Veracode debuts system to test binary code

Standards-based method would allow enterprises to scan programs' binary code for problems before they are put into production

Veracode launched its Software Security Ratings Service on June 25, introducing its new system for use in testing the safety of applications development among enterprise customers and third-party software makers.

With the debut of the service, Veracode, which is based in Burlington, Mass., claims to have unveiled the world's first standards-based system for rating the overall security of software programs before they are put into production mode.

While many companies that harbor software development departments have begun using source code analysis tools to look for potential vulnerabilities in their applications, Veracode aims to take the process one step further by offering businesses and ISVs the ability to scan binary code of their programs for problems.

Testing binary code, versus scouring individual lines of source code, allows developers to scan an entire application before it is taken into production, thus increasing their likelihood of finding errors they might have missed along the way and eliminating the need to pursue code that ends up getting cut from a program before it approaches its final state, Veracode officials said.

The approach also benefits efforts to develop software using the increasingly popular SOA approach by allowing workers to test code being drawn from multiple programs in their final, integrated state, the company maintains.

To support its ratings service -- which customers can use to test the code of their own homegrown applications or those of third-party providers -- the company built its scoring system around the CWE (Common Weakness Enumeration) classification, which has been forwarded by federally funded IT security watchdogs Mitre, as well as the CVSS (Common Vulnerability Scoring System), which has been piloted by the FIRST (Forum of Incident Response and Security Teams) industry group.

By combining the two standards into an integrated testing tool that scans for potential problems and produces a score based on its findings, Veracode officials claim that they can offer companies a more comprehensive manner of understanding just where their programs are weakest from a security perspective.

"The software industry is valued at roughly $350 billion, but the entire industry has almost no notion of its own security quality, and part of that problem is that there haven't been tools like this in the past," said Matt Moynahan, chief executive of Veracode and a former division manager at Symantec.

"This is a responsible way for people to improve the security of their code without placing an undue burden on an ISV community that is already desperate to fix this problem, but faces a huge challenge in finding people who are capable of writing safer programs," he said.

Moynahan said that during his time at Symantec -- where he helped oversee sales of the company's Norton consumer desktop anti-virus products -- he was exposed to the grueling testing process that software developers must undergo to eliminate flaws from their applications.

By allowing such ISVs and internal software development shops to assess where they may have problems earlier in the design process, or before applications have been installed, Veracode can dramatically cut the amount of time and effort necessary to find and fix subsequent security problems, he said.

The Software Security Ratings Service promises to chart both the severity and potential exploitability of any flaws it locates in a particular program, along with the types of business information which could be exposed by an attack on the applications being tested.

"This isn't necessarily a development problem as people have been making it out to be; secure coders simply don't grow on trees, and developers have not been trained in the security testing process," Moynahan said. "This also helps tackle the development outsourcing problem when it comes to security, instead of forcing companies to reconsider the approach altogether based on fears of insecure code."

One roadblock that has made it difficult for such an independent software rating system to have been developed in the past is that companies have been reluctant to release their source code to outsiders for testing, mainly out of fear of handing over their most valuable intellectual property to others, the CEO said.

Since the ratings system is delivered via a software-as-a-service (SaaS) model whereby users aren't forced to distribute their code externally for testing, Moynahan expects that more development shops will be open to testing their code in such a manner.

Beyond the ratings service, Veracode similarly offers its flagship SecurityReview application -- which promises to automate applications security auditing -- as an on-demand subscription service.

In the last month alone, two of the best-known providers of source code and Web applications security testing, Watchfire and SPI Dynamics, have been acquired by IBM and HP respectively, illustrating a major push among providers of software development tools to further integrate security monitoring features into their products.

While those acquisitions should prove useful in helping businesses improve the security of their applications development process, at least one expert said that technologies provided by companies such as Veracode -- those that can look directly at binary code for vulnerabilities -- could see increased demand as developers seek even more tools for driving mistakes and incompatibilities out of their programs.

"Developers should be trying to find all possible ways to break their applications, not just looking at source code for mistakes; they need to have a more hacker-like mentality, and to do that you have to test throughout the whole development process," said Joseph Feiman, analyst with Gartner, based in Stamford, Conn.

"To that end, no one today is testing binary code, which could be a significant benefit to improving security, so there will be a growing market for those tools that can handle that type of work," Feiman said. "Especially with the rise of SOA, and with people buying packages and services that offer them no access to the source code, we should see growth in this evolving market for binary testing tools."

Join the discussion
Be the first to comment on this article. Our Commenting Policies