Veracode Launches World’s First Automated, Subscription-Based Security Audit for COTS Software and Outsourced Code Development

Based on breakthrough patented binary technology, Veracode delivers the only independent security audit for externally sourced code

Burlington, Mass., April 22, 2008 – Veracode Inc., the leading provider of on-demand application security testing solutions, today announced the first portfolio of subscription-based services to provide a clear and independent assessment of an organization’s external application security risk. Based on its on-demand code assurance platform, the Veracode SecurityReview® service now includes the ability for organizations to obtain a single view of security risks in their applications, whether those applications are purchased as commercial off-the-shelf software (COTS) or developed offshore.

Application security has risen to the top of the agenda for security professionals striving to control their company’s overall risk profile. According to the Computer Emergency Response Team (CERT), more than 7,000 new vulnerabilities were discovered over the last year, with 92 percent of vulnerabilities found in software according to the National Institute of Standards and Technology. With organizations deploying an increasing number of complex applications – some developed internally, some offshore, some purchased off-the-shelf – the effort needed to manage risk becomes greater. Traditional approaches have focused on conducting costly and time-consuming manual penetration tests or using tools that typically require source code which usually isn’t available in mixed-code base environments or commercial applications.

“Veracode offers a unique method for testing commercial-off-the-shelf software that fills an essential gap in our software security program enabling a more effective understanding of risk from commercial software along with information to manage this risk with our software vendors,” said Jim Routh, CISO of Depository Trust & Clearing Corporation, who is participating in the “Five Keys to Effective Application Security and Secure Coding” keynote panel on April 22nd at Infosecurity Europe being held this week in London.

Rhonda MacLean, Global Information Security Officer, Global Retail and Commercial Banking, Barclays Bank, who is also participating on the panel, further commented on the benefits of the Veracode service:

“In a rapidly changing threat environment, Veracode’s technology and its software-as-a-service model have given us the flexibility to conduct rapid code review cycles, which is an obvious benefit for our customers.”

“Enterprises are increasingly outsourcing the development of their applications and leveraging commercial software to run their business operations, but can’t outsource the security risk and liability associated with those applications,” said Diana Kelley, Partner at SecurityCurve. “Enterprises need effective ways to test and audit the risk associated with COTS and outsourced software when source code isn’t available.”

Based on patented, static binary testing technology and dynamic web scanning analysis, Veracode’s SecurityReview is the industry’s first solution specifically designed to overcome the limitations of traditional tools and manual penetration tests:

* Veracode’s comprehensive portfolio of services covers all testing needs – including internal security reviews, PCI compliance, COTS security audits and outsourced secure code acceptance. * Veracode is the only organization to scan code using automated techniques which mirror the way a machine executes code or a hacker’s approach to an attack – accurately assessing the root of the problem as no other tool can do. * It is the only company to offer organizations application code reviews on a software-as-a-service subscription basis, eliminating the need to install or maintain costly software, hardware or train personnel. * Veracode helps users keep in lockstep with new threats by leveraging its on-demand security platform, pooling the learning from every scan across all customers * No one else can identify and remedy the security flaws in binary code, the very foundation of all today’s software applications. * Veracode is the first provider to help organizations improve their application security without asking them to hand over the intellectual property represented in source code. * Veracode alone deals with scanning mixed-code-based applications as it can tackle both dynamic and static testing of code, reducing fear, uncertainty and doubt in software procurement.

The Veracode SecurityReview service portfolio is now comprised of the following on-demand services:

* Outsourcing SecurityReview Provides simple, cost-effective, and automated security audits that ensures enterprises receive secure code from offshore development partners * COTS SecurityReview Helps enterprises and government agencies quantify and manage security risks of commercial off-the-shelf software * SDLC SecurityReview Enables security teams to conduct security assessments on mission-critical internally developed applications before they ship * PCI SecurityReview Automates and shortens the process for achieving compliance with the application security requirements of PCI-DSS, Visa PABP and PA-DSS in a simple and cost-effective way

“With applications being the weakest link in the corporate security chain, organizations are increasingly demanding independent verification and validation of applications as part of their software release and acceptance criteria,” said Matt Moynahan, CEO at Veracode. “With Veracode, customers can now count on a single vendor delivering a comprehensive portfolio of on-demand services that delivers independent security audits for applications whether they are developed offshore or purchased off-the-shelf.”

Availability
All four SecurityReview products are available immediately.

About Veracode

Veracode is the world’s leader for on-demand application security testing solutions. Veracode SecurityReview is the industry’s first solution to use patented binary code analysis and dynamic web analysis to uniquely assess any application security threats, including vulnerabilities and malicious code. SecurityReview performs the only complete and independent security audit across any internally developed applications, third-party commercial off-the-shelf software and offshore code without exposing a company’s source code. Delivered as an on-demand service, Veracode delivers the simplest and most-cost effective way to implement security best practices, reduce operational cost and achieve compliance without requiring any hardware, software or training.

Veracode has established a position as the market visionary and leader with awards that include recognition as a Gartner “Cool Vendor” 2008, Info Security Product Guide’s “Tomorrow’s Technology Today Award 2008,” Information Security “Readers’ Choice Award 2008,” AlwaysOn Northeast’s “Top 100 Private Company 2008”, NetworkWorld “Top 10 Security Company to Watch 2007,” and Dark Reading’s “Top 10 Hot Security Startups 2007.”

Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture Partners. For more information, visit www.veracode.com.

Contacts:
Rachel Labas
Lois Paul & Partners
781.782.5783
rachel_labas@lpp.com