Veracode debuts system to test binary code

Veracode launched its Software Security Ratings Service on June 25, introducing its new system for use in testing the safety of applications development among enterprise customers and third-party software makers.

With the debut of the service, Veracode, which is based in Burlington, Mass., claims to have unveiled the world's first standards-based system for rating the overall security of software programs before they are put into production mode.

While many companies that harbor software development departments have begun using source code analysis tools to look for potential vulnerabilities in their applications, Veracode aims to take the process one step further by offering businesses and ISVs the ability to scan binary code of their programs for problems.

Testing binary code, versus scouring individual lines of source code, allows developers to scan an entire application before it is taken into production, thus increasing their likelihood of finding errors they might have missed along the way and eliminating the need to pursue code that ends up getting cut from a program before it approaches its final state, Veracode officials said.

The approach also benefits efforts to develop software using the increasingly popular SOA approach by allowing workers to test code being drawn from multiple programs in their final, integrated state, the company maintains.

To support its ratings service -- which customers can use to test the code of their own homegrown applications or those of third-party providers -- the company built its scoring system around the CWE (Common Weakness Enumeration) classification, which has been forwarded by federally funded IT security watchdogs Mitre, as well as the CVSS (Common Vulnerability Scoring System), which has been piloted by the FIRST (Forum of Incident Response and Security Teams) industry group.

By combining the two standards into an integrated testing tool that scans for potential problems and produces a score based on its findings, Veracode officials claim that they can offer companies a more comprehensive manner of understanding just where their programs are weakest from a security perspective.

"The software industry is valued at roughly $350 billion, but the entire industry has almost no notion of its own security quality, and part of that problem is that there haven't been tools like this in the past," said Matt Moynahan, chief executive of Veracode and a former division manager at Symantec.

"This is a responsible way for people to improve the security of their code without placing an undue burden on an ISV community that is already desperate to fix this problem, but faces a huge challenge in finding people who are capable of writing safer programs," he said.

Moynahan said that during his time at Symantec -- where he helped oversee sales of the company's Norton consumer desktop anti-virus products -- he was exposed to the grueling testing process that software developers must undergo to eliminate flaws from their applications.

By allowing such ISVs and internal software development shops to assess where they may have problems earlier in the design process, or before applications have been installed, Veracode can dramatically cut the amount of time and effort necessary to find and fix subsequent security problems, he said.