A Forrester Total Economic Impact™ Study Commissioned By Veracode, August 2024
Applications form the foundation of today’s modern enterprise. They consist of intricate first-party code as well as open-source and third-party components, and they rely on a diverse and complex supply chain of tools and services for development and deployment. In reviewing the world’s biggest data breaches and privacy abuses in 2023, Forrester found that software supply chain flaws help attackers scale.1 To successfully secure applications and their data, collaboration between security, development, and operations is essential.2
The Veracode Application Risk Management Platform is a unified end-to-end application security (AppSec) solution that provides developers and application security professionals with a single source of all potential first-party and open-source code vulnerabilities. It helps organizations:
Veracode commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying the Veracode Application Risk Management Platform.3 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of the Veracode Platform on their organizations.
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four representatives with experience using the Veracode Platform. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single, composite organization with $2 billion in annual revenue, 1,000 managed apps, and a business goal of increasing development velocity in support of strategic revenue growth.
Interviewees said that prior to using the Veracode Platform, their organizations were exposed to an array of software-based attacks, yet their companies lacked the people, processes, and technologies needed to secure their software development pipelines at scale. The tools and programs they had in place produced large numbers of false positives and ran too late in the development lifecycle. This caused unplanned rework and delays for developers, while the lack of visibility made it difficult for AppSec managers to prioritize testing ahead of releases; broad inefficiencies among these high-value resources made matters worse. Interviewees described how their previous, ineffective AppSec environments hampered organizational agility, stymied innovation, and, at worst, led to costly material data breaches.
After the investment in the Veracode Platform, as well as in the people and processes needed to support related business and growth objectives, the interviewees reported that their organizations mitigated the risk of software-based attacks by measurably reducing security debt earlier in the development process and easing the operational burden required to use several standalone tools. The interviewees discussed how these efficiencies gave developers more time for innovation while accelerating secure software development schedules at scale.
Interviewees’ key results from the transition to the Veracode Platform included reduced costs associated with software-based attacks as well as better relationships with, and a shared sense of responsibility between, security professionals and developers. In addition, they unified their AppSec operations on a single platform, which helped avoid tool fatigue while enabling developers to innovate in response to customer needs. The resulting improvements to overall application security, time to market, product-market fit, and security reporting enabled interviewees’ organizations to significantly accelerate revenue growth, win more deals, and retain more business.
In Forrester’s Security Survey, 2023, security decision-makers most commonly reported that software vulnerability exploits and software supply chain breaches were the cause of breaches from external attacks. In 2022, 52% of security decision-makers told us that application-related exploits were the external attack vector for breaches; that rose to 58% in 2023. Applications, APIs, and their infrastructure have replaced the network as the organization’s new perimeter. Applications have access to lucrative sensitive data from your customers, partners, and employees and are useful for getting a foot in the door before moving across your organization.4
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
The representative interviews and financial analysis found that the composite organization experiences benefits of $7.1 million over three years versus costs of $2.5 million, adding up to a net present value (NPV) of $4.6 million and an ROI of 184%.
Return on investment (ROI): 184%
Benefits PV: $7.1 million
Net present value (NPV): $4.6 million
Payback: less than 6 months
From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in the Veracode Application Risk Management Platform.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that the Veracode Platform can have on an organization.
Interviewed Veracode stakeholders and Forrester analysts to gather data relative to the Veracode Platform.
Interviewed four representatives at organizations using the Veracode Application Risk Management Platform to obtain data about costs, benefits, and risks.
Designed a composite organization based on characteristics of the interviewees’ organizations.
Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Readers should be aware of the following:
This study is commissioned by Veracode and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in the Veracode Application Risk Management Platform.
Veracode reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
Veracode provided the customer names for the interviews but did not participate in the interviews. The cybersecurity practice within Forrester is grounded in industry knowledge and survey information from global organizations, updated on an annual basis. Further information is available from Forrester Business Technographics or from a Forrester analyst.
Consulting Team:
Courtenay O’Connor
Role | Industry | Region | Number of developers |
---|---|---|---|
Director of risk and security | Software | US HQ, global operations | 400 |
Application security engineer | Mining | US HQ, global operations | 30 |
CISO | Healthcare technology | US HQ and operations | 500 |
Head of global engineering tools | Professional services | Europe HQ and operations | 600 |
Prior to investing in the Veracode Platform, interviewees described a high and growing level of risk in their organizations’ software supply chains. Legacy apps were often weighed down with security debt, and inefficient AppSec processes underpinned by inadequate, poorly configured tools prevented interviewees’ organizations from accelerating development cycles and limited their ability to serve new and existing customers. Faced with high numbers of false positives, interviewees’ organizations spent so much time triaging those findings that they were unable to increase development velocity in support of business needs and growth efforts.
Interviewees further lamented their organizations’ inability to quantify and communicate their risk exposure to developers, leadership, customers, or regulators. The lack of adequate reporting on baseline security debt and progress improvements meant security leaders couldn’t meet regulator or customer requirements, lowering profitability and limiting their ability to advocate for further investment in AppSec.
The interviewees noted how their organizations struggled with other common challenges, including:
The interviewees’ organizations searched for a solution that could:
Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the four interviewees, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:
Description of composite. The composite organization has globally distributed customers and operations. Of its 10,000 full-time employees (FTEs), 800 are developers and eight are AppSec professionals. It relies on legacy and newly developed apps for diversified revenue streams from both B2B and B2C go-to-market approaches, and its broad customer base spans the public and private sectors.
The composite generates $2 billion from all revenue streams, but it wants to accelerate the development of multiple, high-growth products to expand its market share. While revenue from these growth segments totals $50 million at the start of the investment period, the composite organization determines that its legacy technology stack can support only limited organic growth.
Deployment characteristics. As part of the composite organization’s broader digital transformation efforts, it transitions its AppSec program onto the Veracode Application Risk Management Platform. In the first year, it prioritizes addressing security flaws in critical apps; it onboards apps to Veracode for SAST and SCA scanning, shifting from quarterly to daily scanning. It also deploys eLearning and Security Labs to help improve the security maturity of its developers.
In Year 2, the composite organization expands its functionality, adding monthly DAST scans for critical apps while incrementally incorporating PTaaS into its Veracode configuration in Year 3. This allows the composite organization to further reduce the number of software flaws while streamlining its AppSec tech stack.
Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
---|---|---|---|---|---|---|
Atr | Reduced cost of a material breach | $314,654 | $674,257 | $842,822 | $1,831,733 | $1,476,511 |
Btr | Developer productivity improvement | $730,080 | $1,557,504 | $1,946,880 | $4,234,464 | $3,413,622 |
Ctr | Application security productivity improvement | $272,204 | $578,433 | $723,041 | $1,573,678 | $1,268,733 |
Dtr | Improved revenue | $211,200 | $422,400 | $528,000 | $1,161,600 | $937,785 |
Total benefits (risk-adjusted) | $1,528,138 | $3,232,594 | $4,040,743 | $8,801,475 | $7,096,651 | |
Evidence and data. Interviewees reported a significant increase in application security indicators after their organizations’ investments in the Veracode Platform. They reported that their organizations effectively eliminated lingering security debt by adopting the Veracode Platform while mitigating the risks associated with software security flaws. Interviewees also shared that their organizations were able to accelerate their fix rate and reduce the overall time it took to remediate flaws. As a result, they:
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Risks. Results may differ from those presented in the financial model due to an organization’s:
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.5 million.
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|
A1 | Likelihood of experiencing one or more breaches per year | Forrester Research | 89% | 89% | 89% | |
A2 | Cost of a software-based attack | Interviews | $3,031,584 | $3,031,584 | $3,031,584 | |
A3 | Percentage of breaches originating from external attacks | Composite | 49% | 49% | 49% | |
A4 | Reduced likelihood of a data breach with Veracode | Interviews | 70% | 75% | 75% | |
A5 | Material breach risk reduction savings | A1*A2*A3*A4 | $925,452 | $991,555 | $991,555 | |
A6 | Percentage of developers onboarded to the Veracode Platform | Composite | 40% | 80% | 100% | |
At | Reduced cost of a material breach | A5*A6 | $370,181 | $793,244 | $991,555 | |
Risk adjustment | ↓15% | |||||
Atr | Reduced cost of a material breach (risk-adjusted) | $314,654 | $674,257 | $842,822 | ||
Three-year total: $1,831,733 | Three-year present value: $1,476,511 |
Evidence and data. Interviewees shared how the Veracode Platform allowed their organizations to better support their developers’ AppSec efforts in terms of both efficacy and efficiency. Rather than expend valuable resources on ineffective testing efforts, their organizations were able to transform their software delivery to be more dynamic and responsive to customer needs. Clear, compelling, and rapid results from AppSec scans empowered developers to secure code with confidence and within schedules and policy guidelines. Interviewees credited these improvements to the Veracode Platform’s functionality, automations, and ease of use. This led to:
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Risks. Results may differ from those presented in the financial model due to an organization’s:
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $3.4 million.
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|
B1 | Total developers | Composite | 800 | 800 | 800 |
B2 | Percentage of developer time dedicated to application security in the prior environment | Composite | 5% | 5% | 5% |
B3 | Total developer hours dedicated to application security in the prior environment | B1*B2*2,080 | 83,200 | 83,200 | 83,200 |
B4 | Percentage of developers onboarded to the Veracode Platform | Composite | 40% | 80% | 100% |
B5 | Percentage reduction in developer hours dedicated to application security | Interviews | 75% | 80% | 80% |
B6 | Productivity recapture | TEI standard | 50% | 50% | 50% |
B7 | Average fully burdened hourly rate for a developer | Composite | $65 | $65 | $65 |
Bt | Developer productivity improvement | B3*B4*B5*B6*B7 | $811,200 | $1,730,560 | $2,163,200 |
Risk adjustment | ↓10% | ||||
Btr | Developer productivity improvement (risk-adjusted) | $730,080 | $1,557,504 | $1,946,880 | |
Three-year total: $4,234,464 | Three-year present value: $3,413,622 |
Evidence and data. Interviewees shared that their organizations overhauled their AppSec programs with the Veracode Platform; they greatly reduced the labor associated with scanning efforts and improved the efficacy of the program. They:
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Risks. Results may differ from those presented in the financial model due to an organization’s:
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.27 million.
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
---|---|---|---|---|---|
C1 | Total application security effort in the prior environment (hours) | Composite | 16,640 | 16,640 | 16,640 |
C2 | Percentage of developers onboarded to the Veracode Platform | Composite | 40% | 80% | 100% |
C3 | Percentage reduction in AppSec workflows with Veracode automation | Interviews | 80% | 85% | 85% |
C4 | Productivity recapture | TEI standard | 80% | 80% | 80% |
C5 | Average fully burdened hourly rate for an AppSec engineer | Composite | $71 | $71 | $71 |
Ct | Application security productivity improvement | C1*C2*C3*C4*C5 | $302,449 | $642,703 | $803,379 |
Risk adjustment | ↓10% | ||||
Ctr | Application security productivity improvement (risk-adjusted) | $272,204 | $578,433 | $723,041 | |
Three-year total: $1,573,678 | Three-year present value: $1,268,733 |
Evidence and data. Several interviewees described how the improved productivity and reduced security debt described above permitted resources to focus on product innovation efforts. The interviewees enumerated the ways in which the Veracode Platform directly impacted their organizations’ revenue growth for existing offerings and newly developed products. Interviewees shared how the platform allowed them to:
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Risks. Results may differ from those presented in the financial model due to an organization’s:
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $940,000.
Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|
D1 | Annual revenue from growth segments in the prior environment | Composite | $50,000,000 | $50,000,000 | $50,000,000 | |
D2 | Increase in annual revenue from growth segments in the Veracode environment | Interviews | 6.6% | 6.6% | 6.6% | |
D3 | Percentage of developers onboarded to the Veracode Platform | TEI standard | 40% | 80% | 100% | |
D4 | Operating margin | Composite | 20% | 20% | 20% | |
Dt | Improved revenue | D1*D2*D3*D4 | $264,000 | $528,000 | $660,000 | |
Risk adjustment | ↓20% | |||||
Dtr | Improved revenue (risk-adjusted) | $211,200 | $422,400 | $528,000 | ||
Three-year total: $1,161,600 | Three-year present value: $937,785 |
Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:
The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement the Veracode Platform and later realize additional uses and business opportunities.
In particular, the director of risk and security at the software company said that their organization’s growing security maturity served as the impetus to expand its use of the Veracode Platform. The organization established a committee to plan the continued rearchitecting of its development program and to build out the following platform functions in line with the company’s business objectives:
Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Appendix A).
Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
---|---|---|---|---|---|---|---|
Etr | Veracode fees | $0 | $457,590 | $930,405 | $1,151,325 | $2,539,320 | $2,049,928 |
Ftr | Deployment | $158,235 | $61,373 | $43,995 | $0 | $263,603 | $250,388 |
Gtr | Administration and scale | $0 | $46,547 | $87,292 | $108,654 | $242,492 | $196,090 |
Total costs (risk-adjusted) | $158,235 | $565,509 | $1,061,692 | $1,259,979 | $3,045,415 | $2,496,406 | |
Evidence and data. Interviewees’ organizations had deployed various configurations of the Veracode Platform according to their use cases, including SAST, SCA, DAST, PTaaS, eLearning, Security Labs, and customer success and support services.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Risks. Results may differ from those presented in the financial model due to an organization’s:
Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2 million.
Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|---|
E1 | Veracode Platform fees | Composite | 0 | $435,800 | $886,100 | $1,096,500 | |
Et | Veracode fees | E1 | $0 | $435,800 | $886,100 | $1,096,500 | |
Risk adjustment | ↑5% | ||||||
Etr | Veracode fees (risk-adjusted) | $0 | $457,590 | $930,405 | $1,151,325 | ||
Three-year total: $2,539,320 | Three-year present value: $2,049,928 |
Evidence and data. Interviewees discussed internal and external deployment costs and their organizations’ approaches to scaling the Veracode Platform. These included:
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Risks. Results may differ from those presented in the financial model due to an organization’s:
Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $250,000.
Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|---|
F1 | Number of FTEs dedicated to iterative deployments | Interviews | 1.5 | 0.5 | 1.0 | 0 | |
F2 | Hours per employee | Interviews | 520 | 260 | 260 | 0 | |
F3 | Total FTE hours dedicated to iterative deployments | F1*F2 | 780 | 130 | 260 | 0 | |
F4 | Fully burdened hourly rate of an implementation resource | Composite | $65 | $65 | $65 | $65 | |
F5 | Total internal deployments costs | F3*F4 | $50,700 | $8,450 | $16,900 | $0 | |
F6 | Total third-party deployment costs | Interviews | $100,000 | $50,000 | $25,000 | $0 | |
Ft | Deployment | F5+F6 | $150,700 | $58,450 | $41,900 | $0 | |
Risk adjustment | ↑5% | ||||||
Ftr | Deployment and adoption (risk-adjusted) | $158,235 | $61,373 | $43,995 | $0 | ||
Three-year total: $263,603 | Three-year present value: $250,388 |
Evidence and data. As interviewees’ organizations navigated the phased deployment of the Veracode Platform described above, they were quickly able to establish a steady operational state. The interviewees described how their organizations dealt with:
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Risks. Results may differ from those presented in the financial model due to an organization’s:
Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $196,000.
Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
---|---|---|---|---|---|---|---|
G1 | Total hours of administration per year | Interviews | 0 | 106 | 127 | 152 | |
G2 | Average hours of internal community-of-practice engagement per month | Interviews | 0.0 | 1.0 | 1.0 | 1.0 |
G3 | Average number of developers actively engaged in a community of practice and scaled adoption | 15% of developers on platform | 0 | 48 | 96 | 120 | |
G4 | Total hours of community-of-practice engagement | G2*G3*12 | 0 | 576 | 1,152 | 1,440 | |
G5 | Total administration and community-of-practice hours | G1+G4 | 0 | 682 | 1,279 | 1,592 | |
G6 | Hourly rate | Composite | $65 | $65 | $65 | $65 | |
Gt | Administration and adoption | G5*G6 | $0 | $44,330 | $83,135 | $103,480 | |
Risk adjustment | ↑5% | ||||||
Gtr | Administration and adoption (risk-adjusted) | $0 | $46,547 | $87,292 | $108,654 | ||
Three-year total: $242,492 | Three-year present value: $196,090 |
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
Initial | Year 1 | Year 2 | Year 3 | Total | Present Value | |
---|---|---|---|---|---|---|
Total costs | ($158,235) | ($565,509) | ($1,061,692) | ($1,259,979) | ($3,045,415) | ($2,496,406) |
Total benefits | $0 | $1,528,138 | $3,232,594 | $4,040,743 | $8,801,475 | $7,096,651 |
Net benefits | ($158,235) | $962,629 | $2,170,903 | $2,780,764 | $5,756,060 | $4,600,245 |
ROI | 184% | |||||
Payback period (months) | <6 | |||||
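The arithmetic behind the tables above is simple but spread across seven streams, each with its own formula, risk adjustment and discounting, so it is easy to get wrong when plugging in your own numbers. The following is an added worked example, not Forrester's or Veracode's model code: it rebuilds benefit streams A through D and cost streams E through G from the per-metric inputs (A1 through G6) listed in the tables, applies the stated downward and upward risk adjustments and the 10% discount rate, and derives PV, NPV, ROI and payback. Two points are assumptions rather than statements on the page: the 2,080 hours-per-FTE factor is inferred from row B3, and payback is computed as the month in which cumulative undiscounted net cash flow first turns positive with each year's net benefit accruing evenly over twelve months.

```python
"""Worked TEI cash-flow model for the composite organization (added example,
not Forrester's or Veracode's own model). Rebuilds streams A-G from the
per-metric inputs, applies risk adjustment and the 10% discount rate, and
derives PV, NPV, ROI and payback. Swap in your own estimates to reuse it."""
from dataclasses import dataclass

RATE = 0.10                       # yearly discount rate used in the study
HOURS_PER_FTE = 2_080             # assumption: 40 h x 52 wk, the factor behind row B3
ONBOARDED = [0.40, 0.80, 1.00]    # developers on the platform, Years 1-3 (A6/B4/C2/D3)


def present_value(flows, rate=RATE):
    """flows[0] is the undiscounted 'time 0' amount; flows[t] is discounted
    at the end of year t, as Appendix A describes."""
    return sum(f / (1 + rate) ** t for t, f in enumerate(flows))


@dataclass
class Stream:
    ref: str
    name: str
    raw: list             # [initial, year1, year2, year3] before risk adjustment
    risk_pct: float       # 0.15 means "down 15%" for a benefit, "up 15%" for a cost
    is_cost: bool = False

    def adjusted(self):
        factor = 1 + self.risk_pct if self.is_cost else 1 - self.risk_pct
        return [f * factor for f in self.raw]

    def total(self):
        return sum(self.adjusted())

    def pv(self):
        return present_value(self.adjusted())


# ---- benefit streams, following the formulas in the Ref. column ------------
def benefit_a(p_breach=0.89, attack_cost=3_031_584, p_external=0.49,
              reduction=(0.70, 0.75, 0.75)):
    return [0] + [p_breach * attack_cost * p_external * r * o      # At = A1*A2*A3*A4*A6
                  for r, o in zip(reduction, ONBOARDED)]


def benefit_b(devs=800, pct_time=0.05, reduction=(0.75, 0.80, 0.80),
              recapture=0.50, rate=65):
    hours = devs * pct_time * HOURS_PER_FTE                        # B3
    return [0] + [hours * o * r * recapture * rate                 # Bt = B3*B4*B5*B6*B7
                  for r, o in zip(reduction, ONBOARDED)]


def benefit_c(hours=16_640, reduction=(0.80, 0.85, 0.85), recapture=0.80, rate=71):
    return [0] + [hours * o * r * recapture * rate                 # Ct = C1*C2*C3*C4*C5
                  for r, o in zip(reduction, ONBOARDED)]


def benefit_d(revenue=50_000_000, uplift=0.066, margin=0.20):
    return [0] + [revenue * uplift * o * margin for o in ONBOARDED]   # Dt = D1*D2*D3*D4


# ---- cost streams ----------------------------------------------------------
def cost_f(ftes=(1.5, 0.5, 1.0, 0), hours=(520, 260, 260, 0), rate=65,
           third_party=(100_000, 50_000, 25_000, 0)):
    return [n * h * rate + tp for n, h, tp in zip(ftes, hours, third_party)]   # Ft = F5+F6


def cost_g(admin_hours=(0, 106, 127, 152), cop_hours_per_month=1.0,
           devs=800, engaged_share=0.15, rate=65):
    engaged = [0] + [devs * o * engaged_share for o in ONBOARDED]  # G3
    return [(a + cop_hours_per_month * e * 12) * rate              # Gt = (G1+G4)*G6
            for a, e in zip(admin_hours, engaged)]


def composite_model():
    benefits = [
        Stream("A", "Reduced cost of a material breach", benefit_a(), 0.15),
        Stream("B", "Developer productivity improvement", benefit_b(), 0.10),
        Stream("C", "Application security productivity improvement", benefit_c(), 0.10),
        Stream("D", "Improved revenue", benefit_d(), 0.20),
    ]
    costs = [
        Stream("E", "Veracode fees", [0, 435_800, 886_100, 1_096_500], 0.05, is_cost=True),
        Stream("F", "Deployment", cost_f(), 0.05, is_cost=True),
        Stream("G", "Administration and scale", cost_g(), 0.05, is_cost=True),
    ]
    return benefits, costs


def summarize(benefits, costs, rate=RATE):
    periods = len(benefits[0].raw)
    b = [sum(s.adjusted()[t] for s in benefits) for t in range(periods)]
    c = [sum(s.adjusted()[t] for s in costs) for t in range(periods)]
    net = [bi - ci for bi, ci in zip(b, c)]
    pv_b, pv_c = present_value(b, rate), present_value(c, rate)
    # Payback (assumption, not defined on the page): month in which cumulative
    # undiscounted net cash flow first turns positive, accruing evenly per year.
    cum, payback_months = 0.0, None
    for t, n in enumerate(net):
        if t and payback_months is None and cum + n >= 0:
            payback_months = (t - 1) * 12 + (-cum / n if n else 0.0) * 12
        cum += n
    return {"benefits_pv": pv_b, "costs_pv": pv_c, "npv": pv_b - pv_c,
            "roi": (pv_b - pv_c) / pv_c, "payback_months": payback_months,
            "net_by_year": net}
```

Running `summarize(*composite_model())` reproduces the cash-flow table to within a dollar or two of rounding: benefits PV of about $7.10 million, costs PV of about $2.50 million, NPV of about $4.60 million, ROI of 184%, and a payback of roughly two months, consistent with the "<6" shown above. Each `Stream.pv()` likewise matches the per-stream present values in the benefit and cost tables. The inputs that most deserve your own numbers are A2 (cost of an attack), A4 (claimed breach-likelihood reduction), B5 and C3 (claimed labor reductions) and D2 (revenue uplift); the risk adjustments only trim these, so an unrealistic input survives into the ROI.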
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.
Benefits represent the value delivered to the business by the product. The TEI methodology places equal weight on the measure of benefits and the measure of costs, allowing for a full examination of the effect of the technology on the entire organization.
Costs consider all expenses necessary to deliver the proposed value, or benefits, of the product. The cost category within TEI captures incremental costs over the existing environment for ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. Having the ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
1 Lessons Learned From The World’s Biggest Data Breaches And Privacy Abuses, 2023, Forrester Research, Inc., February 28, 2024.
2 The State Of Application Security, 2024, Forrester Research, Inc., June 7, 2024.
3 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists vendors in communicating the value proposition of their products and services to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of IT initiatives to both senior management and other key business stakeholders.
4 The State Of Application Security, 2024, Forrester Research, Inc., June 7, 2024.
5 Forrester Technographics 2023. Forrester annually assesses cybersecurity metrics through interviews, surveys, and expertise in the field. Analyses are provided with information rooted with specific data sets most accurately applied to the situations that have been collected in the study.