PRESS RELEASE

Burlington, Mass. " April 21, 2010 " Veracode, Inc., provider of the world's leading cloud-based application risk management services platform, today announced Veracode SecurityInsights, the first application intelligence service of its kind. Customers using SecurityInsights benefit from interacting with the broadest, deepest code-level security information in the world to set standards for security quality throughout their software supply chain. With a click of the "Compare Me" button, SecurityInsights also enables current Veracode SecurityReview' users to instantly compare their software portfolio against the aggregated security quality benchmarks from thousands of applications in their industry, programming language, third-party supplier and/or type of application.

"Having the ability to compare the state of security in our application portfolio to other organizations in similar industries and projects across Veracode's comprehensive repository of applications from around the world will be invaluable," said Donna Durkin, chief information security and privacy officer, Computershare. "This information at our fingertips will not only help us make the right business decisions, but will enable us see where we can improve before a problem arises."

Unmatched Application Security Insight, Unparalleled Decision Making and Protection

Recent examples of third-party risk, such as the Google-China incident, have created widespread recognition in the global 2000 of the need for operating controls to manage application risk. To accomplish this, organizations require credible application security information to set specific acceptance criteria and internal security policies. For example, by leveraging the knowledgebase of SecurityInsights, users know that open source projects today have comparable security to commercial applications when evaluated against the CWE/SANS Top 25 Most Dangerous Programming Errors, enabling decision makers to establish informed acceptance criteria for similar commercial alternatives.

"Veracode SecurityInsights was designed to make it easier for our customers to solidify their software infrastructure before they are attacked or fall victim to a zero-day application vulnerability," said Matt Moynahan, CEO of Veracode. "Because Veracode's application intelligence from our cloud-based service is as dynamic as the threat environment itself, no enterprise or on-premise tool can provide this level of comprehensive analysis that users can immediately turn into business decision-making intelligence. Rather than merely responding to breaches and threats, executives now have what it takes to make proactive, enforceable decisions on the level of acceptable application security quality before the attack takes place."

Depth of Application Security Data

The information in SecurityInsights is comprised of anonymized application security data from billions of lines of code and thousands of applications that have been submitted to Veracode for static, dynamic, and/or manual security testing. It provides the most comprehensive benchmark information on security quality in categories including:

Application Profile and Portfolio Distribution

Application Security Policy Compliance

Vulnerability Prevalence

Standards Compliance against CWE/SANS Top 25, OWASP Top 10

Remediation Performance (e.g. How long to get to a VerAfied rating?)

The growing repository of code-level application information in SecurityInsights features the full spectrum of application types including Web and non-Web applications, programming languages such as Java, C/C++ and .NET from internal development teams, commercial, open source and outsource software suppliers, and represents more than 15 industries. More detailed information on the types of applications and vulnerabilities explored can be found in Veracode's State of Software Security report.

Pricing and Availability

Veracode SecurityInsights will be available in Q2 2010 and bundled with Veracode's SecurityReview Enterprise Edition at no additional cost. It will also be available as a stand-alone service. Pricing available upon request. For more information, contact Veracode at +1 781-425-6040 or [email protected].

About Veracode

Veracode is the world's leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments, and partner or Veracode-delivered manual penetration testing, combined with developer e-learning and access to open source security ratings, Veracode SecurityReview' allows customers to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete and accurate way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees' Retirement System (CalPERS), Computershare, and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com.