Closing the Back Door: Veracode Verifies Software Code One Bit at a Time
Many companies know that they need outside help evaluating software for security flaws, whether it’s code they’ve written themselves or software they’re considering buying from a third-party vendor. But few organizations (or their vendors) are willing to let the actual source code for their applications leave their premises, over concerns about potential copying and theft. Enter Veracode, a Burlington, MA, startup founded in 2006 as a provider of automated software testing services. Backed by $20 million in funding from Atlas Venture, Polaris Venture Partners, and .406 Ventures (as well as strategic investors Symanetic, Macrovision, and Telus), Veracode gets around customers’ confidentiality concerns by examining binary code—the stream of 1s and 0s into which source code is compiled before it’s actually executed by a computer’s logic circuits—rather than human-readable source code.
“Any company is scared to death of their source code getting pirated,” says Veracode CEO Matt Moynahan. “With binary format, you don’t have that issue. We can do outsourced security testing without having any insight into the source code.”
If you’re wondering how it’s possible to find security vulnerabilities in code—such as the “back doors” that programmers occasionally leave open, whether intentionally or not—without actually looking at that code, well, that’s the secret sauce Veracode is selling to customers such as Cisco Systems and Barclays Bank. In essence, the company tests every potential path for a piece of data through a program, to see whether it’s popping out in places it shouldn’t—almost like an electrical engineer testing every individual node on a circuit board.
Moynahan, trying his best to be non-technical, explains it this way: “We create a model of the application that replicates all of the interprocedural flows, runs scans against it, and traverses all possible paths almost infinitely, looking for all of the possible ways somebody could exploit those procedures.”
Presuming you can follow that, there’s an added advantage to Veracode’s approach, since binary code is what most hackers attack. And Veracode’s founders have plenty of experience dealing with hackers. Co-founder and chief technology officer Chris Wysopal wrote a famous Windows password auditing and recovery program called @stake and helped to develop the practices many software security companies now follow for exchanging information about software vulnerabilities. Chief scientist Christien Rioux founded a security consultancy with Wysopal (it was also called @stake) and authored the AntiSniff intrusion detection system. Moynahan came to Veracode from Symantec, where he managed the company’s $2 billion consumer and small business division (home of the widely used Norton Antivirus product).
“While I was at Symantec I saw us go from the 20th-most attacked application to the second-most-attacked,” Moynahan says. “I was the executive in charge of solving the application security problem, and ironically, even though I was sitting inside one of the world’s best security companies, I still couldn’t solve it. The reason is that there just aren’t enough people to go around. There is no class in any university that teaches how to write secure code.”
In the absence of a steady supply of programmers qualified to review code manually for security flaws, the only alternative is to automate the process, Moynahan asserts. “Large enterprises buy a lot of code, and insecure code leads to very expensive security breaches and fraud,” he says. “Sending binaries allows companies to take advantage of third-party risk assessment. Large buyers of code like Boeing or Barclays can request their vendors to get their code scanned and rated by Veracode before they buy it.”
There’s no doubt software security review is a burgeoning business. NetworkWorld named Veracode one of “10 IT security companies to watch” last October, and security bloggers such as Dave Lewis, publisher of the Liquidmarix Security Digest, have mentioned the company as a potentially attractive acquisition target for larger IT or consulting outfits. Indeed, IBM snapped up a similar company last June: Waltham, MA-based Watchfire, which makes software that searches for vulnerabilities in Web-based applications.
With 60 employees to go with its $20 million, Veracode has “nice momentum going into 2008,” Moynahan says. “A company could hire a consultant to manually review their code, but we are a faster path to the same destination, especially if they have some application they don’t want to send off-site,” he says. The company even makes suggestions about how to fix code with proven vulnerabilities. Says Moynahan, “We’re trying to bring security to the masses.”