Businesses have come to expect that the software their IT departments build, and even what they buy, will be flawed. But that doesn't mean they have to accept it. There are tools available to analyze and test how secure a software application is, as well as consultants who will do that work for you. And now, there's a hybrid: an outsourced software-security analysis service.
Veracode is a spin-off of security software vendor Symantec. Veracode clients send a compiled version of the software they want analyzed over the Internet and within 72 hours receive a Web-based report explaining--and prioritizing--its security flaws. Veracode's service, which started last March using the resources Symantec obtained from its acquisition of @stake in 2004, hunts for security vulnerabilities; malicious code that may have been written into the software, such as a rootkit or back door; and missing security features such as data encryption.
|Veracode's Truth Telling|
|Scale Model Fees for Veracode's app security analysis are based on a sliding scale|
|Compile, Conquer Veracode works on compiled code, which mirrors a hacker's attack scenario|
|Quick Service The company says it will get its analysis back to clients within 72 hours|
Veracode's service approach is unique in two ways: It can be scaled, depending upon the size of the software app being tested, and it primarily analyzes compiled binary code rather than source code. Veracode will tie its analysis of security flaws to specific areas of a program's source code if a client makes it available, but CEO Matt Moynahan says sharing source code is an unnecessary risk to a client's intellectual property. "Attackers don't attack source code, they attack the application," says Moynahan, former VP of Symantec's Consumer Products and Solutions division. "Our analysis is close to the actual attack scenario that hackers would take."
Other software security providers disagree. "Everything about the security of software is instantiated by its source code," says Mike Armistead, VP of corporate development for Fortify Software, which sells tools for testing an application's security at source-code level. Last week, Fortify unveiled plans to acquire Secure Software for that company's expertise in analyzing applications developed using IBM's Rational software toolset.
Along with testing clients' internally developed applications, Veracode can analyze software written by third parties, such as an offshore services firm.