 
2008 Best Deployment Scenario

 Veracode Enterprise SecurityReview

 

WHAT IS THIS TECHNOLOGY? The software industry is one of the largest manufacturing industries in the world, with $350 billion in off-the-shelf software sold each year and over $100 billion in customized applications built on top of that. Unfortunately, there is no standardized notion of software security quality. Veracode realized there was a need to raise the bar on securing software, and that what the industry needed was a trusted, independent third-party application security solution.

In January 2007, Veracode introduced Veracode SecurityReview®, the industry’s first automated, on-demand security testing solution. SecurityReview provides the most complete application security assessment on the market because 1) it is the only application security solution offered as an automated, on-demand service; and 2) it is the only solution that uses patented binary code analysis which is the most comprehensive way to test the security quality of software applications.





WHAT DOES THIS TECHNOLOGY DO? As an on-demand solution, Veracode is better positioned to solve application security problems without the need to invest in software licenses, infrastructure, and maintenance resources. Customers have access to the world’s top application security experts delivered as an automated service. Most software applications are composed of significant third-party or outsourced components for which no source code or vulnerability information is available. Developers who lack “practical” access to code due to organizational barriers benefit as well. Veracode’s patented technology performs automated security analysis on compiled – or binary – code. Source code isn’t required, which enables deeper analysis of the application across all code, including third-party libraries and their interactions. As a result, Veracode is the only vendor that can assess the security of 100% of the application. SecurityReview can be globally deployed in under 24 hours and can scale across distributed teams and vendors.

Using Veracode, customers can implement standard, repeatable processes that automate the security assessment of applications without changing their existing development environment or processes.

  • 100% code coverage – SecurityReview analyzes binaries (object code), not source code. As a result, Veracode finds security flaws across the entire code base, including shared components and third-party libraries for which organizations have no source code.
  • Improved brand and trust with customers – Veracode’s analysis finds vulnerabilities in three critical areas: security issues introduced during development, the absence of critical security features and the presence of malicious code injected by untrustworthy sources. This provides for a more thorough analysis compared to looking for vulnerabilities alone.
  • Automated and on-demand – Veracode’s automated service is consistent and transparent across development teams and different application types. This enables enterprises to easily implement application security best practices.
  • Rapid deployment and reduced costs – Getting started with Enterprise SecurityReview is simple and easy. Whether a customer has a single site or a geographically dispersed development team (including contractors), the company will be up and running in less than 24 hours without any investment in software, hardware or consulting services.

As an independent, third-party security solution, SecurityReview helps companies control security risks and operation costs for both purchased software (COTS) and internally-developed software. In fact, Veracode is often referred to as a “friend to the industry” as the company strives to create best practices for application security for both vendors and enterprises.

As we mentioned earlier, the software industry is one of the largest industries in the world. But despite the size, there is no standardized notion of software security quality even though the repercussions include product patches, data breaches leading to massive identity theft and fluctuations in corporate stock prices.

Until recently, independent software ratings have not been possible for two reasons:

  • The sensitivity associated with releasing source code for independent evaluation;
  • Existing evaluation tools are not able to assess 100% of the application code, which is a prerequisite for an accurate assessment.

As a part of the SecurityReview service, Veracode provides the industry’s first standards-based application ratings system, which provides a pragmatic way to measure and increase an application’s security state. The ratings system gives executives and development teams a clear, meaningful and actionable decision-making framework, which assists organizations in optimizing security spend while minimizing time to market.

The Veracode Ratings System provides:

  • Clear insight into the application security based on assurance level
  • Information organizations need to perform gap analysis on the current and target security state of their application
  • A framework to optimize an organization’s security spend according to time to fix and cost to fix business objectives
  • A practical roadmap to get organizations where they need to be over time


Conclusion:
Veracode offers the most complete assessment by looking not only at vulnerabilities and malicious code, but also by testing for the absence or presence of security features (e.g., security gates in a banking application). SecurityReview requires no access to source code, while providing organizations with the ability to continually analyze applications at any time in a secure, simple, and cost-effective manner.


Veracode
4 Van de Graaff Drive
Burlington, MA 01803
Tel: +1-781-425-6040