The Total Economic Impact™ Of the Veracode Application Risk Management Platform

Cost Savings And Business Benefits Enabled By Veracode

A Forrester Total Economic Impact™ Study Commissioned By Veracode, August 2024

Applications form the foundation of today’s modern enterprise. They consist of intricate first-party code as well as open-source and third-party components, and they rely on a diverse and complex supply chain of tools and services for development and deployment. In reviewing the world’s biggest data breaches and privacy abuses in 2023, Forrester found that software supply chain flaws help attackers scale.¹ To successfully secure applications and their data, collaboration between security, development, and operations is essential.²

The Veracode Application Risk Management Platform is a unified end-to-end application security (AppSec) solution that provides developers and application security professionals with a single source of all potential first-party and open-source code vulnerabilities. It helps organizations:

Detect flaws. To do so, the Veracode Platform employs static application security testing (SAST), software composition analysis (SCA), container security, dynamic application security testing (DAST), and penetration (pen) testing as a service (PTaaS).
Respond to software security flaws and vulnerabilities. The Veracode Platform utilizes Veracode Fix, a machine learning feature that generates fixes within a developer’s integrated development environment or command line instance; developers simply need to review and accept the fixes without writing code. It also offers customer success and support services to provide strategic and tactical guidance in order to further accelerate DevSecOps and application security (AppSec) programs.
Prevent further software security flaws and vulnerabilities. Veracode Platform offers eLearning and Security Labs for developers and AppSec professionals in order to shift security knowledge left to developers and empower them to write secure code and remediate security debt.

Veracode commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying the Veracode Application Risk Management Platform.³ The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of the Veracode Platform on their organizations.

Return on investment (ROI)

184%

Net present value (NPV)

$4.60M

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four representatives with experience using the Veracode Platform. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single, composite organization with $2 billion in annual revenue, 1,000 managed apps, and a business goal of increasing development velocity in support of strategic revenue growth.

Interviewees said that prior to using the Veracode Platform, their organizations were vulnerable to an array of software-based attacks, yet their companies lacked the people, processes, and technologies needed to secure their software development pipelines and processes at scale. The tools and programs they had in place were riddled with false positives and occurred too late in the development lifecycle. This caused unplanned rework and delays for developers, while the lack of visibility made it difficult for AppSec managers to effectively triage testing for priority release; this was exacerbated by broad-based inefficiencies for these high-value resources. Interviewees demonstrated how their previous, ineffective AppSec environments hampered organizational agility, stymied innovation, and, at worse, led to costly material data breaches.

After the investment in the Veracode Platform, as well as in the people and processes needed to support related business and growth objectives, the interviewees reported that their organizations mitigated the risk of software-based attacks by measurably reducing security debt earlier in the development process and easing the operational burden required to use several standalone tools. The interviewees discussed how these efficiencies gave developers more time for innovation while accelerating secure software development schedules at scale.

Interviewees’ key results from the transition to the Veracode Platform included reduced costs associated with software-based attacks as well as better relationships with and a shared sense of responsibility between security professionals and developers. In addition, they unified their AppSec operations on a single platform, which helped avoid tool fatigue while enabling developers to better innovate in response to customer needs. The resulting improvements to overall application security, time to market, product-market fit, and security reporting enabled interviewees’ organizations to significantly accelerate growth revenues, win more deals, and retain more business.

Application Exploits Are The Top External Attack Vectors

Applications And Their Ecosystems Are Ideal Targets For External Attacks

In Forrester’s Security Survey, 2023, security decision-makers most commonly reported that software vulnerability exploits and software supply chain breaches were the cause of breaches from external attacks. In 2022, 52% of security decision-makers told us that application-related exploits were the external attack vector for breaches; that rose to 58% in 2023. Applications, APIs, and their infrastructure have replaced the network as the organization’s new perimeter. Applications have access to lucrative sensitive data from your customers, partners, and employees and are useful for getting a foot in the door before moving across your organization.⁴

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

A 75% reduction in the risk of a software-based attack. As the composite organization onboards developers onto the Veracode Platform, the platform’s policy-driven, automated workflows vastly reduce security debt while increasing the number of apps passing within security policies. These early successes spur the expansion of the AppSec program on the Veracode Platform, further embedding security into the design, build, and deploy phases of the software development lifecycle. Over the three-year period, the composite organization reduces breach costs associated with a software-based attack by $1.5 million.
An 80% improvement in developer productivity, resulting in 70,000 developer hours reallocated to innovative product development efforts. The Veracode Platform provides developers with better visibility into security issues much earlier in the development process. Better insights and augmented support from the platform empower developers to quickly identify and enact remediation strategies. This helps rapidly reduce risky security debt and mitigate the total cost of penetration testing. As more developers adopt the Veracode Platform, the composite organization further amplifies developer productivity, reallocating 80% of prior developer AppSec efforts to customer-centered product innovation. This results in developer productivity improvements of $3.4 million over the investment period.
An 85% reduction in manual AppSec workflows thanks to automation. The Veracode Platform is central to the composite organization’s ability to transform its AppSec program. It provides more effective tooling that automates the manual workflows that the composite organization required to prep scans in the prior environment, while also significantly reducing the false-positive rate. These process and efficacy improvements allow the reallocation of almost 25,000 hours of manual AppSec resource labor associated with the prior, unscalable AppSec program. The resulting AppSec productivity improvements help the composite organization avoid $1.3 million in excess labor costs while scaling its scanning capacity.
20% revenue growth from more secure, customer-focused product development. The composite organization leverages the Veracode Platform to effectively shift security earlier in the development process. The augmented scanning capacity also permits the composite organization to accelerate the software development lifecycle. In doing so, the composite brings features and products to market faster and allows more time for developers to respond to customer feedback. Furthermore, the high security standards that the composite organization is able to achieve opens up new markets and revenue streams in both the commercial and public sectors. With amplified development velocity and a more secure, customer-centered product offering, the composite organization wins additional profits totaling $940,000.

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

Augmented reporting capabilities. The Veracode Platform’s built-in access to an array of reporting capabilities leads to significant improvements in quantifying and communicating risk to developers, helping the composite organization win and retain business as well as remain compliant with regulations.

Higher levels of IT spend dedicated to security. Reports generated by the Veracode Platform provide the high level of visibility and transparency that the composite organization needs to identify and focus on the right risks, which translates to winning larger budgets for and bigger investments in application security.
Optimized technology costs. Deploying the Veracode Platform consolidates the composite organization’s AppSec efforts onto a single platform, helping limit product sprawl and the associated technology management spend.
An improved security culture. Improved tooling, developer security champion programs, and clear scanning results empower the composite organization’s developers to integrate security into their software development process at every stage, which significantly advances their security maturity.
An improved developer experience. With the Veracode Platform, developers are equipped with clear reports and tools for all their testing needs in one place. With fewer drains on their resources due to the reduction in manual processes and errors, the composite organization’s developers have more time to drive success in both security and product innovation and report an improved overall experience.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

Veracode fees for SCA, SAST, DAST, PTaaS, eLearning, and Security Labs. The composite organization deploys SCA, SAST, eLearning, and Security Labs throughout the investment period. The composite organization expands its AppSec program to include DAST and PTaaS in Years 2 and 3. Fees for the Veracode Platform fee ramp up year over year as more developers adopt it, totaling just over $2 million.
Deployment costs. The composite organization stands up the Veracode Platform in two days and reaches a steady state of testing within a three-month initial implementation period. In Years 1 and 2, it dedicates additional resource hours to supporting DAST deployment as well as final adoption efforts. Over the investment period, these three-year costs come to $250,000.
Administration and scale costs. The composite’s ongoing administrative effort to maintain the Veracode Platform is limited to approximately 2 hours a week between calibrations and monthly planning meetings with Veracode. Product scaling and administration costs during the investment period amount to more than $240,000.

The representative interviews and financial analysis found that the composite organization experiences benefits of $7.1 million over three years versus costs of $2.5 million, adding up to a net present value (NPV) of $4.6 million and an ROI of 184%.

70,000

Developer hours reallocated to customer-centered product innovation

“We saw that for all older applications, we had a few ‘very high’ and many ‘high’ vulnerabilities when they were onboarded [onto the Veracode Platform]. All applications had those findings, and [developers] realized that this was super important to get out of the way. It was very easy to prioritize with the new prioritization rules as well.”

