Prior to using Veracode, the firm had implemented a traditional on-premises scanning tool from a major IT vendor. Success was limited because the tool was complex and required specialized expertise to configure it and interpret its results. As a result, the organization was only able to assess a fraction of the applications it should be assessing for risk in its overall portfolio of several thousand applications.
The study quotes the financial services firm’s head of application security as saying “Veracode has helped us scale our program significantly, and it also helps us set our priorities correctly. We can focus on the optimal strategy, policies and KPIs to systematically reduce enterprise risk.”
With Veracode’s cloud-based service, combined with its remediation coaching and program management services, the firm was able to scale its application security program and continuously assess 400 of its business-critical applications. Vulnerabilities have been reduced by 60 percent and are now found earlier in the software development lifecycle.
Specifically, the study demonstrated how the firm worked with Veracode to achieve benefits with:
- Outsourced code: Avoided costs of $1.98 million per year in identifying, tracking, and mitigating vulnerabilities in applications developed by outsourced developers.
- Internally-developed and legacy code: Avoided costs of $3 million per year in assessing and remediating internally developed and legacy applications.
- Improved time-to-market: Improved development skill, speed, and best practices leading to reduced costs and improved margins totaling $1-2 million per year.
- Reduced enterprise risk: Avoided costs of $630,000 per year related to reduced application security risk.
Reduced Cost of Ownership
Within Forrester’s Total Economic Impact (TEI) methodology, direct benefits represent only one part of the investment value. The firm also realized strategic benefits by avoiding the need to scale its previous on-premises tool to match the application coverage provided by Veracode’s cloud-based service. This expansion would have required adding significant infrastructure, software and employee resources – including fifteen full-time employees – to provide the same level of benefits.
Reduced Risk from Third-Party Software
The financial services firm is now working with Veracode to develop a Vendor Application Security Testing (VAST) program. With the VAST program, Veracode works with the organization to set policies, metrics and reporting processes that third-party commercial vendors must meet in order to do business with the financial services firm. The company anticipates that the program will help significantly reduce risk associated with the use of third-party software.
For more details on how Veracode helped the financial services firm secure their critical application infrastructure while reducing and avoiding costs, read the full report here: https://info.veracode.com/forrester-case-study.html