If your company hires third parties to develop code or uses commercial off-the-shelf software (COTS), it can be difficult to ensure that the code is secure. Veracode hopes to facilitate that task with its SecurityReview, an automated, subscription-based auditing service.
"For the first time enterprises have the ability to test applications from any external source," said Bernd Leger, vice president of marketing at Veracode. "The reason why we can do this comes from our ability to test the binaries. We can tell them how secure the code is."
The challenge companies have faced, Leger said, is assessing all the code that reaches them from different development teams, from outside the organization and from COTS.
"Enterprises haven't had a way to evaluate the risks," he said. "They've done one of two things -- surveyed the vendors or had checklists for them, which means you're relying on them to tell you the truth, and manual penetration tests, which are too expensive and time-consuming."
To test the code themselves, enterprises would have to ask for all of it, Leger added, but software makers won't hand over their source code, and when they do, reviewing it is a large, time-consuming task.
The alternative is to rely on the software providers and third-party developers to test the code themselves, but then testing is out of the enterprise's control and it is trusting them to do the job properly, Leger said.
Meets a need
Now companies have the option to use Veracode's SecurityReview on-demand service to review and test such code. Veracode uses static binary testing technology and dynamic Web scanning analysis to test the software. Companies simply contact Veracode, and "we take the work off their plate," Leger said.
"We're basically doing a security audit. The code is uploaded to our portal and we test it," he continued.
Leger further said that any information found during the tests is shared with the COTS vendors to help them improve their software.
"We never scan or test without permission from the companies. They need to opt in," he said. "And they're interested because they see the service we're providing."
Diana Kelley, partner at SecurityCurve, sees a need for this type of service. "Enterprises need effective ways to test and audit the risk associated with COTS and outsourced software when source code isn't available," she said.
The Veracode SecurityReview service portfolio, available now, comprises the following on-demand services:
- Outsourcing SecurityReview -- Provides simple, cost-effective and automated security audits that ensure enterprises receive secure code from offshore development partners.
- COTS SecurityReview -- Helps enterprises and government agencies quantify and manage the security risks of COTS.
- SDLC SecurityReview -- Enables security teams to conduct security assessments on mission-critical internally developed applications before they ship.
- PCI SecurityReview -- Automates and shortens the process for achieving compliance with the application security requirements of PCI-DSS, Visa PABP and PA-DSS.
"[With this service] enterprises can now make decisions around what outsourced vendor they should use, should they keep development in-house, etc.," Leger said.