The Truth About Software Security


Businesses have come to expect that the software their IT departments build, and even what they buy, will be flawed. But that doesn't mean they have to accept it. There are tools available to analyze and test how secure a software application is, as well as consultants who will do that work for you. And now, there's a hybrid: an outsourced software-security analysis service.

Veracode is a spin-off of security software vendor Symantec. Veracode clients send a compiled version of the software they want analyzed over the Internet and within 72 hours receive a Web-based report explaining, and prioritizing, its security flaws. Veracode's service, which started last March using the resources Symantec obtained from its acquisition of @stake in 2004, hunts for security vulnerabilities; malicious code that may have been written into the software, such as a rootkit or back door; and missing security features such as data encryption.

Veracode's Truth Telling

Scale Model: Fees for Veracode's app security analysis are based on a sliding scale.
Compile, Conquer: Veracode works on compiled code, which mirrors a hacker's attack scenario.
Quick Service: The company says it will get its analysis back to clients within 72 hours.

Over the past six months, Veracode has raised $20 million in funding from Atlas Venture, Symantec, and Macrovision, a maker of video security technology. Veracode claims to have more than 20 customers for its service; pricing is based on the resources Veracode needs to dedicate in its IT system to perform the analysis. Companies should expect to pay at least $50,000 per year for a security analysis if they're testing alpha or beta versions of their software, and as much as "seven figures" for more intricate programs.

Veracode's service approach is unique in two ways: It can be scaled, depending upon the size of the software app being tested, and it primarily analyzes compiled binary code rather than source code. Veracode will tie its analysis of security flaws to specific areas of a program's source code if a client makes it available, but CEO Matt Moynahan says sharing source code is an unnecessary risk to a client's intellectual property. "Attackers don't attack source code, they attack the application," says Moynahan, former VP of Symantec's Consumer Products and Solutions division. "Our analysis is close to the actual attack scenario that hackers would take."

Other software security providers disagree. "Everything about the security of software is instantiated by its source code," says Mike Armistead, VP of corporate development for Fortify Software, which sells tools for testing an application's security at source-code level. Last week, Fortify unveiled plans to acquire Secure Software for that company's expertise in analyzing applications developed using IBM's Rational software toolset.

Along with testing clients' internally developed applications, Veracode can analyze software written by third parties, such as an offshore services firm.

