As software security and secure development techniques have continued to gain momentum, the demand for code-auditing tools and services has risen as well. A number of companies have sprouted up to meet that demand, but a new company called Veracode Inc., launching this week, is bringing a unique on-demand services model to a market comprising almost exclusively software offerings.
Veracode's Code Assurance Security Platform enables customers to upload code to the company's servers, where it is then analyzed using Veracode's proprietary binary-analysis tool. About a day later, the customer gets a complete report on all of the vulnerabilities found in the code. The customer can click on each vulnerability in the report and link directly to the section of the code where the problem lies. The goal is to make the arduous task of code analysis much more efficient and accurate than it is now.
Aside from the on-demand, subscription-based model, Veracode's key innovation is its tool's ability to analyze the application binary, and not simply the source code.
"We can do code analysis at a deep binary level. The engine traverses more code paths than source code tools can," said Matt Moynahan, CEO of Veracode, based in Burlington, Mass. "The binary is what's running online, not the source code."
Veracode's platform enables a closed-loop feedback system in which mistakes found in one customer's code help the company's analysts identify and correct the same problem in other customers' applications. This allows for continuous improvement in both Veracode's analysis methods and its customers' development techniques.
Veracode's entry into the market comes at a time when on-demand services in general are becoming more and more popular in the enterprise. The success of pioneers such as Salesforce.com, Netsuite Inc., and others has convinced industry giants like Microsoft Corp. and IBM that there is plenty of appetite for subscription-based services and more flexible delivery and pricing models. However, Veracode is the first vendor to offer a code-auditing service using this model. Its competitors, including Fortify, Coverity, Ounce Labs and others, all sell software.
Veracode is the brainchild of co-founders Chris Wysopal and Christien Rioux, both veterans of the famed L0pht hacking collective and its eventual corporate parent, @stake Inc. Wysopal, the company's CTO, helped write the binary analysis tool that is at the heart of Veracode's offering. After Symantec Corp. bought @stake in 2004, Wysopal joined the security giant for a time, but left last year in order to get Veracode up and running. Rioux is the company's chief scientist and is well-known in the security community for his vulnerability research and other work. The company's management team boasts a number of other Symantec and @stake veterans, including Mike Pittenger, the vice president of business development, and Malcolm Lockhart, the chief architect.
Veracode plans to demonstrate its service at the RSA Conference in San Francisco next month.