Veracode tool scans for developer backdoors
Veracode, which was established by former Symantec employees and launched its initial service in February, is seeking to distinguish itself by focusing on backdoor detection and on-demand services.
According to Veracode, competitors such as Fortify, whose products scan only program source code, cannot find certain classes of security flaw. The company argues that its approach of scanning the compiled binary is more accurate and complete, because the binary is what actually ships and runs.
“The binary represents the actual attack surface for the hacker,” said Veracode’s chief executive officer, Matt Moynahan, in a statement.
Backdoors, which are often included in programs by developers for legitimate purposes, nevertheless can pose a serious threat to companies, Veracode argues.
Financial services firms, which increasingly assemble their software from reusable binary components or rely on third-party development work, originally requested the ability to detect such backdoors, Veracode said. The company is also focusing on military software, but said any organisation could be under threat from backdoors.
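As an added illustration of the source-versus-binary argument above (example code written for this page, not Veracode's tooling or its detection rules): a small Python scanner that extracts printable strings from a binary image the way the `strings` tool does, flags common developer-backdoor indicators (hard-coded credential pairs, override or bypass flags, hidden maintenance endpoints), and then reports which of those indicators never appear in the project's own source. An indicator that is present in the binary but absent from the source is exactly what you would expect when a backdoor arrived inside a prebuilt third-party component. The indicator patterns, the sample binary bytes and the sample source snippet are all constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative indicator patterns (assumptions for this example, not any
# vendor's rule set). Each maps a category name to a regex applied to every
# printable string pulled out of the binary.
INDICATORS = {
    # "account:secret" with no whitespace, colon or slash in the secret part,
    # so "http://..." and "Usage: ..." style strings do not match.
    "hardcoded-credential": re.compile(r"^[A-Za-z0-9_.-]{3,32}:[^\s:/]{6,64}$"),
    "override-flag": re.compile(r"(?i)(backdoor|bypass|override|master[_-]?(key|pass))"),
    "debug-endpoint": re.compile(r"^/(debug|maint|_internal|hidden)[A-Za-z0-9/_-]*$"),
    "magic-token": re.compile(r"(?i)(magic|secret)[_-]?(cookie|token|value)"),
}


@dataclass(frozen=True)
class Finding:
    offset: int      # byte offset of the string inside the binary image
    category: str    # which INDICATORS entry fired
    text: str        # the string itself


def extract_strings(data: bytes, min_len: int = 6):
    """Yield (offset, string) for every run of printable ASCII of at least min_len bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def scan_binary(data: bytes, min_len: int = 6) -> list[Finding]:
    """Return one Finding per extracted string that matches an indicator (first match wins)."""
    findings: list[Finding] = []
    for offset, s in extract_strings(data, min_len):
        for category, pattern in INDICATORS.items():
            if pattern.search(s):
                findings.append(Finding(offset, category, s))
                break
    return findings


def not_in_source(findings: list[Finding], source_files: dict[str, str]) -> list[Finding]:
    """Keep only findings whose literal text appears in none of the given source files.

    A source-only scanner can never see these: the string reached the binary
    through a prebuilt object, a vendor library, or a build-time modification.
    """
    corpus = "\n".join(source_files.values())
    return [f for f in findings if f.text not in corpus]


# Constructed stand-in for a compiled executable: a fake ELF header followed by
# NUL-terminated strings such as a real binary's .rodata would contain.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"\x01\x00\x3e\x00"
    + b"Usage: app [options]\x00"
    + b"https://updates.example.com/check\x00"
    + b"svc_maint:Tr0ub4dor&3\x00"          # constructed: credential linked in from a vendor .a
    + b"/_internal/shell\x00"               # constructed: hidden endpoint, present in source
    + b"libssl.so.3\x00"
    + b"SUPPORT_OVERRIDE_ENABLED\x00"       # constructed: override flag from the same vendor .a
    + b"GCC: (GNU) 12.2.0\x00"
)

# Constructed stand-in for the project's own source: the maintenance endpoint
# is visible here, the credential and override flag are not.
SAMPLE_SOURCE = {
    "main.c": """
        puts("Usage: app [options]");
        if (strcmp(path, "/_internal/shell") == 0) spawn_shell();
        check_updates("https://updates.example.com/check");
    """,
}


def main() -> None:
    findings = scan_binary(SAMPLE_BINARY)
    print("indicators found in binary:")
    for f in findings:
        print(f"  0x{f.offset:06x}  {f.category:22s} {f.text}")
    print("of which absent from source (came in through a binary component):")
    for f in not_in_source(findings, SAMPLE_SOURCE):
        print(f"  0x{f.offset:06x}  {f.category:22s} {f.text}")


if __name__ == "__main__":
    main()
```

Running it lists three indicators in the binary and reports that two of them, the credential pair and the override flag, never occur in the source tree, so a source-only scanner would have no way to see them. String matching is only the cheap first pass: a real binary analysis also examines control flow, for example a comparison against a constant that short-circuits an authentication check, which this example does not attempt.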
Veracode’s research has found that backdoors are typically removed from open-source software within weeks, but can remain undetected in commercial applications for years.
The company also cites research from the US Department of Homeland Security pointing to a significant risk from backdoors: that research found backdoors in 23 software packages that US government employees might download as tools or for development work.