A new entrant to the UK security testing market has launched an internet-based application testing service it says is the first to test for backdoor vulnerabilities.
US venture capital-backed, on-demand application security testing provider Veracode today launched its SecurityReview service, first unveiled at the RSA security conference last year, which uses patented static binary analysis technology.
Veracode said its service has also been updated to help tackle the vulnerabilities that backdoors can introduce into an application. Often built into programmes by developers, backdoors are increasingly being exploited by hackers for malicious purposes.
John Pescatore, vice president and security and privacy analyst for Gartner, told IT PRO that backdoors are often written for ease of access to code and bugs in the development process. "But the intention to remove them before the software goes into production can get overlooked," he said.
He added that developers can also write backdoors for malicious purposes: "With the increase in outsourcing software development offshore, there is a worry developers in these countries could be persuaded to write in backdoors for money."
Following research into the risks backdoors pose to organisations, the vendor found that the average time it took to discover a backdoor inserted in open source software was measured in weeks, while backdoors could remain undetected in commercial software for years, putting company data and individuals' personal data at risk.
As a result, it said it had added new scanning capabilities and a taxonomy of backdoors to SecurityReview to provide better detection of special credential and hidden functionality backdoors, as well as rootkits and unintended developer-introduced features that pose security risks.
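To make the "special credential" category of the taxonomy concrete, here is an added example (not Veracode's code, and not the binary analysis the article describes) of the simplest possible source-level detector for it: a walk over a Python syntax tree that flags any comparison of a credential-looking variable against a string literal, which is the signature of a hard-coded login that bypasses the real authentication store. The sample program it scans, including the planted `support`/`letmein` check, is constructed for this illustration; the `CREDENTIAL_HINTS` list and the `Finding` type are assumptions of the example.

```python
import ast
from dataclasses import dataclass

# Substrings that suggest a variable carries a credential (assumption of this example).
CREDENTIAL_HINTS = ("user", "pass", "pwd", "token", "secret", "login")


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def _name_of(node: ast.AST) -> str:
    """Best-effort variable name for the left/right side of a comparison."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Subscript):
        return _name_of(node.value)
    return ""


def _is_credential_name(name: str) -> bool:
    low = name.lower()
    return any(hint in low for hint in CREDENTIAL_HINTS)


def find_special_credentials(source: str) -> list[Finding]:
    """Flag `<credential-ish variable> == "<literal>"` comparisons.

    A genuine authentication path compares against a store (database, IdP,
    hashed secret); a comparison against a string constant baked into the
    code is the hallmark of a special-credential backdoor.
    """
    tree = ast.parse(source)
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Compare) and len(node.ops) == 1):
            continue
        if not isinstance(node.ops[0], (ast.Eq, ast.NotEq)):
            continue
        left, right = node.left, node.comparators[0]
        # The literal may sit on either side of the operator.
        for var, lit in ((left, right), (right, left)):
            if (isinstance(lit, ast.Constant) and isinstance(lit.value, str)
                    and _is_credential_name(_name_of(var))):
                findings.append(Finding(
                    node.lineno, "special-credential",
                    f"{_name_of(var)} compared with literal {lit.value!r}"))
    return findings


# Constructed sample: an authenticate() with a planted maintenance login,
# plus an innocuous role check that must NOT be reported.
SAMPLE = '''
def authenticate(username, password, db):
    if username == "support" and password == "letmein":
        return True
    return db.check(username, password)

def is_admin(role):
    return role == "admin"
'''

if __name__ == "__main__":
    for f in find_special_credentials(SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run against the constructed sample, the scanner reports the two literal comparisons on line 3 and stays silent on the `role == "admin"` check, since `role` is not a credential name. The obvious limitation is the same one the article raises for source-based testing in general: this only works when you have the source, which is why the vendor's pitch is binary analysis; a practical version would also need to follow values through helper calls rather than stopping at a bare name.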
"Although other application vulnerability testing providers can trace vulnerabilities through source code, Veracode does have the unique ability to test the binary code if the source code is not available," said Pescatore.
"Gartner has been urging IT organisations for some time now to test software before they pay for it or put it into production," he added. "But that's set to become more important with the introduction of the PCI DSS [payment card industry data security standard] requirement to test all transactional applications. So a service-based offering might be particularly attractive to smaller merchants and IT organisations without the skills or personnel to carry out this kind of testing in-house."