CA Technologies has signed a deal to acquire Veracode. Veracode is a Software as a Service (SaaS) security solution for application security testing (AST). This is not just about developers. Veracode delivers security solutions for developers, operations teams and auditors. It fills a gap in most companies DevOps strategy by ensuring that security is part of the solution. This is a cash only deal that will cost CA around $614 million and is expected to complete in Q1 of fiscal year 2018.
According to Ayman Sayed, President and Chief Product Officer, CA Technologies: “Software is at the heart of every company’s digital transformation. Therefore, it’s increasingly important for them to integrate security at the start of their development processes, so they can respond to market opportunities in a secure manner. This acquisition will unify CA’s Security and DevOps portfolios with a SaaS-based platform that seamlessly integrates security into the software development process.
“Looking holistically at our portfolio, now with Veracode and Automic, we have accelerated the growth profile of our broad set of solutions. We now expect that the size of our growing solutions within our Enterprise Solutions portfolio will eclipse the more mature part of the Enterprise Solutions portfolio in FY19.”
Accelerated code demands better testing solutions
As organisations look to increase the speed with which they deploy new software there are increasing concerns over software testing. Despite an increase in continuous testing and continuous integration, software testing is still an afterthought. According to research from Veracode this results in over 60% of software still failing security tests. Part of the problem is that organisations are still focused on testing the entire application. Veracode believes that to accelerate and improve testing, they have to identify code that has been tested and not changed. This allows them to focus their testing on new code rather than wasting resources testing and retesting old code.
What Veracode offers is an accelerated testing solution that can be integrated into the DevOps process. This works with existing solutions such as static testing to improve code at the earliest opportunity. Fixing code early not only reduces risk but substantially lowers costs. If code gets through to production before mistakes are discovered then NIST says the costs of fixing climb more than 30x. More importantly, the time that code is in production exposes the organisation to the risk of attack and data loss.
Conclusion
Taken together, this acquisition and that of Automic in January show how seriously CA is taking DevOps and Digital Transformation. Both require high degrees of automation and both are generally security poor inside most organisations. To date, most of the attention has been around aligned cross-department processes. Veracode offers something different by bringing security into that automation space. It extends DevOps to DevOpsSec meaning that increased automation does not have to mean increased risk.
CA already plans to put the two products together in the same division. However, will it also add in its API management and mobile app development tools to that? This is an area where there is a lot of activity with companies rushing to create APIs without necessarily considering the security aspect.
Enterprise IT departments are also stretched when it comes to creating mobile apps. Many are outsourcing them and have little control over the code or app security. Veracode is a SaaS application which allows IT departments to require third-party app developers to use it as part of their process. They can then ask for the test results as part of the software delivery process.
CA can add significant value to its customers with its two latest acquisitions. It can speed up processes and software while showing it can all be done securely. The next few months will be interesting.
