Veracode commissioned Forrester Consulting to interview four representatives and conduct a Total Economic Impact™ (TEI) study to better understand the benefits, costs, and risks associated with its flagship Veracode Application Risk Management Platform.1 This abstract focuses on the specific benefits of the platform’s application security posture management (ASPM) solution, Veracode Risk Manager (VRM). A new addition to the Veracode Risk Management Platform, VRM is an ASPM solution that serves as an intelligence engine: it connects to existing security tools, unifies context on assets, and delivers a single view of risk from code repositories to runtime environments.
Forrester interviewed two additional customers regarding the business value of using VRM in their Veracode environment at their organizations. These interviewees shared their organizations’ experience leveraging VRM from opposite ends of the security maturity spectrum and included:
- An information security leader at an expanding global insurance organization with over $10 billion in annual revenue and more than 50,000 FTEs. The interviewee described a mature cybersecurity organization, marked by complexity and transformation, with teams in security engineering, application security (AppSec) scanning, cloud infrastructure, vulnerability management, and security assessment.
- An information security leader at an IT services company with fewer than 500 FTEs that is focused on supporting startup and early-stage venture CISOs to build their technology organizations from the ground up.
Despite their wide-ranging starting points, the interviewees shared common challenges in their organizations’ prior technology environments, including insufficient tooling to meet the growing cyberthreats from social engineering, ransomware, and other external and internal threats. Both interviewees came from organizations that were dealing with rapid growth, scaling development for new products and areas while lacking sufficient security expertise and resources to address key security flaws that led to cascading failure points.
Legacy cloud security posture management solutions did not provide an application-centric — and therefore business-oriented — view of the risk captured in the critical security data held by existing tools. As a result, the lack of visibility into assets caused costly and risky cloud misconfigurations, as well as high false positive rates and long resolution times, with excessive investigation labor leading to burnout and strained relationships between security and developers.
The information security leader at the insurance company further stated: “We have a significant number of vulnerabilities, but it’s the quantification of the risk around those vulnerabilities that we care about more than anything. So VRM has helped us a lot with that.”
Security gaps led to frequent security incidents and added to the potential costs of a material data breach, including business disruption and reputational damage and even dangerous insiders allowing lateral movement within an organization’s network:
- The information security leader at the IT services company discussed the theoretical costs of a breach at their organization: “[Costs of] a breach would probably be more reputational. [Fines from an incident we discovered with VRM] would have been tens of millions; I would have been in a firefight for four to six weeks, and it would have [led to] people losing their jobs [and] respect for the technology function, [causing them to be] unwilling to trust them to do their job going forward.”
- The information security leader at the IT services company also discussed an incident in which an offshore consultant shared their credentials and privileges to let other people into the environment to access mission-critical systems, data, and cloud applications.
Investment Drivers for VRM Customers
The interviewees’ organizations adopted the Veracode Risk Manager as an intelligence engine to drive efficient vulnerability prioritization and remediation. With the ability to continuously evaluate threats, interviewees noted the importance of their newfound abilities to understand risk at a higher level of sophistication, as well as to:
- Optimize the security technology stack for lowest risk. Interviewees told Forrester that, in their prior environments, their organizations were not using their existing security solutions, including their cloud security posture management (CSPM) tools, to the best of their advantage. This was because the tools lacked the data sources needed to identify the most appropriate and least costly approach to fixing security issues. Interviewees also discussed how their organizations sought to optimize their environment with VRM by learning how to streamline technology deployments with fewer cloud security agents. VRM gave their organizations the ability to let different vendor CSPM platforms operate within different business units, with VRM offering a unified view.
The information security leader at the IT services company indicated that their teams did not want to purchase a standalone CSPM because resources who had used them before didn’t see the value proposition based on their prior experience: “The team had thought about using a traditional CSPM-type tool and chose VRM, [which] is complementary to a [CSPM] because it will ingest [data from cloud colocation providers and cloud apps]. It will also ingest the vulnerability information from your SIEM [security information and event management]. We [also] chose VRM because it had the correlation ability [we] wanted out of the box. It’s that aggregation layer above to help quantify and understand the risk from all of these different sources. At this point, you can do it almost anywhere.”
- Eliminate excess labor through automated workflows and stop the flow of production vulnerabilities at their root cause. The interviewees indicated that the lack of visibility in the prior environment led to excess effort from labor-intensive workarounds, as well as an inability to prioritize the flow of alerts and actions coming from multiple disparate data sources. As their organizations sought to overcome their prior lack of visibility with VRM, they also intended to better direct their resources’ attention and avoid burnout.
