Veracode Spotlights Software Backdoors as Emerging Threat

12/18/2007

Veracode Inc., a provider of on-demand application security testing solutions, today announced comprehensive support for detecting backdoors and malicious code as part of Veracode’s SecurityReview® solution for developers and purchasers of software.

ebizQ received the following:

Based on research conducted by the Veracode security team, Veracode has added new scanning capabilities as well as deeper support for detection of backdoors and malicious code using Veracode’s patented static binary analysis technology.

As the complexity of modern software applications increases, with components assembled from reusable binary components, backdoors can easily circumvent even the best of QA cycles, resulting in the need for a more complete and accurate approach to software security testing. Veracode’s binary software testing, which provides 100% coverage as opposed to the partial coverage of today’s source code-only analysis solutions, is uniquely positioned to tackle the backdoors and malicious code challenge by offering a complete, independent security verification of an entire software application.

To combat the risks backdoors pose to organizations, Veracode conducted extensive research and developed the first comprehensive taxonomy of backdoors so that organizations and application developers can better understand how to detect these hidden threats. In the course of the research, Veracode found that the average time to discovery of a backdoor inserted in open source software was measured in weeks. Backdoors in commercial “closed source” applications went undetected for years, putting company and individuals’ personal data at risk.

In order to better protect Veracode customers from these often undetected threats, Veracode has augmented its SecurityReview application testing solution to provide better detection of backdoors and malicious code, including: special credential backdoors, hidden functionality backdoors, rootkits, as well as unintended developer-introduced features that pose security risks. (See definitions below.)

"Backdoors and malicious code pose significant operational risk to enterprises and software that are just too significant to ignore,” said Matt Moynahan, chief executive officer of Veracode. “Given the complexity of modern application development, the common practice of outsourcing and increasing use of third party libraries, it is nearly impossible for an enterprise to identify the pedigree and security level of the software running their business-critical applications and handling their customer’s personally identifiable information. As a result, we expect backdoors and malicious code insertion to become an increasingly prevalent attack vector against the enterprise. Because the binary (compiled code) represents the actual attack surface for the hacker, testing the application binaries is the most accurate and complete way to conduct final, independent security validation and verification."

The Depository Trust & Clearing Corporation (DTTC), which provides custody and asset servicing for 2.8 million securities issues from the United States and 107 other countries and territories, valued at $36 trillion, understands that backdoors and malicious code pose unique threats to the enterprise. "Veracode offers a unique method for testing software that provides software providers with effective security controls to assess and manage the risk of malicious code," said James Routh, CISO of Depository Trust & Clearinghouse Corporation.

For more information on Veracode’s software backdoor capabilities, please visit us at www.veracode.com or call us at 781-425-6040.

Multimedia

• Download the podcast to hear more from Veracode on backdoors



• Download a technical white paper to read about the taxonomy of backdoors



• Download a white paper that examines the risks associated with backdoors

Definitions

• Special Credential Backdoors – These occur when an attacker inserts logic and special credentials into the program code. The special credentials are in the form of a username, password, password hash, or key which is usually hardcoded. Special credentials are also inserted by developers for the purpose of customer support or for debugging. These pose a similar risk since once they are discovered attackers can use them as a backdoor.



• Hidden Functionality Backdoors – These allow the attacker to issue commands or authenticate without performing the designed authentication procedure. Hidden functionality backdoors often use special parameters to trigger logic within the program that is not intended. In web applications these are often invisible parameters for web requests (not to be confused with hidden fields). Other hidden functionality includes undocumented commands, hardcoded IP addresses and/or leftover debug code.



• Rootkits – Rootkit behavior in an application can be a warning that a backdoor or other malicious code may be present. Typically rootkits subvert functions of the operating system and are used to hide the backdoor. This helps attackers subsequently access the system and avoid detection.



• Unintended Network Activity – Unintended network activity is a common characteristic of backdoors. This may involve a number of techniques, including listening on undocumented ports, making outbound connections to establish a command and control channel, or leaking sensitive information over the network via SMTP, HTTP, UDP, ICMP, or other protocols. Occasionally this will be an intended feature of the software for use as a support mechanism but it can carry security and privacy risks and should be detected.




Our Popular Webinars

Best Practices in Moving Processes to the Clouds

How Can the Cloud Fit Into Your Applications Strategy?

Cloud Data Integration Best Practices

The Economics of Cloud Computing

Data Services Insight: Successful implementation of Canonical Information Models

More Webinars

More Top Stories

Identity Networking: Where Security and Compliance Meet

Get Smart About Database Security

SQL Injection Rears Its Ugly Head Again

Data Warehouses and Disaster Recovery

Expect the Unexpected with Data Security

Is Big the New Small in Application Security?

More Top Stories

Related News

Open Group Forms 'Trusted Technology Forum' for Supply Chain Security

Metalogix Announces SharePoint-to-Cloud Migration Manager

HP Unveils Business Assessment to Help CIOs Set IT Priorities

More News

Home
Webinars
Blogs
ebizQ Forum
All Topics
Subscriptions
White Papers
Analyst Corner
Follow us on Twitter
Fan us on Facebook

Explore Our Topics

BPM Strategy
BPM Solutions
Event Processing Strategy
Content-Centric & Collaborative BPM
Process-Centric BPM

About Us
Editorial Submissions
Feedback
FAQ
Advertise With Us
Site Map
Privacy Policy
Unsubscribe