Head of global engineering tools, professional services

Key Statistics

Return on investment (ROI)

184%

Benefits PV

$7.10M

Net present value (NPV)

$4.60M

Payback

<6 months

Benefits (Three-Year)

Reduced cost of a material breach Developer productivity improvement Application security productivity improvement Improved revenue

TEI Framework And Methodology

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in the Veracode Application Risk Management Platform.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that the Veracode Platform can have on an organization.

Due Diligence

Interviewed Veracode stakeholders and Forrester analysts to gather data relative to the Veracode Platform.
Interviews

Interviewed four representatives at organizations using the Veracode Application Risk Management Platform to obtain data about costs, benefits, and risks.
Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.
Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Disclosures

Readers should be aware of the following:

This study is commissioned by Veracode and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in the Veracode Application Risk Management Platform.

Veracode reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Veracode provided the customer names for the interviews but did not participate in the interviews. The scope of the cyber security practice within Forrester is founded in industry knowledge and survey information from global organizations, updated on an annual basis. Further information is available from Forrester Business Technographics or with a Forrester analyst.

Consulting Team:

Courtenay O’Connor

Drivers leading to the Veracode Application Risk Management Platform investment

Interviews

Role	Industry	Region	Number of developers
Director of risk and security	Software	US HQ, global operations	400
Application security engineer	Mining	US HQ, global operations	30
CISO	Healthcare technology	US HQ and operations	500
Head of global engineering tools	Professional services	Europe HQ and operations	600

Key Challenges

Prior to investing in the Veracode Platform, interviewees shared a high and growing level of risk associated with their organizations’ software supply chains. Legacy apps were often weighed down with security debt, and inefficient AppSec processes underpinned by inadequate, poorly configured tools prevented interviewees’ organizations from accelerating development cycles and limited their ability to serve new and existing customers. Faced with high numbers of false positives, interviewees’ organizations spent such an overwhelming amount of time on triaging these false-positive findings that they were unable to increase development velocity in support of business needs and growth efforts.

Interviewees further lamented their organizations’ inability to quantify and communicate their risk exposure to developers, leadership, customers, or regulators. The lack of adequate reporting on baseline security debt and progress improvements meant security leaders couldn’t meet regulator or customer requirements, lowering profitability and limiting their ability to advocate for further investment in AppSec.

The interviewees noted how their organizations struggled with other common challenges, including:

Application-based attacks resulting in material breaches with extensive costs. Several interviewees indicated that their organizations had experienced at least one material data breach in their previous environment. They also reported extensive potential downsides to breach-related costs.

The head of global engineering tools at the professional services company reported that their organization had experienced an organizationwide breach that would have been preventable with the Veracode Platform. The interviewee described having difficulty advocating for expanded AppSec security budgets until their organization faced the true cost of a software-supply-chain-based security breach. The breach cost their organization nearly $3 million in internal labor and support for 27 development teams, along with further unquantified impacts: “There are a lot of costs that are not documented in [that number] as well, because it shook up the whole organization and halted a lot of development.”
A heightened risk of further software-based attacks from high-risk security debt. Interviewees divulged that their organizations’ prior environments allowed a dangerously high number of vulnerabilities to lurk unmitigated in their app stacks. An additional stream of high-risk flaws continually injected into code bases without proper remediation further compounded the risk that the interviewees’ organizations faced prior to their investment in the Veracode Platform. Coupled with a large number of flaws going unidentified across the criticality spectrum, interviewees enumerated exponential costs associated with their organizations’ total security debt.

The CISO at the healthcare technology company told Forrester that their organization lacked visibility into open-source code in the previous AppSec environments. Without those insights, the organization had a high, yet unquantifiable, level of risk exposure with respect to open-source software supply chain attacks. They said: “Open-source [dependencies] are a part of our [security] tech debt. In terms of our custom code base, it’s a rather large part. When I first got here three years ago, it wasn’t yet being addressed. I told [my leadership]: ‘We can’t see open source anywhere. We don’t have any idea, and I can’t report on the vulnerabilities that I can’t see. This is not a good situation.”
Impediments to developer productivity and innovation. Interviewees noted that their organizations did not furnish their developers with adequate AppSec tools and processes in their prior environments. AppSec activities tended to occur late in the development process when rework was far more disruptive to developers’ release deadlines. Legacy scanning results were often riddled with false positives and lacked the clear data paths needed to understand the root cause of findings. As a result, slow resolution times, low fix rates for security flaws, and a lack of trust in security tooling hampered AppSec efforts. Inadequate support from their legacy AppSec vendors further hindered developers’ ability to swiftly and effectively secure software before pushing it to production.
- The director of risk and security at the software company indicated that their organization’s high false-positive rate in the previous environment caused their developers to lose faith in the tooling and deprioritize resolving security debt. “[The prior solution] was plagued with a really high false-positive rate of 65% to 70%, and the engineers just really had no confidence in it. They’d get a report and [question how many] vulnerabilities were really true.”
- The CISO at the healthcare technology company shared that their development organization inherited a large amount of security debt through acquired organizations. Inheriting the debt made it difficult to instill a shared sense of accountability for security in developers. They said: “A lot of that tech debt was old, and the developers weren’t responsible for having done it in the first place. ... The hard part was getting folks to take responsibility for it. Finding owners to see that stuff got fixed by policy, etc. — that part was harder.”
Application security program challenges. Interviewees’ AppSec programs were poorly resourced and poorly understood, while their security tooling was poorly configured. The lack of structure and efficacy made it difficult for organizations to align their AppSec priorities and capabilities with business objectives. The security vendor sprawl also made it difficult for development teams to know what AppSec tools to use and when. This variability meant it was a challenge for security teams to get a clear picture of application risk.
- The application security engineer at the mining company told Forrester: “There was no program to speak of previously. The team had access to dynamic scanning, but they were only scanning three applications and they were scanning them in production, which is really risky.”
- The head of global engineering tools at the professional services company said that their organization lacked a clear program: “Before, we had about three different vendors. We had [security testing tools but adoption] was very fragmented. There was no clear guidance on what products to use.”
Limited organizational agility. Given the high levels of labor associated with previous AppSec programs, interviewees pointed out that their organizations were unable to shorten development cycles and accelerate development velocity to grow new and varied revenue streams. The lack of visibility into assessing and remediating security debt left AppSec professionals ill-equipped to respond to regulators and customers regarding application security. They also lacked the transparency necessary to achieve the higher levels of accreditation needed to do business with public entities and government agencies.
- The CISO at the healthcare technology company said that their organization’s security debt directly translated into higher business costs: “There’s huge impact in terms of how agile you can be [when you have] all these vulnerabilities that may not allow you to release, especially into a FedRAMP environment and when you’re trying to quickly develop new code and move it out to the cloud. [With our previous approach to scanning] we started at the pipeline control point, which is a bad place to do it. From the developer perspective, if you wait that long to see your vulnerability, you’re not going to [have time to fix] and deploy [on time]. Everybody’s unhappy.”
- The director of risk and security at the software company noted that, in the previous environment, their organization lacked the security and visibility required to answer their customers’ tough questions around application security. The interviewee told Forrester: “They’d ask about our security program, and we’d hem and haw … We had no confidence in the prior [testing] solution and no confidence in the reports.”
Excess costs associated with legacy technologies. Interviewees noted that their organization’s prior AppSec efforts were poorly executed and ineffective, and led to wasting money. Beyond the inefficient use of prior licensed solutions, interviewees identified inefficient AppSec spend associated with legacy, on-premises, hardware-based AppSec testing tools.
- The director of risk and security at the software company told Forrester that their legacy on-premises dynamic scanning tool required their organization to stand up physical environments to support testing. At the time, that approach aligned poorly with their organization’s annual release schedule, leading to larger issues later on: “It was versions behind, license management wasn’t correct, the knowledge was very limited. We could correct those things, but that means uninstalling, reinstalling, retraining, new environments just to execute it correctly, upgrading it to the current versions. There’s a lot of complications there.”
- The CISO at the healthcare technology company shared that their organization faced extraordinary reporting costs with their legacy AppSec vendor: “Any reporting we wanted to do came down to an additional charge for professional services hours to develop reports and whatnot. That is no way to manage a program, to be able to say, ‘I have all this stuff scanned, but I can’t tell you what my risk is.’ That’s not good.”

“[Prior to the Veracode Platform], there wasn’t even a list of applications, let alone a portfolio manager or anything sophisticated like that. There was a leftover spreadsheet from years ago … but it was really unusable."

