Veracode, a company which specialises in tracking bugs in applications, has unveiled the latest version of its Securetest service, which offers developers cloud-based code verification.
Jon Stevenson, senior vice-president for engineering at Veracode, said, "We accept binary files. We analyse the binaries to find vulnerabilities." T
he tests are run over 24 hours, after which Veracode sends a report of the vulnerabilities to the developer.
Stevenson said the report identifies modules and even the offending line of source code. The company claims results are often 100% lower in false positives than alternative on-premise source code tools.
The service supports programming languages and development environments including, C++. Java, .net, PHP and Cold Fusion.
In his most recent blog posting, Veracode chief executive Matt Moynahan wrote that fixing software vulnerabilities is often easier than fixing a functional problem with an application.
"Fixing security vulnerabilities can be faster and more cost-effective than fixing a functional bug. Fixing functional bugs often requires detailed diagnosis of the customer environment, configuration settings, other software interacting with it, etc. Changing the size of a buffer or closing a parameter is much simpler - if you can find the vulnerability and provide remediation advice on how to fix it"
Veracode bases its code analysis on common weaknss enumeration, a taxonomy developed by Mitre, a not-for-profit organisation which developes IT and systems standards. It also works with Sans Institute, which classifies vulnerabilities and conducts its own research
Veracode also conducts its own research, funded by InQTel, the venture arm of the CIA.