Enterprise devs win with Veracode's SaaS security spinout

Independent once again, Veracode will focus on its cloud-based test services that enable developers to add security to the software development lifecycle.

Veracode users could ultimately benefit as the company sets its own course to develop and support its application security products.

Broadcom, a massive provider of semiconductor and IT infrastructure technologies, closed its acquisition of CA Technologies this week, and immediately jettisoned cybersecurity software provider Veracode to private equity firm Thoma Bravo for $950 million. The application security testing (AST) firm did not fit in with Broadcom's mainframe infrastructure software vision, said Mike McGuinness, executive vice president of sales at Veracode.

But for enterprise developers, Veracode's return to independence reflects the commoditization and utility of application security, particularly in a cloud-native world.

"In almost every way this is good news for the dev community that relies on Veracode's testing tools to manage and automate the non-trivial task of finding vulnerabilities and mitigating risks in development cycles that are moving faster than ever," said Chris Gonsalves, the Boston-based VP of research at The 2112 Group, a Port Washington, N.Y., consultancy. "Veracode now gets to carry on being among the top forces in app security testing -- integrated across a variety of environments -- without being shoehorned into the Broadcom structure."

Veracode's app security finds a new home

Veracode's Application Security Platform provides cloud-based threat mitigation techniques and application security services that enable developers to apply security testing early in the software development life cycle (SDLC) and extend DevSecOps processes.


The company recently added support for programming languages, including Scala, TypeScript, Perl, Play, React.js and Koa.js, as well as support for single-page applications. Veracode also improved its SDLC integrations and static engine to reduce turnaround times, according to a recent Gartner report.

AST once meant static analysis scans were triggered from within an integrated development environment, but that has evolved due to the speed and delivery requirements of modern application development.

"[This] means working with DevOps toolchains, including the ability to automatically trigger application security testing tools using build tools," said Daniel Kennedy, an analyst at New York-based 451 Research.


Upfront security testing will see major adoption over the next several years, analysts predict. Gartner forecasts the AST tools market will grow 14% annually through 2021.

The market is set to "really take off" in the next three to five years, agreed Melinda Ballou, an analyst at Gartner rival IDC.

Moreover, enterprises continue to migrate to cloud-native and serverless apps, where cloud providers secure the infrastructure, networking and operating systems, and users focus on the application layer.

"Application security as a service makes even more sense in a cloud-native world, where it is much easier to integrate continuous security testing into the CI/CD process," said Ory Segal, CTO of PureSec, a serverless security provider in Tel Aviv, Israel.
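The two points above, that AST tools are now triggered automatically from the build toolchain and that continuous security testing fits naturally into a CI/CD process, come down in practice to a gate step: the pipeline runs a scan, reads the findings, and fails the build when policy is violated. The following is an added example, not Veracode's code or API and not from the article's authors; it assumes a constructed JSON findings report (the `findings`, `rule_id`, `severity`, `file` and `line` fields are illustrative) and shows how a build gate can enforce a severity threshold while honouring a reviewed accepted-risk list so that known, triaged findings do not block every build.

```python
"""Added example: a CI/CD policy gate over a static-analysis findings report.

Not Veracode's code or report format; the JSON shape below is constructed
for illustration. The gate fails the build when any finding at or above the
configured severity is not on the reviewed accepted-risk list.
"""
import json
import sys
from dataclasses import dataclass

# Ordering used to compare severities against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report, as a scanner step in the pipeline might emit it.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule_id": "CWE-89", "severity": "High", "file": "app/db.py", "line": 42},
        {"rule_id": "CWE-79", "severity": "Medium", "file": "app/views.py", "line": 10},
        {"rule_id": "CWE-798", "severity": "Critical", "file": "config.py", "line": 3},
    ]
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str  # normalised to lower case
    file: str
    line: int

    def fingerprint(self):
        # Identity used to match a finding against the accepted-risk list.
        return (self.rule_id, self.file, self.line)


def parse_report(report_json):
    """Parse the constructed report format into Finding objects.

    Unknown severities raise rather than being silently ignored, so a
    scanner change cannot quietly weaken the gate.
    """
    data = json.loads(report_json)
    findings = []
    for item in data.get("findings", []):
        sev = str(item["severity"]).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity in report: {item['severity']}")
        findings.append(Finding(item["rule_id"], sev, item["file"], int(item["line"])))
    return findings


def gate(findings, fail_on="high", accepted_risk=frozenset()):
    """Return (passed, blocking) for the build.

    fail_on: lowest severity that blocks the build.
    accepted_risk: fingerprints (rule_id, file, line) already reviewed and
    accepted; these never block, whatever their severity.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= threshold
        and f.fingerprint() not in accepted_risk
    ]
    return (len(blocking) == 0, blocking)


def main(report_json=SAMPLE_REPORT, fail_on="high", accepted_risk=frozenset()):
    # Exit code is what the build tool acts on: non-zero fails the stage.
    passed, blocking = gate(parse_report(report_json), fail_on, accepted_risk)
    for f in blocking:
        print(f"BLOCKING {f.severity:>8} {f.rule_id} {f.file}:{f.line}")
    print("security gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a pipeline, the scan step writes the report and this gate runs immediately after it, so the stage fails before the artifact is promoted; the accepted-risk list belongs in version control beside the pipeline definition so that every suppression is reviewable in the same change history as the code.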

Veracode is a bigger name in AST than CA, so the move back to independence is positive, said Thomas Murphy, a Gartner analyst. Under the Thoma Bravo umbrella, Veracode's product and technology roadmap will be unchanged, McGuinness said. Veracode acquired SourceClear, a software composition analysis systems provider, in April, and those assets remain with Veracode.

Thoma Bravo is also a proven security software investor -- companies in its portfolio include SailPoint, Barracuda Networks, LogRhythm, Bomgar, Blue Coat Systems, SonicWall and Entrust -- so Veracode should find itself well nurtured under its tutelage, said The 2112 Group's Gonsalves. Veracode's product development and roadmaps will almost certainly get a boost from the capital infusion and from a return to a vendor-agnostic approach to the development world.

Broadcom's CA plans remain unclear

The sale to Thoma Bravo might be a boon to Veracode and its customers, but it's less clear why Broadcom and CA were unwilling or unable to make room for it. The Broadcom-CA deal already puzzled many industry watchers from the start, and this muddies the waters even more around complementary technologies and strategies.

"It is strange to buy CA and then sell off some of its best assets," said Gartner's Murphy. "Security also has a tie into what I would say should be important to Broadcom -- so I don't get it. I think the acquisition is a disaster."

Anticipated customer adoption of upfront security testing would seem to have been an attractive strategic piece for Broadcom, added IDC's Ballou. 451 Research's Kennedy agreed that there were synergies with Veracode's software security element in Broadcom's portfolio.

Nevertheless, Broadcom has a history of acquisitions where it keeps pieces of the businesses that fit into its longer-term plans and divests those that don't. And the speed with which Broadcom flipped the Veracode business to Thoma Bravo underscores that Veracode wasn't a great fit in the CA portfolio, said The 2112 Group's Gonsalves.

"That's not a knock on Veracode -- it's more an acknowledgement that CA is a place where goodly acquisitions oft go to wither on the vine," he said. "Broadcom understood that, and got something like a 55% premium for their troubles."

Ed Scannell, senior executive editor, contributed to this story.
