Veracode Strengthens Its Software Security Platform Using Scalable AWS Services

Veracode is a leading application security partner for creating software that reduces the risk of security breaches and increases productivity for security and development teams. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps customers get accurate results so that they can focus their efforts on innovation, rather than fixing security flaws in their code.  Used by thousands of global customers, Veracode has assessed trillions of lines of code and helped users fix tens of millions of security flaws.

 

When Veracode was founded in 2006, it chose to operate its own data center and host databases using a third-party vendor. As the company matured, Veracode realized that it needed to look beyond its bespoke SaaS architecture. “We’re in a different world of scale now compared to where we were when we started,” says Tim Jarrett, senior director of product management at Veracode. “All software can have bugs, and some of those bugs may actually be security vulnerabilities. The way software is built has changed, and we need to exponentially scale to keep up with demand and customers’ expectations for speed.”

 

Managing tens of millions of scans per month was challenging with on-premises infrastructure. Veracode needed infrastructure that was simple to scale and support new customers as well as test an exponentially growing number of applications. Having used AWS services since 2011, Veracode chose to migrate its entire platform to AWS. “We knew that the elasticity that AWS offers could get us to the scale that we needed,” says Jarrett. In 2018, Veracode and the AWS team planned and initiated the three-part migration of its remaining SaaS infrastructure. It began by migrating its third-party database to Amazon Relational Database Service (Amazon RDS) for Oracle, a fully managed commercial database that makes it simple to set up, operate, and scale Oracle deployments in the cloud and allows customers to spend time innovating and building new apps, not managing infrastructure.

Veracode’s vision is to offer a comprehensive and open continuous software security platform that brings development and security teams together. Pursuing a modern architecture to support its platform, Veracode is using multiple AWS services. For example, the data lake that powers analytics, platform insights, and benchmarking uses services like Amazon Simple Storage Service (Amazon S3)—an object storage service offering industry-leading scalability, data availability, security, and performance—as well as AWS Glue, a serverless data integration service. On AWS, Veracode completed the first part of the migration quickly, migrating 10 services and 50–60 workflows in a single night.

 

During the second phase, Veracode wanted to expand into the European marketplace, which is traditionally wary of SaaS solutions based outside of the region. It launched a dedicated instance of its platform for the European market on AWS. To support US federal government customers, Veracode is working to achieve compliance with the Federal Risk and Authorization Management Program (FedRAMP), which delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud services. In 2022, Veracode will expand its customer base by using AWS Regions like AWS GovCloud (US), which gives government customers and their partners the flexibility to architect secure cloud solutions.

 

Veracode relies on Amazon Redshift, which uses SQL to analyze structured and semistructured data, as a descriptive reporting solution. After data is extracted and transformed in batches from its data lake, it uses Amazon Redshift to automatically create reports. Veracode can then access this information and deliver important security insights to its customers. It also uses Amazon ElastiCache, a fully managed, in-memory caching service, to store user session information and optimize the customer experience.

 

By architecting on AWS, Veracode has achieved elastic scale, high performance, and flexibility well beyond what its previous architecture could provide. It can scale horizontally without rewriting complex code, improving service speed and quality. “When a large financial institution asks you to look at every piece of code over a weekend and identify where a bug might be, it wouldn’t have been possible with our prior architecture,” says Jarrett. “AWS services have been instrumental in helping us scale to meet rapidly growing demand and break free from the constraints that we had in our own data center.”

Veracode will continue the third part of its migration by further optimizing its infrastructure. It is migrating data from Amazon RDS for Oracle to Amazon Aurora, a MySQL- and PostgreSQL-compatible relational database built for the cloud. Due to the clustered nature of Aurora, Veracode can scale out its database layer without rewriting most of its code. The company is strategizing ways to complete this project while maintaining data consistency and minimizing interruption. “Aurora has been our vulnerability database and a key part of our architecture for a long time,” says Rob Parrott, vice president and chief architect of Veracode. “We’re looking to go all in on Aurora for our relational database management system needs.”

 

This cloud migration has required a series of careful steps to maintain production workloads while migrating to modern infrastructure. Veracode has realized key benefits, such as increased scalability, elasticity, and speed for future growth. In the future, it expects to continue to innovate on AWS to strengthen its solution and keep pace with emerging trends, empowering customers to better understand their security posture and mitigate risks quickly. Jarrett says, “On AWS, we can deliver better quality of service to our customers during normal operations and when there are surges in demand.”