Case Study

Veracode Partners with Coalfire on FedRAMP® Journey

January 25, 2023
Resources New Case Studies 814x460 Veracode

One of the early pioneers in vulnerability scanning, Veracode handles customers’ sensitive data from source code to thirdparty applications. According to Veracode’s State of Software Security v12, although software security has become a major priority for organizations, in 2021, the public sector not only realized the highest proportion of application security flaws (82%), it also had the lowest and slowest fix rates.


Recent high-profile software supply chain breaches like Log4j have forced a greater sense of urgency for government application security managers. Veracode’s clientele requested the company attain FedRAMP authorization as assurance of its security standing.

Demand was on the rise for Veracode’s vulnerability scanning prowess to integrate software testing into CI/CD pipelines and satisfy the government’s cloud-first, security first mandates. To continue supporting the vital cyber testing missions of its federal agency clients, Veracode was under a tight timeline to achieve FedRAMP Authority to Operate (ATO). Failure to gain ATO would mean losing existing customers and opportunities to gain new clients.


As the company migrated from local data centers to top cloud vendor AWS, there were hurdles to overcome, such as architecture adjustments and several unsuccessful attempts to attain FedRAMP authorization.

Veracode needed experienced guidance regarding the operational cloud functions running inside FedRAMP-controlled environments. Thanks to Coalfire’s experience spanning more than 1,200 FedRAMP engagements and its strong relationship with AWS, Veracode saw the benefits to having Coalfire’s Cloud Managed Services (CMS) team assist with sponsor and Program Management Office (PMO) consultations that provided initial government cloud configuration advice.

Veracode’s customers expected the company to move quickly, so Coalfire jumped into action – the required FedRAMP packages were quickly submitted, approved by the PMO, and audited well within Veracode’s deadlines.

“With executive orders coming from above, government agencies were under pressure to meet cyber maturity mandates. We knew this was an important market for us and that our clients and prospects needed to bring in qualified vendors like Veracode, and in turn, we needed to get authorized and added to the FedRAMP Marketplace to pursue these opportunities. We achieved ATO, and we’re moving forward with a great partner. Coalfire is an extension of our operations staff.”



With Coalfire’s help, Veracode attained FedRAMP ATO in approximately 9 months – less than half of the traditional 18-month timeline. Coalfire will help the company maintain compliance by supporting continuous monitoring activities.

The ATO allowed Veracode to launch enhanced tools to find and fix mission-critical API vulnerabilities that government clients can utilize where necessary.

As an increasing number of companies like Veracode gain FedRAMP ATO, government agencies – spanning local to federal levels – will be able to take advantage of state-of the-art vulnerability management capabilities, enabling them to focus on software security and reduce risk for all stakeholders.

“Coalfire was the right match for what we were trying to do,” said Scott Jensen, vice president, cloud operations for Veracode. “Moving forward, we know that with Coalfire, our clients will be secure, we’ll be able to keep our staff levels down, and the Coalfire CMS team will augment our capabilities at the infrastructure level.”