The information security leader at the IT services company said: “I didn’t know everything that was going on in my environment. I bought a bunch of tools [and] could see … a lot of things that [were] misconfigured or had issues, so the pile of issues grew very quickly into this giant iceberg. … We were burying the teams with issues at the beginning and, because we didn’t know [how to prioritize], we … were destroying them to the point of getting backlash from them.”
The information security leader at the insurance company said: “You have to shift left if you want to solve the security problem because it’s not a security problem — it is an organizational process problem. VRM opens up that visibility and incorporating the Veracode data gives us so much rich data on what the problems are. That’s the value to be proactive and to get that visibility.”
- Mitigate cyber risk and the associated costs of a data breach. Interviewees stated that VRM could help their organizations meet growing cyber defense needs in the face of complexity. They noted how it could complement their traditional CSPM solutions by integrating with broader systems to provide additional context related to flaws and vulnerabilities.
The information security leader at the IT services company said: “As soon as we turned the tool on, we got a report that said you have all of these assets in your cloud that are publicly available that have sensitive data in them. [Our engineers] are trying to develop new platforms for the company to do cool stuff and to move the business along. … They’re not [doing it] for wrong or malicious reasons ... but [they are responsible for] all these assets with personal, private, or company confidential information that we have exposed publicly.”
Key Results for VRM Customers
The results of the investment for the interviewees’ organizations include:
Improved visibility. VRM unified and prioritized security issues for the interviewees’ organizations by revealing the connections between cloud misconfigurations and their root causes in source code, often showing that a single course of action remediates multiple current and future issues. VRM improved visibility for interviewees’ organizations by:
- Bringing together more tools and data sources than before. Interviewees said that VRM was unique in its open-ecosystem approach, which improved the breadth and quality of the insights their organizations were able to glean by integrating multiple solutions into their environments.
The information security leader at the insurance company said that by improving visibility, VRM decreased the amount of legwork it would take to achieve a commensurate level of context with labor alone: “I think that we’ve improved our observability and our understanding with the help of VRM. It has the ability to take inputs [from many different sources] and show you [the context] from code-to-cloud in the interface. … You’re going to get a conglomerated view of your environment and get insights already out of the box, which are different than a traditional toolset. … It’s helping us identify more of the embedded vulnerabilities that aren’t easily identified through other tools because it brings in so many different sources that we can correlate items.”
The information security leader at the IT services company told Forrester: “[VRM] is an illuminating tool. It’s shining light in corners that you may not have known were dark, and you’re seeing some things that you weren’t seeing before and certainly in a way that you weren’t seeing them before. I have not seen a tool that does it as well as theirs yet.”
Advanced correlation. Interviewees shared that VRM deduplicated, correlated, and contextualized findings, with the added value of tracing vulnerabilities to their root causes. The information security leader at the insurance company said that their organization had better risk quantification and prioritization with VRM’s correlation abilities. The interviewee reported that this in turn lent efficiency to their newly integrated incident response platforms: “[We are seeing results] not just with VRM, but with that [entire Veracode Risk Management Platform] suite. We’re connecting that correlation to our incident response systems so that those critical types of alerts can be run through our incident response instead of just sending it to the business unit to fix it.”
Better-informed root cause analysis with greater downstream remediation impact. Interviewees noted that VRM’s root cause analysis offered an order-of-magnitude improvement in efficacy, providing better correlation to key data sources. Furthermore, VRM had the added benefit of providing helpful and effective Best Next Actions, with automated capabilities to execute remediation efforts. They noted that Best Next Actions often resolved upstream flaws that were the source of many downstream vulnerabilities, with further benefits including:
- A more holistic, streamlined, and risk-adjusted security investigation and remediation workstream. Interviewees noted that VRM provided a helpful aggregation point for investigators by offering an advanced view into issues and vulnerabilities. With that more rapid, better-informed analysis, interviewees discussed how their security resources were able to remediate issues faster and more effectively.
The information security leader at the insurance company said that VRM offered a valuable new vantage point for automated issue resolution at the root cause level: “You can push a button and start a ticket flow and get things fixed and it’s more of an operational aggregation point … but you get this view that you don’t get in the other tools. You get the conglomeration of information so that if I pull this one thread, I fix 10 things versus pulling 10 threads, which is what a traditional tool will tell you. … We’re [able to say] not only did you have this vulnerability on this particular platform or environment, but you also have a code issue on there as well, which exacerbates the problem [and] makes that asset or that application even higher at risk and getting more at the top of the list of things to work on.”
The information security leader at the IT services company said that VRM’s more comprehensive and intuitive root cause analysis capabilities gave security and AppSec resources a better view into their vulnerabilities. Furthermore, VRM augmented their teams’ ability to monitor their environment continuously: “It’s not humanly possible [to do what VRM does] because these platforms are so complex. There’s no way you can possibly know every switch and bell and button and buzzer. … These tools really give you insight and monitoring all the time. They’re always [on and] watching; while I’m sleeping, they’re watching. It [would be] impossible [for a human to monitor] thousands of servers, thousands of environments.”
