This article can also be found in the Premium Editorial Download "Information Security magazine: CISO survival guide: 18 of the best security tips."
Download it now to read this article plus other related content.
Price: Minimum cost of engagement is at $40K
Application development has historically given short shrift to security, and we pay the price for
Companies are finally building security into the software development lifecycle, but vetting software for security is difficult, time-consuming and error-prone. Organizations often turn to pen testers and/or a variety of commercial products.
Symantec spinoff Veracode weighs in with an on-demand software-as-a-service (SaaS) that performs binary analysis of any application.
Customers upload apps to Vera-code, which reports possible flaws and recommends remediation.
Binary analysis offers particular advantages. Companies are often twitchy about sharing source code, and binary analysis may well find flaws that source code, Web crawling and manual analysis miss. Moreover, applications are typically not monolithic, single-source programs but are built on various pieces contributed by internal and external developers.
"Modern applications are assembled from a mixed code base," says Veracode CEO Matt Moynahan. "Binary analysis analyzes 100 percent of the code."
Moynahan says that binary analysis complements other methods, including source code analysis and human testing. Veracode partners with SPI Dynamics, maker of the WebInspect app scanner.
"All applications are not equal," he says. "If you have a flight control system for a Boeing 747, for example, you want to test with a variety of methods."
This was first published in July 2007