Veracode gets $40M to help companies find security holes in their applications

Veracode, a startup that specializes in making application development more secure, brought in $40 million in its eighth round of funding, bringing the company’s total funding to $134 million. This will be the startup’s last funding round before it considers a possible IPO, said its CEO Bob Brennan.

What makes Veracode different than the recent torrent of security startups that have been raising cash is how its technology aims to strengthen the development process of applications rather than providing network-monitoring services like [company]RiskIQ[/company] or identity management features like [company]Okta[/company]. Brennan said he believes that many of the security breaches today occur by taking advantage of holes in the design and source code of the application itself, especially as these apps are dealing with lots of data flowing in and out.

Many applications don’t take into account today’s “hostile environment” caused by hackers who seemingly cause major breaches each week, explained Brennan. The rise of agile and more rapid development life cycles has also caused the chances of developers overlooking security holes to increase, especially when it’s often the case that developers and the operations staff responsible for overseeing security are separate from each other.

“The world views of security and development are different; one is focussed on building things and one is focussed on monitoring,” Brennan said.

Veracode CEO Bob Brennan

Veracode CEO Bob Brennan

Veracode works by hooking into the development tools used by coders so its cloud-based system can scan their application for vulnerabilities or bugs in the code. Veracode looks for problem spots based on a set of policies that a company sets up to make sure the code adheres to its standards.

“We get deeply embedded in the build process so we are like air,” Brennan said.

Developers don’t even have to send their entire codebase to Veracode; they just need to send the application’s binary, which is essentially the file that contains the whole program that runs when it is opened. Veracode’s patented technology can understand the binary and create a model of the application without actually needing the source code.

After scanning the application, Veracode can tell whether or not a development team has been introducing SQL injection errors and other common security bugs. It then reports that information back to the developers so that they can properly patch up their system.

“We run the program to tell them what has been remediated and what hasn’t,” Brennan said.

Wellington Management Company led the funding round along with existing investors Atlas Venture, 406 Ventures, Meritech Capital Partners, StarVest Partners and Cross Creek.

Post and thumbnail images courtesy of Shutterstock user bluebay.

[go_inject unit=”hide”]