Yes, Veracode is one of my companies and, no, I’m not above peddling its blog to anyone who cares. More importantly, there are lots of people who should really care about what Christien Rioux, Chris Wysopal and Chris Eng have to say because the guys are old-time, real-world-tested security gurus (BTW, not everyone at Veracode is named Chris):

• Anyone who believes that there is inherent security risk in software, which is the result of poor security architecture/design + poor implementation + poor deployment/operation.
• Anyone who believes that building taller and wider security perimeters doesn’t fundamentally address that problem.
• Anyone who believes security is not an afterthought but an integral part of the software development lifecycle (SDLC).
• Anyone who believes the the problem of securing software is very complex, without a silver bullet solution.
• Anyone who cares about managing the risk associated with procuring and operating software.

I can’t be more open at this time because the company is slowly emerging out of stealth right now. To know more about Veracode, check out the company at the RSA Conference in a few weeks. Stop by the booth and go see Chris Wysopal’s talk.