CA Technologies has announced plans to snap up application security testing vendor Veracode. The terms of the deal, announced March 6, would see CA paying approximately $614 million in cash for Veracode. Veracode offers software and services to help organizations secure their web, mobile and third-party applications at all stages of the software development lifecycle. That includes tools - including software-as-a-service testing - for in-development code, as well as static testing services designed to analyze third-party applications and open-source components. The firm has offices in Burlington, Mass. and London, and more than 500 employees worldwide.
CA says Veracode will feature in its security and DevOps product portfolios, and plans to offer it as a software-as-a-service product. The deal follows CA in January announcing that it had completed its acquisition of cloud-enabled business automation software vendor Automic for 600 million euros ($635 million), as part of what seems to have been a DevOps acquisition spree. Indeed, CA also bolstered its DevOps portfolio via the acquisition of Israeli application performance testing firm BlazeMeter in 2016. In 2015, it purchased agile solution - and DevOps - vendor Rally Software, enterprise test data management firm Grid-Tools, and identity management application vendor IdMlogic.
Veracode: L0pht Roots
Veracode was founded in 2006 by Chris Wysopal and Christien Rioux, both former members of the L0pht, a hacker think tank, and later part of influential security research firm @Stake, which was later acquired by Symantec. Wysopal has remained Veracode's CTO and Rioux, who's credited with writing much of the code in Veracode's products, its chief scientist.
Information security experts have long advocated that organizations that build software - from consumer applications used on desktops and laptops, to the apps that run on mobile devices, to the firmware that gets embedded in hardware and internet of things devices - ensure that their code is as free from bugs as possible before it gets shipped. Numerous studies continue to highlight the relatively low cost required to fix code early in the development stage, as well as the massive spike in costs that occur if bugs must be fixed during testing or after products have been shipped to market.
The Rise of DevOps
The practice of ensuring that code is as free from bugs as as possible is called secure development, although the concept has been supplanted by DevOps or SecDevOps, which combines security, software development and IT operations. The nomenclature reflects the embrace of agile development practices in which complete software iterations can be designed - from conception to working software - in "sprints" of as little as two weeks.
In the previous age of so-called waterfall development, software applications were specified in full, coded over a period of months, then delivered to market - by which time they were out of date, and software testing often an afterthought. Agile, by contrast, prioritizes getting working software into the hands of whoever needs it, quickly. To accomplish that, agile development teams typically include not just coders but also embedded customers.
Many software development teams have begun incorporating security checks into their DevOps practices as a mandatory part of any sprint. "Just like they fail a build when there's a functionality problem or a performance problem that's unacceptable ... have them fail the build when there are security defects found that can't go into production," Wysopal said recently, summarizing the SecDevOps mindset (see Better Bug Eradication in the Age of Agile Development).
CA Seeks Stronger DevOps Offerings
In announcing the Veracode deal, Ayman Sayed, CA's president and chief product officer, says a big impetus for the move is to bolster the company's DevOps offerings, which aim to help customers apply secure application testing to nuke code flaws as early in the development process as possible.
"For most organizations, implementing software security controls has been inconsistent and un-scalable. Embedding security into the software development lifecycle and making it an automated part of the continuous delivery process means that developers can write code without the hassles of a manual and fragmented approach to security," Sayed says in a blog post. "In turn, end users experience better apps with better code and fewer bugs and false positives. As a result, organizations save time in their remediation efforts and resolution - and consequently, innovation - is sped up.
CA says the deal is also a move to find new sources of revenue, and by 2019 expects sales from new SaaS services acquired with Veracode and Automic to outpace its existing suite of "enterprise solutions."