Sam King is the Chief Executive Officer of Veracode and a recognized expert in business management and cybersecurity. A founding member of Veracode, Sam has played a big role in the company’s growth trajectory over the past 17 years, helping to mature it from a small startup to an organization with a $2.5 billion-plus valuation.
Veracode is an application security company. Founded in 2006, it provides SaaS application security that integrates application analysis into development pipelines.
You’ve been involved in cybersecurity for over two decades; what initially attracted you to the industry?
My interest in cybersecurity didn’t come until several years into my technology career. I had worked in computers and technology for a very long time, and around 2000 someone I knew founded a cybersecurity company and invited me to join them. I previously had little knowledge of cybersecurity, but once I got involved, the rest is history.
You initially began your career with Veracode as VP of Service Delivery in 2006 and have since worked your way up to CEO. What have been some key takeaways from this experience?
I feel privileged to have been on this journey. I’ve worked in almost every function at Veracode over my 17 years at the company, and the key takeaway for me is that growing a successful business is — above all — a team sport. Progressing from VP of Service Delivery to CEO, I learned it’s not one person but the connective tissue and collective efforts across the organization that govern the speed and scale of your achievements. I also gained empathy for the demands of various roles, having needed to perform most of them from our pre-revenue days to the global organization we are now.
Veracode envisions a world where software is developed securely from the beginning. Can you discuss why enterprises should integrate application security early into the software development life cycle?
Software is the underlying fabric of organizations, and enterprises need to appreciate that integrating application security early into the software development life cycle (SDLC) is not just the right thing to do but also the smart thing to do. The cost of waiting to find and fix vulnerabilities in the later stages of the SDLC, or after the application has gone live, is extremely high. According to NIST, it is 30X the cost to fix vulnerabilities in production versus earlier. Moreover, it makes for a frustrating experience for a developer when they try to get functionality out to market and security checks delay the process. The ideal process includes testing in the IDE and the CI/CD pipeline. The very process of developing code becomes the process of developing secure code when security testing and remediation are integrated deeply into the SDLC toolchain.
Veracode helps enterprises build and execute scalable AppSec and DevSecOps programs. For readers who are unfamiliar with these terms, could you define them for us?
AppSec is short for “application security” and refers to the tools, policies and practices that can be used to develop a program that ensures code is secure across internal software development as well as third-party applications, open source code and the extended software supply chain. DevSecOps, also known as “secure devops”, is the mindset that security is integrated throughout the whole SDLC, from requirements to architecture and design, coding, testing, release and deployment. Essentially, this means that everyone involved in software development is responsible for application security. The two go hand-in-hand, as they share the goal of making better security decisions and delivering more secure software with greater speed and efficiency.
Could you briefly discuss some of the different solutions that are offered, such as Veracode SAST, Veracode SCA, and Veracode DAST?
Veracode’s Static Analysis (SAST) embeds security throughout a company’s entire SDLC so developers can write secure code in their integrated development environment (IDE), automates scans in the continuous integration/continuous deployment (CI/CD) pipeline and ensures policy compliance before deploying. It helps manage risk by scanning code and finding flaws – then it triages findings and provides developers contextual guidance to prioritize effort, fix critical flaws and reduce risk.
Veracode’s Software Composition Analysis (SCA) automates finding all of the components that make up an application and prescribes actions to manage risk within them. SCA’s machine learning and auto-remediation capabilities prescribe fixes – with the goal of doing so with the least production disruption possible.
Lastly, Dynamic Analysis (DAST) is the part of Veracode’s intelligent software security platform that allows security teams to uncover attack surfaces they never knew existed, find vulnerabilities in runtime environments, and get a comprehensive view of the security posture of their web applications and APIs.
On April 18, 2023, Veracode introduced Intelligent Software Security with the launch of Veracode Fix, a tool that leverages the power of GPT (Generative Pre-trained Transformer) technology. Why was GPT such an important breakthrough in cybersecurity?
Software development and security teams have been sprinting just to stand still. For years, software security has revolved around testing to find issues, but for each issue found, there’s a manual task to fix it. Developers are often tasked with spending time they don’t have, fixing security flaws they don’t understand, in code that they didn’t create… only to find that in the time it takes to fix one flaw, two more are created elsewhere. The need for transformation is clear.
Veracode Fix delivers that transformation, shifting the paradigm from find to fix and marking the arrival of intelligent software security. By harnessing the power of artificial intelligence (AI) to automatically generate fixes for insecure software, Veracode Fix finally brings automation to flaw remediation and re-balances the software security landscape. Unlike most generative AI coding tools, Veracode Fix is not trained on open-source code or code in the wild and doesn’t use or retain customer data to train the model.
Instead, we trained Veracode Fix on a proprietary, curated dataset with supervised learning and alignment from our team of leading security researchers and application security consultants to deliver Veracode’s aggregate experience and expertise in a simple, powerful experience: the power of Veracode at your fingertips.
The Veracode Fix tool shifts the paradigm from AI merely identifying issues to fixing issues. Can you discuss some of the scaling benefits this offers?
Organizations have had to choose between remediating software security flaws and meeting aggressive deadlines to push code into production. Powered by AI and Veracode’s proprietary dataset, Veracode Fix saves developers time by enabling them to write more secure code, quickly. This means flaws that would take hours to remediate, and otherwise last for months, can now be fixed in minutes. The scaling benefit is clear – developers can now create more software faster and thus innovate securely.
How much human intervention is required before an issue is fixed, and where in the picture do humans factor into this kind of cybersecurity?
Despite automation in the software development process, fixing security flaws – particularly in first-party code – has relied solely on manual effort from overburdened and under-supported developers. Until now.
Veracode Fix uses machine learning to generate suggested fixes that developers can review and implement without writing any code.
It’s important to note that Veracode Fix doesn’t automatically fix code but rather suggests fixes. The developer then reviews and implements the fixes without writing any code. This saves developers time, accelerates secure development, and makes it possible to manage risk and pay down security debt at scale with less effort and cost.
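A worked illustration of the "suggest, then a human reviews" model the answers above describe, added here as an example; it is not Veracode's or Veracode Fix's code and makes no claim about how that product works internally. It implements a minimal SAST-style rule with Python's `ast` module: it flags `cursor.execute()` calls whose SQL was assembled by f-string interpolation (a classic injection pattern), rewrites the query to a `?` placeholder with a bound parameter tuple, and emits the rewrite as a unified diff for the developer to review rather than applying it. The sample module, the rule and the fix strategy are all constructed for this example.

```python
# Added illustration (not Veracode's code): a toy SAST rule that flags SQL built by
# string interpolation and produces a *suggested* parameterized rewrite as a diff.
# Nothing is applied automatically; the developer reviews the diff.
# Requires Python 3.9+ (ast.unparse).
import ast
import difflib
import re
from dataclasses import dataclass

# Constructed sample module: find_user interpolates caller input into SQL;
# count_rows uses a constant query and must not be flagged.
SAMPLE_SOURCE = '''\
def find_user(cursor, username):
    query = f"SELECT id FROM users WHERE name = '{username}'"
    cursor.execute(query)
    return cursor.fetchone()

def count_rows(cursor):
    cursor.execute("SELECT count(*) FROM users")
    return cursor.fetchone()[0]
'''


@dataclass
class Finding:
    line: int       # line of the flagged execute() call
    message: str


def _param_query(fstring: ast.JoinedStr):
    """Turn an f-string node into a '?' placeholder template plus the interpolated expressions."""
    template, params = "", []
    for part in fstring.values:
        if isinstance(part, ast.Constant):
            template += str(part.value)
        else:                                   # ast.FormattedValue
            template += "?"
            params.append(part.value)
    # Quotes the author wrapped around the placeholder ('?' or "?") must go:
    # the database driver quotes bound parameters itself.
    return re.sub(r"""(['"])\?\1""", "?", template), params


def _is_execute(node: ast.AST) -> bool:
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "execute" and bool(node.args))


def scan(source: str):
    """Return (findings, suggested_diff). The diff is a proposal for human review."""
    tree = ast.parse(source)
    baseline = ast.unparse(tree).splitlines()   # normalised original, so the diff is clean
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Local `name = f"..."` assignments, so `execute(name)` is recognised too.
        fstrings = {
            s.targets[0].id: s
            for s in func.body
            if isinstance(s, ast.Assign) and len(s.targets) == 1
            and isinstance(s.targets[0], ast.Name) and isinstance(s.value, ast.JoinedStr)
        }
        for call in ast.walk(func):
            if not _is_execute(call):
                continue
            arg = call.args[0]
            if isinstance(arg, ast.JoinedStr):                      # execute(f"...")
                template, params = _param_query(arg)
                call.args[0] = ast.Constant(template)
            elif (isinstance(arg, ast.Name) and arg.id in fstrings
                  and isinstance(fstrings[arg.id].value, ast.JoinedStr)):   # execute(query)
                assign = fstrings[arg.id]
                template, params = _param_query(assign.value)
                assign.value = ast.Constant(template)
            else:
                continue                        # constant or unknown query: not flagged
            # Bind the interpolated values as a parameter tuple instead.
            call.args.insert(1, ast.Tuple(elts=params, ctx=ast.Load()))
            findings.append(Finding(
                call.lineno,
                "SQL query built with string interpolation reaches execute(); "
                "suggested fix: parameterized query (review before applying)"))
    suggested = ast.unparse(tree).splitlines()
    diff = "\n".join(difflib.unified_diff(baseline, suggested, "original", "suggested", lineterm=""))
    return findings, diff


if __name__ == "__main__":
    found, proposal = scan(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f.line}: {f.message}")
    print(proposal)
```

Running the block prints one finding for `find_user` (line 3 of the sample) and a diff that replaces the f-string with `'SELECT id FROM users WHERE name = ?'` and changes the call to `cursor.execute(query, (username,))`; `count_rows` is left untouched. The rule deliberately returns a diff rather than writing the file, which is the review step the interview stresses: the developer confirms the rewrite preserves behaviour before it lands.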
Is there anything else that you would like to share about Veracode?
Technology is always evolving and Veracode is too, but the goal has remained the same since 2006: to secure software at scale. Just as Veracode pioneered AppSec more than 17 years ago, we are now pioneering intelligent software security. Our products and innovations, such as Veracode Fix, are a testament to that.
Veracode was founded by Chris Wysopal, a former white hat hacker turned cyber policy influencer. In 1998, as part of the hacker collective L0pht, Chris testified in front of a U.S. Senate Committee investigating government cyber issues, saying that cyber vendors must do better — they should own the problem.
Since its founding, Veracode has grown from a start-up to a global business with more than 2,600 customers – and what an amazing journey it’s been to watch unfold over all these years. It’s thanks to our commitment to helping customers with their biggest challenges: integrating security into the SDLC; building developer security competency; protecting the software supply; managing web app attack surface risk; and securing cloud-native application development. We’re a 10X Leader in the Gartner Magic Quadrant for Application Security Testing – one of the most in-depth evaluations of our industry – and have received numerous industry accolades over the years.
An area we’re particularly proud of is the culture we have nurtured throughout our history. Just this past year, Veracode was named a 2022 Top Place to Work by The Boston Globe and a 2023 Top Workplaces USA by Energage. We were honored and humbled to be awarded these accolades because we pride ourselves on an inclusive culture that fosters talent and enables employees to perform at their best.