Veracode Tightens Guard at Backdoor
Software-as-a-service tool handles new forms of intrusions
January 15, 2008 —
Veracode has updated its SecurityReview software security testing service to offer new back-door detection capabilities.
Veracode executives say it can take several weeks to discover a back door inserted into software, leaving the application vulnerable to intruders. The new version of SecurityReview, released in mid-December, provides better detection of back-door intrusions and malicious code, according to Veracode. SecurityReview is a software-as-a-service security offering that Veracode officials claim is the industry’s first on-demand security services on the market.
Some of the back-door techniques that the updated Veracode service can help guard against include special credential back doors, which occur when an attacker inserts logic and special credentials into the program code, and hidden functionality back doors, which allow attackers to issue commands without proper authentication, Veracode officials said.
“The special credential back door is definitely the most commonly found, and it could be because it’s fairly simple,” said Chris Wysopal, CTO of Veracode. “At some point, it goes through the normal authorization functionality of the program, so you can trace back from there to find static values in the program.
“The hidden functionality is a little bit more difficult to find. We look for signs that someone is trying to obfuscate the changes they made to the code. This is a common technique people use. Instead of putting the password in an embedded string, they might make it look like it’s random data, and when data is obfuscated within the binary, that sort of raises the flag in our analysis that there could be something there.”
Wysopal said that one common hidden functionality technique that Veracode frequently finds in customer code is when debugged code is left enabled in the binary; whether intentional or otherwise, it's still a large vulnerability, he said.
The updated Veracode service also defends against rootkits, which can signal that a back door may be present. Rootkits can subvert functions of the operating system and are used to hide back doors. Additionally, Veracode can now scan for unintended network activity such as listening on undocumented ports, making outbound connections to establish a command and control channel, or leaking sensitive information over the network via SMTP, HTTP or other protocols.
Wysopal said that code audits are a good way to find back doors, but that automated activities can also be a great help in uncovering them. Simply prepping the source base for back-door vulnerabilities can serve as a useful test before building an application, he added.
Share this link: http://sdt.bz/31663
Most Read Latest News Blog Resources
Zeichick’s Take: Radio moves from analog waveforms to digital packets
Streaming radio highlights the need for streaming applications to be designed to take up as little bandwidth as possible
|
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Appcelerator Acquires Cocoafish to Add Instant Mobile Cloud Capabilities to its Industry Leading Titanium Platform
Appcelerator Offers Messaging, Social, Location and Storage Mobile Cloud Services to All Mobile App Publishers
|
|
ComponentOne Releases a Collection of 40+ UI Widgets Powered by HTML5 and jQuery
ComponentOne has announced the 2012 release of Wijmo: a kit of UI widgets for HTML5 and jQuery development
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles
|
|
Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions
|
Are you at risk for burnout?
Burnout is a severe problem and it can strike at any time. Here's how to tell if you are nearing the edge.
|
|
Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
|
|
RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
|
|
GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
|
The Hidden Costs of Software Licensing
Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...
|
|
Case Study: You May Need a Development Mechanic
As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...
|
|
Ensuring Software Quality at a Major International Bank
One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...
|
|
Load Testing Adobe Flex Applications
Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...
|