Application testing outfit Veracode has announced an upgrade to its SecurityReview service that will interest coders everywhere – the ability to spot back doors and other malicious insertion.

Aimed squarely at enterprise developers assessing their own or outsourced code, as well as IT departments buying ready-made software, the company has enhanced SecurityReview to better detect new threats, including ‘special’ and ‘hidden-credential’ backdoors. The bane of researchers – the rootkit - is now also on the detection menu.

The company said it was introducing the new feature after direct requests from “financial and government bodies in the US who are seeing the exploitation of backdoors as a real problem.” The company also pointed to research by the US department of Homeland Security that suggested that up to 23 percent of software could have backdoors of one sort or another.

Back doors can find their way into software - now highly 'componentised' – in a number of ways. It can be put there deliberately by developers, a common practice in closed-source software. It can be put there inadvertently, creating a risk if the vulnerability is found by hackers, again a common phenomenon. Less commonly, it can be put there by the hackers themselves.

Developer vulnerabilities included the insertion of special usernames or hard-coded keys, used for debugging. Hackers could also insert code to do the same thing, the so-called ‘special credential’ backdoor.
According to Veracode, the average time to discover of such vulnerabilities in open source software ran to weeks, while in closed-source programs it might never come to light until it was uncovered by hackers themselves.

“We expect backdoors and malicious code insertion to become an increasingly prevalent attack vector against the enterprise. Because the binary (compiled code) represents the actual attack surface for the hacker, testing the application binaries is the most accurate and complete way to conduct final, independent security validation and verification,” said Veracode’s Matt Moynahan.

“Given the complexity of modern application development, the common practice of outsourcing and increasing use of third party libraries, it is nearly impossible for an enterprise to identify the pedigree and security level of the software running their business-critical applications and handling their customer’s personally identifiable information,” he added.

SecurityReview provided developers with an independent, standards-based approach to what had grown into a major headache for security professionals.

The company has produced a number of white papers to illustrate what it says is the need for thorough application assessment.