6.25.07 Veracode Answers Industry Call for Security Insight with Industry's First Software Security

News & Events

Veracode answers industry call for security insight with industry's first software security ratings service

With software attacks on the rise, Veracode leverages its breakthrough binary security analysis capability

Burlington, MA. – June 25, 2007 – Veracode, Inc., provider of the industry's first automated, on-demand, application security code reviews, today announces that it has released the industry's first standards-based ratings service for determining security levels in software. The Veracode Software Security Ratings Service™ provides a pragmatic way for enterprises and ISVs to measure, compare and improve application security levels.

Veracode's Software Security Ratings Service is used to assess and identify the severity and exploitability of software flaws. By producing a software security rating, enterprises now are able to gain insight into the security quality of software similar to that provided by Moody's®, Standard and Poor's® or Consumer Reports® for other products.

Today's software industry is one of the largest in the world, with annual revenues of over $350 billion *, yet there is no standard way to measure software security. The operational risk and burden on enterprises and consumers from insecure software has been steadily growing due to increasing vulnerability disclosures, associated product patches, data breaches leading to massive identity theft and, more recently, fluctuations in corporate stock prices.
Until now, independent software ratings have not been possible due to the sensitivity associated with releasing source code for independent evaluation and the fact that existing evaluation tools are not able to assess 100% of the application code, a pre-requisite for an accurate security assessment. Veracode's innovation with binary security analysis, coupled with its on-demand service model that integrates multiple testing techniques, makes this rating service possible.

"Our breakthrough binary analysis makes it possible for Veracode to assist the software community to raise the level of software security,” said Matt Moynahan, president and CEO of Veracode. “Our objective is to drive innovation that makes it easy and cost effective for enterprises and ISVs alike to independently determine whether the software they are buying or selling is secure and demonstrate that they take software security seriously."

Veracode's Software Security Rating Service is based on respected industry standards including MITRE's Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST's Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability. Veracode is the only organization to combine these standards into a meaningful and practical way to assess software security across internally and externally developed applications.

“We are pleased that Veracode, the first organization to declare Common Weakness Enumeration compatibility for CWE Coverage, CWE Output and CWE Searchable, is committed to promoting standards such as CWE," said Steve Christey, technical lead for MITRE's CWE initiative. "Early adopters such as Veracode play an important role in bringing clarity to the application security space for their customers.”

Enterprise use cases for the ratings service include implementing software procurement best practices through security thresholds for purchased software, implementing code acceptance security policies for outsourced application development and evaluation of software security risk in M&A transactions.

“The industry needs a way to measure how secure software is, whether that software is purchased, built in house or comes from an outsourced developer,“ said Diana Kelley, analyst at the Burton Group. “The ability to rate software security levels allows companies to manage risk by determining whether or not the software meets their requirements.“

Learn more about Veracode software ratings at: http://www.veracode.com/
*Software Magazine, October 2006

About Veracode

Veracode is the industry's first provider of automated, on-demand application security solutions. Created by a world-class team of application security experts from @stake, Guardent, ISS, VeriSign and Symantec, the company delivers services to identify software flaws introduced through coding errors or malicious intent. Veracode's core service, SecurityReview™, uses patented binary code analysis that is uniquely able to inspect entire application inventories, including components, and does not require companies to expose their valuable source code. Enterprises can now protect their intellectual property while preventing attacks allowed by vulnerabilities in applications.

As the most accurate and comprehensive solution, Veracode makes it simple and cost-effective to implement application security best practices and reduce operational costs related to manual reviews. Whether a company is developing applications internally, purchasing software or integrating code from partners, Veracode SecurityReview provides insight to the security level of your applications. Outsourcing code analysis to Veracode is the easiest way to secure your software. With a pragmatic approach to application security, Veracode helps you fix what matters most to your business.

Based in Burlington, Mass., Veracode is backed by .406 Ventures, Atlas Venture and Polaris Venture Partners. http://www.veracode.com/

Contact:
Kate Munro
Veracode, Inc.
781-425-6040 ext. 296
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

PRESS RELEASE ARCHIVE

Site Map | Responsible Disclosure Policy | Privacy Policy | Contact Us

Veracode offers the first on-demand, application security solution that provides automated application security testing through an easy-to-use, software-as-a-service delivery model. By providing code analysis and web application security testing as a service, organizations have no software or hardware to purchase, install, maintain or upgrade.

With Veracode, enterprises can use application security assessment to achieve code security and implement testing into their secure software development life cycle at key development milestones. For enterprises that want to improve SDLC security without sacrificing profitability or competitiveness, Veracode offers SecurityReview®. SecurityReview combines static, dynamic, and manual testing capabilities and scans code after it has been compiled—at the binary level or "byte" code level rather than the source level, as other solutions do. This offers two distinct advantages: One, binary code analysis is more efficient, so vulnerabilities can be found more quickly and with fewer false positives. And two, binary code analysis is the most complete application security testing method because all code can be scanned regardless of origin.

Information on other topics related to application security assurance, dynamic application security testing, XSS, SQL Injection, IT risk management, static code analysis, and offshore development are also available on this site.