Veracode

Veracode is a Burlington, Massachusetts-based application security company offering a cloud-based platform for application risk management. Veracode was founded in 2006 by a team of application security practitioners from @stake, Guardent, Symantec, and VeriSign to provide an automated third-party application security review service. The core technology of Veracode's service is a static code analysis engine that analyzes compiled applications for security flaws.

History

Veracode's core technology, originally called SmartRisk Analyzer, was created by Christien Rioux as an @stake research project to automate the identification of security flaws in compiled code. After @stake was purchased by Symantec, Rioux and Chris Wysopal worked with Maria Cirino from .406 Ventures to spin the technology out as an independent company. The first demonstration of the Veracode service was at the RSA Security trade show in February 2007.

On November 29, 2011, the company announced that it had appointed Robert T. Brennan, former CEO of Iron Mountain Incorporated, as its new chief executive officer.

Veracode has won awards from industry press and analysts, including Gartner, who named Veracode a "Cool Vendor" in 2008; SC Magazine's Best Security Solution for Financial Services; the 2009 SD Times 100; and the Wall Street Journal 2008 Technology Innovation Award for Network Security. Veracode was positioned as a Leader in the 2010 Gartner Magic Quadrant for Static Application Security Testing.

Services

Veracode offers security assessments of applications through a variety of technologies, including static code analysis on compiled binary executables or bytecode; dynamic web application analysis; and manual penetration testing and source code review. The capabilities are delivered through a software as a service platform and are sold by subscription. Using the Veracode platform, users can detect and triage flaws, get a security rating, and review findings and metrics about their applications.

Veracode supports analysis of binaries, bytecode, and other application formats in a variety of different languages, platforms, and compilers, including C, C++, Java, .NET bytecode, PHP, ColdFusion, Windows Mobile, BlackBerry, Android, and iOS.

Comparing Veracode's static binary analysis to other static source code analyzers, Doug Dinely in InfoWorld wrote, "Veracode has produced an offering that differs from other static security analyzers in two important respects. First, it analyzes the application binary, not the source code, allowing security testing to be done as part of the development process or even when source code is not provided or available. Second, it's provided as an outsourced service: customers send Veracode the binary, then Veracode sends back a report."

VerAfied

Veracode provides the "VerAfied" security mark as a quality indicator for the security level of applications and software components. Veracode's ratings are based on industry-accepted standards for software assessment, including CWE and CVSS, against vulnerability benchmarks such as the OWASP Top 10 and CWE-SANS Top 25.

Security research

Veracode's security research group maintains the blog Zero in a bit. The team has co-authored the book The Art of Software Security Testing and published research, including "Static detection of application backdoors", "Anti-Debugging, a Developer's View", "Detecting Certified Pre-Owned Software", and "BlackBerry Mobile Spyware".

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.