CA Snaps Up Code-Testing Firm Veracode for $614 Million

Software Giant Plans Enterprise Product Makeover via SaaS
Picture: Marcio Fontana (Flickr/CC)

CA Technologies has announced plans to snap up application security testing vendor Veracode.

The terms of the deal, announced March 6, would see CA paying approximately $614 million in cash for Veracode.

Veracode offers software and services to help organizations secure their web, mobile and third-party applications at all stages of the software development lifecycle. That includes tools - including software-as-a-service testing - for in-development code, as well as static testing services designed to analyze third-party applications and open-source components. The firm has offices in Burlington, Mass. and London, and more than 500 employees worldwide.

CA says Veracode will feature in its security and DevOps product portfolios, and plans to offer it as a software-as-a-service product.

The deal follows CA in January announcing that it had completed its acquisition of cloud-enabled business automation software vendor Automic for 600 million euros ($635 million), as part of what seems to have been a DevOps acquisition spree. Indeed, CA also bolstered its DevOps portfolio via the acquisition of Israeli application performance testing firm BlazeMeter in 2016. In 2015, it purchased agile solution - and DevOps - vendor Rally Software, enterprise test data management firm Grid-Tools, and identity management application vendor IdMlogic.

Veracode: L0pht Roots

Veracode was founded in 2006 by Chris Wysopal and Christien Rioux, both former members of the L0pht, a hacker think tank, and later part of influential security research firm @Stake, which was later acquired by Symantec. Wysopal has remained Veracode's CTO and Rioux, who's credited with writing much of the code in Veracode's products, its chief scientist.

Information security experts have long advocated that organizations that build software - from consumer applications used on desktops and laptops, to the apps that run on mobile devices, to the firmware that gets embedded in hardware and internet of things devices - ensure that their code is as free from bugs as possible before it gets shipped. Numerous studies continue to highlight the relatively low cost required to fix code early in the development stage, as well as the massive spike in costs that occur if bugs must be fixed during testing or after products have been shipped to market.

The Rise of DevOps

The practice of ensuring that code is as free from bugs as possible is called secure development, although the concept has been supplanted by DevOps or SecDevOps, which combines security, software development and IT operations. The nomenclature reflects the embrace of agile development practices, in which complete software iterations can be designed - from conception to working software - in "sprints" of as little as two weeks.

In the previous age of so-called waterfall development, software applications were specified in full, coded over a period of months, then delivered to market - by which time they were out of date, and software testing was often an afterthought. Agile, by contrast, prioritizes getting working software into the hands of whoever needs it, quickly. To accomplish that, agile development teams typically include not just coders but also embedded customers.

Many software development teams have begun incorporating security checks into their DevOps practices as a mandatory part of any sprint. "Just like they fail a build when there's a functionality problem or a performance problem that's unacceptable ... have them fail the build when there are security defects found that can't go into production," Wysopal said recently, summarizing the SecDevOps mindset (see Better Bug Eradication in the Age of Agile Development).

CA Seeks Stronger DevOps Offerings

In announcing the Veracode deal, Ayman Sayed, CA's president and chief product officer, says a big impetus for the move is to bolster the company's DevOps offerings, which aim to help customers apply secure application testing to nuke code flaws as early in the development process as possible.

"For most organizations, implementing software security controls has been inconsistent and un-scalable. Embedding security into the software development lifecycle and making it an automated part of the continuous delivery process means that developers can write code without the hassles of a manual and fragmented approach to security," Sayed says in a blog post. "In turn, end users experience better apps with better code and fewer bugs and false positives. As a result, organizations save time in their remediation efforts and resolution - and consequently, innovation - is sped up."

CA says the deal is also a move to find new sources of revenue, and by 2019 expects sales from new SaaS services acquired with Veracode and Automic to outpace its existing suite of "enterprise solutions."

Gartner is bullish on the application security testing market, reporting last month that the segment "is growing faster than any other security market, as [application security testing] solutions adapt to new development methodologies and increased application complexity." The research firm also called on "security and risk management leaders [to] integrate AST into their application security programs."

Our Uncertain IoT Future

What remains to be seen, however, is how quickly businesses will take such advice to heart, especially when it comes to the millions of internet of things devices that continue to get churned out. Too often, these low-cost products are designed with security as an afterthought, if there's any security at all.

Speaking at last year's Black Hat Europe in London, Veracode's Wysopal predicted a waning consumer appetite for poorly secured internet of things devices.

"I learned when I gave a talk in Chile that the word for security and safety is the same in Spanish," he said, and urged others to adopt that mindset.

In the past, however, many vendors have given themselves a legal out for any poorly secured code or devices they may have rushed to market, by forcing consumers to accept a license before they begin using the software.

But with IoT, "I don't think the consumers are going to be down with the shrink-wrap software license," Wysopal said. "With the internet of things, the technology isn't at arm's distance anymore. It's intertwined with their life now."


About the Author

Mathew J. Schwartz
Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.