
Veracode Shines Spotlight on Software Backdoors as an Emerging Threat

Burlington, MA (PRWEB) December 17, 2007 -- Veracode Inc., the leading provider of on-demand application security testing solutions, today announced comprehensive support for detecting backdoors and malicious code as part of Veracode's SecurityReview solution for developers and purchasers of software. Based on research conducted by the Veracode security team, Veracode has added new scanning capabilities as well as deeper support for detection of backdoors and malicious code using Veracode's patented static binary analysis technology.

As the complexity of modern software applications increases, with components assembled from reusable binary components, backdoors can easily circumvent even the best of QA cycles, resulting in the need for a more complete and accurate approach to software security testing. Veracode's binary software testing, which provides 100% coverage as opposed to the partial coverage of today's source code-only analysis solutions, is uniquely positioned to tackle the backdoors and malicious code challenge by offering a complete, independent security verification of an entire software application.

To combat the risks backdoors pose to organizations, Veracode conducted extensive research and developed the first comprehensive taxonomy of backdoors so that organizations and application developers can better understand how to detect these hidden threats. In the course of the research, Veracode found that the average time to discovery of a backdoor inserted in open source software was measured in weeks. Backdoors in commercial "closed source" applications went undetected for years, putting company and individuals' personal data at risk.
In order to better protect Veracode customers from these often undetected threats, Veracode has augmented its SecurityReview application testing solution to provide better detection of backdoors and malicious code, including: special credential backdoors, hidden functionality backdoors, rootkits, as well as unintended developer-introduced features that pose security risks. (See definitions below.)

"Backdoors and malicious code pose significant operational risk to enterprises and software that are just too significant to ignore," said Matt Moynahan, chief executive officer of Veracode. "Given the complexity of modern application development, the common practice of outsourcing and increasing use of third party libraries, it is nearly impossible for an enterprise to identify the pedigree and security level of the software running their business-critical applications and handling their customers' personally identifiable information. As a result, we expect backdoors and malicious code insertion to become an increasingly prevalent attack vector against the enterprise. Because the binary (compiled code) represents the actual attack surface for the hacker, testing the application binaries is the most accurate and complete way to conduct final, independent security validation and verification."

The Depository Trust Clearing Corporation (DTCC), which provides custody and asset servicing for 2.8 million securities issues from the United States and 107 other countries and territories, valued at $36 trillion, understands that backdoors and malicious...
