Veracode Strengthens Its Software Security Platform Using Scalable AWS Services


Cybersecurity issues have grown in frequency and sophistication in recent years, and Veracode was founded to help companies of all sizes secure their software to protect their operations, customer data, and reputations. Research shows that two of the top five vectors for cybersecurity events are related to software security. This risk and the growing use of DevSecOps techniques and shift-left application security strategies have exponentially increased scan frequency and volume. To meet growing demand, Veracode realized that it needed to migrate to the cloud from its homegrown software-as-a-service (SaaS) infrastructure.

Veracode chose to modernize its architecture on Amazon Web Services (AWS) using a multiphase approach. By migrating to AWS, Veracode is scaling to support tens of millions of scans per month, accelerating its ability to detect vulnerabilities in its customers’ software.

“AWS services have been instrumental in helping us scale to meet rapidly growing demand and break free from the constraints that we had in our own data center.”

Tim Jarrett
Senior director of product management, Veracode

Breaking Free from the Constraints of the Data Center

Veracode is a leading application security partner for creating software that reduces the risk of security breaches and increases productivity for security and development teams. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps customers get accurate results so that they can focus their efforts on innovation, rather than fixing security flaws in their code. Used by thousands of global customers, Veracode has assessed trillions of lines of code and helped users fix tens of millions of security flaws.
When Veracode was founded in 2006, it chose to operate its own data center and host databases using a third-party vendor. As the company matured, Veracode realized that it needed to look beyond its bespoke SaaS architecture. “We’re in a different world of scale now compared to where we were when we started,” says Tim Jarrett, senior director of product management at Veracode. “All software can have bugs, and some of those bugs may actually be security vulnerabilities. The way software is built has changed, and we need to exponentially scale to keep up with demand and customers’ expectations for speed.”
Managing tens of millions of scans per month was challenging with on-premises infrastructure. Veracode needed infrastructure that was simple to scale and could support new customers as well as test an exponentially growing number of applications. Having used AWS services since 2011, Veracode chose to migrate its entire platform to AWS. “We knew that the elasticity that AWS offers could get us to the scale that we needed,” says Jarrett. In 2018, Veracode and the AWS team planned and initiated the three-part migration of its remaining SaaS infrastructure. It began by migrating its third-party database to Amazon Relational Database Service (Amazon RDS) for Oracle, a fully managed commercial database that makes it simple to set up, operate, and scale Oracle deployments in the cloud and allows customers to spend time innovating and building new apps, not managing infrastructure.

Achieving Elasticity and Meeting Business Requirements on AWS

Veracode’s vision is to offer a comprehensive and open continuous software security platform that brings development and security teams together. Pursuing a modern architecture to support its platform, Veracode is using multiple AWS services. For example, the data lake that powers analytics, platform insights, and benchmarking uses services like Amazon Simple Storage Service (Amazon S3)—an object storage service offering industry-leading scalability, data availability, security, and performance—as well as AWS Glue, a serverless data integration service. On AWS, Veracode completed the first part of the migration quickly, migrating 10 services and 50–60 workflows in a single night.
During the second phase, Veracode wanted to expand into the European marketplace, which is traditionally wary of SaaS solutions based outside of the region. It launched a dedicated instance of its platform for the European market on AWS. To support US federal government customers, Veracode is working to achieve compliance with the Federal Risk and Authorization Management Program (FedRAMP), which delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud services. In 2022, Veracode will expand its customer base by using AWS Regions like AWS GovCloud (US), which gives government customers and their partners the flexibility to architect secure cloud solutions.
Veracode relies on Amazon Redshift, which uses SQL to analyze structured and semistructured data, as a descriptive reporting solution. After data is extracted and transformed in batches from its data lake, it uses Amazon Redshift to automatically create reports. Veracode can then access this information and deliver important security insights to its customers. It also uses Amazon ElastiCache, a fully managed, in-memory caching service, to store user session information and optimize the customer experience.
By architecting on AWS, Veracode has achieved elastic scale, high performance, and flexibility well beyond what its previous architecture could provide. It can scale horizontally without rewriting complex code, improving service speed and quality. “When a large financial institution asks you to look at every piece of code over a weekend and identify where a bug might be, it wouldn’t have been possible with our prior architecture,” says Jarrett. “AWS services have been instrumental in helping us scale to meet rapidly growing demand and break free from the constraints that we had in our own data center.”

Optimizing Its Infrastructure for Future Growth

Veracode will continue the third part of its migration by further optimizing its infrastructure. It is migrating data from Amazon RDS for Oracle to Amazon Aurora, a MySQL- and PostgreSQL-compatible relational database built for the cloud. Due to the clustered nature of Aurora, Veracode can scale out its database layer without rewriting most of its code. The company is strategizing ways to complete this project while maintaining data consistency and minimizing interruption. “Aurora has been our vulnerability database and a key part of our architecture for a long time,” says Rob Parrott, vice president and chief architect of Veracode. “We’re looking to go all in on Aurora for our relational database management system needs.”
This cloud migration has required a series of careful steps to maintain production workloads while migrating to modern infrastructure. Veracode has realized key benefits, such as increased scalability, elasticity, and speed for future growth. In the future, it expects to continue to innovate on AWS to strengthen its solution and keep pace with emerging trends, empowering customers to better understand their security posture and mitigate risks quickly. Jarrett says, “On AWS, we can deliver better quality of service to our customers during normal operations and when there are surges in demand.”  

About Veracode

Veracode is a leading application security partner for creating secure software, reducing security risks, and increasing security and development teams’ productivity. With its solutions, Veracode helps companies get accurate results to fix potential vulnerabilities.

Benefits of AWS

  • Migrated 10 services and 50–60 workflows in 1 night
  • Scales to support tens of millions of scans per month
  • Improved service quality and speed
  • Scales horizontally without the need to rewrite complex code
  • Is expanding into new AWS Regions to support new customer bases

AWS Services Used

Amazon Aurora

Amazon Aurora is a MySQL- and PostgreSQL-compatible relational database built for the cloud that combines the performance and availability of traditional enterprise databases with the simplicity of open source databases.

Amazon RDS for Oracle

Amazon Relational Database Service (Amazon RDS) for Oracle makes it easy to set up, operate, and scale Oracle databases in the cloud.

AWS Glue

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.

Amazon S3

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.
