Veracode: innovation on multiple levels to outcompete HP and IBM
What looks like a great exit for the team at Fortify to HP (rumour says it's a pretty decent acquisition price) comes with a probable added benefit for Boston-based Veracode. Let's look briefly at how a company innovates on multiple levels to out-compete the 8,000-pound gorillas.
Application security in the cloud
If you don't know Veracode, it's growing into a poster child for doing "complex stuff in the cloud", or, more precisely, it is uniquely suited to cloud delivery because of a unique technological breakthrough: the ability to audit compiled code.
“Any company is scared to death of their source code getting pirated,” says Veracode CEO Matt Moynahan. “With binary format, you don’t have that issue. We can do outsourced security testing without having any insight into the source code.” Basically, the company can check code for security flaws without looking at the source, and that's the secret sauce. Moynahan, trying his best to be non-technical, explains it this way: “We create a model of the application that replicates all of the interprocedural flows, runs scans against it, and traverses all possible paths almost infinitely, looking for all of the possible ways somebody could exploit those procedures.” Quotes from Xconomy.
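To make the quoted idea concrete, here is a small added example (my own illustration, not Veracode's code or technique) of what "modelling the interprocedural flows and traversing the paths" means in practice. It runs a taint analysis over an invented three-address IR with invented function names: untrusted input is followed through procedure calls to a dangerous sink, and the same program is then analysed with calls treated as opaque, which is when the flaw goes unnoticed. A real binary analyser would first recover this kind of model from machine code; here the IR is simply given, and branches and loops are left out to keep it short.

```python
"""Toy interprocedural taint analysis over a constructed three-address IR.

Added example, not Veracode's code: it models the calls between procedures
and walks the flow of untrusted input through them to a sink, so a flaw that
only exists across a call boundary is still found. Everything here (the IR,
the program, the function names) is invented for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Instruction forms (invented for this example):
#   ("source", dst)            dst receives attacker-controlled input
#   ("assign", dst, src)       dst = src          (src may be a literal name)
#   ("concat", dst, a, b)      dst = a + b        (taint flows from either operand)
#   ("sanitize", dst, src)     dst = clean(src)   (taint removed)
#   ("call", dst, fn, args)    dst = fn(*args)
#   ("sink", var)              var reaches a dangerous operation (e.g. a DB query)
#   ("ret", var)               return var
Trace = List[str]                          # one step per line: how taint got here
Function = Tuple[List[str], List[tuple]]   # (parameter names, body)
Program = Dict[str, Function]


def analyze(program: Program, entry: str, interprocedural: bool = True) -> List[Trace]:
    """Return one trace per source-to-sink path reachable from `entry`.

    With interprocedural=False every call is opaque (its result is assumed
    clean), which is what an analysis without a call-flow model would do.
    """
    findings: List[Trace] = []
    _walk(program, entry, [], findings, set(), interprocedural)
    return findings


def _walk(program, fn, arg_traces, findings, active, inter) -> Optional[Trace]:
    params, body = program[fn]
    env: Dict[str, Trace] = {}       # maps each *tainted* variable to its trace
    for i, (p, t) in enumerate(zip(params, arg_traces)):
        if t is not None:
            env[p] = t + [f"{fn}: {p} <- argument {i}"]
    active = active | {fn}           # functions on the call stack: cuts off recursion

    for instr in body:
        op = instr[0]
        if op == "source":
            env[instr[1]] = [f"{fn}: {instr[1]} <- untrusted input"]
        elif op == "assign":
            _, dst, src = instr
            _set(env, dst, env.get(src), f"{fn}: {dst} = {src}")
        elif op == "concat":
            _, dst, a, b = instr
            _set(env, dst, env.get(a) or env.get(b), f"{fn}: {dst} = {a} + {b}")
        elif op == "sanitize":
            env.pop(instr[1], None)
        elif op == "call":
            _, dst, callee, args = instr
            ret = None
            if inter and callee in program and callee not in active:
                ret = _walk(program, callee, [env.get(a) for a in args],
                            findings, active, inter)
            _set(env, dst, ret, f"{fn}: {dst} = {callee}({', '.join(args)})")
        elif op == "sink":
            if instr[1] in env:
                findings.append(env[instr[1]] + [f"{fn}: sink({instr[1]})"])
        elif op == "ret":
            return env.get(instr[1])
    return None


def _set(env, dst, trace, step):
    """Bind dst to an extended trace, or clear it if the value is clean."""
    if trace is None:
        env.pop(dst, None)
    else:
        env[dst] = trace + [step]


# Constructed sample program. The flaw: main passes raw input through two
# helpers and then uses the result in a query; the sink sits only in main.
PROGRAM: Program = {
    "main": ([], [
        ("source", "user_id"),
        ("call", "q", "build_query", ["user_id"]),
        ("sink", "q"),                       # executes the query: reported
        ("source", "name"),
        ("call", "safe", "escape", ["name"]),
        ("call", "q2", "build_query", ["safe"]),
        ("sink", "q2"),                      # sanitized upstream: not reported
        ("ret", "q"),
    ]),
    "build_query": (["id"], [
        ("assign", "sql", "SELECT_PREFIX"),  # literal, untainted
        ("call", "quoted", "quote", ["id"]),
        ("concat", "sql", "sql", "quoted"),
        ("ret", "sql"),
    ]),
    "quote": (["v"], [("concat", "w", "v", "QUOTE_CHAR"), ("ret", "w")]),
    "escape": (["s"], [("sanitize", "out", "s"), ("ret", "out")]),
}

if __name__ == "__main__":
    for path in analyze(PROGRAM, "main"):
        print(" -> ".join(path))
    print("findings with opaque calls:", len(analyze(PROGRAM, "main", interprocedural=False)))
```

The analysis is context-sensitive (each call is walked with the taint of its actual arguments), which is what lets the second, sanitized path stay silent while the first is reported with a step-by-step trace across `main`, `build_query` and `quote`. Switching `interprocedural` off makes every call opaque and the finding vanishes, which is the gap a call-flow model closes.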
The company is a signature Atlas Venture deal from my partner Jeff Fagnan, but that's a story for another day.
Innovating on multiple levels
What I always find interesting is that most startup companies innovate on more than one front. There is usually a core innovation, but it tends to be combined with related improvements which make the whole proposition sing.
1: Product. In the case of Veracode, the breakthrough in tech initiated by Chris Wysopal and team allowed them to analyse compiled code instead of source code.
2: Delivery. As a result they were able to move away from what was a services model to a native, scalable cloud application, thereby massively improving the ability to deploy the products, particularly for large enterprises with a ton of subcontracting partners providing code.
3: Ecosystem leverage. As noted by Vance, "devs receive access to Veracode’s database of security scores for enterprise-class open source projects, providing dev teams a rapid and efficient way to research risk/benefit trade-offs of integrating open source with current projects or commercially developed code". The benefit? Much better false-positive rates than on-premise solutions.
The acquisition of Fortify by HP leaves the field wide open for the cloud innovator
HP and IBM have now both acquired in the space and effectively absorbed Veracode’s primary competitors into their on-premise QA/testing platforms. These companies were competing for share of wallet with early Veracode implementations, but the company now stands as the only cloud-based application assurance and security vendor. In the process, the acquirers have also removed confusion in the market by creating a situation where there is now a clear choice between implementation models, with Veracode the clear choice in the cloud. Clearly, having IBM and HP as primary competitors comes with its own set of challenges, but that's exactly what startups do, and Veracode looks set to blossom.