
Veracode automates software development security

by admin

“We create solutions to secure the software that organizations develop.” This is how Massimo Tripodi, Veracode's Country Manager for Italy, describes the company's activity. “From large banks to software houses, anyone who develops software to run their business can use our solutions.”

Application testing as a service

Founded in 2006, Veracode has always had application testing as its core market and from the beginning has adopted a software-as-a-service delivery model. “This gave us some advantages,” Tripodi points out. “First, we built a knowledge base from the cases our customers encounter.” Today the company has around 3,000 customers worldwide, thirty of them in Italy: “However, we have only been present here since August 2022, and we acquire at least one new customer every month,” Tripodi specifies. The distribution across verticals is fairly even.

First of all, awareness

The second advantage Tripodi cites is “being very effective.” Over time, Veracode has built a platform based on a series of services that digitize the entire application security management process. The starting point is awareness: to identify any flaws present in information systems or software, a scan must be carried out. “We have different types of scanning,” says Tripodi. “They range from static analysis to dynamic analysis, from third-party analysis, mainly of open source, to container analysis, meaning Docker and the scripts used to run Kubernetes. All these tools are completely integrated.”


Digitized remediation

The second phase of the process is the response. “Once you realize that you have a delicate situation on the software side, you should remedy the problems, or at least prioritize them and fix the riskiest ones. Veracode is the only vendor that has digitized the remediation process.” It is a project that began two and a half years ago, with a pilot involving some selected customers, and then reached general availability in July 2023. “At its base there is an open source GPT version 2.5 algorithm, which we have trained on our knowledge base together with our security experts,” Tripodi highlights. “It is a system capable of recognizing the vulnerability, understanding the context the customer is in and, therefore, automatically producing the appropriate fix.”

The human factor

Technology is essential to ensure both protection and remediation, but so is the human factor. “If you want a secure and resilient software development process, you have to train people. Our system is fully integrated with the development platform, and it is the data from that platform that guides users' learning paths.”

An annual report on the state of security

The software-as-a-service approach gives Veracode enough data to analyze the state of software security. “Every year in January we draw up a report that gives an overview of our customer base and highlights the trends of the main problems: which areas have improved compared to the previous year, what has not changed, which areas are worsening and so on. Every year, in autumn, we create a version of the report targeted at certain verticals, such as finance, manufacturing and public administration.”


70% of companies have security debt

Among the main trends Veracode has highlighted for 2024, what stands out is that 70% of organizations have security debt, that is, at least one vulnerability, or an accumulation of vulnerabilities, that, whatever its state, remains unresolved for more than 12 months.

“This debt is endemic in companies' organizations,” states Tripodi, “but the most serious thing is that 46% of our customers have critical security debt, that is, a high-risk vulnerability.”

According to Veracode, two elements have a direct impact on this result. The first is technological progress. Over time, creating an application has become increasingly simple: there are frameworks that facilitate the developer's work, such as low-code/no-code technologies, which allow an application to be created extremely quickly, or generative AI tools, which allow code to be produced at a speed never experienced before. Since the business is digitizing more and more, more and more applications have to be built, and at an exponential pace. However, the resources available to remedy vulnerabilities, meaning the developers, remain the same. So they have to spend part of their time not writing new features but fixing code that has vulnerabilities.

The risks of third-party code

As for security debt, in 90% of cases it consists of code developed by the organization itself, but if you consider critical security debt, 65% of it consists of code produced by third parties. This is an important element because, even when you adopt best practices and quality processes, once you procure software from outside you bring an attack vector inside the company.


“Veracode can enable software composition analysis,” Tripodi concludes, “that is, it offers tools capable of scanning third-party code to identify any vulnerabilities and propose the related fixes.”
