Information Age: News, analysis & insight for IT & business leaders

Veracode strives for standard security

19 March 2008  

Fledgling testing provider declares war on insecure code

In the past two years, applications – particularly those hosted on the web – have emerged as the weakest links in the corporate software chain. Malicious code, backdoors and coding errors are the principal vulnerabilities, designed or accidental, by which applications are compromised. Prior to the Internet, such flaws merely disrupted the functionality of the system, but in the contemporary online world – fraught as it has become with diverse security threats – they are a major source of risk. An opportunity-filled sub-sector of the information security industry has emerged that has given rise to contenders such as Veracode, a fledgling Boston-based application security testing provider.

Matt Moynahan, the company’s youthful CEO, has some salient first-hand experience where the application security challenge is concerned. During his time heading up the consumer products and solutions division at software giant Symantec, Moynahan watched closely as the hacking community began increasingly to devote its energies to compromising systems applications. As such, he realised, “If they defeated security software in these applications they could gain access to people’s PCs.”

Symantec, then the world’s second-largest software company, had its security software sitting on around 400 million PCs worldwide, he adds.

The scale of the threat was obvious, but Symantec, says Moynahan, lacked both the internal skills pool and the toolset to address it effectively. Meanwhile, the globalisation of the software development chain, coupled with the trend towards splicing and dicing code across multiple applications, had effectively scattered application source code all over the globe. “Most companies,” continues Moynahan, “don’t know where their code comes from. It’s very difficult to test source code you don’t own.”

In short, he adds candidly, “I was sitting inside the world’s largest security company and I couldn’t solve my own security problems.” In 2004, Moynahan engineered the purchase of Boston-based consultancy @Stake, which had developed an application security analysis tool, SmartRiskAnalyser. Recognising that the tool’s underlying, patented technology might form the basis of a compelling security offering, Moynahan went on to spin Veracode out of Symantec in early 2007.

Unlike some application security companies that scan the available source code on premise, or those that test programs in production, the core innovation developed by @Stake is an engine that looks for vulnerabilities in an application’s compiled binary executables – the files actually produced from the source code and run as the program. As such, the technology does not require companies to expose their precious source code IP. Furthermore, by deploying static binary analysis, Veracode is able to inspect 100% of the application’s code base – as opposed to the average 30% to 40% of source code usually available.

The company is marketing the technology for on-premise use and on a software-as-a-service (SaaS) basis, reflecting the trend within the security sector to exploit the benefits of scale and offer security as a service – one of the industry’s strongest growth vectors at around 17%. With impressive growth in the application security sector, particularly web application vulnerability assessment – projected to enjoy a 25% compound annual growth rate through 2009, according to IDC – Veracode has effectively planted itself in some of the most fertile terrain of the information security landscape.

But Moynahan is not content to let market developments drive growth.

Nor is he resigned to the monotonous grind of client sell-ins. Instead, Veracode targets the blue-chip big hitters, particularly those labouring under stringent regulation such as the banking community – in order to leverage their weight throughout the software industry and force up general standards of software code. Asset management giant Fidelity is already using Veracode to test the integrity of third-party supplied code. In this way, it is Moynahan’s ambition to establish Veracode as the de facto standard by which all software code – acquired, developed internally or purchased – must be rubber-stamped. “Our model is to be a friend to the software companies,” he explains. “There are SME software providers that are trying to sell into the financial services industry and are looking for cost-effective ways to solve binary code problems. We want to make it easy for them to comply with demands.”

Whether the industry wants to be friends with Veracode is another matter: some claim that hyper-competitiveness within the industry has suppressed rather than enhanced software code quality. However grandiose his vision might sound, Moynahan has some mega brands behind him. Technology giants Cisco Systems and Telus are already customers, while a number of high street banks, with whom Moynahan is attempting to forge an industry-wide alliance, seem persuaded by his logic. “Banks clearly have significant buying power,” he states.

Now, he adds, they intend to issue a statement to the software industry: “We’re no longer prepared to accept poor code.”


