Manhattan Associates Turns Software Security into Competitive Advantage

Executive Summary

Manhattan Associates creates industry-leading software solutions that enable its customers to optimize their supply chain and omnichannel commerce pipelines. Over its 25+ years in the industry, Manhattan evolved from delivering traditional on-premise software to becoming a cloud-native SaaS solutions provider.

Having rearchitected its solutions portfolio to be cloud-native, Manhattan sought a security solution that was also cloud-native to assure customers their data is protected. Indranath Chunder, Manhattan’s director of engineering, notes, “The reputation of what we do as software developers is very heavily dependent on security. If somebody discovers a security hole and compromises it, that puts a big dent in the reputation of our product as well as our company.”

After evaluating the marketplace, Manhattan partnered with Veracode and deployed the Veracode security platform for cloud-native application development. One of the most important benefits Veracode brought was speed—the Manhattan team was scanning within days of contracting with Veracode, and by the end of the first month they were fixing bugs across its software development life cycle. Moreover, the company has maintained its goal of zero security breaches for its cloud-native offerings.

George Garza, director of risk and security for active hosted solutions at Manhattan Associates, says, “Veracode enables us to ensure our systems are protected operationally and that the applications delivered to production are safe and secure.”

The Challenge

Protecting cloud-native application environments

Rearchitecting its solutions to be cloud-native required Manhattan to reassess how it assures the safety of customer data in the cloud. With the focus now on delivering a service rather than just software, changes were needed to its security approach.

Traditionally, Manhattan had a centralized security team and a handful of “security champions” embedded with each development team. But as Garza says, the program “wasn’t getting enough traction.” He elaborates, “We wanted to make it easier for our developers to think about security and produce more secure code without distracting them from their primary role.”

Rob Thomas, executive vice president, research and development and cloud operations at Manhattan Associates, adds, “We needed to be better from a software security perspective. That includes increasing developer awareness about security but also having a way to verify that the code we've built is, in fact, secure.”

After evaluating the market, Thomas says Manhattan quickly landed on Veracode. “A key reason we focused on Veracode was their cloud-based model. To me, Veracode’s tenure in the industry and the fact that they are cloud-based means they can continually deliver new innovation to meet our changing needs.”

The Solution

End-to-end cloud-based security automation

As the Manhattan Associates team embarked on their cloud journey, they met for an executive meeting at Veracode headquarters. Garza notes, “We felt confident consulting with Veracode because they had been cloud-native for some time. That is where our relationship matured into a true partnership.”

In partnership with Veracode, Manhattan built a comprehensive application security program for its cloud-native solutions, automating security scanning into the software development life cycle from end to end. The complete solution includes Veracode Static Analysis, Dynamic Analysis, Software Composition Analysis, and Manual Penetration Testing.

Today, code is automatically scanned multiple times throughout the day, every day—totaling more than 20,000 scans in a year. For each new build, code is then released into production only when the development team has verified in the Veracode application center that it meets the company’s security criteria to be free of high or very high flaws.

Ganesan Natarajan, director of R&D at Manhattan Associates, says, “From my perspective, Veracode has done so much with automation that the developers feel like security is just part of their daily work. There is an advantage to having everything in a single pane of glass.”

Thomas adds, “Veracode has been such a great partner for us and is so well integrated into our continuous build and delivery process, there’s no reason for us to waste time looking at some new company that popped up a few years ago.”

Results

Making intelligent software security a competitive advantage

One vital benefit Manhattan Associates gained from the Veracode solution is speed. Garza explains, “You want security feedback to go to a developer as quickly as possible. We signed a deal on the 31st of December, we were scanning on the fifth, and we were fixing bugs by the end of the month. That’s speed.”

Manhattan continues to roll out its cloud-native solution, currently serving more than 180 customers on a global scale, including some of the largest retailers in the world. Thomas points out that having a security solution like Veracode is key to further scaling its solution with confidence. “We regularly share a reputation scorecard with our executive team, and the first thing they want to see is the number of security breaches. So far, it’s been zero, and it needs to stay zero. That’s the most important metric our developers need to focus on and Veracode plays a key role in helping us do that.”

Working in partnership with Veracode, Manhattan also gains the value of professional support to help the company continually improve and scale its cloud-native security program. Natarajan says, “We click a button on the platform when we see a remediation challenge and directly schedule a call with a Veracode Application Security Consultant to solve the issue.”

Additionally, Veracode conducted an onsite peer benchmarking workshop to help Manhattan better understand where it stands in the industry. Veracode’s self-service peer benchmarking provides data for Manhattan to measure the performance and efficiency of its application security program against peer organizations by identifying strengths and weaknesses, tracking KPIs, and quantify strengths to use security as a competitive advantage.

Garza notes, “Peer benchmarking tells us where we need to be, and where we need to improve to be out in front of everyone else and provide more value.” Moreover, Natarajan adds that partnering with Veracode is helping Manhattan strengthen its competitive position: “Our security practices are one of the key differentiators of Manhattan among competitors.”

Thomas concludes, “Our cloud-native model means we’re delivering new software continuously. Having a cloud-native partner like Veracode enables us to scan our software continuously so we have real-time confidence that our solution is as safe as possible.”