- Better root cause analysis that avoids effort spent locating and remediating issues by leveraging critical information. Interviewees reported that VRM provided advanced, continuous threat evaluation in real time, an effort that would have been impossible or insufficient without automation.
The information security leader at the IT services company said: “VRM is going to give you that Best Next Action that lets you see what crown jewel is exposed. [Before, security resources] were doing that with their brains, so feeding all that information into VRM gives them a more centralized look into the world, which helps. [Without VRM], they could have easily added two heads to a 10-person infrastructure team. So, in a total of about 120 people, we probably would have added seven or eight heads just to fix stuff. They probably would have been temporary, but they would have been for a year at least.”
The information security leader at the insurance company said VRM helped with reducing the effort required for container lifecycle management. The interviewee also said VRM reduced false positives immediately: “In the first integration that I talked about, the very first integration with XDR, the first run reduced false positives by 5,000. That is a small number for us, but it’s a good number.”
The information security leader at the IT services company said that VRM Best Next Actions offered the best, most trustworthy guidance compared to that of other solutions they experienced: “I’ve never bought that the 10 things [our legacy tools told us to do] were the right 10 things. This is different. They got it right and it’s showing you the right things to work on that you can trust. It [shows] the context of what’s happening in the environment plus the risk that you have in the environment, so you can identify your [riskiest] assets. I’m telling you, it’s really, really well done. I’m impressed by how well it’s done.”
The information security leader at the insurance company said: “What we needed was something that saw a lot more [than traditional CSPMs]. And VRM came along, it was kind of that threat abstraction layer where you could pump other things into it and take a lot of data. So, it was like a SIEM [but goes beyond a SIEM] to manage the risks within your organization and truly understand them and go after what matters instead of just focusing on processes that don’t solve the root of your issue. How do we find a solution to 20,000 vulnerabilities in containers? Well, we don’t stand up a process to keep patching those vulnerabilities. We stand up a process to stop delivering those.”
Additional unanticipated benefits. In addition to reducing risk and related workflows, interviewees shared a number of additional, unanticipated benefits that arose from their expanded deployment of VRM, including:
- Improved security posture in the cloud. Taken together, the improved context, correlation, and action served to improve the interviewees’ organizations’ cloud security posture. The information security leader at the insurance company reported that, in combination with change management best practices for the cloud, such as tagging for automated discovery, their organization was able to measurably improve its cloud security posture: “We’re about a 3.5 on NIST CSF maturity scale. … We saw improvements across several areas [after deploying VRM], including attack surface management and access management.”
- Reduced operational cloud expenses. The information security leader at the insurance company shared that their organization was able to decrease reliance on their organization’s cloud service providers: “We may be turning off [our cloud service provider’s resource manager]. [It] costs us quite a bit of money and we’re finding that we see the same data in [our CSPM] and VRM from multiple sources. … It looks like we’re going to be able to carve out a pretty large expense for the organization … in the millions without a doubt [and] that would be out of everybody’s operational expenses. … We’ve already had around a quarter of a million dollars in savings by identifying images that people were just storing for no reason. They didn’t even know they were storing them. They had a process that made a copy, and these images were just sitting there, costing money.”
- Optimized and diversified tech stack validation. The information security leader at the insurance company noted that VRM gave their organization the ability to let different vendor CSPM platforms operate within different business units, with VRM offering a unified view. Furthermore, VRM’s ability to take in many different sources of data positioned it well to assist in measuring the efficacy of other cyber defense solutions: “Because we get data sources from so many different places, we’re starting to use it as a bake-off between our various solutions. We wanted to see how [a CSPM we were using] was doing so we’re doing a comparison of [two solutions] and seeing what percentage of alerts it’s finding come renewal season.”
- Decreased audit expenses. The information security leader at the insurance company said: “One of the organizations does a SOC 2 [certification]. They have an external auditor come in and validate that they’re meeting all our controls. [With VRM], we can do automated control reporting. … Nobody has to collect evidence. Nobody has to go and do a big process. ... The issues are going into tickets, and then the process is tested during an audit, so it reduces your control testing requirements. When you audit an IT system, if it’s an automated control, you only test it once. If it’s not automated, you have to sample. So, your audit fees go down. Everything goes down with automated controls.”
- Decreased burnout for technology resources. The information security leader at the IT services company noted that, by shifting left and reducing the number of root issues that each caused multiple problems in production, they were able to decrease pressure on the team while at the same time actively lowering risk in the environment.