risk. I also recognize that software development and security practices are continually evolving, so I am excited at the potential to influence and shape new standards of excellence for the application security market in my role as Chief Innovation Officer.

Following a Dream

One of these innovations is to realize my dream of making Runtime Application Self-Protection (RASP) a standard part of application security. RASP is a security technology that is built into application runtime engines and can detect and then prevent real-time application attacks without human intervention.

For almost three years I’ve spoken to security vendors and Gartner clients about the need for RASP, and for at least the first two years I’ve seen little progress in this space. By working with a leading vendor in the application security space, I have the opportunity to help influence the evolution of this technology in a way that I couldn’t have as an analyst.

In the role of Chief Innovation Officer at Veracode I can influence the way RASP is brought to market and facilitate its adoption within enterprises, helping them increase their application security posture.

The People

Gartner has been a home to me for almost 20 years. The idea of leaving my colleagues was difficult and sad. However, the culture at Veracode was difficult to resist. As an analyst, I had met and collaborated with many of the company’s senior leaders. I already had a great respect for Veracode’s founders, CEO, product strategy, and services teams.  However, once I began discussions to come to Veracode my impression of the people moved beyond respect to fondness. In addition to Veracode’s culture of excellence and hard work, Veracode has a welcoming culture based on kindness and driven by a passion for securing the world’s software.  Since joining the company, I have been welcomed and embraced. I am excited to work with such a committed and friendly group of people. 

What does a Chief Innovation Officer Do?

So, what will I do in this new role? My main focus will be on advanced technologies that drive innovative detection and protection strategies to further extend what is already the most comprehensive end-to-end platform for application security in the industry.

As I stated earlier, one of the first areas I will focus on is RASP. But I will also investigate and research other areas of innovation that help Veracode's customers advance their application security programs. I am looking forward to this challenge and seeing how we can change the way companies think about securing applications.

¹ Gartner, Inc. 2015 “Magic Quadrant for Application Security Testing” by Neil MacDonald, Joseph Feiman, 6 August, 2015.

About Joseph Feiman

Joseph Feiman is Chief Innovation Officer at Veracode. In this role, Joseph is responsible for advanced technologies that drive innovative detection and protection strategies. Joseph is a recognized industry leader with nearly two decades’ experience in application development and security, analyzing the market for Gartner Research.

Comments (3)

Neil Tickerie | January 7, 2016 4:28 am

I respect your drive to improve technology but isn't it a bit unethical to become CIO of a company which is in competition with other vendors who have trusted you over the past 20 years with a lot of their technology and vision?

Sven Johnson | January 8, 2016 10:25 am

It's not just that companies have trusted you and Gartner for 20 years with their technology and vision, but secrets. Would clients reveal so much to analysts if they realized there was no non-compete clause and at any point in time, the analyst could take all this intelligence to a competitor? I think not.

Joseph Feiman | January 8, 2016 10:32 am

@Neil Tickerie

Yes, it is ethical and customary. It would have been unethical and illegal to chain a person to a job without a right to change it. It is customary for analytical firms, as well as for other research institutions and academia, to allow employees to go back to field work (and then admit them back).

When confidentiality is involved, then it is obeyed, pure and simple. Obviously, my new employer fully respects this.

I am engaged in field work with a vendor that gives me a chance to implement my vision: RASP and, potentially, others. I am absolutely sure that it will positively contribute to the security of all of us – application users. I invite you to join me in focusing on just that: application security.
