Corporates worried about the nasty security holes that might lie under the surface of their expensively-assembled applications are being offered a new code testing service.
Veracode's SecurityReview service pitches two selling points. First, it claims to be the first on the market that lets businesses give applications a once-over as a service, without the need to buy and learn how to use a software tool.
The second certainly marks it out from the growing ranks of applications assessment systems - it analyses code at binary level, something normally considered to be difficult to pull off. According to the company, this lets SecurityReview peer into the various components from which many of today's applications are built, looking for vulnerabilities.
The company is coy about how the system performs binary analysis on large volumes of binary code, but the ability to look at an application without the need to have source code - which might represent intellectual property from several vendors - has obvious attractions. Few want third parties running their eyes all over an application's deepest secrets.
"All you do is give us the binary and we can tell you what's wrong with it and help to fix it," said Veracode's young CEO Matt Moynahan. "You end up with a set of results that a non-security expert can understand."
SecurityReview itself comes in a number of flavours, aimed at different elements of the security problem, including the Outsourcing service, one aimed at COTS (common off-the-shelf software), SDLC (software development lifecycle) reviews, and finally, one designed to help with PCI compliance.
"All you do is subscribe to us. We don't care whether it's Java, Windows or Linux, it's all one and zeroes to us," said Moynahan.
The service could also be used to assess code outsourcing teams against one another, he said.
The scale of the problem being addressed by the new service is hard to doubt. Earlier this month, a survey by Quocirca suggested that outsourcing might deserve to take some of the blame for the rise in software vulnerabilities. Security appears to be the last thing on the worry list of most companies when they boarded this bandwagon of lower cost software development.