Full-Time

Director - Product Management

Posted on 10/31/2025

Veracode

501-1,000 employees

Cloud-based platform for application security scanning

No salary listed

Burlington, MA, USA

In Person

Category
Product (2)
Required Skills
Maven
DevOps
Product Design
Requirements
  • Minimum 2 years of hands-on software development experience - you must have been a practicing developer to authentically understand and advocate for developer needs
  • Deep hands-on experience with developer tools: CLIs, IDE extensions, CI/CD systems, AI-First IDEs, and package managers (npm, pip, Maven)
  • Understanding of developer workflows and toolchains
  • Bachelor's degree or equivalent work experience with minimum 8 years total experience in high tech, software, or SaaS
  • Proven track record of successfully transitioning from engineering to product management
  • Comfortable being hands-on with our products—you should be excited to use our CLI, test our IDE plugins, and navigate our APIs yourself
  • Track record of hands-on product leadership, not just strategic oversight
  • Energy and enthusiasm for doing the work, not just directing it
  • Curiosity about emerging technologies including AI/ML and how they can enhance developer experience
  • Strong knowledge of application security and how developers interact with security tools
  • Deep appreciation for Product Design with demonstrated ability to partner effectively with designers (not be one)
  • Experience driving cross-product consistency and unified experiences across multiple user touchpoints
  • Ability to think beyond individual features to the holistic user journey
  • Experience with using data, user research, and analytics to drive experience improvements
  • Excellent customer-facing skills with ability to engage both technical and non-technical stakeholders
  • Experience creating and launching products with exceptional user experiences
  • Strong strategic thinking with ability to balance user needs with business outcomes
  • Exceptional communication skills to align diverse stakeholders around experience vision
  • Experience in Agile development environments and modern software delivery (CI/CD, DevOps, DevSecOps)
  • Extensive experience with Cloud Native Technologies and developer tooling ecosystems
Responsibilities
  • Own the holistic Developer and User Experience strategy across ALL Veracode products, serving as the primary advocate for consistency and excellence in every user interaction
  • Act as the "glue" between product teams, ensuring unified experiences whether users are developers working in their IDE or security professionals reviewing reports
  • Personally conduct user interviews, usability sessions, and customer feedback calls
  • Get into our products daily—test features, file bugs, and experience our tools as both a developer and product leader
  • Roll up your sleeves to unblock teams, whether that's clarifying requirements, making quick decisions, or jumping into technical discussions
  • Explore innovative approaches to product management, including leveraging AI where it adds value
  • Prototype experience improvements and work directly with designers and engineers to iterate
  • Partner closely with Product Design to champion user-centric approaches (you're not the designer, but you deeply value and advocate for great product design)
  • Leverage your development background to anticipate developer needs, pain points, and workflows, translating them into product strategy
  • Use cutting-edge tools to analyze user feedback at scale, identify patterns, and generate actionable insights faster than traditional methods
  • Work closely with GTM team to articulate the value of superior developer and user experience in our go-to-market strategy
  • Build and own the product roadmap for experience improvements across our portfolio
  • Establish and monitor KPIs for user experience, developer adoption, and satisfaction metrics to predict trends and identify early warning signals
  • Drive adoption of modern developer workflows
  • Collaborate with engineering, architecture, and UX Design to ensure technical feasibility while maintaining experience quality
  • Mentor and coach Technical Product Managers on user-centric product development

Company Size

501-1,000

Company Stage

Acquired

Total Funding

$1.7B

Headquarters

New York City, New York

Founded

2006

Simplify Jobs

Simplify's Take

What believers are saying

  • 81% ACV growth in Q4 2025 from 130 new customers and seven-figure deals.
  • Processed 420 trillion code lines, fixed 131 million flaws in 2025.
  • Anthony Barkley as CSO and Diana Bushard as GC drive growth phase.

