InfoWorld
Veracode pitches backdoor apps security

Veracode says its unique binary code analysis technique is the only way to find backdoors short of using manual code reviews


Veracode targets financial services, commercial software markets
Financial services firms in particular are concerned that outsourced developers may leave backdoors in code, either to sell to malware writers or to use themselves to break into applications and steal data, Wysopal said.

Some industry watchers have questioned how many firms will be willing to hand their proprietary code to Veracode for testing. The CTO countered that, with businesses outsourcing more software development than ever, most large companies are already used to working with third parties at that level, and are willing to let someone examine their software for security purposes.

Commercial software vendors are another significant opportunity for Veracode, which has already run scans for three or four of the world's largest ISVs, Wysopal said. He also claims the company is currently providing vulnerability discovery services to four of the world's top ten financial services companies.

The growing use of open-source software in business is another reason Veracode's services make sense, he said, though the problem is even more acute for proprietary programs.

"When we did our research, we found that if a backdoor was placed in an open-source project, the lifetime was typically weeks, but for commercial products, the backdoors lived for years," said Wysopal. "Maybe you could find these problems if you did manual code reviews, but we know that is becoming harder than ever with shared libraries and outsourcing; we think that by becoming the leading experts in backdoors, we can grow our business even faster."

Industry analysts downplayed the notion that binary analysis is the best way to look for backdoors, pointing out that source code scanning specialists such as Ounce Labs and Fortify have just as good a chance of finding the flaws.

The analysts did say, however, that Veracode may have an edge in finding backdoors over so-called "black box" vendors such as Cenzic, whose tools probe a running application without examining its code.

"I don't think it is as large of an advantage as they might claim, but it does help them differentiate over the black box crowd," said Dr. Chenxi Wang, analyst with Forrester Research. "But with the issue of people being afraid to hand over their code to Veracode, I don't think that's as big of a deal as some have made it out to be either."

The analyst said Veracode is winning interesting deals with banks such as Barclays, which is using the company's scanning services to test the applications of business partners that want to connect to its own systems.

Binary analysis, and the ability to use Veracode's hosted model in this way, may help the company grow the application security market as a whole, she said.

"Their approach so far has been pretty smart. You can see how the model being used with the banks may drive great interest in application scanning; it's not that the market is flat, but there's a lot of room for growth," Wang said. "We'll have to wait to see if Veracode can draw more customers, and see the size of those deals, but they do have an opportunity to shake things up."

Matt Hines is a senior writer at InfoWorld.
Copyright © 2008 IDG Network. All rights reserved.