
Veracode Boosts Security Oversight with Advanced Supply Chain Risk Management Capabilities
Veracode, a global leader in application risk management, has unveiled powerful new features aimed at strengthening software supply chain security and streamlining application vulnerability management. As the frequency and severity of software supply chain attacks surge to unprecedented levels, Veracode is doubling down on its mission to offer centralized, real-time risk visibility and ensure secure software development at every stage of the lifecycle.
The newest enhancements to the Veracode Risk Manager (VRM), along with the early access launch of Veracode Package Firewall, mark a pivotal moment in the company’s strategy to address modern security threats with smarter, automated tools that empower both security and development teams.

Tackling Evolving Threats with Modern Solutions
“Security teams today are facing immense challenges as cyber threats continue to evolve rapidly,” said Derek Maki, Head of Product at Veracode. “At the same time, developers are under pressure to deliver software faster and more frequently. Our latest enhancements provide a balanced approach that doesn’t compromise innovation for the sake of security.”
Veracode’s updated platform empowers organizations with the ability to identify, trace, and proactively address vulnerabilities before they enter production environments, ensuring resilient software supply chains.
Veracode Package Firewall: Raising the Bar for Open Source Risk Management
With over 97% of modern applications depending on open-source components, vulnerabilities in these packages represent a significant threat vector. Veracode Package Firewall offers an advanced solution for proactively mitigating this risk. Developed using technology from Phylum Inc., this supply chain security tool uses Open Policy Agent (OPA) to define and enforce automated security policies across development environments.
Key benefits of the Veracode Package Firewall include:
- Proactive Risk Mitigation: Prevents malicious or non-compliant packages from being introduced into enterprise ecosystems, thereby reducing the attack surface and enhancing operational resilience.
- Efficient Governance and Compliance: Streamlines the compliance process through policy automation and simplifies audit readiness, enabling faster release cycles without sacrificing security.
- Secure Developer Productivity: Provides developers with the freedom to focus on building and shipping high-quality software by removing insecure dependencies at the source.
Currently in early access, Veracode Package Firewall is expected to become widely available in June 2025.
Smarter Vulnerability Prioritization with Veracode Risk Manager
Application security teams are often overwhelmed by a high volume of alerts with limited context. The enhanced VRM now incorporates features designed to reduce alert fatigue while providing precise insight into real risk factors.
Noteworthy upgrades to VRM include:
- Runtime Container Risk Context: Integrates with Kubernetes environments, allowing users to evaluate which vulnerable components are actually loaded and active at runtime. This enables security teams to focus on remediating threats that are truly impactful.
- Advanced Labeling Capabilities: Offers fine-grained tagging and classification of risks, giving organizations full control to customize views and prioritize vulnerabilities based on business needs.
- Repository Tools Integration: Tracks the exact origin of vulnerabilities by connecting to code repositories. This accelerates root cause identification and resolution.
These intelligent features not only elevate application security posture management (ASPM) but also improve operational efficiency across the software development lifecycle. With VRM, enterprises gain a unified platform to monitor threats, automate investigations, and prioritize responses based on contextual business impact.
Expanding Security Across the SDLC
Veracode’s platform enhancements reflect an industry-wide push toward end-to-end supply chain security integrated across the software development lifecycle (SDLC). The company offers a suite of solutions that includes static and dynamic analysis, software composition analysis, container hardening, penetration testing, and now, expanded supply chain protection.
Veracode Risk Manager and Veracode Package Firewall seamlessly integrate with modern DevOps pipelines, CI/CD tools, and cloud-native architectures. This helps teams operationalize security without introducing friction or delaying innovation.
Live Demonstrations at RSAC 2025
Veracode will be showcasing these innovations live at the RSA Conference 2025, taking place from April 28 to May 1 in San Francisco. Conference attendees can visit booth #1243 for in-depth demos and expert-led discussions on preemptive security strategies for today’s evolving threat landscape.
About Veracode
Veracode is recognized globally as a leader in application risk management for the AI-driven era. Leveraging the power of trillions of code scans and a proprietary AI-based remediation engine, the Veracode platform equips organizations with adaptive security tools that span from code creation to cloud deployment.
Thousands of development and security teams around the world rely on Veracode daily to identify exploitable risks, resolve vulnerabilities in real time, and reduce security debt at scale. The company’s comprehensive portfolio covers:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Software Composition Analysis (SCA)
- Container Security and Hardening
- Application Security Posture Management (ASPM)
- Penetration Testing and Malicious Package Detection
Headquartered in the United States, Veracode serves customers globally, offering deep expertise, award-winning solutions, and an unwavering commitment to enabling secure innovation.
To explore Veracode’s offerings, visit www.veracode.com.
This article is based on information from Veracode’s official announcement. The original press release remains the authoritative source and should be referred to for official purposes.