Veracode launched a new version of its binary code analysis service on Monday that focuses specifically on helping software engineers find potential backdoor vulnerabilities in their programs.
While some applications security companies scour source code for flaws, such as Fortify, and others specialize in testing programs already running in production, such as Cenzic, Veracode is spinning itself as an alternative by channeling its efforts into looking for vulnerabilities in binary code and offering the capabilities as a fully-hosted service.
Officials with the applications security startup -- which was originally spun out of Symantec and launched its initial analysis service in Feb. 2007 -- claim that the company's unique ability to find backdoors could be one of the differentiators that allow Veracode to grow its presence in the applications security sector.
With backdoor vulnerabilities in particular, said company officials, the use of binary code analysis is ideal for finding potential flaws that are hard to predict or address in other stages of development.
"There are a lot of advantages to looking at binaries versus looking at source code, and it turns out that finding backdoors is one of those, and there hasn't been anything on the market that really addresses the problem in general," said Chris Wysopal, CTO at Veracode. "Some static analysis tools may look for static passwords, but if the code is even slightly obfuscated, they can't, and they don't, look for hidden keys or rootkit behavior, so this is truly something new that we're offering."
Along with special credentials, which are most often embedded in applications code by developers as a means to get back into the programs, Veracode is also promising to chase down any hidden functionality, or secret sets of commands left inside many software systems by their authors.
The service also promises to look for warning signs of malicious code behavior, such as evidence of any rootkits built into a program, and unusual network activity, such as functionality that causes an application to mail out data to a predestined recipient.
As more companies outsource elements development of their applications, it will be vital for them to run such scans against their programs to look for the potential weak points, the CTO said.
Leaving backdoors in code is one of the oldest tricks on the book for developers looking for easy ways to get back into their programs to either fix them or carry out malicious schemes, Wysopal contends.
"Sometimes it's just something that is meant to be left in for debugging purposes, other times its code that was meant to be removed but simply slipped through the cracks, either way these are vulnerabilities that need to be addressed," said Wysopal. "Most customers want a third-party review in this day, and we can offer that as a hosted service, so we think there's a lot of potential for how much interest backdoor scans can drive uptake of our services."
Veracodetargets financial services, commercial software markets
Financial services firms in particular are very concerned that outsourced code developers may be leaving backdoors in place to sell to malware code writers or use to break into applications on their own for the purpose of stealing data, said the expert.
While some industry watchers have questioned how many firms will be willing to hand over their proprietary code to Veracode for testing, the CTO said that with businesses outsourcing more software development than ever, most large companies are already conditioned to working with third parties on that level -- and willing to give someone a chance to examine their software for security purposes.
Commercial software vendors represent another significant opportunity for Veracode, and it has already run scans for three or four of the largest ISVs in the world, Wysopal said. The executive claims that the company is also currently serving four of the world's top ten financial services companies with its vulnerability discovery services.
The increasing popularity of open-source software in the business setting is another reason why Veracode's services make sense, he said. However, the problem is even more acute for proprietary programs.
"When we did our research, we found that if a backdoor was placed in an open-source project, the lifetime was typically weeks, but for commercial products, the backdoors lived for years," said Wysopal. "Maybe you could find these problems if you did manual code reviews, but we know that is becoming harder than ever with shared libraries and outsourcing; we think that by becoming the leading experts in backdoors, we can grow our business even faster."
Industry analysts downplayed the notion that binary analysis is the best way to look for backdoors, pointing out that source code scanning specialists like Ounce Labs and Fortify have just as good an opportunity to find the flaws.
However, the industry watchers said that Veracode might have an advantage in the process of finding the backdoor bugs compared to so-called "black box" vendors, including Cenzic.
"I don't think it is as large of an advantage as they might claim, but it does help them differentiate over the black box crowd," said Dr. Chenxi Wang, analyst with Forrester Research. "But with the issue of people being afraid to hand over their code to Veracode, I don't think that's as big of a deal as some have made it out to be either."
The analyst said that Veracode is winning interesting deals with banks like Barclay's -- which is using the company's scanning services to test the applications of its business partners that want to link to its own software systems.
Binary analysis and the ability to utilize Veracode's hosted model in such a fashion may in fact help the company grow the applications security space in general, she said.
"Their approach so far has been pretty smart, you can see how the model being used with the banks may drive great interest in applications scanning, it's not that the market is flat but there's a lot of room for growth," Wang said. "We'll have to wait to see if Veracode can draw more customers, and see the size of those deals, but they do have an opportunity to shake things up."