What critics are saying

  • Snyk erodes SCA share with faster CI/CD developer tools in 6-12 months.
  • GitHub Advanced Security captures enterprises via Copilot in 12-18 months.
  • Checkmarx agentless scanning churns F100 clients in 6-12 months.

What makes Veracode unique

  • Veracode Fix for SCA automates open-source fixes with contextual AI analysis.
  • Package Firewall blocks malicious packages across NPM, PyPI, Maven instantly.
  • Phylum acquisition enables real-time detection of malicious open-source code.

Benefits

Health Insurance

Dental Insurance

Vision Insurance

Wellness Program

Unlimited Paid Time Off

401(k) Company Match

401(k) Retirement Plan

Professional Development Budget

Growth & Insights and Company News

Headcount

6 month growth

0%

1 year growth

-1%

2 year growth

-4%

Help Net Security
Mar 18th, 2026
Veracode Fix for SCA automates open-source vulnerability fixes.

Veracode has unveiled Veracode Fix for Software Composition Analysis (SCA), an AI-powered solution to address software supply chain risk. The enhanced automated remediation engine, the next evolution of Veracode's Fix solution, enables organizations to detect and remediate open-source vulnerabilities easily, before code reaches production. Designed to integrate seamlessly into existing developer workflows, it delivers third-party updates and first-party code refactoring without breaking builds or disrupting development.

In 2025, software supply chain breaches accounted for 30% of external attacks. Meanwhile Veracode's 2026 State of Software Security (SoSS) Report revealed 82% of organizations struggle with escalating security debt, largely due to open-source dependencies. Veracode Fix for SCA addresses both challenges directly. Leveraging deep, contextual analysis, the solution delivers pull requests that are safe to merge, enabling autonomous fixing. Unlike traditional SCA solutions that often overwhelm developers with alerts and hinder productivity, Veracode Fix combines logic-driven AI with proprietary vulnerability intelligence, ensuring ready-to-merge fixes while eliminating the risk of AI "hallucinations."

"AI is accelerating software development - but it's also enabling an unprecedented explosion of supply chain risks," said Tim Jarrett, Vice President of Product Management. "Visibility into these risks is no longer enough. Organizations need intelligent, automated solutions that not only find vulnerabilities but fix them with precision, giving development teams the confidence to innovate securely."

Veracode Fix for SCA transforms the remediation process through several core capabilities:

  • Contextual analysis: Evaluates the interaction between third-party dependencies and first-party code, preventing breaking changes.
  • Multi-file, cohesive pull requests: Bundles all configuration files and source code modifications into a focused, easily reviewable update.
  • Curated AI engine: Grounds automated fixes in a proprietary, human-verified vulnerability database for accurate, trustworthy remediation.
  • Automated workflows: Delivers ready-to-merge code directly into the developer's Git environment.

"By enabling development teams to upgrade to safe open-source libraries automatically while addressing breaking changes with a single, testable update, we move organizations from seeing risk to actively eliminating it, strengthening the security of their software supply chains," Jarrett closed.

The Associated Press
Mar 18th, 2026
Veracode launches AI-powered Fix for SCA to combat software supply chain vulnerabilities

Veracode has launched Veracode Fix for Software Composition Analysis, an AI-powered solution addressing software supply chain vulnerabilities. The automated remediation engine detects and fixes open-source vulnerabilities before code reaches production, delivering pull requests directly into developers' Git workflows. The solution combines logic-driven AI with proprietary vulnerability intelligence to provide contextual analysis and multi-file, cohesive pull requests. It evaluates interactions between third-party dependencies and first-party code to prevent breaking changes whilst eliminating AI hallucinations through a human-verified vulnerability database. Veracode's 2026 State of Software Security Report found 82% of organisations struggle with escalating security debt from open-source dependencies, whilst software supply chain breaches accounted for 30% of external attacks in 2025. The company showcased the solution at RSA Conference 2026 in San Francisco.