Application security engineer, mining

Investment Objectives For The Veracode Platform

The interviewees’ organizations searched for a solution that could:

Reduce the risk of a software-based attack and mitigate the cost of a material breach. As their organizations faced the increasingly severe impacts of a software-based attack, interviewees discussed the importance of finding a solution that would minimize the potential for threat actors to exploit software vulnerabilities.

The CISO at the healthcare technology company noted the wide path for attackers to infiltrate an organization via applications if they aren’t secured: “The app stack, which is what Veracode addresses, can be about any kind of risk depending on that flaw. Regardless, the point is, don’t give them the foothold … and we had good security basics. The problem and the scary part was the tech debt. We didn’t really have visibility into it, and that was a large part of why I chose Veracode.”
Enhance developer productivity and innovation while shifting security left. Interviewees indicated that, above all, their organizations’ sought an effective AppSec solution that would integrate well with developer pipelines.

The director of risk and security at the software company shared how a main investment objective and reason for selecting the Veracode Platform was to improve accuracy: “We pursued [the Veracode Platform] for accuracy and to remove inconsistencies.”
Scale application security’s breadth and depth across the organization. Interviewees pointed to their organizational mandates for defense in depth as the main driver of their AppSec investments.

The application security engineer at the mining company reported that their organization invested in the Veracode Platform as a main part of its goal to build an effective security program. They noted that the organization’s prior partial AppSec program wasn’t actually capable of solving anything, so they leveraged the platform to start from scratch and do it correctly.
Enable secure software innovation and delivery that grew revenue opportunities. Interviewees’ organizations looked for a solution that would reduce security flaws while increasing their ability to report on their application risk. With those capabilities, they also wanted to provide more efficient responses to customer and prospect inquiries about security practices and controls. Several interviewees also pointed to the Veracode Platform’s analytics capabilities as a key driver in their organization’s ability to seek higher FedRAMP accreditation, thereby broadening their potential market share via federal contracts.

The director of risk and security at the software company indicated that their organization’s business objectives required a solution that would permit it to develop scalable and responsive SaaS-based products: “We needed something highly scalable. We wanted to be able to do fixes on demand. We wanted to push code changes as frequently as we wanted to.”

“The web app firewall is going to block most of the stuff anyway, but we don’t want to rely on another piece of technology to have confidence that our apps are written in a way that we know is secure.”

Application security engineer, mining

Composite Organization

Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the four interviewees, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:

Description of composite. The composite organization has globally distributed customers and operations. Of its 10,000 full-time employees (FTEs), 800 are developers and eight are AppSec professionals. It relies on legacy and newly developed apps for diversified revenue streams from both B2B and B2C go-to-market approaches, and its broad customer base spans the public and private sectors.

The composite generates $2 billion from all revenue streams, but it wants to accelerate the development of multiple, high-growth products to expand its market share. While revenue from these growth segments total $50 million at the start of the investment period, the composite organization determines that its legacy technology stack can only support limited organic growth.

Deployment characteristics. As part of the composite organization’s broader digital transformation efforts, it transitions its AppSec program onto the Veracode Application Risk Management Platform. In the first year, it prioritizes addressing security flaws in critical apps; it onboards apps to Veracode for SAST and SCA scanning, shifting from quarterly to daily scanning. It also deploys eLearning and Security Labs to help improve the security maturity of its developers.

In Year 2, the composite organization expands its functionality, adding monthly DAST scans for critical apps while incrementally incorporating PTaaS into its Veracode configuration in Year 3. This allows the composite organization to further reduce the number of software flaws while streamlining its AppSec tech stack.

Key Assumptions

$2 billion annual revenue
20% operating margin
10,000 employees
1,000 managed apps
800 developers

Quantified benefit data as applied to the composite

Total Benefits

Ref.	Benefit	Year 1	Year 2	Year 3	Total	Present Value
Atr	Reduced cost of a material breach	$314,654	$674,257	$842,822	$1,831,733	$1,476,511
Btr	Developer productivity improvement	$730,080	$1,557,504	$1,946,880	$4,234,464	$3,413,622
Ctr	Application security productivity improvement	$272,204	$578,433	$723,041	$1,573,678	$1,268,733
Dtr	Improved revenue	$211,200	$422,400	$528,000	$1,161,600	$937,785
	Total benefits (risk-adjusted)	$1,528,138	$3,232,594	$4,040,743	$8,801,475	$7,096,651

Reduced Cost Of A Material Breach

Evidence and data. Interviewees reported a significant increase in application security indicators after their organizations’ investments in the Veracode Platform. They reported that their organizations effectively eliminated lingering security debt by adopting the Veracode Platform while mitigating the risks associated with software security flaws. Interviewees also shared that their organizations were able to accelerate their fix rate and reduce the overall time it took to remediate flaws. As a result, they:

Avoided breaches and associated remediation costs due to software attacks during the investment period. Despite the high prevalence of both direct and third-party software-based attacks that interviewees faced in previous environments, they noted that their organizations did not experience any such breaches when using Veracode to secure their application development.
- After deploying the Veracode Platform, the CISO at the healthcare technology company reported zero downtime incidents due to software supply attacks, particularly following the log4j incident. The CISO indicated that their organization was protected from the open-source vulnerability and that the platform made it easy to report to critical stakeholders following the threat event. Furthermore, they said that their organization didn’t register any application-based incidents following deployment of the Veracode Platform.
- The head of global engineering tools at the professional services company shared that before adopting Veracode, their organization experienced a breach based on a software flaw that cost their organization nearly $3 million in internal remediation labor and support costs across 27 development teams. While that cost estimate was for just one exploit, the interviewee noted that the Veracode Platform allowed their organization to clear 6,000 security flaws, each of which could have wrought the same level of havoc as their previous breach. They further alluded to cascading, unquantified impacts: “There are a lot of costs that are not documented in that $3 million as well because it shook up the whole organization. It halted a lot of development.”
- The director of risk and security at the software company mentioned that the Veracode Platform’s Peer Benchmarking analytics capability offered important insights into their path toward more advanced security maturity: “Our suppliers, our reputation, our trust, and our customers’ reputation is on the line, so we try to stay ahead of the industry. When we do benchmarks, we always find where [we are] definitely ahead of our peers.”
Reduced the number of high-risk flaws and volume of security debt. Interviewees explained that their organizations were able to significantly and measurably reduce high-risk security debt and deliver more apps that met their organization’s security policy, thereby reducing the opportunity for threat actors to exploit flaws.
- The CISO at the healthcare technology company estimated that their organization was able to reduce their exposure to an open-source supply chain attack by eliminating 60% of their open-source security debt with the Veracode Platform: “We started scanning about a year ago and have worked through [approximately] 60% of the outstanding open-source [software flaws]. That’s 20 years of tech debt we’ve worked through in that time, largely because we were able to have the controls in place for software releases with Veracode.”
- The same interviewee also indicated that the Veracode Platform helped increase the percentage of apps that comply with policies. Before Veracode, the CISO estimated that approximately 5% of their organization’s apps were within policy, compared to more than 60% (and growing) today on the Veracode Platform.
- The head of global engineering tools at the professional services company shared that their organization eliminated critical flaws and vulnerabilities, noting, “Today, I’m very happy to say that we have no very high or high vulnerabilities for all 113 applications.”
- The application security engineer at the mining company discussed how their organization reduced the risk associated with a software-based attack by eliminating high-risk and very high-risk vulnerabilities and keeping them out. Once it achieved that target, it moved on to reducing the number of medium-risk vulnerabilities by 75%. “We have managed to eliminate all high and very high vulnerabilities across all of the apps now for two months. We run the reports and scans every day, and for two months we have not seen a single high- or very high-severity vulnerability show up. So they’re not just fixing them; they’re preventing them by [the] reuse of known secure functions and modules across the code base.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

It has an 89% likelihood of experiencing one or more breaches per year, with 49% of breaches originating from external attacks. The cost of a software-based attack for the composite organization is $3 million.⁵
The composite organization reduces the likelihood of a data breach caused by a software-based attack by 70% in Year 1. This increases to 75% in Years 2 and 3 of the investment with the addition of DAST scanning with Veracode.
In Year 1, the composite organization’s material breach risk reduction savings total $925,000, increasing 5% to $992,000 in Years 2 and 3 due to the addition to DAST to the testing portfolio.
In Year 1, the composite onboards 40% of developers to the Veracode Platform. This grows to 80% in Year 2, with 100% of developers on the Veracode Platform by the end of Year 3.

