Global 2000 Firm Achieves 192 Percent ROI Securing Critical Financial Applications with Veracode’s Cloud-Based Service

Financial services institution improved secure development processes and reduced enterprise risk, according to case study by leading analyst firm

BURLINGTON, Mass. - July 24, 2014 – Veracode, the application security company, today released a commissioned case study by Forrester Consulting describing how a Global 2000 financial services company secured its critical outsourced and internally-developed applications with Veracode. Veracode’s cloud-based service and programmatic approach generated a 3-year, risk-adjusted ROI of 192 percent for the European-based, global financial services company. To access the full July 2014 study, which was conducted by Forrester Consulting on behalf of Veracode, visit:

Prior to using Veracode, the firm had implemented a traditional on-premises scanning tool from a major IT vendor. Success was limited because the tool was complex and required specialized expertise to configure it and interpret its results. As a result, the organization was only able to assess a fraction of the applications it should be assessing for risk in its overall portfolio of several thousand applications.

The study quotes the financial services firm’s head of application security as saying “Veracode has helped us scale our program significantly, and it also helps us set our priorities correctly. We can focus on the optimal strategy, policies and KPIs to systematically reduce enterprise risk.”

With Veracode’s cloud-based service, combined with its remediation coaching and program management services the firm was able to scale its application security program and continuously assess 400 of the firm’s business-critical application. Vulnerabilities have been reduced by 60 percent and are now found earlier in the software development lifecycle.

Specifically, the study demonstrated how the firm worked with Veracode to achieve benefits with:

  • Outsourced code: Avoided costs of $1.98 million per year in identifying, tracking, and mitigating vulnerabilities in applications developed by outsourced developers.
  • Internally-developed and legacy code: Avoided costs of $3 million per year in assessing and remediating internally developed and legacy applications.
  • Improved time-to-market: Improved development skill, speed, and best practices leading to reduced costs and improved margins totaling $1-2 million per year.
  • Reduced enterprise risk: Avoided costs of $630,000 per year related to reduced application security risk.

Reduced Cost of Ownership

Within Forrester’s Total Economic Impact (TEI) methodology, direct benefits represent only one part of the investment value. The firm also realized strategic benefits by avoiding the need to scale their previous on-premises tool to match the application coverage provided by Veracode's cloud-based service. This expansion would have required adding significant infrastructure, software and employee resources – including fifteen full-time employees – to provide the same level of benefits.

Reduced Risk from Third-Party Software

The financial services firm is now working with Veracode to develop a Vendor Application Security Testing (VAST) program. With the VAST program, Veracode works with the organization to set policies, metrics and reporting processes that third-party commercial vendors must meet in order to do business with the financial services firm. The company anticipates that the program will help significantly reduce risk associated with the use of third-party software.

For more details on how Veracode helped the financial services firm secure their critical application infrastructure while reducing and avoiding costs, read the full report here: