
The Truth About Software Security

Outsourced service provides deep dive into security of software code.
Businesses have come to expect that the software their IT departments build, and even what they buy, will be flawed. But that doesn't mean they have to accept it. There are tools available to analyze and test how secure a software application is, as well as consultants who will do that work for you. And now, there's a hybrid: an outsourced software-security analysis service.

Veracode is a spin-off of security software vendor Symantec. Veracode clients send a compiled version of the software they want analyzed over the Internet and within 72 hours receive a Web-based report that explains, and prioritizes, its security flaws. Veracode's service, which started last March using the resources Symantec obtained from its acquisition of @stake in 2004, hunts for three kinds of problems: security vulnerabilities; malicious code that may have been written into the software, such as a rootkit or back door; and missing security features, such as data encryption.

Veracode's Truth Telling
Scale Model: Fees for Veracode's app security analysis are based on a sliding scale.
Compile, Conquer: Veracode works on compiled code, which mirrors a hacker's attack scenario.
Quick Service: The company says it will get its analysis back to clients within 72 hours.
Over the past six months, Veracode has raised $20 million in funding from Atlas Venture, Symantec, and Macrovision, a maker of video security technology. Veracode claims to have more than 20 customers for its service; pricing is based on the resources Veracode needs to dedicate in its IT system to perform the analysis. Companies should expect to pay at least $50,000 per year for a security analysis if they're testing alpha or beta versions of their software, and as much as "seven figures" for more intricate programs.

Veracode's service approach is unique in two ways: It can be scaled, depending upon the size of the software app being tested, and it primarily analyzes compiled binary code rather than source code. Veracode will tie its analysis of security flaws to specific areas of a program's source code if a client makes it available, but CEO Matt Moynahan says sharing source code is an unnecessary risk to a client's intellectual property. "Attackers don't attack source code, they attack the application," says Moynahan, former VP of Symantec's Consumer Products and Solutions division. "Our analysis is close to the actual attack scenario that hackers would take."
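The two passages above make a technical claim that is easy to check on a small scale: a compiled binary, with no source at all, still tells an analyst whether security features are present or missing and which risky library routines it calls. The script below is an added illustration written for this page, not Veracode's tool, method or a reconstruction of either; it is in the spirit of a hardening check (the kind of thing `checksec` does), not a vulnerability scanner. It parses only the ELF64 header and program headers of a little-endian binary and reports the absence of PIE, a non-executable stack (PT_GNU_STACK) and RELRO, treats the presence of the `__stack_chk_fail` string as evidence of stack canaries, and greps the string data for a few risky libc imports. The sample binaries are constructed in the script itself (header-only ELF fixtures that are not runnable programs), and the string-grep detection of symbols is a deliberate simplification: a production analyzer would walk the dynamic symbol table instead.

```python
"""Hardening check on a compiled ELF64 binary, no source code required.

Added example for this article; not Veracode's code. Assumes little-endian
ELF64 input. Symbol detection is a crude string scan, labelled as such.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3                   # fixed-address executable vs. position-independent
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

# libc routines a reviewer would flag on sight; matched as whole string-table entries.
RISKY_IMPORTS = (b"gets", b"strcpy", b"sprintf", b"system")


def parse_elf64(data: bytes) -> dict:
    """Return the file type and (p_type, p_flags) of every program header."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum: the fields that follow e_ident[16].
    (e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum) = struct.unpack_from(
        "<HHIQQQIHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags})
    return {"type": e_type, "phdrs": phdrs}


def analyze(data: bytes) -> dict:
    """Report which hardening features are present and which risky imports appear."""
    elf = parse_elf64(data)
    stack = [p for p in elf["phdrs"] if p["type"] == PT_GNU_STACK]
    return {
        "pie": elf["type"] == ET_DYN,
        # The stack is non-executable only if PT_GNU_STACK exists AND lacks PF_X;
        # a missing PT_GNU_STACK means the loader falls back to an executable stack.
        "nx": bool(stack) and not (stack[0]["flags"] & PF_X),
        "relro": any(p["type"] == PT_GNU_RELRO for p in elf["phdrs"]),
        # Crude: a canary-instrumented binary imports __stack_chk_fail, so its
        # name appears in the dynamic string table.
        "canary": b"__stack_chk_fail\0" in data,
        # Match "\0name\0" so that e.g. "fgets" does not count as "gets".
        "risky_imports": sorted(n.decode() for n in RISKY_IMPORTS if b"\0" + n + b"\0" in data),
    }


def missing_features(findings: dict) -> list:
    """Turn the raw findings into the prioritized list a report would carry."""
    issues = []
    if findings["risky_imports"]:
        issues.append("risky imports: " + ", ".join(findings["risky_imports"]))
    if not findings["canary"]:
        issues.append("no stack canary")
    if not findings["nx"]:
        issues.append("executable stack")
    if not findings["pie"]:
        issues.append("no PIE (fixed load address)")
    if not findings["relro"]:
        issues.append("no RELRO")
    return issues


def build_sample(pie: bool, exec_stack: bool, relro: bool, strtab: bytes) -> bytes:
    """Constructed fixture: a header-only ELF64 carrying the program headers
    under test plus a fake string table. Not a runnable program."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8          # e_ident: ELF64, LE, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                        64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body + strtab


# Two constructed samples: one built the way an old, unhardened program would be,
# one with the features a current toolchain emits by default.
WEAK_BIN = build_sample(pie=False, exec_stack=True, relro=False,
                        strtab=b"\0libc.so.6\0gets\0strcpy\0printf\0")
HARD_BIN = build_sample(pie=True, exec_stack=False, relro=True,
                        strtab=b"\0libc.so.6\0fgets\0printf\0__stack_chk_fail\0")

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_BIN), ("hardened", HARD_BIN)):
        print(name, missing_features(analyze(blob)) or ["no findings"])
```

Run as a script it prints the findings for both fixtures; pointed at a real binary (`analyze(open(path, "rb").read())`) it gives the same checks on an actual build, which is exactly the position a client is in when it ships only the compiled artifact. Note what the binary does not reveal: nothing here maps a finding back to a line of source, which is the tie-in Veracode offers only when the client also supplies source.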

Other software security providers disagree. "Everything about the security of software is instantiated by its source code," says Mike Armistead, VP of corporate development for Fortify Software, which sells tools for testing an application's security at source-code level. Last week, Fortify unveiled plans to acquire Secure Software for that company's expertise in analyzing applications developed using IBM's Rational software toolset.

Along with testing clients' internally developed applications, Veracode can analyze software written by third parties, such as an offshore services firm.