New tool for testing application security

InfoWorld - Veracode Inc. yesterday launched a new software-security rating service, introducing a new system for testing the security of both internal corporate application development efforts and those of third-party software makers.

With the debut of the service, Burlington, Mass.-based Veracode claims to have unveiled the world's first standards-based system for rating the overall security of software programs before they are put into production mode.

While many companies that harbor software development departments have begun using source code analysis tools to look for potential vulnerabilities in their applications, Veracode aims to take the process one step further by offering businesses and ISVs the ability to scan binary code of their programs for problems.

Testing binary code, versus scouring individual lines of source code, allows developers to scan an entire application before it is taken into production, thus increasing their likelihood of finding errors they might have missed along the way and eliminating the need to pursue code that ends up getting cut from a program before it approaches its final state, Veracode officials said.

The approach also benefits efforts to develop software using the increasingly popular SOA approach by allowing workers to test code being drawn from multiple programs in their final, integrated state, the company maintains.

To support its ratings service -- which customers can use to test the code of their own homegrown applications or those of third-party providers -- the company built a scoring system based on the CWE (Common Weakness Enumeration) classification, which has been forwarded by federally funded IT security watchdog Mitre, as well as the CVSS (Common Vulnerability Scoring System), which has been piloted by the FIRST (Forum of Incident Response and Security Teams) industry group.

By combining the two standards into an integrated testing tool that scans for potential problems and produces a score based on its findings, Veracode officials claim that they can offer companies a more comprehensive manner of understanding just where their programs are weakest from a security perspective.

"The software industry is valued at roughly $350 billion, but the entire industry has almost no notion of its own security quality, and part of that problem is that there haven't been tools like this in the past," said Matt Moynahan, CEO of Veracode and a former division manager at Symantec Corp.

"This is a responsible way for people to improve the security of their code without placing an undue burden on an ISV community that is already desperate to fix this problem but faces a huge challenge in finding people who are capable of writing safer programs," he said.

Moynahan said that during his time at Symantec -- where he helped oversee sales of the company's Norton consumer desktop antivirus products -- he was exposed to the grueling testing process that software developers must undergo to eliminate flaws from their applications.