
Security software firm Veracode doubles revenue

By Kyle Alspach – kalspach@bizjournals.com

Veracode Inc. CEO Bob Brennan knows what it takes to ensure a company is cut out for the long term: Before joining the Burlington-based security software firm a year ago, he had been CEO of Boston-based records storage giant Iron Mountain Inc., a company founded in 1951.

Brennan’s assessment of the opportunity at his current company: “Veracode could be Veracode for a very long time, if not forever.”

That optimism has helped fuel job growth at the company. The firm employs 225 full-time workers, or twice the number employed a year ago, Brennan said. Veracode plans to hire another 50 in the next year, he said.

In 2012, the firm collected nearly $40 million in revenue — roughly double its 2011 sales — for its software and services, which help large companies and software vendors find and fix security vulnerabilities in their application code. Ten of the Fortune 50 are customers, the firm said, though specific names were not disclosed.

Web applications were the source of 54 percent of data breaches worldwide in 2011, according to a report from Verizon. And almost all applications fail basic security tests when first scanned by Veracode’s technology, Brennan said.

Meanwhile, companies increasingly depend on third-party software vendors for their Web applications. Veracode helps these companies by scanning the third-party vendors’ code for vulnerabilities and suggesting ways to plug those holes.

The firm’s core technology — known as binary static analysis — distinguishes the company from other application security firms.

“They are pretty much the only ones that do that,” said Wendy Nather, research director for security at New York-based 451 Research. “Veracode is definitely defining their space.”

Veracode uses its technology to find security vulnerabilities in applications even without access to the application source code — something many companies are unwilling to provide. Veracode has been granted two patents to date, making it the only firm capable of doing application security scans without source code, Brennan said.

Veracode had initially been focused on helping companies to uncover vulnerabilities inside internally developed applications. While that still makes up a significant part of the company’s business, using the technology to scan third-party applications is the fastest-growing revenue segment, Brennan said.

The firm was already able to do third-party application scans when Brennan arrived at the company in November 2011, but hadn’t been making it a focus, he noted.

“It was something (Veracode) did with a few customers. And I’m like, ‘No, everybody needs this.’ Because the world increasingly runs on a hyper-connected basis between and amongst software applications,” Brennan said.

Ed Jennings, executive vice president for sales at Veracode, said companies face a substantial amount of pressure to quickly innovate in their technology offerings.

“This balance, between the need for speed and innovation with security, is a tension,” Jennings said. “And that’s fundamentally the tension we’re trying to help our customers figure out.”

Putting more focus on third-party application vendors also gives Veracode a natural path to gaining new customers, Brennan said.

When Veracode works with a large customer now, that company will often inform its vendors that they need to pass a security test with Veracode in order to continue getting that company’s business, he said.

After doubling its revenue in 2012, the firm expects another year of substantial growth in 2013, with a major focus ahead on expanding internationally. Veracode plans to open new offices in France and Germany next year, and is considering an office in South America as well, Brennan said.

In October, the company made its first acquisition, of California-based Marvin Mobile Security, to extend its offerings into mobile applications.

Veracode has raised $72 million in venture capital to date, with the most recent funding a $30 million round in April led by Meritech Capital Partners. Other investors include .406 Ventures, Atlas Venture and StarVest Partners. A goal for the firm in coming years is to go public, though the company hasn’t offered details around timing.

Veracode was founded in 2006, and its core technology was invented by chief scientist Christien Rioux.

Rioux initially developed binary static analysis at security consulting firm @stake. That firm was acquired by security software company Symantec in 2004, but Symantec “didn’t see what we were trying to do” with the technology, Rioux said.

Rioux left Symantec to launch Veracode with Chris Wysopal, who also left Symantec as its director of development, and Maria Cirino, who had sold her security service firm Guardent to VeriSign the year before. Cirino would go on to co-found .406 Ventures in 2006.