Veracode pitches backdoor apps security

Veracode launched a new version of its binary code analysis service on Monday that focuses specifically on helping software engineers find potential backdoor vulnerabilities in their programs.

While some applications security companies scour source code for flaws, such as Fortify, and others specialize in testing programs already running in production, such as Cenzic, Veracode is spinning itself as an alternative by channeling its efforts into looking for vulnerabilities in binary code and offering the capabilities as a fully-hosted service.

Officials with the applications security startup -- which was originally spun out of Symantec and launched its initial analysis service in Feb. 2007 -- claim that the company's unique ability to find backdoors could be one of the differentiators that allow Veracode to grow its presence in the applications security sector.

With backdoor vulnerabilities in particular, said company officials, the use of binary code analysis is ideal for finding potential flaws that are hard to predict or address in other stages of development.

"There are a lot of advantages to looking at binaries versus looking at source code, and it turns out that finding backdoors is one of those, and there hasn't been anything on the market that really addresses the problem in general," said Chris Wysopal, CTO at Veracode. "Some static analysis tools may look for static passwords, but if the code is even slightly obfuscated, they can't, and they don't, look for hidden keys or rootkit behavior, so this is truly something new that we're offering."

Along with special credentials, which are most often embedded in applications code by developers as a means to get back into the programs, Veracode is also promising to chase down any hidden functionality, or secret sets of commands left inside many software systems by their authors.

The service also promises to look for warning signs of malicious code behavior, such as evidence of any rootkits built into a program, and unusual network activity, such as functionality that causes an application to mail out data to a predestined recipient.

As more companies outsource elements development of their applications, it will be vital for them to run such scans against their programs to look for the potential weak points, the CTO said.

Leaving backdoors in code is one of the oldest tricks on the book for developers looking for easy ways to get back into their programs to either fix them or carry out malicious schemes, Wysopal contends.

"Sometimes it's just something that is meant to be left in for debugging purposes, other times its code that was meant to be removed but simply slipped through the cracks, either way these are vulnerabilities that need to be addressed," said Wysopal. "Most customers want a third-party review in this day, and we can offer that as a hosted service, so we think there's a lot of potential for how much interest backdoor scans can drive uptake of our services."

Veracode targets financial services, commercial software markets

Financial services firms in particular are very concerned that outsourced code developers may be leaving backdoors in place to sell to malware code writers or use to break into applications on their own for the purpose of stealing data, said the expert.