HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON ESDC IPHONEDEVCON PRIVACY POLICY CONTACT US

Printable version

HOME >> LATEST NEWS

Most Read Latest News Blog Resources

Mono brings .NET to Android
At Microsoft MIX, Mono will unveil the ability to port .NET applications to the Android op...

Does Windows cost Microsoft opportunities?
Microsoft's decision to focus .NET on Windows is stifling innovation due to the specter of...

Scrum Planning Board adds automation to Axosoft OnTime
Illustrations are also included to assist Scrum-using developers a better view of what the...

Maven Studio for Eclipse gets developers up to speed
Sonatype tool simplifies onboarding by giving developers a way to easily deploy fully conf...

nVidia updates CUDA tools
Latest version helps developers turn desktops and servers with high-end GPUs into more pow...

Scrum Planning Board adds automation to Axosoft OnTime
Illustrations are also included to assist Scrum-using developers a better view of what the...

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.

Overcoming Development Challenges with Open Source Open source software can help you with your application development challenges. It doesn’t...

Accelerate Services and the Cloud Business units, functional groups, and different divisions of companies across industries...

Enterprise Mashup Platforms for Today’s Increasingly Complex and Real-Time Context Enterprise Mashups offer your company a new way to connect data from inside and outside yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

Veracode Tightens Guard at Backdoor

Software-as-a-service tool handles new forms of intrusions

By Jeff Feinman

January 15, 2008 —

Veracode has updated its SecurityReview software security testing service to offer new back-door detection capabilities.

Veracode executives say it can take several weeks to discover a back door inserted into software, leaving the application vulnerable to intruders. The new version of SecurityReview, released in mid-December, provides better detection of back-door intrusions and malicious code, according to Veracode. SecurityReview is a software-as-a-service security offering that Veracode officials claim is the industry’s first on-demand security services on the market.

Some of the back-door techniques that the updated Veracode service can help guard against include special credential back doors, which occur when an attacker inserts logic and special credentials into the program code, and hidden functionality back doors, which allow attackers to issue commands without proper authentication, Veracode officials said.

“The special credential back door is definitely the most commonly found, and it could be because it’s fairly simple,” said Chris Wysopal, CTO of Veracode. “At some point, it goes through the normal authorization functionality of the program, so you can trace back from there to find static values in the program.

“The hidden functionality is a little bit more difficult to find. We look for signs that someone is trying to obfuscate the changes they made to the code. This is a common technique people use. Instead of putting the password in an embedded string, they might make it look like it’s random data, and when data is obfuscated within the binary, that sort of raises the flag in our analysis that there could be something there.”

Wysopal said that one common hidden functionality technique that Veracode frequently finds in customer code is when debugged code is left enabled in the binary; whether intentional or otherwise, it's still a large vulnerability, he said.

The updated Veracode service also defends against rootkits, which can signal that a back door may be present. Rootkits can subvert functions of the operating system and are used to hide back doors. Additionally, Veracode can now scan for unintended network activity such as listening on undocumented ports, making outbound connections to establish a command and control channel, or leaking sensitive information over the network via SMTP, HTTP or other protocols.

Wysopal said that code audits are a good way to find back doors, but that automated activities can also be a great help in uncovering them. Simply prepping the source base for back-door vulnerabilities can serve as a useful test before building an application, he added.

Share this link: http://www.sdtimes.com/link/31663

Apache Qpid M3 improves Java broker, tightens code The messaging protocol contains an implementation of the AMQP standard that is compatible with C++, Java, .NET, Python and Ruby. The improved Java message broker is written in both C++ and Java, avoiding difficulties associated with JMS.

Microsoft Begins Changing of the Guard Three prominent Microsoft executives announced this week that they would be leaving the company, the most notable among them being...

Mono Team Tightens Ties To Microsoft Mono, the open source .NET runtime project run by Novell, has gone back to basics. In February, the Mono team...

Add comment

Name*
Email*
Country

Comment
Preview

News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Google Code turns 5
Google Code Turns 5, and adds a Paxos Algorithm to make the system more stable and reliable.
03/17/2010 11:16 AM EST

Test your Visual Studio 2010 know-how
Microsoft is offering free beta certification exams for Visual Studio 2010.
03/17/2010 11:08 AM EST

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST