When Christien Rioux and I started Veracode more than ten years ago, we did so with the mission of securing the world’s software. We believe all software should undergo some level of security testing. Throughout our history that mission remained constant despite the rapid evolution of how software was built, bought and deployed. You see, though the world was changing, it changed in such a way that the need for application security only grew. Applications play a central role in how and why businesses operate, and in our daily lives, and companies are producing them in unprecedented numbers.
The shift to an application economy increases the need for better application security. However, as the demand for applications increased, we have not improved the security posture of our applications. Back in 2010 when we published our very first State of Software Security (SoSS) report, 58% of applications failed the OWASP Top 10 when first assessed for vulnerabilities. But rather than improve, this percentage has only gotten worse. Our most SoSS recent report, published in 2016, showed that 61.4% of applications failed the OWASP Top 10 when first assessed. That’s a higher percentage of failure on a much larger number of applications. The world simply isn’t keeping up with the demand for software security.
We are on the precipice of the next phase in the evolution of software production. Developers are integrating more open source components into their software, components that proliferate risk at an alarming rate. And as DevOps moves from theoretical to practical to the standard development process, we have an opportunity to build security into a system that values cross-team collaboration, continuous improvements and quality.
That is what’s so exciting about the combination of Veracode and CA. The way in which software will be developed is once again changing, and this acquisition creates an opportunity to shape that change. We have a chance to get in on the ground floor and make the future of software development DevSecOps.
By adding the power of Veracode’s ten-plus years of application security expertise, more than 2 trillion lines of code scanned and more than 30,000 flaws fixed, CA is improving its DevOps portfolio with the best defense against the rapidly changing threat landscape. CA now has the capacity to truly shape the way software is developed – identifying and mitigating risk early in the development process with secure application testing. With Veracode, CA can meet the urgent need for an end-to-end solution across development, testing and production – making security and compliance transparent and automated. This means developers can focus on writing high-quality, secure code and getting to market faster, not manually running tests or handing software and results back and forth to a security team. We believe when we publish future SoSS report the number of applications failing upon first assessment will have decreased due to early integration of security practices into the development process.
I’m excited to be a part of the next chapter in Veracode’s history. Becoming part of CA not only helps us serve our customers better, it means that together we can really make a difference in how software is created. Modern paradigms like DevSecOps bring security into the development process sooner. This helps to ensure that security is built into digital applications from the outset. CA is going to lead the way in this transformation.