Bob Brennan isn’t one to mince words.
“The world runs on software,” he says. “The software wasn’t written with a hostile environment in mind. We can button it up better than every other company, and the secret sauce is that we don’t need access to the source code. We have an entirely different approach that disrupts the whole notion of the software supply chain.”
There’s a touch of bravado in Brennan’s voice, but for good reason. He is the chief executive of Veracode, a Burlington, Mass.-based cyber security firm founded by Symantec veterans in 2006. (If his name sounds familiar, he was once the CEO of Iron Mountain, the enterprise information management company.) Veracode, which has 350 employees, promises to protect large companies from threats that come through their web and mobile applications. Worrying about your network? Brennan insists that it’s an old way of thinking. The worst attacks, he says, are coming through your corporate apps.
“Despite increased spending on security, there is still an unprecedented level of attack, and it’s coming from web pages—applications,” he says. “Development has become a really complex environment where release cycles are measured in weeks and you rely on a supply chain with unknown origins. It’s made application security an acute issue. This category is going to be bigger than network security because applications are going to have a more prominent profile in how we operate with businesses.”
On Thursday, Veracode announces that it has raised $40 million in a late-stage funding round led by Wellington Management Company with participation from its existing investors. The sum brings the company’s total raised to $134 million. It gives it capital to invest in expansion in markets where it lacks a strong presence, such as Asia, South America, and the U.S. federal government. It also paves its path toward what seems to be an inevitable initial public offering.
“We want to be able to take a very measured approach toward going public and not have the pressure to do that,” Brennan says. “Having Wellington on board allows us to march at that without worrying about how the markets are doing or hitting an IPO window. Our business model is a compound annuity: [customers] pay per application per year, and while they do retire applications, they add many more. It’s quite attractive.”
Veracode counts three of the top four banks in the Fortune 100 as its customers. Its services, which promise to methodically and dynamically root out threats at the application layer in a number of ways, are cloud-based and sell with a subscription model. It competes with some of the world’s largest software companies: Hewlett-Packard, IBM, WhiteHat Security. “Our competition is really the old way of doing things,” Brennan says.
The company is also riding a wave of increased interest in cyber security, from the board of directors on down. “Security has historically been bolted on to infrastructure. The CISO was at the little kids’ table,” he says, using the term for chief information security officer. “Now the CISO is in the board room.” During a recent dinner, he adds, the CISO of a major bank told him that he has twice as many software developers as Microsoft.
The steady march of “hacked!” and “breach!” news headlines certainly helps. “When Heartbleed hit, we were able to go to all of our customers and say, here’s where you have OpenSSL, and here’s how you get away from it,” Brennan says. “We can do that in days.” To deal with this new way of threats, he adds, companies must completely rethink the way they build and buy software.
“We’re making an argument with the largest companies in the world that this is an area that they have to go deep on for a very long time,” he says. “The business has tremendous potential. I like our chances.”
Update, September 11, 2014: My colleague Dan Primack reports in Fortune‘s Term Sheet newsletter that Veracode’s funding was done at a post-money valuation of nearly $500 million.