Risks. Results may differ from those presented in the financial model due to an organization’s:

Likelihood of experiencing one or more breaches from external attacks per year.
Cost of a software-based attack.
Reduced likelihood of a data breach with Veracode.
Percentage of developers onboarded to the Veracode Platform.
Ability to adopt the security platform across the organization.
Breadth of customer-facing applications.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.5 million.

75%

Reduced risk of a software supply chain-based attack

“Now we have a lot less chance of having incidents [related to the app stack] because of the thorough view of that risk we have. That’s why we bought Veracode, and it’s doing that job.”

CISO, healthcare technology

“We have now fixed 6,000 errors that were potential vulnerabilities, and every one of them [could have] cost us [another] $3 million [in a breach], so this is a cheap investment.”

Head of global engineering tools, professional services

Reduced Cost Of A Material Breach

Ref.	Metric	Source	Year 1	Year 2	Year 3
A1	Likelihood of experiencing one or more breaches per year	Forrester Research	89%	89%	89%
A2	Cost of a software-based attack	Interviews	$3,031,584	$3,031,584	$3,031,584
A3	Percentage of breaches originating from external attacks	Composite	49%	49%	49%
A4	Reduced likelihood of a data breach with Veracode	Interviews	70%	75%	75%
A5	Material breach risk reduction savings	A1A2A3*A4	$925,452	$991,555	$991,555
A6	Percentage of developers onboarded to the Veracode Platform	Composite	40%	80%	100%
At	Reduced cost of a material breach	A5*A6	$370,181	$793,244	$991,555
	Risk adjustment	↓15%
Atr	Reduced cost of a material breach (risk-adjusted)		$314,654	$674,257	$842,822
Three-year total: $1,831,733			Three-year present value: $1,476,511

Developer Productivity Improvement

Evidence and data. Interviewees shared how the Veracode Platform allowed their organizations to better support their developers’ AppSec efforts in terms of both efficacy and efficiency. Rather than expend valuable resources on ineffective testing efforts, their organizations were able to transform their software delivery to be more dynamic and responsive to customer needs. Clear, compelling, and rapid results from AppSec scans empowered developers to secure code with confidence and within schedules and policy guidelines. Interviewees credited these improvements to the Veracode Platform’s functionality, automations, and ease of use. This led to:

A lower false-positive rate. The Veracode Platform allowed organizations to greatly reduce the prevalence of false positives in scans, which in turn cut down excess labor for developers and AppSec managers alike.

The director of risk and security at the software company reported that their organization was able to significantly reduce the false-positive rate for dynamic scanning, which was extraordinarily high in the previous environment: “We evaluated the accuracy of our dynamic scans, and the false-positive rate was probably 3% [on the Veracode Platform] compared to 35% to 40% [with our legacy DAST tool].”
More rapid AppSec scans. Interviewees discussed how much faster their organizations could conduct scans with automation via the Veracode Platform, compared with their previous manual processes.

The application security engineer at the mining company emphasized how much faster their organization was able to scan apps compared with historical approaches: “The speed of the scans in some cases [was] almost instantaneous for uncomplicated apps. It was really quite amazing how quickly it produced results compared with where things started out back in the early 2000s.”
Higher-quality and more effective AppSec tools for developers. Interviewees discussed how their organizations achieved deeper scanning capabilities with the Veracode Platform, resulting in fewer security flaws being identified over time.

The director of risk and security at the software company noted how the improved insights from Veracode scans made it easier for developers to quickly identify and enact remediation strategies: “The information it provided to us was very clear, including data paths and lines of code. We had a visibility to the scan path that we never had before.”
Faster resolution of security debt. Interviewees demonstrated multiple ways in which their organizations were able to resolve security flaws faster and achieve a higher fix rate than in their previous environment.
- The application security engineer at the mining company noted that without the Veracode Platform, their organization would have dedicated 40 hours of labor across three months to remediate a serious software flaw. With the Veracode Platform, however, it dedicated only 4 hours of labor across 24 hours. They said: “The mean time to remediate from when Veracode identifies a flaw to the time that it’s fixed nowadays is about 24 hours. ... [Developers] keep getting better and better at remediation. I review new flaws every day, and one day they’re there, the next day they’re gone, which is amazing to me. It’s astounding.”
- The director of risk and security at the software company said that their organization reduced the time to remediate flaws identified by Veracode to 10 days, down from 90 days in the previous environment. They said: “In the beginning, it was about a 90-day mean time to repair, and then we kept seeing improvements. The last measurement [… indicated a] 10-day mean time to repair if an issue surfaced. Back in the early days, when it was 90 days, there were thousands of [flaws]. Today, we don’t really worry about 10 days because we don’t have vulnerabilities to repair. But if we did have one, we can resolve it in 10 days, which is well between the biweekly releases.”
- The head of global engineering tools at the professional services company said that Veracode’s premium support allowed them to cut the effort and time to remediate flaws by 85%, from 20 hours to 3 hours. They shared that with premium support that explained the impact of the flaw and discussed best practices for resolving it: “You can have the error fixed within an hour. To figure it out yourself without them, you use 20 hours; instead, you can have a 1-hour session and fix it within 2 to 3. That would then again increase the fix rate and also help us to release products faster.”
Improved developer support. Interviewees also noted that both Veracode directly and the Veracode user community provided prompt, helpful responses to technical questions, further contributing to the faster resolution of flaws.

The application security engineer at the mining company highlighted the importance of the broader Veracode user community in promoting platform adoption: “The Veracode community has been tremendous value. If we run into a problem, chances are somebody else has already seen it. Ninety percent of the time, somebody has [already] figured it out, so we can get answers to questions about anomalies, weirdness, or corner cases pretty quickly if we ask the right questions.”
Reduced internal AppSec costs associated with penetration testing. One interviewee had deployed the Veracode Platform’s PTaaS capabilities, which further reduced the number of findings and amount of rework that developers had to remediate; it also reduced application risk.

The head of global engineering tools at the professional services company reported: “We reduced the [internal] cost of pen testing because now everyone needs to run through Veracode. We have a lot less findings from the pen test [now that] it’s mandatory that everyone is scanned before doing the pen tests. [This results in] 15% or 20% less labor now [because] it’s very seldom that we get high findings from the pen testers.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

In the prior environment, 800 developers dedicated 5% of their time to application security, totaling 83,200 developer hours annually.
In Year 1, the composite onboards 40% of developers to the Veracode Platform. This grows to 80% in Year 2, with 100% of developers on the Veracode Platform by the end of Year 3.
With the Veracode Platform, the composite reduces the amount of time that developers dedicate to application security by 75% in Year 1 and 80% in Years 2 and 3 with the introduction of DAST.
Developers recapture 50% of these time savings and apply them to higher-value development activities.
The fully burdened hourly rate of a developer is $65.

Risks. Results may differ from those presented in the financial model due to an organization’s:

Size and scope of application portfolio and associated developer teams.
Percentage of developers onboarded to the Veracode Platform and ability to adopt security across the organization.
Fully burdened hourly rate of a developer and the prevalence of offshore or contractor developers.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $3.4 million.

80%

Developer productivity improvement

“We’re building upon good clean code and when [developers] add new code, they know what they’re doing now, it doesn’t have flaws, and [the scan] is really just confirmation.”

