SecurityReview

Veracode

www.veracode.com
Price: Minimum cost of engagement is at $40K

Application development has historically given short shrift to security, and we pay the price for it every day as attackers exploit vulnerable Web apps to control corporate systems and steal sensitive data.

Companies are finally building security into the software development lifecycle, but vetting software for security is difficult, time-consuming and error-prone. Organizations often turn to pen testers and/or a variety of commercial products.

Symantec spinoff Veracode weighs in with an on-demand software-as-a-service (SaaS) that performs binary analysis of any application.

Customers upload apps to Vera-code, which reports possible flaws and recommends remediation.

Binary analysis offers particular advantages. Companies are often twitchy about sharing source code, and binary analysis may well find flaws that source code, Web crawling and manual analysis miss. Moreover, applications are typically not monolithic, single-source programs but are built on various pieces contributed by internal and external developers.

"Modern applications are assembled from a mixed code base," says Veracode CEO Matt Moynahan. "Binary analysis analyzes 100 percent of the code."

Moynahan says that binary analysis complements other methods, including source code analysis and human testing. Veracode partners with SPI Dynamics, maker of the WebInspect app scanner.

"All applications are not equal," he says. "If you have a flight control system for a Boeing 747, for example, you want to test with a variety of methods."