Veracode
Feb 10th, 2026
Veracode Named a Leader in GigaOm Radar for Software Supply Chain Security

By Karen Buffo

Modern software development is a balancing act. You are under constant pressure to innovate faster, ship features daily, and maintain near-perfect uptime. To meet these demands, development teams rely heavily on open-source libraries, APIs, and third-party components. It's efficient, but it introduces a significant challenge: your attack surface is now composed of code you didn't write. Securing this complex web of dependencies - your software supply chain - is no longer optional. It is a critical requirement for enterprise security.

Veracode is proud to announce that Veracode, Inc. has been named a Leader in the GigaOm Radar Report for Software Supply Chain Security. This recognition validates its platform-centric approach to application security and underscores its commitment to helping you build software that is secure by design.

The rising stakes of Supply Chain Security

Software supply chain attacks have shifted the security paradigm. Attackers are no longer just looking for vulnerabilities in your custom code; they are targeting the pipelines, tools, and open-source components that build your applications. A single compromised library can cascade into a widespread breach, affecting not just your organization but your customers as well. This reality has driven a surge in regulatory focus, such as the executive orders on cybersecurity and the increasing demand for Software Bills of Materials (SBOMs).

Organizations need more than just a scanner. You need comprehensive visibility and control over every component that enters your development lifecycle. However, many security tools struggle to keep pace. They often flood developers with false positives, lack context, or sit outside the development workflow, creating friction that slows down innovation.

Why Veracode was named a Leader

Its position as a Leader in the GigaOm Radar reflects its philosophy that security must be integral to the development process, not an obstacle to it. Veracode, Inc. believes that to truly secure the supply chain, you need a solution that connects the dots between code, dependencies, and deployment. Here is a closer look at the strengths that distinguish the Veracode Continuous Software Security Platform.

1. A unified platform approach

GigaOm recognizes the value of a comprehensive platform. Point solutions often create data silos, making it difficult for security leaders to get a clear picture of their risk posture. Veracode brings together Static Analysis (SAST), Dynamic Analysis (DAST), Software Composition Analysis (SCA), and Container Security into a single, unified view. This convergence allows you to manage your entire application security program from one dashboard. You get consistent policy enforcement and reporting across all your applications, whether they are legacy monoliths or cloud-native microservices.

2. Seamless integration into the SDLC

Security tools are only effective if developers use them. Veracode, Inc. engineered its platform to fit seamlessly into the tools your teams already use every day. Whether it is integrating directly into IDEs like IntelliJ and VS Code, or automating scans within Jenkins, GitHub, or Azure DevOps pipelines, Veracode meets developers where they are. This "shift left" capability ensures that security checks happen early and often. By catching vulnerabilities during the coding phase - rather than waiting for a pre-production scan - you reduce the cost and time required to fix them.

3. Turning insight into action with AI

Identifying a vulnerability is only half the battle. The real challenge lies in remediation. Developers often spend hours researching how to fix a specific flaw without breaking the build. Veracode is leading the charge in AI-driven remediation. Its solution doesn't just flag a problem; it suggests the fix. By leveraging a vast database of secure code patterns, Veracode, Inc. provides developers with automated pull requests and remediation advice. This dramatically reduces the "fix rate" time, helping teams clear their security debt faster and focus on building new features.

4. Visibility through SBOMs

You cannot secure what you cannot see. As regulations tighten, the ability to produce and manage an accurate SBOM is essential. Veracode provides deep visibility into your open-source dependencies, including transitive dependencies (the libraries your libraries use). Veracode, Inc. helps you identify license risks and security vulnerabilities hidden deep in your dependency tree. With its continuous monitoring, you receive alerts the moment a new vulnerability is discovered in a component you are using, allowing for immediate response.

Understanding the GigaOm Radar

The GigaOm Radar Report is one of the most respected technical assessments in the industry. Unlike traditional market quadrants that may focus heavily on market share, the GigaOm Radar evaluates vendors based on technical capabilities, product roadmap, and innovation. It looks at how well a solution meets the needs of modern enterprises today and how well-positioned it is to handle future challenges.

