The mission of ZeroDay Labs is to host a dedicated website and shared resource where visitors can interact, contribute and learn how to identify new security gaps, improve the accuracy of real-world application vulnerability detection, and communicate findings in order to improve the state of software security. ZeroDay Labs is led by members of Veracode’s core research team including Chris Wysopal, co-founder and CTO; Chris Eng, senior director, security research; and Tyler Shields, senior security researcher.
ZeroDay Labs Calls for Binary and Source Code Submissions
Core to its community-building goals, ZeroDay Labs will offer code-level examples of vulnerabilities drawn from member experiences. As the community grows, based on voluntary submissions, Veracode will accelerate awareness and remediation efforts by sharing real-world examples among participants.
Code submissions are not limited to Veracode customers. Organizations are encouraged to submit one application, free of charge, to the VerAfied Software Directory, a list of Independent Software Vendors (ISVs), service providers and enterprises that have successfully completed the Veracode Security Verification Process for their software product and/or infrastructure, and achieved the VerAfied™ security mark. The VerAfied mark indicates that an application has received an independent security verification from Veracode and the provider has resolved or mitigated any vulnerabilities identified by automated static binary analysis and automated dynamic analysis (if applicable).
Submissions can be made two ways: known vulnerabilities, where organizations can then use the assessment to automate detection across their portfolio; or unknown, where manual source code review is used to augment and improve static binary analysis. For known and unknown vulnerabilities, Veracode will use the results to automate detection. To date, Veracode has analyzed more than 1,600 applications across 15 industries, representing billions of lines of code. To learn more about the submission process, visit http://www.veracode.com/directory.
“Think of ZeroDay Labs and our VerAfied Software Directory like the Centers for Disease Control. With the more patient information and case detail submitted to the CDC, the more effective physicians around the world can become in terms of prescribing treatments,” said Chris Wysopal, co-founder and CTO, Veracode, Inc. “In the case of our Software Directory, the richer the database of software vulnerabilities across industries, languages and technical platforms, the more security and development teams can learn about ensuring the highest degree of application risk management and performance in their own environments.”
The ZeroDay Community
ZeroDay Labs is home to Veracode’s ZeroDay Labs blog as well as technical articles, whitepapers and other information available for download, organized by technical architecture and language such as Java, C/C++ and .NET. The site is also a source of information about the company’s involvement with the extended security-aware community, detailing its participation in regional events associated with organizations like ISACA, ISSA, OWASP and .NET User Groups.
ZeroDay Labs will continue to evolve with the addition of an aggregate of RSS and other feeds from relevant sites, companies and partners. The ZeroDay community forum will serve as a social network connection where security software professionals can discuss newly identified vulnerabilities, such as those recently reported in widely used Open Source software solutions to mitigate vulnerabilities, and other technical topics. It will also be connected to other social network capabilities such as LinkedIn, Facebook and Twitter.
Veracode is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments and developer e-learning, Veracode SecurityReview' is the most accurate and cost-effective way to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter @Veracode or read the ZeroDay Labs blog.