The Total Economic Impact™ Of the Veracode Application Risk Management Platform

Cost Savings And Business Benefits Enabled By Veracode

A Forrester Total Economic Impact Study Commissioned By Veracode, August 2024

Applications form the foundation of today’s modern enterprise. They consist of intricate first-party code as well as open-source and third-party components, and they rely on a diverse and complex supply chain of tools and services for development and deployment. In reviewing the world’s biggest data breaches and privacy abuses in 2023, Forrester found that software supply chain flaws help attackers scale.1 To successfully secure applications and their data, collaboration between security, development, and operations is essential.2

The Veracode Application Risk Management Platform is a unified end-to-end application security (AppSec) solution that provides developers and application security professionals with a single source of all potential first-party and open-source code vulnerabilities. It helps organizations:

  • Detect flaws. To do so, the Veracode Platform employs static application security testing (SAST), software composition analysis (SCA), container security, dynamic application security testing (DAST), and penetration (pen) testing as a service (PTaaS).
  • Respond to software security flaws and vulnerabilities. The Veracode Platform utilizes Veracode Fix, a machine learning feature that generates fixes within a developer’s integrated development environment or command line instance; developers simply need to review and accept the fixes without writing code. It also offers customer success and support services to provide strategic and tactical guidance in order to further accelerate DevSecOps and application security (AppSec) programs.
  • Prevent further software security flaws and vulnerabilities. Veracode Platform offers eLearning and Security Labs for developers and AppSec professionals in order to shift security knowledge left to developers and empower them to write secure code and remediate security debt.

Veracode commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying the Veracode Application Risk Management Platform.3 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of the Veracode Platform on their organizations.

icon

Return on investment (ROI)

184%

icon

Net present value (NPV)

$4.60M

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four representatives with experience using the Veracode Platform. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single, composite organization with $2 billion in annual revenue, 1,000 managed apps, and a business goal of increasing development velocity in support of strategic revenue growth.

Interviewees said that prior to using the Veracode Platform, their organizations were vulnerable to an array of software-based attacks, yet their companies lacked the people, processes, and technologies needed to secure their software development pipelines and processes at scale. The tools and programs they had in place were riddled with false positives and occurred too late in the development lifecycle. This caused unplanned rework and delays for developers, while the lack of visibility made it difficult for AppSec managers to effectively triage testing for priority release; this was exacerbated by broad-based inefficiencies for these high-value resources. Interviewees demonstrated how their previous, ineffective AppSec environments hampered organizational agility, stymied innovation, and, at worse, led to costly material data breaches.

After the investment in the Veracode Platform, as well as in the people and processes needed to support related business and growth objectives, the interviewees reported that their organizations mitigated the risk of software-based attacks by measurably reducing security debt earlier in the development process and easing the operational burden required to use several standalone tools. The interviewees discussed how these efficiencies gave developers more time for innovation while accelerating secure software development schedules at scale.

Interviewees’ key results from the transition to the Veracode Platform included reduced costs associated with software-based attacks as well as better relationships with and a shared sense of responsibility between security professionals and developers. In addition, they unified their AppSec operations on a single platform, which helped avoid tool fatigue while enabling developers to better innovate in response to customer needs. The resulting improvements to overall application security, time to market, product-market fit, and security reporting enabled interviewees’ organizations to significantly accelerate growth revenues, win more deals, and retain more business.

Application Exploits Are The Top External Attack Vectors

Application Exploits Chart

Applications And Their Ecosystems Are Ideal Targets For External Attacks

In Forrester’s Security Survey, 2023, security decision-makers most commonly reported that software vulnerability exploits and software supply chain breaches were the cause of breaches from external attacks. In 2022, 52% of security decision-makers told us that application-related exploits were the external attack vector for breaches; that rose to 58% in 2023. Applications, APIs, and their infrastructure have replaced the network as the organization’s new perimeter. Applications have access to lucrative sensitive data from your customers, partners, and employees and are useful for getting a foot in the door before moving across your organization.4

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

  • A 75% reduction in the risk of a software-based attack. As the composite organization onboards developers onto the Veracode Platform, the platform’s policy-driven, automated workflows vastly reduce security debt while increasing the number of apps passing within security policies. These early successes spur the expansion of the AppSec program on the Veracode Platform, further embedding security into the design, build, and deploy phases of the software development lifecycle. Over the three-year period, the composite organization reduces breach costs associated with a software-based attack by $1.5 million.
  • An 80% improvement in developer productivity, resulting in 70,000 developer hours reallocated to innovative product development efforts. The Veracode Platform provides developers with better visibility into security issues much earlier in the development process. Better insights and augmented support from the platform empower developers to quickly identify and enact remediation strategies. This helps rapidly reduce risky security debt and mitigate the total cost of penetration testing. As more developers adopt the Veracode Platform, the composite organization further amplifies developer productivity, reallocating 80% of prior developer AppSec efforts to customer-centered product innovation. This results in developer productivity improvements of $3.4 million over the investment period.
  • An 85% reduction in manual AppSec workflows thanks to automation. The Veracode Platform is central to the composite organization’s ability to transform its AppSec program. It provides more effective tooling that automates the manual workflows that the composite organization required to prep scans in the prior environment, while also significantly reducing the false-positive rate. These process and efficacy improvements allow the reallocation of almost 25,000 hours of manual AppSec resource labor associated with the prior, unscalable AppSec program. The resulting AppSec productivity improvements help the composite organization avoid $1.3 million in excess labor costs while scaling its scanning capacity.
  • 20% revenue growth from more secure, customer-focused product development. The composite organization leverages the Veracode Platform to effectively shift security earlier in the development process. The augmented scanning capacity also permits the composite organization to accelerate the software development lifecycle. In doing so, the composite brings features and products to market faster and allows more time for developers to respond to customer feedback. Furthermore, the high security standards that the composite organization is able to achieve opens up new markets and revenue streams in both the commercial and public sectors. With amplified development velocity and a more secure, customer-centered product offering, the composite organization wins additional profits totaling $940,000.

