Testing software applications to minimise the risk of
security vulnerabilities and compliance failures is a
time-consuming and costly process, albeit an essential one.
Security testing company Veracode has developed an automated tool that it says will slash the
time taken to complete this process.
It all began in 2002 when a specialist security consultancy
@Stake created a smart piece of software to analyse application
code for errors. The product, SmartRisk Analyzer, was an
application security analysis tool that automated the identification
of security vulnerabilities by analysing the compiled binary code of software
applications rather than the source. It was designed to help consultants work alongside
developers and quality-assurance teams to find and fix security
flaws early in the development cycle, minimising risk and reducing
the need for incident response work.
Then, in 2004, Symantec acquired the technology when it bought
@Stake. The technology underlying SmartRisk Analyzer was extended,
and eventually brought to market by Symantec spin-off Veracode.
Building on the SmartRisk Analyzer technology, Veracode has
taken the concept of binary code analysis and created a product
called SecurityReview, which it sells as an online service. With
Veracode, application code reviews are purchased on a
software-as-a-service subscription basis, eliminating the need to
install or maintain software or hardware, or to train staff.
Tony Lock, programme director at analyst company Freeform
Dynamics, said, "The beauty of Veracode's approach is that it runs
as a software service, which removes a lot of concerns large
businesses have with software-testing tools."
Using patented static binary analysis and dynamic web
scanning, the company said SecurityReview has been
engineered to overcome the limitations of traditional tools and
manual penetration tests. "We are automating manual code review,"
said Matt Moynahan, chief executive at Veracode.
Moynahan said he used it all the time in his previous job, where
he managed Symantec's consumer software division. Many
software development tools let developers check source
code, but Veracode analyses the compiled binary, so even
third-party code and libraries for which the source code is unavailable
can be checked. "By looking at the binary file, we are analysing
the whole application," Moynahan said.
Veracode looks for traditional programming errors that can lead
to buffer-overflow attacks, SQL injection and command injection.
It can also identify where an application uses cryptography, and
flag hard-coded passwords and IP addresses that an attacker could
target.
The product scans code using automated techniques designed to
mirror the way attackers approach a target, and uses this to
rate the severity of any weaknesses it finds. Users upload the binary
code to Veracode and specify the programming language and platform
used to build it.
"We translate the binary code into a model that looks at the way
information flows in the application, all the way down to the
application programming interfaces," Moynahan said. So, for
instance, Veracode is able to identify if the application binary
code uses an OpenSSL function.
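The checks described above (hard-coded passwords and IP addresses, references to OpenSSL functions, and the unsafe C library calls behind many buffer-overflow and command-injection bugs) can be illustrated with a crude string-level pass over a binary. The following is an added example written for this page, not Veracode's code or its data-flow model: it extracts printable runs from a constructed byte blob that stands in for a binary's import table and string literals, and classifies them. The OpenSSL prefixes, the credential and IP patterns, and the unsafe-function list are the example's own assumptions.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Constructed sample (not a real program): byte runs of the kind a string
# pass over an ELF binary would surface, i.e. imported symbol names and
# string literals from .rodata, interleaved with non-printable bytes.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"SSL_CTX_new\x00SSL_CTX_set_verify\x00EVP_EncryptInit_ex\x00"
    + b"\x90\x90\xcc\x00"
    + b"db_password=Tr0ub4dor&3\x00"          # hard-coded credential
    + b"connect to 10.0.12.7:5432\x00"        # hard-coded IP address
    + b"mirror 256.1.1.1\x00"                 # looks like an IP but is not valid
    + b"\x00\xffprintf\x00strcpy\x00"         # libc imports, one of them unsafe
)

# Assumed symbol prefixes used by the OpenSSL C API.
OPENSSL_PREFIXES = ("SSL_", "EVP_", "RSA_", "X509_", "BIO_", "PEM_", "HMAC_")

# Assumed list of libc functions whose presence is worth a second look.
UNSAFE_LIBC = {
    "strcpy": "unbounded copy, classic buffer overflow",
    "strcat": "unbounded concatenation, buffer overflow",
    "gets": "unbounded read, buffer overflow",
    "sprintf": "unbounded format, buffer overflow",
    "system": "shell invocation, command injection if input reaches it",
    "popen": "shell invocation, command injection if input reaches it",
}

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")   # printable ASCII runs, like strings(1)
CRED_RE = re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*(\S+)")
IPV4_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")


def extract_strings(blob):
    """Return printable ASCII runs of at least four characters, in file order."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def is_ipv4(text):
    """Reject dotted quads with out-of-range octets such as 256.1.1.1."""
    try:
        IPv4Address(text)
        return True
    except AddressValueError:
        return False


def scan(blob):
    """Classify the strings found in a binary blob into the finding types
    discussed in the text. Returns a dict of lists, each in file order."""
    findings = {
        "openssl_api": [],
        "hardcoded_credential": [],
        "hardcoded_ip": [],
        "unsafe_libc": [],
    }
    for s in extract_strings(blob):
        if s.startswith(OPENSSL_PREFIXES):
            findings["openssl_api"].append(s)
        for m in CRED_RE.finditer(s):
            findings["hardcoded_credential"].append(m.group(1))
        for candidate in IPV4_RE.findall(s):
            if is_ipv4(candidate):
                findings["hardcoded_ip"].append(candidate)
        if s in UNSAFE_LIBC:
            findings["unsafe_libc"].append(s)
    return findings


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_BINARY).items():
        print(f"{kind}: {hits}")
```

The point of the contrast with the text is that a string pass only tells you what a binary references: that `strcpy` is imported, not whether attacker-controlled data ever reaches it, and that `SSL_CTX_set_verify` is present, not what verification mode it is called with. Answering those questions requires the kind of information-flow model Moynahan describes, which is why a findings list like this one is a triage input rather than a verdict.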
As binaries are analysed, Veracode builds a database
of common programming problems that an attacker could
exploit. Moynahan said this database helps users keep pace with
new threats.
Veracode's services include internal security reviews,
PCI compliance, commercial off-the-shelf security audits and
outsourced secure code acceptance.
Users of SecurityReview include Delta Air Lines, which
uses the Veracode service to test outsourced application
development. "A third of our customers are using Veracode for PCI
compliance," Moynahan said.
Another company using Veracode is retail bank Barclays. Rhonda
MacLean, global information security officer in the global retail
and commercial banking department at Barclays Bank, said, "In a
rapidly changing threat environment, Veracode's technology and its
software-as-a-service model have given us the flexibility to
conduct rapid code review cycles, which is an obvious benefit for
our customers."
The Veracode SecurityReview service portfolio now
comprises the following on-demand services:
Outsourcing SecurityReview
Provides automated security audits to check that enterprises
receive secure code from offshore development partners
COTS SecurityReview
Helps enterprises and government agencies quantify and manage the
security risks of commercial off-the-shelf software
SDLC SecurityReview
Enables security teams to conduct security assessments of
mission-critical, internally developed applications before they
ship
PCI SecurityReview
Automates and shortens the process of achieving compliance with
the application security requirements of PCI DSS, Visa PABP and
PA-DSS in a simple and cost-effective way