If you have visited our PortalGuard.com homepage recently, you might have noticed that the PortalGuard product has been officially awarded the ‘VerAfied’ status by Veracode, a leading company in Application Risk Management and analysis. What this means, is that throughout the scrutiny of Veracode’s series of formal application assessments, the PortalGuard software had either met or exceeded the criteria outlined in their Risk Adjusted Verification Methodology for mission critical applications. What this means, is that you can rest assured that PortalGuard, from security and security compliance standpoints, front-end to back-end, is a truly rock-solid Authentication Platform solution.
In order to support this claim, allow me to describe in more detail what it means to be VerAfied, and the process it takes to attain this status. First, let’s go over the major types of assessments that had been performed, and the nature of the vulnerabilities they attempt to uncover. In part two of the post we will elaborate on the effectiveness and credibility of Veracode’s Risk Adjusted Verification Methodology System.
Static Binary Analysis
Static Binary Analysis, or “white-box” testing, is a meticulous look into the product’s source code. This method of analysis seeks to uncover vulnerabilities and flaws that may otherwise be concealed once the software is in a runtime environment. By automatedly walking through the application’s control and data flow, via its executable machine code, the examination is able to identify often difficult to find vulnerabilities relating to linked-libraries, APIs, compiler optimizations, and other areas that simple code debugging cannot. The approach goes beyond other source code tools, and is able to detect threats arising from possible malicious code and backdoors from within the core application, extending to those potentially in 3rd party libraries or other pre-packaged components. The result is the most intensive, accurate, and complete software security testing available. Having been reviewed by this process, the PortalGuard software has been rewarded the highest score available in Static Binary Analysis and by extension, regulatory compliance.
While “white-box” analysis performs examination on software outside of the runtime environment, the complement approach of Dynamic Analysis, or “black-box” testing, covers vulnerabilities best found by probing the application from within the runtime environment. Research by Gartner and the U.S Computer Emergency Response Team has shown that 75% of malicious attacks on web applications specifically target the application layer, seeking to exploit potential weaknesses hidden there. Veracode’s automated Dynamic Analysis vulnerability scanner takes a similar approach by conducting examination during runtime and detecting flaws within the application layer in much the same way a hacker would. The automated process can, however, map far more of the application than a hacker practically could, and so it identifies far greater numbers of vulnerability attack vectors, and in far less time. In addition, since Veracode’s Dynamic scanner keeps records of all the previous scans it has performed, it’s always applying the latest knowledge of common vulnerabilities and is always evolving to stay current with the latest web technologies. Whereas Static Analysis is the ultimate in terms of source code analysis, Dynamic scanning completes the picture by offering the ultimate vulnerability scan for web application front-end flaws and exploits. Having been rigorously tested by the Dynamic scanning processes first automatedly, and then with a comprehensive set of automation scripts to cover a large variety of unique usage scenarios, the PortalGuard software has been rewarded the highest score available for dynamic evaluation.
Remember to read Part Two tomorrow.