Dr. Dobb's Journal October 2007
Matt Moynahan
CEO of Veracode
DDJ: Why has application-level security suddenly moved into the forefront?
MM: Application security has moved to the forefront largely because hacking into enterprises has become a criminal activity driven by monetary gain. Applications are the weakest asset, or should I say, the target-richest environment for attackers. Enterprises have been largely successful in securing their networks, whereas they are just now realizing how difficult it is to secure applications. Evidence of this is that 90 percent of all new attacks occur at the application level, whereas still only 10 percent of IT security spending is at the application tier.
DDJ: When it comes to software, security raises its head both pre- and post-release. Is one stage more important than the other?
MM: Given the dynamic nature of the application security threat, security testing pre- and post-release is very important. That said, thorough testing pre-deployment has a much higher return on investment, given that you are likely to dramatically lower the probability of a successful attack against your application as well as reduce the operational cost burdens associated with constant security patching required for insecure software once it's been deployed.
DDJ: Veracode, your company, focuses on "on-demand" security. What is "on-demand" security?
MM: On-demand application security is simply delivering code security testing as a service. Part of the difficulty in deploying application security tools is the cultural and process issues arising from different development teams, locations, and coding methodologies. Choosing to analyze your applications with an outsourced service enables you to focus on your core competencies, running your business, while relying on security experts and lowering your overall operational burden. Using a service is much simpler and does not involve the deployment of hardware and software, or expenses such as training and licenses.
DDJ: When it comes to security, what kind of metrics can be collected and what can developers do with that information?
MM: We [recently] announced the Veracode Software Security Ratings Service, which is a way to determine the security level of a piece of software. The ratings provide a pragmatic way for enterprises and ISVs to measure, compare, and improve the security of software. We do this by identifying and ranking the severity and exploitability of software flaws. With a rating, enterprises now have insight into the security quality of software for the first time. It's similar to the ratings provided by Moody's, Standard and Poor's, or Consumer Reports for other products. The developers of the application being rated receive a tailored report that clearly shows what the most serious flaws are and which ones are the most important to fix first, and a recommended remediation path, so the rating can go from a "B" to an "A" for example.
DDJ: Binary-code analysis versus source-code analysis. What's the advantage of one over the other?
MM: The ratings would never have been possible if the founders of Veracode hadn't solved the very hard problem of security analysis at the binary level. By looking for software flaws and vulnerabilities in binaries, [we are] able to assess 100 percent of the code in an application, including third-party libraries and components. These are portions you typically don't have the source code for. In addition, by doing binary-code analysis, there isn't the intellectual-property sensitivity there would be if you were analyzing the source code.
What I mean by that is [that] source code is a company's IP, like the secret formula for Coke or Pepsi. Those companies would never allow an off-site taste test if it required them to send their intellectual property, in this case, their special formula or recipe along with it. In this particular case, the software companies' IP is the source code. So bottom line, binary analysis is a superset of source-code analysis, allowing you to review 100 percent of an application for security flaws, not just a portion of it. That makes [our] security reviews more complete and more accurate.
Binary analysis also makes it possible for us to offer this analysis through an on-demand, outsourced service. For enterprises, that means an easier and more cost-effective solution to software security reviews than doing it in house, which can be time consuming, requiring internal training, licenses, and hardware and software. And for companies that are purchasing software, this means they have a way of getting a third-party, external software-security rating for the first time.