Director of risk and security, software

Developer Productivity Improvement

Ref.	Metric	Source	Year 1	Year 2	Year 3
B1	Total developers	Composite	800	800	800
B2	Percentage of developer time dedicated to application security in the prior environment	Composite	5%	5%	5%
B3	Total developer hours dedicated to application security in the prior environment	B1B22,080	83,200	83,200	83,200
B4	Percentage of developers onboarded to the Veracode Platform	Composite	40%	80%	100%
B5	Percentage reduction in developer hours dedicated to application security	Interviews	75%	80%	80%
B6	Productivity recapture	TEI standard	50%	50%	50%
B7	Average fully burdened hourly rate for a developer	Composite	$65	$65	$65
Bt	Developer productivity improvement	B3B4B5B6B7	$811,200	$1,730,560	$2,163,200
	Risk adjustment	↓10%
Btr	Developer productivity improvement (risk-adjusted)		$730,080	$1,557,504	$1,946,880
Three-year total: $4,234,464		Three-year present value: $3,413,622

Application Security Productivity Improvement

Evidence and data. Interviewees shared that their organizations overhauled their AppSec programs with the Veracode Platform; they greatly reduced the labor associated with scanning efforts and improved the efficacy of the program. They:

Gained better application security tooling capabilities. Interviewees shared how the Veracode Platform provided a more effective set of tools than they had previously. This allowed their AppSec resources and developers to eliminate manual processes while amplifying the effectiveness and impact of their security scanning efforts. In some cases, the organizations were able to avoid product sprawl and growing their organizations’ AppSec headcount in order to meet business goals.
- The head of global engineering tools at the professional services company said that the Veracode Platform was able to manage a workload that would have required more than a dozen additional resources in their previous environment: “I [told my leadership that] if I’m not getting Veracode … I would need 13 FTEs to have a proper security team just to service [my business unit].”
- The same interviewee also reported that their organization vastly improved its AppSec managers’ ability to triage testing for optimal release schedules. Prior to their Veracode investment, their organization had limited ability to triage scans due to the level of manual labor required: “I would say we weren’t able to [triage] efficiently enough. … To do that properly then, you would spend at least 10 hours to evaluate [which scans to triage], and now you can do it by a glance.”
Used automation to reduce manual labor and errors. Interviewees discussed how reductions in manual efforts enabled their organizations to scale their AppSec program with the same headcount.

The director of risk and security at the software company shared how the Veracode Platform helped their organization achieve the desired levels of speed and consistency for application security: “If you look at the 20,000 scans a year, it takes about 2 hours to prepare each scan if you do it manually. That’s 40,000 [employee] hours a year. ... If we were still doing it manually, we would not be doing 20,000 scans a year; we would not be able to keep pace with biweekly drops.”
Shifted AppSec further left in the software development lifecycle. Two of the four interviewees discussed how their organizations leveraged the Veracode Platform as a tool to empower developers to fully lead AppSec efforts.
- The application security engineer at the mining company shared how their organization’s use of Veracode served developers: “The way I see it, it is great for security people, but it’s not a security tool; it’s a developer’s tool. … Once they understand how it works and that it’s there to help them become better developers, they embrace it, they want to use it. And they want to learn more … rather than hiring new people to do a particular activity related to security, people on the team have stepped up to do it … which is amazing.”
- The director of risk and security at the software company discussed how using the Veracode Platform enabled their organization to effectively shift AppSec fully left with the developers. Their organization was able to swiftly eliminate critical security debt, which vastly reduced the number of findings that developers needed to review, even as it greatly amplified its scanning volumes. This allowed their organization to reallocate two of its three AppSec resources to higher-value activities. At the same time, it cultivated a “security champions” program: On average, one in seven developers served as an application security champion who took on part of the developer relations activities that were formerly conducted by AppSec managers.
- The same interviewee revealed how using the Veracode Platform enabled their organization’s security champions program. From a developer labor perspective, this program entailed leading optional monthly meetings for developers to discuss and advance their AppSec efforts. They said: “Right now, my [application] security team is one person. That’s me. But I have 70 to 80 security champions throughout the R&D and the engineering teams who read the reports, who drive the business, who I have periodic meetings with, and [who are] speeding things up.”

Improved the skills of their AppSec resources. The CISO at the healthcare technology company shared how their organization was able to improve the skills of two AppSec resources by leveraging the Veracode Platform’s customer support and consultations function.

In the previous environment, their organization dedicated skilled senior resources to AppSec, but those high-value FTEs were inefficiently deployed. The Veracode Platform allowed their organization to dedicate junior resources to tactical developer remediation strategies. That allowed the more senior resources, whose time cost up to 50% more than the junior resources, to spend more time on strategic activities and resolving complex security findings. They explained, “As we shift left and those developers are now calling in more and more for AppSec resources, we will be able to refer them out to consults, which will allow us to scale without hiring additional AppSec resources.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

It dedicated 16,640 total hours to application security efforts in its prior environment.
In Year 1, the composite onboards 40% of developers to the Veracode Platform. This grows to 80% in Year 2, with 100% of developers on the Veracode Platform by the end of Year 3.
Veracode automations reduce the effort related to AppSec workflows by 80% in Year 1, increasing to 85% in Years 2 and 3 with DAST testing and further economies of scale.
The resources dedicated to AppSec recapture 80% of these time savings and apply them to higher-value activities.
The fully burdened hourly rate of an AppSec engineer is $71.

Risks. Results may differ from those presented in the financial model due to an organization’s:

Total application security effort in the prior environment.
Percentage of developers onboarded to the Veracode Platform.
Percentage of AppSec workflows that are automated with Veracode.
Productivity recapture.
Size and scope of application portfolio and associated developer teams.
Fully burdened hourly rate of an AppSec engineer developer and the prevalence of offshore or contractor developers.

Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.27 million.

Application Security Productivity Improvement

Ref.	Metric	Source	Year 1	Year 2	Year 3
C1	Total application security effort in the prior environment (hours)	Composite	16,640	16,640	16,640
C2	Percentage of developers onboarded to the Veracode Platform	Composite	40%	80%	100%
C3	Percentage reduction in AppSec workflows with Veracode automation	Interviews	80%	85%	85%
C4	Productivity recapture	TEI standard	80%	80%	80%
C5	Average fully burdened hourly rate for an AppSec engineer	Composite	$71	$71	$71
Ct	Application security productivity improvement	C1C2C3C4C5	$302,449	$642,703	$803,379
	Risk adjustment	↓10%
Ctr	Application security productivity improvement (risk-adjusted)		$272,204	$578,433	$723,041
Three-year total: $1,573,678		Three-year present value: $1,268,733

85%

Reduction in manual AppSec workflows

“[Before] I had a fantastic application security team. They were, and are, doing a great job, but it was all manual reviews, so it did not scale. The Veracode Platform allowed us to scale it up and make a much better use of their time.”

CISO, healthcare technology

Improved Revenue

Evidence and data. Several interviewees described how the improved productivity and reduced security debt described above permitted resources to focus on product innovation efforts. The interviewees enumerated the ways in which the Veracode Platform directly impacted their organizations’ revenue growth for existing offerings and newly developed products. Interviewees shared how the platform allowed them to:

Develop new products, engagement models, and go-to-market approaches. Several interviewees pointed to the pivotal role that the Veracode Platform played in helping address their organizations’ digital transformation goals. In particular, the platform provided powerful and reliable tools to supercharge their secure software development programs for business agility as well as to develop new go-to-market approaches.
- The director of risk and security at the software company described how their developers leveraged the Veracode Platform to transform their products. Their organization pivoted its sprawling, license-based product suite to a consolidated, subscription-based offering, which required significant development effort performed under high levels of scrutiny. Accounting for the revenues cannibalized from the existing licensed product, the organization grew overall topline revenue by 20% following the organization’s go-to-market model shift in 2016 — and by 32% in the past three years. They told Forrester: “The [company’s] future was based on revenue from the subscriptions versus the licenses, which was a risk [but] … that change is going extremely well. … The market loves it. Our revenue stream is just beautiful.”
- The CISO at the healthcare technology company indicated that, uniquely by moving to the Veracode Platform, their organization would meet more-stringent public sector guidelines, thereby opening up a much larger public sector market opportunity for their organization: “[The Veracode Platform] is vital to our getting FedRAMP because FedRAMP cannot have medium [vulnerabilities] and above, and Veracode quite explicitly tells us what’s medium and above by standard scoring. [Our revenues in this segment] start at about $25 million in annual revenue. I don’t know where it grows [from there, but] it’s going to be huge.”
- The director of risk and security at the software company shared how their organization massively scaled its testing frequency with the platform to increase their delivery of new features to market: “In the past, if we scanned five times a release over 12 months, that might be adequate. [Whereas now] we’re releasing every two weeks, so we’re scanning hundreds of times before the biweekly release. So, today, if you include agent-based scanning for the SCA, we’re about 10,000 to 15,000 scans a week now. We just sped things up. When you have automation, you just turn the volume up and start running the cycles much more rapidly.”
Improve product-market fit. Interviewees detailed how AppSec automations and process improvements gave developers more time to focus on product innovation and customer feedback. Developers were able to deliver new features faster, within a shorter timeline, and with the confidence that security had been embedded into the process.

