Business Daily from THE HINDU group of publications Monday, Dec 24, 2007
eWorld
-
Software 0…1.... code-testing
Archana Venkat

Wouldn’t it be strange if you had to employ one contractor to build your kitchen, another to build your bedroom and a third to build the hall and dining area? Well, this is how software testing has been happening around the world. The battery of tests conducted on software — compatibility testing, conformance testing (with industry standards), functional testing (to see if an application performs all the required functions), load testing and unit testing (to evaluate system integration aspects) — are usually done by different parties using different sets of tools. Later, all modules tested successfully are pieced together.

Little wonder then that most code floating in the world is insecure and of unknown pedigree (source code is untraceable), says Matt Moynahan, Chief Executive Officer, Veracode. This makes it difficult to write secure code resulting in secure applications. “Applications must be developed based on security requirements and not just functionality, usability or performance criteria as they are done now,” he said at a recent interaction organised by the Indo-American Chamber of Commerce.

This line of thought led Moynahan, formerly employed at Symantec, to set up Veracode, an on-demand application security testing and assessment solutions company. Veracode aims to solve the issue of disparate testing practices by offering binary testing to clients. Binary testing refers to testing of the binary code (zeroes and ones) that forms the basis of any computer application, irrespective of where the source code came from. This makes it possible for one to test aspects of communication between two or more computers/applications linked via the Internet — otherwise impossible.

One does not need to share one’s source code with Veracode for application testing. “We only look at the compiled code, which is closest to the executable code,” Moynahan told eWorld. Users have to upload any application they want tested to Veracode’s Web site. The company then simulates the application and runs a set of tests on it, including hacking techniques. These tests take 24-72 hours depending on the application size.

The results, published online, contain comprehensive information such as the type of flaw, the reason for it, how it affects the application capabilities, location of the flaw and how to fix it. Flaws discovered are also mapped against top industry flaws/threats and clients are advised on which flaws to rectify immediately and which to handle at a later time. “We tell people what needs urgent attention and how to fix the problem, rather than merely put out a report and expect them to fix all flaws,” he says. The pre and post-testing details are stored on the Veracode Web site for future reference by the client.

Bagging the deal

Networking major Cisco took Veracode’s help to analyse the quality of code being developed by a small Indian firm to which it planned to outsource some application development work. Veracode’s tests revealed about 16 flaws, giving the code a ‘D’ rating. “We told the company to address two major flaws that would improve their rating to ‘A’,” he says. The company did so and bagged the Cisco deal.

India is an important market for Veracode and the company is contemplating setting up offices here. “We are thinking of setting up centres at client locations before establishing our own premises,” Moynahan says. Of the about $350 billion (about Rs 14 lakh crore) worth of code sold globally every year, about $50 billion (about Rs 2 lakh crore) worth of code is developed in India.

The company is currently looking at partnering with IT companies to propagate its software. “We are working out pricing to suit the small and medium businesses in India,” Moynahan says. A trial test package is likely to be priced between $1,000 and $2,000 (Rs 40,000-Rs 80,000), while regular packages would range between $20,000 (Rs 8 lakh) and $60,000 (Rs 24 lakh).
Copyright © 2007, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line