ANTenna Blog -- Hardware & Software

Two prominent open-source projects recently got a thumbs-up from Veracode, a company that applies a standards-based approach to software vulnerability testing.

The two open-source apps, OpenVPN and the Sendmail Mail Transfer Agent, are both extremely popular among business users. According to a Veracode press release, its "A" rating indicates that a software developer has "developed a secure application that has been independently evaluated for software vulnerabilities against industry standards."

Security is a major concern for both projects. OpenVPN is a widely used tool for creating point-to-point encrypted network connections, and Sendmail MTA is the single most widely used application of its type -- open-source or proprietary -- in use today.

Third-party software vulnerability testing is a growth market, and Veracode is one of the companies at the forefront of this industry. The company tests both open-source and proprietary applications using several independent software-security standards.

The idea is to provide an impartial, objective source of software security assessments. Veracode is a for-profit company that charges software developers for its assessments; the idea is that companies whose products receive a high security rating will be able to market themselves more effectively to customers.

Since Veracode's tests are applied to compiled code, proprietary software vendors are able to submit their products for testing without being forced to reveal their source code to an outside organization. (Of course, this isn't a problem for open-source software such as OpenVPN and Sendmail.)

This approach offers some obvious benefits. First and foremost, it assures software users that a product has been tested extensively against a consistent set of standard software-security criteria. That doesn't guarantee that an application is completely free of potential security flaws, but it certainly offers an additional measure of assurance.

On the other hand, it is possible to argue that a for-profit company like Veracode might face pressure to adjust its results to satisfy its paying customers -- that is, the companies that submit their software for testing. It's an obvious concern, although Veracode's implementation of industry-standard software security benchmarks provides an obvious way to avoid the problem.

Software vulnerability testing isn't a totally effective way to detect potential security flaws. It is, however, an important new addition to the software security arsenal. And for business users, these types of third-party testing and rating schemes are definitely worth considering as part of any software evaluation process.