Veracode Looks to Close 'Backdoors' in Code

Leave a backdoor in a program and it won't be a draft coming in but a hacker, followed by his friends, fraud and massive customer settlement.

Leave a backdoor in a program and it won't be a draft coming in-it will be a hacker, who will be followed by his friends fraud and massive customer settlement. With this in mind, Veracode has expanded its on-demand scanning services to include new technology for detecting backdoors in application code.

The move extends Veracode's on-demand SecurityReview offering, which uses static binary analysis to scan applications for security vulnerabilities such as SQL injection. The company is leveraging that technology to provide extra protection against backdoors, which though sometimes placed in software for good reasons, can pose a serious threat if discovered by hackers, said Veracode Chief Technology Officer Chris Wysopal.

"Our software doesn't know whether it's intentional by the developer for a particular reason or if it was put there for malicious intent," he said. "There are legitimate reasons a developer might put a hard-coded password in-maybe they put it so that when they are debugging the program and they get locked out somehow they can get back in. The problem with that is if the bad guy finds out about these mechanisms the bad guy can exploit them."

Officials at Veracode have focused on a number of types of backdoors, including those they call special credential and hidden functionality backdoors. Of all the categories of backdoors, those subverting the authentication process are most common, Wysopal said.

To view an eWEEK slideshow about the seven signs your kid may be a hacker, click here.

"The person inserts a bypass of the authentication that goes and checks against a baked in, static password that's embedded in the system itself," he explained. "We can look for where the authentication mechanism is in the program, and then we can look for static values that are part of the software. If it's checking against the static value we know that is an irregularity...(and) we have a high confidence that is a backdoor. So we run a scan that looks at the kind of crypto functions that password mechanisms use to hash passwords and we see if there is ever a static value going into there."

With hidden functionality backdoors, developers put in extra commands that, if known by others, allows for unauthorized code execution. In Web applications, hidden functionality backdoors are often invisible parameters for Web requests, and can also include undocumented commands, hard-coded IP addresses and leftover debug code.

The company also scans for telltale signs such as self-modifying code or code obfuscation, as well as rootkits and unintended network activity, which includes listening on undocumented ports, making outbound connections to establish a command and control channel, or leaking sensitive information over the network via SMTP, HTTP, UDP, ICMP or other protocols.

Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.