SOURCE: Veracode

April 20, 2009 09:00 ET

EquaTerra, EquaSiis and Veracode Partner to Enable Higher Security Standards to Combat Risks in Software Development and Management Outsourcing

Veteran Industry, Government Security and Risk Experts Partner to Implement Security Acceptance Controls and Improve Security Quality in Outsourced Software

HOUSTON, TX and BURLINGTON, MA--(Marketwire - April 20, 2009) - An initiative to help enterprises, government agencies and application outsourcing service providers better ensure the integrity of their data and security of their software was announced today by industry-leading management consultancy and sourcing advisor EquaTerra, sourcing software and services firm EquaSiis, and Veracode, provider of the world's leading Application Risk Management Platform. The collaboration between the three firms is squarely aimed at combating the increasing risk that data will be compromised by application security vulnerabilities in software, including those managed by third-party outsourcers. The result will be new and innovative governance models that include contractual terms to mandate security verification, best practices, security acceptance criteria and an overall risk model for improving the security of outsourced software. EquaSiis, as part of this initiative, will enable and educate outsourcing service providers through training, guidance and best practices.

"Data and application security have become too critical in an era of global sourcing to be left to chance or addressed using yesterday's tools, techniques, terms and conditions," said Mark Robinson, COO at EquaTerra. "We are taking the initiative to help buyers mature their application sourcing and governance program and embody the security services, capabilities and contractual terms available in the market today."

While efforts to protect data and software applications are not new, most approaches have become increasingly ineffective, as they have not focused on the core issue -- the quality of the delivered application code itself. Organizations continue to spend more on data and application security and get less in return for this investment. "Failure to adequately secure sensitive customer, corporate and governmental data and intellectual property is not only a serious business risk, it is one that has national security implications as well," said Jack Tomarchio, Principal, the Agoge Group, and former Deputy Under Secretary for Operations, Office of Intelligence and Analysis, Department of Homeland Security.

Analyst firm Gartner has forecast the application outsourcing market to surpass $81 billion by 2011(1) and has been a strong advocate of implementing proper security requirements into outsourced development contracts for some time. A recent report from Quocirca has found that over 60% of companies that outsource the coding of their critical applications do not mandate that security must be built into the applications.

"Gartner recommends that application security testing be mandatory in all outsourced development initiatives," said Arabella Hallawell, Gartner Research VP. "Outsourced contracts should specify terms and conditions that detail how security is built into the development lifecycle; when, how and by whom security testing and validation is performed; and which issues are to be fixed within a certain timeframe."

Collectively, EquaTerra, EquaSiis and Veracode possess an unmatched set of capabilities to address data and application security challenges with a more holistic and multi-dimensional approach. Veracode's SecurityReview Application Risk Management Platform, EquaTerra's global sourcing expertise and EquaSiis' outsourcing governance software will enable enterprises to mandate and independently verify security quality, with metrics, tools and services to monitor performance and manage compliance.

"As corporate technology requirements continue to evolve, businesses more and more find themselves looking at outsourced development to provide solutions," said John Bird, VP at Chevy Chase Bank. "Today, the security quality of outsourced code is largely unknown and the risk inherent in the application belongs to the enterprise. Standard, sound and verifiable metrics, independent testing, and acceptance processes for security are critical elements of software development and should be embedded in outsourcing contracts. Customers and stockholders will demand that these risks be effectively addressed for their protection and that of their investments."

"You can outsource development, but not the liability associated with ensuring your employee and customer data is secure," said Matt Moynahan, CEO of Veracode. "We are excited about this important industry collaboration to empower enterprises with an easy and cost effective solution to govern the security quality of outsourced application development. In our experience, security of third party code is typically low on first verification, but with proper governance and services, remediation time can be shortened and quality dramatically improved. This partnership will enable organizations of all types to ensure that their software infrastructure is secure, while continuing to enjoy the benefits of their global outsourcing efforts."

About EquaTerra

EquaTerra sourcing advisors help clients achieve sustainable value in their IT and business processes. Our advisors average more than 20 years of industry experience and have supported over 2000 transformation and outsourcing projects across more than 60 countries. Supporting clients throughout the Americas, Europe, Middle East, Africa and Asia Pacific, we have deep functional knowledge in finance and accounting, HR, IT, procurement and other critical business processes. EquaTerra helps clients achieve significant cost savings and process improvement with internal transformation, shared services and outsourcing solutions. For more information, please contact Lee Ann Moore at +1 713.669.9292;

About EquaSiis

EquaSiis provides software and services that improve the business support services lifecycle for shared services, outsourcing practitioners and service providers. The software, EquaSiis Workbench and EquaSiis Enterprise, is a framework for collaboration used during the service delivery assessment and sourcing process to assist in analysis and decision making for shared services or outsourcing. EquaSiis provides intelligence and optimization for the delivery of business support services across the entire organization. The company also offers service providers market intelligence, research, customer satisfaction and trending data through its Insights group. For more details on the Veracode relationship, please contact Stan Lepeak. To learn more about EquaSiis, contact Ron Walker +1 858.486.6035; or

About Veracode

Veracode provides the world's leading Application Risk Management Platform. Veracode SecurityReview's patented and proven cloud-based capabilities allow customers to govern and mitigate software security risk across a single application or an enterprise portfolio with unmatched simplicity. Customers include the world's largest and most security aware organizations in every industry. Recognized as a Gartner "Cool Vendor," The Wall Street Journal's "Technology Innovation Award," The Banker's "Information Security Project of the Year" with Barclays, SC Magazine's "Best Vulnerability Assessment Solution," Information Security "Readers' Choice Award," and AlwaysOn Northeast's "Top 100 Private Company," Veracode is Software Security Simplified™. For more information, visit

(1) Gartner Outsourcing & Vendor Management Summit, Applications Services Scenario: 2008 to 2012 -- Trends and Directions, Dane Anderson, May 19-21, 2008