The director of risk and security at the software company said that moving to Veracode’s SaaS-based testing platform helped their organization consolidate and modernize its products. The software company was able to retire and consolidate its legacy, license-based portfolio of 35 products and avoid the associated opex, capex, standalone tools, and on-premises equipment. With Veracode, the interviewee said that their organization was able to pivot to a hosted product offering with just four products. According to the interviewee, in addition to being a more cost-effective set of SKUs for the organization, the new model enabled by the Veracode Platform also streamlined and improved their customers’ experience, resulting in more customers upgrading to their hosted offering and further increasing the profitability of their new products.
Bring products to market faster. With rapid, comprehensive application security testing through the Veracode Platform, interviewees reported accelerated software delivery schedules with improved time to value.

The director of risk and security at the software company explained how the Veracode Platform accelerated their development teams’ speed to market by permitting the organization to shift from an annual to a biweekly release schedule. They said: “We’re constantly delivering new feature functions every two weeks. Back in the day, a customer might be sitting on a version for three years with no feature function improvement and then go through an upgrade that takes six or eight months [to get it], whereas now we’re deploying new features and functions every two weeks.”
Demonstrate alignment with increasingly strict customer security requirements. Interviewees explained how today’s breach-laden business landscape has prompted more stringent terms of engagement. They noted that customers require more information on application security as part of their RFPs. As they transitioned to the Veracode Platform and mitigated security debt, interviewees noted that their organizations were more inherently secure and transparent. They leveraged the reporting capabilities built into the platform to communicate their security posture to customers better, more clearly, and faster than in their previous environment. Interviewees also indicated that merely mentioning that their organization used the Veracode Platform was enough to assure customers of their commitment to application security and protecting customers’ data.
- The CISO at the healthcare technology company noted that as a result of their ability to serve more public sector customers and differentiate from competitors by achieving a higher FedRAMP level, all of their customer segments were going to benefit from this commitment to a higher order of security. They shared: “If you’re [a] commercial [organization] and you’re not government, you’re still benefiting from all the security that [achieving this level of] FedRAMP precludes. So it becomes another selling point for those [commercial] customers, and we will be the only company that can say that [in our market].”
- The director of risk and security at the software company described Veracode as enabling them to address customer security inquiries. By highlighting Veracode as a key driver of their organization’s AppSec program, the interviewee said that they were able to quickly satisfy customers’ AppSec concerns. The interviewee also told Forrester that the Veracode Platform was a vital part of why their organization had the security and visibility required to uplevel its FedRAMP authorization. They also noted the halo effect that the higher level of security would have on their private sector customer segments, with compelling reports that demonstrated their organization’s mature security posture. The interviewee shared that having the Veracode Platform as part of their stack, they were able to quickly signal in meetings with customers that the organization’s AppSec program would properly care for the prospective customers’ data: “When we started using Veracode, we could provide statistics on scan frequency and bugs fixed. … We would talk about Veracode, and those that knew [AppSec] would say ‘Ok, done with security. What’s next?’”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

In the prior environment, the composite organization generated $50 million in annual revenue from growth segments.
With the investment in the Veracode Platform and the people and processes to support it, the composite organization enters new markets and develops new products. This new go-to-market approach increases the annual revenue from growth segments by 20% each year. The composite attributes one-third of this 20% growth to its investment in the Veracode platform, equating to 6.6% of total revenues from growth segments.
In Year 1, the composite onboards 40% of developers to the Veracode Platform. This grows to 80% in Year 2, with 100% of developers on the Veracode Platform by the end of Year 3.
The composite attributes 33% of this revenue impact to Veracode, due to faster developer time to market, the opening up of new markets and products, and the improved ability to meet customers’ AppSec security requirements.
The operating margin is 20%.

Risks. Results may differ from those presented in the financial model due to an organization’s:

Annual revenue from growth segments in the prior environment.
People, process, or technology factors that could account for improved revenue in the growth segment.
Size and scope of application portfolio and associated developer teams.
Percentage of developers onboarded to the Veracode Platform and ability to adopt the platform across organization.
Breadth of customer-facing applications.
Operating margin.

Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $940,000.

Improved Revenue

Ref.	Metric	Source	Year 1	Year 2	Year 3
D1	Annual revenue from growth segments in the prior environment	Composite	$50,000,000	$50,000,000	$50,000,000
D2	Increase in annual revenue from growth segments in the Veracode environment	Interviews	6.6%	6.6%	6.6%
D3	Percentage of developers onboarded to the Veracode Platform	TEI standard	40%	80%	100%
D4	Operating margin	Composite	20%	20%	20%
Dt	Improved revenue	D1D2D3*D4	$264,000	$528,000	$660,000
	Risk adjustment	↓20%
Dtr	Improved revenue (risk-adjusted)		$211,200	$422,400	$528,000
Three-year total: $1,161,600			Three-year present value: $937,785

6.6%

Revenue from growth segments attributed to Veracode

“Our responsiveness to the market is unbelievable now. We can pivot and change and move fast.”

Director of risk and security, software

Unquantified Benefits

Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:

Augmented reporting capabilities. Before investing in the Veracode Platform, interviewees noted that their organizations lacked any visibility into their risk or security debt, and they couldn’t report on it to developers, leadership, customers, and regulators. With the Veracode Platform, however, interviewees described the value of having on-demand, built-in access to clear and actionable insights. They were also able to expend fewer resources on compliance preparation and follow-up, and they helped assure prospective customers that their organizations were safe data partners.
- The head of global engineering tools at the professional services company noted: “The biggest benefit that I have today is the reporting. I really enjoy it. It’s very easy for me to use, and I have also given my CTO access to just go and look the reports.”
- The CISO at the healthcare technology company indicated that the Veracode Platform helped their organization avoid vendor fees, estimated at tens of thousands of dollars annually. This built-in, native reporting capability also vastly improved the clarity and quality of insights compared with the reports they had to pay for in the prior environment. They said, “I’m always in Veracode creating a dashboard to tell one story or another, and when I can’t create it, I reach out to Veracode to help me do it and they don’t charge me.”
Higher levels of IT spend dedicated to security. Some interviewees mentioned that the reports generated by the Veracode Platform provided the high level of visibility and transparency they needed to win larger budgets and bigger investments in application security.

The CISO at the healthcare technology company noted that the efficacy and clarity of the platform’s scanning results gave their leadership enough evidence to support expanded investment in AppSec: “When I’m reporting to the C-suite or to the board, it’s about two things: improvements [to date] and about how much further we need to go, [and now] we can show both. That ultimately means that we get resources to continue our work.”
Optimized technology costs. Most interviewees indicated that their organizations increased their overall investment in application security as they deployed the Veracode Platform. In the transition, however, they noted that their organizations avoided several legacy costs, prevented product sprawl, and optimized spending in other areas.

The CISO at the healthcare technology company indicated that their organization’s inclusion of the Veracode Platform helped reduce the cost of maintaining cyber insurance coverage. They also shared how it helped prevent product sprawl. “We got rid of [our legacy solution], but we would have been bringing in other brands’ tooling, so it’s prevented us from getting tool sprawl as it necessarily consolidated us.”
An improved security culture. Interviewees noted that the productivity improvements for developers and security resources had several cascading impacts. Individual contributors reported better day-to-day experiences and relationships.
- The CISO at the healthcare technology company observed an overall improvement in the relationship between security and developer teams as a result of their organization’s investment in the Veracode Platform. Part of this improvement was derived from incentivizing action on security flaws that would have been difficult, if not impossible, to identify in the previous environment. They said: “We do partner with [developers] very closely in terms of helping them understand where they don’t know how to handle vulnerabilities. … I think [the Veracode Platform] has helped us to be on the same team, emotionally speaking. All the AppDev teams need to understand that these risks exist and that I’m going to prevent them from going to production with [them]. Those things impact their bonuses, which motivates them to fix these vulnerabilities.”
- The director of risk and security at the software company shared how their organization was able to seamlessly build a mature, sophisticated, developer-driven security culture that was integrated into the development cycle. They said: “[We took] the automations together with our CI/CD pipeline, put the security champion and scrum teams in place, and built a distributed security program that is invisible. [The developers] do so much security they don’t even know it.”
Improved developer experiences and security maturity. Interviewees pointed out that the Veracode Platform equipped their developers by gathering all their testing needs in one place. They shared that the clarity of Veracode’s insights and reports also helped instill a greater appreciation for security and foster strong relationships between the developer and security communities in their organizations.
- The head of global engineering tools at the professional services company said: “Veracode has been pivotal in having this one tool to get help on the security testing using DAST, software composition, and static scanning. If we did not have that, we would spend a lot more time … diving into all of these different tools. Now that we have one vendor, we can ask the onboarding team to come in and hold a session on a specific topic for everyone, which is super fantastic.”
- The CISO at the healthcare technology company shared: “My team has been very satisfied with how easy it is to explain to the developers how to use it. It’s a very easy-to-use tool … [and the developers] are happier when they catch up to that tech debt and it’s no longer [on their minds].”

