As software security and secure development techniques have
continued to gain momentum, the demand for code-auditing tools and
services has risen as well. A number of companies have sprouted up
to meet that demand, but a new company called Veracode Inc. is
bringing a unique on-demand services model to a market comprising
almost exclusively software offerings.
Veracode's Code Assurance Security Platform enables customers to
upload code to the company's servers, where it is then analyzed
using Veracode's proprietary binary-analysis tool. About a day
later, the customer gets a complete report on all of the
vulnerabilities found in the code. The customer can click on each
vulnerability in the report and link directly to the section of the
code where the problem lies. The goal is to make the arduous task
of code analysis much more efficient and accurate than it is
now.
Aside from the on-demand, subscription-based model, Veracode's
key innovation is its tool's ability to analyze the application
binary, and not simply the source code.
"We can do code analysis at a deep binary level. The engine
traverses more code paths than source code tools can," said Matt
Moynahan, CEO of Veracode, based in Burlington, Mass. "The binary
is what's running online, not the source code."
Veracode's platform enables a closed-loop feedback system in
which mistakes found in one customer's code help the company's
analysts identify and correct that problem in other customers'
applications. This allows for continuous improvement in both
Veracode's analysis methods and its customers' development
techniques.
Veracode's entry into the market comes at a time when on-demand
services in general are becoming more and more popular in the
enterprise. The success of pioneers such as Salesforce.com,
Netsuite Inc., and others has convinced industry giants like
Microsoft Corp. and IBM that there is plenty of appetite for
subscription-based services and more flexible delivery and pricing
models. However, Veracode is the first vendor to offer a code
auditing service using the model. Its competitors, including
Fortify, Coverity, Ounce Labs and others, all sell software.
Veracode is the brainchild of co-founders Chris Wysopal and
Christien Rioux, both veterans of the famed L0pht hacking
collective and its eventual corporate parent, @stake Inc. Wysopal,
the company's CTO, helped write the binary analysis tool that is at
the heart of Veracode's offering. After Symantec Corp. bought
@stake in 2004, Wysopal joined the security giant for a time, but
left last year in order to get Veracode up and running. Rioux is
the company's chief scientist and is well-known in the security
community for his vulnerability research and other work. The
company's management team boasts a number of other Symantec and
@stake veterans, including Mike Pittenger, the vice president of
business development, and Malcolm Lockhart, the chief
architect.
Veracode plans to demonstrate its service at the RSA Conference
in San Francisco next month.