Security start-up Veracode updated its SecurityReview tool this week to allow companies to scan for backdoors and malicious code introduced during the development process, a class of security holes often missed by existing scanners.
Veracode, which was established by former Symantec employees and launched its initial service in February, is seeking to distinguish itself by focusing on backdoor detection and on-demand services.
Companies such as Fortify, whose products only scan program source code, aren't able to find certain classes of security flaw, according to Veracode. The company argues its approach of scanning compiled, binary code is more accurate and complete.
"The binary represents the actual attack surface for the hacker," said Veracode's chief executive officer, Matt Moynahan, in a statement.
Backdoors, which are often included in programs by developers for legitimate purposes, nevertheless can pose a serious threat to companies, Veracode argues.
Financial services firms, which increasingly assemble their software from reusable binary components or rely on third-party development work, originally requested the ability to detect such backdoors, Veracode said. The company is also focusing on military software, but said any organisation could be under threat from backdoors.
Veracode's research has found that backdoors are typically eliminated from open-source software in weeks but could exist undetected in commercial applications for years.
The company also cites research from the US Department of Homeland Security pointing to a significant risk from backdoors. The research found that 23 software packages that US government employees might download for tools or development had backdoors within them.
The backdoor-scanning features, added at no extra cost to Veracode's core SecurityReview testing service, aim to eliminate special credential backdoors, often introduced by programmers for debugging purposes, as well as hidden-functionality backdoors, which are hidden commands left in software by developers or attackers, often found in web applications.
Read this
Q&A: When more bugs can mean tighter security
Mozilla Europe's president Tristan Nitot explains why having fewer disclosed vulnerabilities doesn't mean Internet Explorer is safer than the open-source web browser
The service also scans for rootkits and for certain types of network activity that are a common characteristic of backdoors.
Critics may question whether large companies will be willing to hand their proprietary code over to be scanned by a third party, but Veracode said it has already worked with several significant customers, including three of the four largest independent software vendors (ISVs) and Barclays bank.
Barclays is using SecurityReview to test the applications of business partners who wish to link their software to Barclays' own systems, Veracode said.
