Sam King, CEO of Veracode – Interview Series

Sam King is the Chief Executive Officer of Veracode and a recognized expert in business management and cybersecurity. A founding member of Veracode, Sam has played a significant role in the company’s growth trajectory over the past 17 years, helping to mature it from a small startup to a company with a $2.5 billion plus valuation.

Veracode is an application security company. Founded in 2006, it provides SaaS application security that integrates application analysis into development pipelines.

You’ve been involved in cybersecurity for over 2 decades, what initially attracted you to the industry?

My interest in cybersecurity didn’t come until several years into my technology career. I worked in computers and technology for a long time and around 2000 someone I knew founded a cybersecurity company and invited me to join them. I previously had little knowledge of cybersecurity, but once I got involved, the rest is history.

You initially began your career with Veracode as a VP of Service Delivery in 2006 and have since worked your way up to CEO. What have been some key takeaways from this experience?

I feel privileged to have been on this journey. I’ve worked in almost every function at Veracode over my 17 years at the company and the key takeaway for me is that growing a successful business is — above all — a team sport. Progressing from VP of Service Delivery to CEO, I learned it’s not one person but the connective tissue and collective efforts across the organization that governs the speed and scale of your achievements. I also gained empathy for the demands of different roles having had to perform most of them from our pre-revenue days to the global organization we are now.

Veracode envisions a world where software is developed securely from the start. Can you discuss why enterprises should integrate application security early into the software development life cycle?

Software is the underlying fabric of organizations and enterprises need to realize that integrating application security early into the software development life cycle (SDLC) is not just the right thing to do, but it is also the smart thing to do. The cost of waiting to discover and fix vulnerabilities in the later stages of the SDLC or after the application has gone live is extremely high. According to NIST, it is 30X the cost to fix vulnerabilities in production than earlier. Furthermore, it makes for a frustrating experience for a developer when they are trying to get functionality out to market, and security checks hold up the process. The ideal process includes testing in the IDE and the CI/CD pipeline. The very process of developing code becomes the process of developing secure code when security testing and remediation are integrated deeply into the SDLC toolchain.

Veracode helps enterprises build and execute scalable AppSec and DevSecOps programs. For readers who are unfamiliar with these terms could you define them for us?

AppSec is short for “application security” and refers to the tools, policies and practices that can be used to develop a program that ensures code is secure across internal software development as well as third-party applications, open source code and the extended software supply chain. DevSecOps, also known as “secure devops”, is the mindset that security is integrated throughout the entire SDLC, from requirements to architecture and design, coding, testing, release and deployment. Essentially, this means that everyone involved in software development is responsible for application security. The two go hand-in-hand as they share the goal of making better security decisions and delivering safer software with greater speed and efficiency.

Could you briefly discuss some of the different solutions that are offered such as Veracode SAST, Veracode SCA, and Veracode DAST?

Veracode’s Static Analysis (SAST), which embeds security throughout an organization’s entire SDLC so developers can write secure code in their integrated development environment (IDE), automates scans in its continuous integration and continuous integration/continuous deployment (CI/CD) pipeline and ensures policy compliance before deploying. It helps manage risk by scanning code and finding flaws – then it triages findings and gives developers contextual guidance to prioritize effort, fix critical flaws and reduce risk.

Veracode’s Software Composition Analysis (SCA) automates finding all the components that make up an application and prescribes actions to manage risk within them. SCA’s machine learning and auto-remediation capabilities prescribe fixes – with the goal of doing so with the least amount of production disruption possible.

Lastly, Dynamic Analysis (DAST) is the part of Veracode’s intelligent software security platform that enables security teams to uncover attack surfaces they never knew existed, find vulnerabilities in runtime environments, and get a comprehensive view of the security posture of their web applications and APIs.

On April 18, 2023, Veracode Introduced Intelligent Software Security with the launch of Veracode Fix, a tool that leverages the power of GPT (Generative Pre-trained Transformer) technology. Why was GPT such an important breakthrough in cybersecurity?

Software development and security teams have been sprinting just to stand still. For years, software security has revolved around testing to find issues, but for every issue found, there is a manual task to fix. Developers are often tasked with spending time they don’t have, fixing security flaws they don’t understand, in code that they didn’t create… only to find in the time it takes to fix one flaw, two more are created elsewhere. The need for transformation is evident.

Veracode Fix delivers that transformation, shifting the paradigm from find to fix and marking the advent of intelligent software security. By harnessing the power of artificial intelligence (AI) to automatically generate fixes for insecure software, Veracode Fix finally brings automation to flaw remediation and re-balances the software security landscape. Unlike most generative AI coding tools, Veracode Fix is not trained on open-source code or code in the wild and does not use or retain customer data to train the model.

Instead, we trained Veracode Fix on a proprietary, curated dataset with supervised learning and alignment from our team of leading security researchers and application security consultants to deliver Veracode’s aggregate experience and expertise in a simple, powerful experience: the power of Veracode at your fingertips.

The Veracode Fix tool shifts the paradigm from AI merely identifying issues to fixing issues. Can you discuss some of the scaling benefits this offers? 

Organizations have had to choose between remediating software security flaws and meeting aggressive deadlines to push code into production. Powered by AI and Veracode’s proprietary dataset, Veracode Fix saves developers time by enabling them to write more secure code, quickly. This means flaws that would take hours to remediate and otherwise last for months can now be fixed in minutes. The scaling benefit is clear – developers can now create more software faster and thus innovate securely.

How much human intervention is needed before an issue is fixed, and where in the picture do humans factor into this type of cybersecurity?

Despite automation in the software development process, fixing security flaws – particularly in first-party code – has relied solely on manual effort from overburdened and under-supported developers. Until now.

Veracode Fix uses machine learning to generate suggested fixes that developers can review and implement without writing any code.

It’s important to note that Veracode Fix doesn’t automatically fix code but rather suggests fixes. The developer then reviews and implements the fixes without writing any code. This saves developers time, accelerates secure development, and makes it possible to manage risk and pay down security debt at scale with less effort and cost.

Is there anything else that you would like to share about Veracode?

Technology is constantly evolving and Veracode is too, but the goal has remained the same since 2006: to secure software at scale. Just as Veracode pioneered AppSec more than 17 years ago, we are now pioneering intelligent software security. Our products and innovations, such as Veracode Fix, are a testament to that.

Veracode was founded by Chris Wysopal, a former white hat hacker turned cyber policy influencer. In 1998, as part of the hacker collective L0pht, Chris testified in front of a U.S. Senate Committee investigating government cyber issues saying that cyber vendors need to do better — they need to own the problem.

Since its founding, Veracode has grown from a start-up to a global business with more than 2,600 customers – and what an amazing journey it’s been to watch unfold over all these years. It’s thanks to our commitment to helping customers with their biggest challenges: integrating security into the SDLC; building developer security competency; protecting the software supply; managing web app attack surface risk; and securing cloud-native application development. We are a 10X Leader in the Gartner Magic Quadrant for Application Security Testing – one of the industry’s most in-depth evaluations of our industry – and have received numerous industry accolades over the years.

An area we are particularly proud of is the culture we have nurtured throughout our history. Just this past year, Veracode was named a 2022 Top Place to Work by The Boston Globe and a 2023 Top Workplaces USA by Energage. We were honored and humbled to be awarded these accolades because we pride ourselves on an inclusive culture that fosters talent and enables employees to perform at their best.

Thank you for the great interview, readers who wish to learn more should visit Veracode.