Testing software applications to minimise the risk of security vulnerabilities and compliance failings is a time-consuming and costly process, albeit an essential one. Security testing company Veracode has developed an automated tool that promises to slash the time taken to complete this process.
It all began in 2002 when a specialist security consultancy @Stake created a smart piece of software to analyse application code for errors. The product, SmartRisk Analyzer, was an application security analysis tool, which automated identification of security vulnerabilities by checking the binary code of software applications. It was designed to help consultants work alongside developers and quality-assurance teams to find and fix security flaws early in the development cycle, minimising risk and reducing the need for incident response work.
Then, in 2004, Symantec acquired the technology when it bought @Stake. The technology underlying SmartRisk Analyzer was extended, and eventually brought to market by Symantec spin-off Veracode.
Based on the old SmartRisk Analyzer technology, Veracode has taken the concept of binary code analysis and created a product called SecurityReview, which it sells as an online service. With Veracode, application code reviews are purchased on a software-as-a-service subscription basis, eliminating the need to install or maintain software or hardware, or to train staff.
Tony Lock, programme director at analyst company Freeform Dynamics, said, "The beauty of Veracode's approach is that it runs as a software service, which removes a lot of concerns large businesses have with software-testing tools."
Using patented static-binary testing technology and dynamic web scanning analysis, the company said SecurityReview has been engineered to overcome the limitations of traditional tools and manual penetration tests. "We are automating manual code review," said Matt Moynahan, chief executive at Veracode.
Moynahan said he used it all the time in his previous job, where he managed Symantec's consumer software division. There are many software development tools that enable developers to check source code. But Veracode can analyse the binary file, meaning that even third-party code and libraries where the source code is unavailable can be checked. "By looking at the binary file, we are analysing the whole application," Moynahan said.
Veracode looks for traditional programming errors that can lead to buffer-overflow attacks, SQL injection and command injection. Additionally, it is able to search for the use of encryption within an application, or for hard-coded passwords and IP addresses that could be targeted by a hacker.
The product scans code using automated techniques designed to mirror the way hackers approach an attack, and through this aims to identify the severity of any weaknesses. Users upload the binary code to Veracode and specify the programming language environment that they used for software development.
"We translate the binary code into a model that looks at the way information flows in the application, all the way down to the application programming interfaces," Moynahan said. So, for instance, Veracode is able to identify if the application binary code uses an OpenSSL function.
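As an added illustration of the simplest layer of what a binary review can surface (this is not Veracode's code, which builds a full data-flow model rather than matching strings), the following Python scanner extracts printable strings from a constructed ELF-like byte string and flags hard-coded IPv4 addresses, credential-looking strings and OpenSSL symbol names. The symbol prefixes, keyword list and sample bytes are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Printable ASCII runs of four or more characters, the same heuristic strings(1) uses.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
SECRET_RE = re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*(\S+)")
# Assumed prefixes of OpenSSL's exported API names; a linked binary carries
# these in its import table as NUL-terminated strings.
OPENSSL_PREFIXES = ("SSL_", "EVP_", "RSA_", "X509_", "BIO_", "CRYPTO_", "RAND_")


@dataclass
class Findings:
    ip_addresses: list = field(default_factory=list)
    secrets: list = field(default_factory=list)
    openssl_symbols: list = field(default_factory=list)


def valid_ipv4(text: str) -> bool:
    """Reject dotted strings such as version numbers whose octets exceed 255."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def scan_binary(blob: bytes) -> Findings:
    """Walk every printable string in the blob and classify what it reveals."""
    found = Findings()
    for match in STRING_RE.finditer(blob):
        text = match.group().decode("ascii")
        for ip in IPV4_RE.findall(text):
            if valid_ipv4(ip) and ip not in found.ip_addresses:
                found.ip_addresses.append(ip)
        for secret in SECRET_RE.finditer(text):
            found.secrets.append(secret.group(0))
        if text.startswith(OPENSSL_PREFIXES) and text not in found.openssl_symbols:
            found.openssl_symbols.append(text)
    return found


# Constructed sample: an ELF-like header followed by fragments of a string table.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"SSL_CTX_new\x00EVP_EncryptInit_ex\x00printf\x00"
    + b"db_host=10.0.12.7\x00password=Hunter2!\x00"
    + b"build 1.2.3.999\x00"  # looks dotted but octet 999 fails validation
)

if __name__ == "__main__":
    print(scan_binary(SAMPLE_BINARY))
```

A real reviewer would treat each hit as a lead to confirm in the disassembly, since an extracted string says nothing about whether the code path that uses it is reachable.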
As binary code is analysed, Veracode is able to build a database of common programming problems, which could be exploited by a hacker. Moynahan said this database helps users keep in step with new threats.
Veracode's services include internal security reviews, PCI compliance, commercial off-the-shelf security audits and outsourced secure code acceptance.
Users of SecurityReview include Delta Airlines, which effectively runs the Veracode service for outsourced application testing. "A third of our customers are using Veracode for PCI compliance," Moynahan said.
Another company using Veracode is retail bank Barclays. Rhonda MacLean, global information security officer in the global retail and commercial banking department at Barclays Bank, said, "In a rapidly changing threat environment, Veracode's technology and its software-as-a-service model have given us the flexibility to conduct rapid code review cycles, which is an obvious benefit for our customers."
The Veracode SecurityReview service portfolio now comprises the following on-demand services:
Provides automated security audits that ensure enterprises receive secure code from offshore development partners
Helps enterprises and government agencies quantify and manage security risks of commercial off-the-shelf software
Enables security teams to conduct security assessments on mission-critical, internally developed applications before they ship
Automates and shortens the process for achieving compliance with the application security requirements of PCI-DSS, Visa PABP and PA-DSS in a simple and cost-effective way.
This was first published in May 2008