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

  • Augmented reporting capabilities. The Veracode Platform’s built-in access to an array of reporting capabilities leads to significant improvements in quantifying and communicating risk to developers, helping the composite organization win and retain business as well as remain compliant with regulations.
  • Higher levels of IT spend dedicated to security. Reports generated by the Veracode Platform provide the high level of visibility and transparency that the composite organization needs to identify and focus on the right risks, which translates to winning larger budgets for and bigger investments in application security.
  • Optimized technology costs. Deploying the Veracode Platform consolidates the composite organization’s AppSec efforts onto a single platform, helping limit product sprawl and the associated technology management spend.
  • An improved security culture. Improved tooling, developer security champion programs, and clear scanning results empower the composite organization’s developers to integrate security into their software development process at every stage, which significantly advances their security maturity.
  • An improved developer experience. With the Veracode Platform, developers are equipped with clear reports and tools for all their testing needs in one place. With fewer drains on their resources due to the reduction in manual processes and errors, the composite organization’s developers have more time to drive success in both security and product innovation and report an improved overall experience.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

  • Veracode fees for SCA, SAST, DAST, PTaaS, eLearning, and Security Labs. The composite organization deploys SCA, SAST, eLearning, and Security Labs throughout the investment period. The composite organization expands its AppSec program to include DAST and PTaaS in Years 2 and 3. Fees for the Veracode Platform fee ramp up year over year as more developers adopt it, totaling just over $2 million.
  • Deployment costs. The composite organization stands up the Veracode Platform in two days and reaches a steady state of testing within a three-month initial implementation period. In Years 1 and 2, it dedicates additional resource hours to supporting DAST deployment as well as final adoption efforts. Over the investment period, these three-year costs come to $250,000.
  • Administration and scale costs. The composite’s ongoing administrative effort to maintain the Veracode Platform is limited to approximately 2 hours a week between calibrations and monthly planning meetings with Veracode. Product scaling and administration costs during the investment period amount to more than $240,000.

The representative interviews and financial analysis found that the composite organization experiences benefits of $7.1 million over three years versus costs of $2.5 million, adding up to a net present value (NPV) of $4.6 million and an ROI of 184%.

70,000

Developer hours reallocated to customer-centered product innovation

“We saw that for all older applications, we had a few ‘very high’ and many ‘high’ vulnerabilities when they were onboarded [onto the Veracode Platform]. All applications had those findings, and [developers] realized that this was super important to get out of the way. It was very easy to prioritize with the new prioritization rules as well.”

Head of global engineering tools, professional services

Key Statistics

  • icon icon

    Return on investment (ROI)

    184%
  • icon icon

    Benefits PV

    $7.10M
  • icon icon

    Net present value (NPV)

    $4.60M
  • icon icon

    Payback

    <6 months
  • icon icon
  • icon icon
  • icon icon
  • icon icon

Benefits (Three-Year)

Reduced cost of a material breach Developer productivity improvement Application security productivity improvement Improved revenue

TEI Framework And Methodology

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in the Veracode Application Risk Management Platform.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that the Veracode Platform can have on an organization.

  1. Due Diligence

    Interviewed Veracode stakeholders and Forrester analysts to gather data relative to the Veracode Platform.

  2. Interviews

    Interviewed four representatives at organizations using the Veracode Application Risk Management Platform to obtain data about costs, benefits, and risks.

  3. Composite Organization

    Designed a composite organization based on characteristics of the interviewees’ organizations.

  4. Financial Model Framework

    Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.

  5. Case Study

    Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Disclosures

Readers should be aware of the following:

This study is commissioned by Veracode and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in the Veracode Application Risk Management Platform.

Veracode reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Veracode provided the customer names for the interviews but did not participate in the interviews. The scope of the cyber security practice within Forrester is founded in industry knowledge and survey information from global organizations, updated on an annual basis. Further information is available from Forrester Business Technographics or with a Forrester analyst.

Consulting Team:

Courtenay O’Connor

Cookie Preferences

Accept Cookies

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions (data inputs, website navigation), so you don’t have to re-enter data when you come back to the site or browse from one page to another.

Behavioral information collected by our web analytics vendor is used to analyze data pertaining to visitor trends, plan website enhancements, and measure overall website effectiveness. We may also use cookies or web beacons to help us offer you products, programs, or services that may be of interest to you and to deliver relevant advertising. We may use third-party advertising companies to help tailor website content to users or to serve ads on our behalf. These companies may also employ cookies and web beacons to measure advertising effectiveness.

Please accept cookies and the collection of behavioral information to receive full functionality and enhance your experience. If you decline cookies, some features of the website may not function normally.

Please see our Privacy Policy for more information.