In this report, GigaOm analyzes the Software Supply Chain Security (SSCS) landscape. They evaluate vendors on key criteria such as:

  • SBOM Management: The ability to generate and manage Software Bills of Materials.
  • Pipeline Security: Protecting the integrity of the CI/CD pipeline itself.
  • Open-Source Security: Identifying and remediating vulnerabilities in third-party libraries.
  • Policy Enforcement: Automating governance across the development lifecycle.

GigaOm classifies vendors into different sectors based on their maturity and focus. Being named a Leader signifies that a vendor demonstrates a strong balance of innovation and platform maturity, offering scalable solutions that deliver high value to the enterprise.

Moving forward with confidence

The recognition from GigaOm is not just an award for Veracode, Inc.; it is a signal to the market that the future of application security is integrated, automated, and platform-based. As software supply chains grow more complex, the "trust but verify" model is obsolete. You must verify continuously. You need a partner that evolves as fast as the threat landscape does. Veracode, Inc. is committed to empowering your developers to write secure code and enabling your security teams to manage risk at the speed of business. By reducing false positives, automating remediation, and providing crystal-clear visibility, Veracode, Inc. helps you turn security from a bottleneck into a competitive advantage.

Take the next step

Don't let supply chain vulnerabilities be your blind spot. Equip your team with the insights and tools validated by industry experts. Read the full GigaOm Radar Report for Software Supply Chain Security to explore the key criteria for evaluating vendors, understand the market landscape, and see why Veracode was named a Leader.

As Chief Marketing Officer at Veracode, Karen Buffo brings more than 18 years of global security expertise, with a proven track record of developing and executing marketing strategies that deliver value to customers, partners, shareholders, and employees alike. Prior to joining Veracode, Karen held leadership positions at MixMode, Anomali, The Symantec Enterprise Division of Broadcom, and Oracle. Throughout her career, she has defined and implemented comprehensive global marketing initiatives that strengthen brands and drive worldwide growth. Karen's multifaceted background in strategy, business enablement, and global marketing provides her with a holistic perspective on companies' distinctive capabilities, opportunities, and growth drivers - resulting in sustainable business value. A recognized industry keynote speaker, mentor, and active contributor to the cybersecurity community, Karen holds a Bachelor's degree in Consumer Science and Business Administration.

Business Wire
Feb 5th, 2026
Veracode closes 2025 with 81% ACV growth amid surging application risk management demand

Veracode, an application risk management company, reported strong growth in 2025, with new Annual Contract Value increasing 81% year-over-year in the fourth quarter. The company added over 130 new customers in the final quarter alone and closed several seven-figure, multi-year contracts. The platform processed 420 trillion lines of code and helped customers fix 131 million flaws throughout the year. Growth was driven by demand for comprehensive security platforms addressing AI-generated code risks and supply chain vulnerabilities. Veracode launched new products including Package Firewall and External Attack Surface Management. The company was recognised as a leader in multiple industry reports, including the Forrester Wave for SAST and Gartner Magic Quadrant for Application Security Testing. Total funding raised to date was not disclosed.

Business Wire
Jan 28th, 2026
Veracode launches Package Firewall as supply chain breaches double to 30%

Veracode, a global leader in application risk management, has announced significant platform enhancements, headlined by Package Firewall, a preventive control for software supply chains. The release comes as supply chain-related third-party breaches doubled year over year, from 15% to 30%, according to Verizon's 2025 Data Breach Investigations Report. Package Firewall, originally launched in June 2025, blocks malicious packages before they enter development environments. The solution now integrates with Azure Artifacts and package managers including NPM, PyPI, Maven, Nexus and Artifactory, deploying in seconds. Additional updates include enhanced Dynamic Application Security Testing, improved Software Composition Analysis with intelligent policies, and OAuth-based single sign-on authentication across Veracode's Integrated Development Environment plugin portfolio. The platform now supports modern frameworks including .NET Semantic Kernel and Java JDK 25.