“When I have had to go back and [justify] more dollars for more Veracode licenses, everybody already understood the value of it, [including] how that impacted our ability to meet our [federal] contracts. So, I had no problem getting additional funding to expand Veracode.”

CISO, healthcare

Flexibility

The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement the Veracode Platform and later realize additional uses and business opportunities.

In particular, the director of risk and security at the software company indicated that their organization’s growing security maturity served as the impetus to expand the Veracode Platform. Its organization established a committee to plan the continued rearchitecting of their development program and build out the following platform functions in line with their company’s business objectives:

Veracode Fix. The interviewee’s software company was in the proof-of-value stage for Veracode Fix; it wants to use it to drive further developer efficiencies in fixing flaws while improving the speed to secure development.
Veracode Container Security. The interviewee also told Forrester that their organization was investing in the Veracode Platform’s Container Security functionality for added coverage across its app stack.

Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Appendix A).

“I’m starting to drive the [AppSec] standard higher, including getting us to a [higher] FedRAMP level. We’re rearchitecting the CI/CD pipeline, we’re bringing in new technology, we’re bringing the container scans, we started looking at Veracode Fix. We’re starting to pursue solutions that I wasn’t pursuing in the past because we’re tooling up for a really crazy year. … The game is about to change significantly.”

Director of risk and security, software

Quantified cost data as applied to the composite

Total Costs

Ref.	Cost	Initial	Year 1	Year 2	Year 3	Total	Present Value
Etr	Veracode fees	$0	$457,590	$930,405	$1,151,325	$2,539,320	$2,049,928
Ftr	Deployment	$158,235	$61,373	$43,995	$0	$263,603	$250,388
Gtr	Administration and scale	$0	$46,547	$87,292	$108,654	$242,492	$196,090
	Total costs (risk-adjusted)	$158,235	$565,509	$1,061,692	$1,259,979	$3,045,415	$2,496,406

Veracode Fees

Evidence and data. Interviewees’ organizations had deployed various configurations of the Veracode Platform according to their use cases, including SAST, SCA, DAST, PTaaS, eLearning, Security Labs, and customer success and support services.

The application security engineer at the mining company shared that the Veracode Platform’s eLearning and Security Labs provided developers with continual, asynchronous AppSec enrichment opportunities. They also noted their organization’s scanning frequency of 20,000 static scans annually, with another 10,000 DAST scans weekly. When reflecting on the value that their organization harvested from the Veracode Platform, the interviewee shared: “It’s affordable, and for what it provides, it’s worth it. … It’s good value.”
Pricing may vary. Contact Veracode for details.

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

In Year 1, the composite organization deploys daily SCA and SAST scanning for 60% of critical, customer-facing apps, such as those generating revenue, as well as 50% of internal critical apps like HR management. It also launches eLearning and Security Labs on the Veracode Platform, with 40% of developers onboarded during this phase.
In Year 2, the composite organization increases the scope of its scanning program, with daily SCA and SAST scanning for all critical apps. It also adds monthly DAST scanning for all critical apps and launches PTaaS. By the end of the year, 80% of all developers are onboarded to the Veracode Platform.
In Year 3, the composite organization onboards the remaining 250 noncritical apps to the same schedule, with all apps now on a schedule of daily SCA and SAST scanning and monthly DAST scanning. By the end of the investment period, all developers are onboarded to the Veracode Platform.

Risks. Results may differ from those presented in the financial model due to an organization’s:

Extent to which it rolls out AppSec capabilities on the Veracode Platform.
Size and scope of application portfolio and associated developer teams.
Percentage of developers onboarded to the Veracode Platform and the ability to adopt the platform across organization.
Breadth of customer-facing applications.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2 million.

Increase in scanning capacity with automations

“When we implemented automation in 2018, we [were doing] 4,000 scans, and today we do 24,000 to 25,000 scans a year, and it’s [all due to] automation.”

Director of risk and security, software

Veracode Fees

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
E1	Veracode Platform fees	Composite	0	$435,800	$886,100	$1,096,500
Et	Veracode fees	E1	$0	$435,800	$886,100	$1,096,500
	Risk adjustment	↑5%
Etr	Veracode fees (risk-adjusted)		$0	$457,590	$930,405	$1,151,325
Three-year total: $2,539,320			Three-year present value: $2,049,928

Deployment

Evidence and data. Interviewees discussed internal and external deployment costs and their organizations’ approaches to scaling the Veracode Platform. These included:

Internal and external deployments costs. Interviewees distinguished between the immediate deployment steps to stand up the Veracode Platform and the broader process to onboard developers and reach a steady state. Interviewees said that the former, rapid deployment process took between two days and two weeks and included efforts to set up scanners and onboard users. The broader organizational implementation process ranged from three to six months and consisted of the proof of concept, planning, developer and administrator enablement, tool configuration and integrations, and application rollout activities, including user setup, pipeline integration, and scanning calibrations.
- The application security engineer at the mining company reported that their organization had a two-day platform standup: “Because Veracode is cloud, we didn’t need any of the hardware. In fact, the implementation was done in two days. Then it included setting up all the users, setting up the scanner.”
- The head of global engineering tools at the professional services company said that their organization’s full implementation process took three months. Within that timeframe, however, they noted that Veracode customer support ensured developers had pipelines integrated and ready for scanning within 3 hours of user setup.
- The CISO at the healthcare technology company shared that their organization’s entire implementation stretched across three to six months between the proof of concept and go-live. During that time, the interviewee fully dedicated one internal resource to deployment efforts, such as setting up single-sign-on integrations. They dedicated 50% of another internal resource to pipeline integration.
Scaling considerations. The interviewees reflected on how their organizations approached implementation elements, such as scanning policies and frequencies, prioritization, and expansion of the platform.
- The application security engineer at the mining company described a six-month adoption process for scanning all critical and high-risk apps into Veracode. Their organization then expanded into static scanning to cover the critical and highest-risk apps based on the type of data managed, such as SOC and HR. They shared: “We have the riskier bunch of 25 to 30 of the 108 apps that are considered highest risk … being scanned regularly with dynamic, static, and software composition.”
- The head of global engineering tools at the professional services company described how their organization expanded to other sections: “I partnered with another department when we were choosing a vendor and started to advocate to the other business areas that we should invest in enterprise agreements for having SAST, DAST, and software composition analysis. As we have proven the value, all the other business units also are aligning.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

The composite organization dedicates 780 resource hours to the Veracode deployment during a three-month initial period. In Year 1, the composite organization then dedicates 130 hours to support adoption and scaling. The composite further expands deployment efforts in Year 2, dedicating 260 resource hours to DAST deployment and the final adoption and scaling efforts.
The fully burdened hourly rate of an implementation resource is $65.
The composite organization engages a third-party deployment partner for $100,000. The composite continues to retain the third party through the successive scaling and deployment of DAST, paying $50,000 in third-party partner fees in in Year 1; this drops to $25,000 in Year 2.

Risks. Results may differ from those presented in the financial model due to an organization’s:

Size and scope of application portfolio and associated developer teams.
Percentage of developers onboarded to the Veracode Platform and the ability to adopt the platform across organization.
Number of FTEs and the total number of FTE hours dedicated to iterative deployments.
Fully burdened hourly rate of implementation resources and developers and the prevalence of offshore or contract developers.
Reliance on a third party for deployment efforts. Organizations that do not engage a third party can expect a higher number of internal implementation labor hours and higher related personnel and overhead costs.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $250,000.

3 hours

Developer onboarding time from user setup to integrated pipeline scanning

“[With the Veracode Platform,] we brought in new apps in batches of a dozen at a time, and those scans would run right away and produce results. … At one point we were up to about 4,500 medium vulnerabilities. I just looked again today and there are 1,600, a 75% reduction.”

