Two security startups have released their first products this week, claiming to break new ground in the way companies evaluate app security and stop information leaks.

Veracode's software automatically evaluates companies' own software for security problems, and Provilla makes a system designed to keep tabs on sensitive data. Both officially launched on Monday.

Veracode announced $19.5 million in venture capital funding at the same time as launching several versions of its automatic, on-demand security analysis system, SecurityReview. The company said SecurityReview is the industry's first on-demand security review service.

The service comes in three flavours: for enterprises, vendors and partners. Enterprises can use the service to continually evaluate programs for security issues, including bugs in the binaries, but also such higher-level issues as missing security features, or problems that can arise from combining two otherwise secure programs.

The vendor version looks at security that has been purchased before it's integrated into the rest of the infrastructure, and works with vendors to improve their applications. The partner version lets platform vendors evaluate the security level of partner-developed applications.

Because the service analyses binaries, companies don't have to allow outsiders access to their source code. Its approach has limitations, though - it doesn't provide manual analysis and doesn't fix the problems it uncovers, like some security firms.

Companies can stumble into security issues even if all their programs, separately, are secure, said Veracode chief scientist and co-founder Christien Rioux in a company blog post. The ability to continually scan programs is one answer to this problem, he said. "The digital immune system needs to be ‘always-on’, and deal with the occasional infection with speed and then come to recognise problems quicker the next time they surface."

The company's president and chief executive, Matthew Moynahan, is former vice president of Symantec’s Consumer Products and Solutions division.

Device lockdown

Meanwhile, Provilla makes a distributed system called LeakProof designed to address the security threat posed by ever more mobile and transient devices, including laptops, USB keys and wireless networks.

The system has a server and a lightweight application that runs in the background on endpoints such as PCs and laptops, recognising data that has been designated as sensitive via its algorithmic "fingerprints".

It is designed to address a wide variety of potential leak points, including network or I/O ports such as USB, Firewire, PCMCIA, Bluetooth, Wi-Fi, IrDA, serial and parallel ports, and devices such as USB drives, flash cards, (S)ATA and EIDE storage, printers, video cameras and other imaging devices.

The system monitors email services, instant messaging systems, websites, ftp servers and peer to peer networks, and can operate on laptops and PDAs even when they are offline, since the agent locally stores its own updated figerprint database.

It recognises more than 300 file types, including database data, graphics and multimedia files, software, engineering files and archives. The company claims it can identify confidential information even after it is heavily edited and saved as a different file, or when portions are cut and pasted into new files. If users want to encrypt data the agent can check the file before allowing them to do so.

Pricing starts at $20,000 per year for 50 to 100 endpoints and from $30 to $50 per endpoint for large enterprises. The company also has a free download called LeakSense that gives a taste of its ability to monitor data.