Veracode rates the security of software

Company bills new service Consumer Reports for applications

Software security testing company Veracode announced on Monday a rating service designed to help enterprises determine the security level of the software they are developing and buying.

Called the Veracode Software Security Ratings Service, it is likened by the company to ratings from Moody’s, Standard and Poor’s or Consumer Reports. This service, however, focuses on quantifying the security level of commercial and homegrown applications, in part by using techniques the company developed for its SecurityReview application testing service.

Veracode, a spinoff from Symantec, says there has been no standardized rating of software security because it requires 100% of the application code be made available to the analyst, which software developers are reluctant to do. Still, there is $350 billion worth of commercial software sold annually, according to the company, much of that to enterprises that take serious security risks by deploying code that hasn’t been fully tested.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Software security testing company Veracode announced on Monday a rating service designed to help enterprises determine the security level of the software they are developing and buying.

Called the Veracode Software Security Ratings Service, it is likened by the company to ratings from Moody’s, Standard and Poor’s or Consumer Reports. This service, however, focuses on quantifying the security level of commercial and homegrown applications, in part by using techniques the company developed for its SecurityReview application testing service.

Veracode, a spinoff from Symantec, says there has been no standardized rating of software security because it requires 100% of the application code be made available to the analyst, which software developers are reluctant to do. Still, there is $350 billion worth of commercial software sold annually, according to the company, much of that to enterprises that take serious security risks by deploying code that hasn’t been fully tested.

The company’s binary security analysis inspects entire applications and components for security vulnerabilities without requiring the software developer to expose the source code of an application, officials say. Analyzing compiled binary code in its final form is the most effective way to test and rate the security of an application, including its linked libraries, inline assembly code, and code inserted by compiler-specific interpretations, they say.

The new service is based on industry standards for classifying software vulnerabilities, such as the Common Weakness Enumeration for classification of software weaknesses by Mitre and the National Institute of Standards and Technology, and the Common Vulnerability Scoring System from the Forum of Incident Response and Security Teams, officials say.

Veracode’s Software Security Ratings Service is priced at $5,000 per application.

Read more about security in Network World's Security section.