Veracode has expanded its coverage for detecting backdoors and malicious code embedded in legitimate software.
As part of its SecurityReview solution for developers and purchasers of software, Veracode has added the ability to detect growing threats such as time bombs, hardcoded cryptographic constants and credentials, deliberate information and data leakage, rootkits and anti-debugging techniques in applications.
The Defense Science Board Task Force has warned of this significant threat, stating that ‘high-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant a vulnerability for later exploitation’.
Matt Moynahan, CEO of Veracode, said: “Modern software development is complex and comprised of outsourced code, open source and third party libraries, which makes the insertion of backdoors and malicious code difficult to detect by traditional source code analysis and thus, an attractive attack vector.
“Unfortunately, due to economic conditions and corporate downsizing, backdoors are becoming an increasing threat not only from external attackers, but from privileged insiders.
“Verifying the binaries as part of the SDLC or purchase process is the easiest and most effective way to manage risk from backdoor and malicious code vulnerabilities.”