Static analysis, also commonly called "white-box" testing, examines applications in a non-runtime environment. This method of security testing has distinct advantages: it can evaluate both web and non-web applications, and through advanced modeling it can detect flaws in the software's inputs and outputs that cannot be seen through dynamic web scanning alone. In the past this technique required source code, which is not only impractical, because source code is often unavailable, but also insufficient.
Veracode offers a fundamentally better approach to application security testing through our patented automated static binary analysis, which has been called a "breakthrough" by industry analysts such as Gartner. By examining the code in its "final" compiled form, Veracode can evaluate vulnerabilities introduced by linked libraries, APIs, compiler optimizations and third-party components, which source code testing cannot identify. This approach results in the most accurate and complete security testing available in the industry.
Application Security without Source Code
The primary inhibitor to organizations identifying software vulnerabilities is access to source code. Veracode's patented static binary analysis enables enterprises to conduct application security audits through an easy-to-use platform, as part of an organization's formal software release, compliance or acceptance process, without the need for source code or other intellectual property.
Superior Accuracy and Coverage through Binary Analysis
Binary analysis creates a behavioral model by analyzing an application's control and data flow through the executable machine code, the way an attacker sees it. Unlike source code tools, this approach accurately detects issues in the core application and extends coverage to vulnerabilities found in third-party libraries, pre-packaged components, and code introduced by compiler- or platform-specific interpretations.
Detect Hidden Backdoors and Malicious Code
Software development is a multi-tier process in which a growing range of threats, such as those coming from malicious code and backdoors, are impossible to spot with traditional tools because they are not visible in source code. For the first time, organizations can now detect these threats by applying static binary analysis to the application in its final form.
Full integration with Dynamic Analysis
Unlike "stand-alone" web scanners, Veracode is the only solutions provider to incorporate both static and dynamic testing in a single offering. For the most complete security coverage it is important to test your software both statically and dynamically. Veracode's static analysis is integrated with our dynamic analysis, which enables enterprises to fully test their applications using multiple assessment methods and to receive a single set of convergent results, ratings and reports.