Application security engineer, mining

Deployment

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
F1	Number of FTEs dedicated to iterative deployments	Interviews	1.5	0.5	1.0	0
F2	Hours per employee	Interviews	520	260	260	0
F3	Total FTE hours dedicated to iterative deployments	F1*F2	780	130	260	0
F4	Fully burdened hourly rate of an implementation resource	Composite	$65	$65	$65	$65
F5	Total internal deployments costs	F3*F4	$50,700	$8,450	$16,900	$0
F6	Total third-party deployment costs	Interviews	$100,000	$50,000	$25,000	$0
Ft	Deployment	F5+F6	$150,700	$58,450	$41,900	$0
	Risk adjustment	↑5%
Ftr	Deployment and adoption (risk-adjusted)		$158,235	$61,373	$43,995	$0
Three-year total: $263,603			Three-year present value: $250,388

Administration And Scale

Evidence and data. As interviewees’ organizations navigated the phased deployment of the Veracode Platform described above, they were quickly able to establish a steady operational state. The interviewees described how their organizations dealt with:

Administrative costs. Following the initial standup and scaled deployment of the Veracode Platform, interviewees reported minimal ongoing administrative costs.
- The CISO at the healthcare technology company shared that the ongoing administrative effort to maintain the Veracode Platform was limited to approximately 2 hours per week.
- The head of global engineering tools at the professional services company shared that the bulk of their organization’s administration of the Veracode Platform totaled approximately 2 hours per month in the form of an hour-long monthly meeting with two internal resources.
Scaling and adoption considerations. Interviewees also discussed ways in which their organizations promoted and enabled platform adoption.
- The application security engineer at the mining company indicated that the Veracode Platform’s clear reporting served a vital role in supporting developer adoption: “Without Veracode, I don’t think anything would have been done because there would have been no visibility and no transparency. The development community would not have deliberately put in a software security function, so things would just continue as they were.”
- The director of risk and security at the software company discussed how using the Veracode Platform enabled their organization’s security champions program. From a developer labor perspective, this program entailed leading optional monthly meetings for developers to discuss and advance their AppSec efforts.
- The head of global engineering tools at the professional services company indicated that their organization intended to scale adoption as much as possible: “In [my business unit], we are 230 people and we have 140 people onboarded onto the platform, but I want to onboard as many as possible. I want the product managers to be able to go in and use the tool to get reports to know their state of security.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

The composite organization spends 2 hours per week on Veracode Platform administration, totaling 106 hours in Year 1. With developer adoption and growth in the platform, this increases to 127 hours of administration in Year 2 and 152 hours in Year 3.
In addition, 15% of onboarded developers participate in 1 hour of community-of-practice (COP) engagement per month. This may include a monthly hour-long, internal COP meeting, eLearning, Security Labs, and other AppSec enrichment opportunities.
The fully burdened hourly rate of a developer is $65.

Risks. Results may differ from those presented in the financial model due to an organization’s:

Size and scope of application portfolio and associated developer teams.
Percentage of developers onboarded to the Veracode Platform and their ability to adopt the platform across organization.
Level of developer engagement in AppSec communities of practice.
Fully burdened hourly rate of an administrator.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $196,000.

2 hours

Platform administration per week

“[Administration of the Veracode Platform ] stays pretty steady state. It only changes when we’re looking at the next piece of the implementation.”

CISO, healthcare technology

Administration And Scale

Ref.	Metric	Source	Initial	Year 1	Year 2	Year 3
G1	Total hours of administration per year	Interviews	0	106	127	152
G2	Average hours of internal community-of practice engagement per month	Interviews	0.0	1.0	1.0	1.0
G3	Average number of developers actively engaged in a community of practice and scaled adoption	15% of developers on platform	0	48	96	120
G4	Total hours of community-of-practice engagement	G2G312	0	576	1,152	1,440
G5	Total administration and community-of-practice hours	G1+G4	0	682	1,279	1,592
G6	Hourly rate	Composite	$65	$65	$65	$65
Gt	Administration and adoption	G5*G6	$0	$44,330	$83,135	$103,480
	Risk adjustment	↑5%
Gtr	Administration and adoption (risk-adjusted)		$0	$46,547	$87,292	$108,654
Three-year total: $242,492			Three-year present value: $196,090

Consolidated Three-Year Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

Total costs Total benefits Cumulative net benefits

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

Cash Flow Analysis (Risk-Adjusted Estimates)

	Initial	Year 1	Year 2	Year 3	Total	Present Value
Total costs	($158,235)	($565,509)	($1,061,692)	($1,259,979)	($3,045,415)	($2,496,406)
Total benefits	$0	$1,528,138	$3,232,594	$4,040,743	$8,801,475	$7,096,651
Net benefits	($158,235)	$962,629	$2,170,903	$2,780,764	$5,756,060	$4,600,245
ROI						184%
Payback period (months)						<6

Appendix A: Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.

Total Economic Impact Approach

Benefits represent the value delivered to the business by the product. The TEI methodology places equal weight on the measure of benefits and the measure of costs, allowing for a full examination of the effect of the technology on the entire organization.
Costs consider all expenses necessary to deliver the proposed value, or benefits, of the product. The cost category within TEI captures incremental costs over the existing environment for ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. Having the ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

PRESENT VALUE (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feed into the total NPV of cash flows.
NET PRESENT VALUE (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
RETURN ON INVESTMENT (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
DISCOUNT RATE

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
PAYBACK PERIOD

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.

Appendix B: Endnotes

¹ Lessons Learned From The World’s Biggest Data Breaches And Privacy Abuses, 2023, Forrester Research, Inc., February 28, 2024.

² The State Of Application Security, 2024, Forrester Research, Inc., June 7, 2024.

³ Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.

⁴ The State Of Application Security, 2024, Forrester Research, Inc., June 7, 2024.

⁵ Forrester Technographics 2023. Forrester annually assesses cybersecurity metrics through interviews, surveys, and expertise in the field. Analyses are provided with information rooted with specific data sets most accurately applied to the situations that have been collected in the study.

ABOUT FORRESTER CONSULTING

Forrester provides independent and objective research-based consulting to help leaders deliver key transformation outcomes. Fueled by our customer-obsessed research, Forrester’s seasoned consultants partner with leaders to execute on their priorities using a unique engagement model that tailors to diverse needs and ensures lasting impact. For more information, visit forrester.com/consulting.

© Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies.

Cookie Settings

This website uses cookies to deliver functionality and enhance your experience. GDPR requires that we obtain your consent before activating these cookies. Please accept the use of cookies or review your cookie settings now.

A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions (data inputs, website navigation), so you don’t have to re-enter data when you come back to the site or browse from one page to another.

Behavioral information collected by our web analytics vendor is used to analyze data pertaining to visitor trends, plan website enhancements, and measure overall website effectiveness. We may also use cookies or web beacons to help us offer you products, programs, or services that may be of interest to you and to deliver relevant advertising. We may use third-party advertising companies to help tailor website content to users or to serve ads on our behalf. These companies may also employ cookies and web beacons to measure advertising effectiveness.

Please accept cookies and the collection of behavioral information to receive full functionality and enhance your experience. If you decline cookies, some features of the website may not function normally.

Please see our Privacy Policy for more information.

Executive Summary

Table Of Contents

Application Exploits Are The Top External Attack Vectors

Applications And Their Ecosystems Are Ideal Targets For External Attacks

Key Findings

Key Statistics

184%

$7.10M

$4.60M

<6 months

Benefits (Three-Year)

TEI Framework And Methodology

Due Diligence

Interviews

Composite Organization

Financial Model Framework

Case Study

Disclosures

The Veracode Platform Customer Journey

Drivers leading to the Veracode Application Risk Management Platform investment

Interviews

Key Challenges

Investment Objectives For The Veracode Platform

Composite Organization

Key Assumptions

Analysis Of Benefits

Quantified benefit data as applied to the composite

Total Benefits

Reduced Cost Of A Material Breach

Reduced Cost Of A Material Breach

Developer Productivity Improvement

Developer Productivity Improvement

Application Security Productivity Improvement

Application Security Productivity Improvement

Improved Revenue

Improved Revenue

Unquantified Benefits

Flexibility

Analysis Of Costs

Quantified cost data as applied to the composite

Total Costs

Veracode Fees

Veracode Fees

Deployment

Deployment

Administration And Scale

Administration And Scale

Financial Summary

Consolidated Three-Year Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

Cash Flow Analysis (Risk-Adjusted Estimates)

Appendixes

Appendix A: Total Economic Impact

Total Economic Impact Approach

PRESENT VALUE (PV)

NET PRESENT VALUE (NPV)

RETURN ON INVESTMENT (ROI)

DISCOUNT RATE

PAYBACK PERIOD

Appendix B: Endnotes

ABOUT FORRESTER CONSULTING