Study reveals that Veracode customers reduce security defect resolution time by 90% saving an average of nearly $6M
BURLINGTON, Mass. – Sept. 3, 2019 – Veracode, a leading provider of application security testing (AST), today announced findings from “The Total Economic Impact™ of Veracode Application Security Platform” study. The March 2019 commissioned study conducted by Forrester Consulting on behalf of Veracode evaluates the business benefits and return on investment (ROI) of organizations using Veracode to secure their software and create robust DevSecOps environments. This Total Economic Impact (TEI) study demonstrates that organizations using Veracode as part of their DevSecOps practices save an average of $5.6 million by reducing the time required to identify and resolve security vulnerabilities.
The study found that organizations using Veracode solutions introduce significantly fewer security flaws, thereby decreasing the time spent fixing security defects by as much as 90%. In addition, automated scan reporting, integration of Veracode into the CI/CD pipeline, and developer self-service tools greatly reduced manual effort and hours for the security team. With Veracode, vulnerabilities are identified earlier in the development cycle, resulting in a lower cost to resolve. Additionally, organizations that drive adoption across their development ranks are able to raise the bar on the overall quality of their software as developers learn and improve the efficacy of their code over time. Prior to using Veracode, customers in the study indicated they spent days chasing false positives and battling legacy processes that led to friction between security and developer teams.
“Business leaders and security and development teams realize that in today’s software-driven world, it is crucial for companies to secure the software they are using to achieve their objectives. Companies need security initiatives that integrate into their software development processes but don’t slow innovation,” said Pejman Pourmousa, Vice President of Global Customer Success and Services, Veracode. “In our view, this study validates what we’ve witnessed in working with our customers to improve application security and reduce time to fix flaws. Companies using DevSecOps models and taking a programmatic, scalable approach to application security achieve a significant competitive advantage by reducing risk while saving millions of dollars.”
By integrating security tools directly into their process and scanning frequently for flaws, developers create code that is secure from the start, resulting in less time wasted on fixing issues found later in the software development cycle. The study also found that Veracode tools reduce security team effort by 80% and lower the overall risk of a security breach. On average, Veracode customers achieved payback on their investment in just 16 months.
Customers interviewed as part of the study told Forrester:
“Automation has saved a tremendous amount of time. We went from a day per app to review and now we are essentially reviewing through automation 18,000 scans a day with only 20 AppSec engineers. You do the math — 18,000 deploys a day with 20 engineers — you can’t scale that manually.”
- Senior manager application and cloud security, insurance
“If you utilize Veracode the way we do — where you run inspections often or as frequently as you need to — you are going to be able to catch and resolve vulnerabilities early, without spending an exorbitant amount of time or money later in the life cycle of the applications to address.”
- Senior application security analyst, healthcare
“We needed to figure out how to do security testing at the speed of modern-day software development and utilize preventative control instead of a detective and reactive control. That’s the top benefit that Veracode has provided us: allowing us to be a preventative control in an agile environment.”
- Senior manager of application and cloud security of an insurance firm
Veracode customers interviewed for the study indicated that Veracode Analytics are particularly impactful to their program. Veracode Analytics provides visualizations to help organizations understand the security status of their applications and provides insight into the performance of the application security program. Veracode’s Analytics enables customers to make fast data-driven decisions to improve their security posture. Earlier visibility through Veracode Analytics can reduce time and cost with audits and reporting to internal stakeholders, and helps easily demonstrate the business value of software security.
“Veracode enables companies to innovate securely. As development teams look to continuously improve, responsiveness to bugs often comes up as a metric to highlight. Analytics supports this by providing quick and intuitive data so that users can assess their current state and take action to improve their risk posture,” said Pourmousa.
Forrester used its TEI™ methodology to create an unbiased assessment of the real benefits experienced by Veracode customers. The firm found that, based on a composite organization of the interviewed customers, companies using Veracode to find and fix application security flaws in their software delivery lifecycle (SDLC) experience value across the organization. The TEI study listed unquantified benefits of Veracode as:
- Faster time-to-market and increased organizational agility. By identifying security flaws earlier in the SDLC, organizations improved their ability to meet production deadlines. Less unplanned work kept teams on track and avoided potentially lost application revenue.
- Employee morale improves and the relationship between security and developers strengthens. Organizations found that Veracode’s integrations provided a less disruptive process for their developer teams than previous ad hoc tools. Furthermore, the reduction in false positives built trust between their security and development teams.
- Lower legal risk when using open source code. With software composition analysis, organizations ensured that their developer teams did not violate open source licensing requirements.
- Reduced risk of loss of business, fines, and sanctions from noncompliance. Veracode was an integral tool for organizations in ensuring that products complied with major regulations, like HIPAA and SOX.