News Analysis

Veracode launches on-demand code analysis service

Dennis Fisher, Executive Editor
As software security and secure development techniques have continued to gain momentum, the demand for code-auditing tools and services has risen as well. A number of companies have sprouted up to meet that demand, but a new company called Veracode Inc. is bringing a unique on-demand services model to a market comprising almost exclusively software offerings.

Veracode's Code Assurance Security Platform enables customers to upload code to the company's servers, where it is then analyzed using Veracode's proprietary binary-analysis tool. About a day later, the customer gets a complete report on all of the vulnerabilities found in the code. The customer can click on each vulnerability in the report and link directly to the section of the code where the problem lies. The goal is to make the arduous task of code analysis much more efficient and accurate than it is now.

Aside from the on-demand, subscription-based model, Veracode's key innovation is its tool's ability to analyze the application binary, and not simply the source code.

"We can do code analysis at a deep binary level. The engine traverses more code paths than source code tools can," said Matt Moynahan, CEO of Veracode, based in Burlington, Mass. "The binary is what's running online, not the source code."

Veracode's platform enables a closed-loop feedback system in which mistakes found in one customer's code help the company's analysts identify and correct that problem in other customers' applications. This allows for continuous improvement in both Veracode's analysis methods and its customers' development techniques.


Veracode's entry into the market comes at a time when on-demand services in general are becoming more and more popular in the enterprise. The success of pioneers such as Salesforce.com, Netsuite Inc., and others has convinced industry giants like Microsoft Corp. and IBM that there is plenty of appetite for subscription-based services and more flexible delivery and pricing models. However, Veracode is the first vendor to offer a code auditing service using the model. Its competitors, including Fortify, Coverity, Ounce Labs and others all sell software.

Veracode is the brainchild of co-founders Chris Wysopal and Christien Rioux, both veterans of the famed L0pht hacking collective and its eventual corporate parent, @stake Inc. Wysopal, the company's CTO, helped write the binary analysis tool that is at the heart of Veracode's offering. After Symantec Corp. bought @stake in 2004, Wysopal joined the security giant for a time, but left last year in order to get Veracode up and running. Rioux is the company's chief scientist and is well-known in the security community for his vulnerability research and other work. The company's management team boasts a number of other Symantec and @stake veterans, including Mike Pittenger, the vice president of business development, and Malcolm Lockhart, the chief architect.

Veracode plans to demonstrate its service at the RSA Conference in San Francisco next month.
