In-Q-Tel invests in Veracode
- By William Jackson
- Jul 29, 2008
In-Q-Tel, the U.S. intelligence community's strategic investment arm, has entered into an investment agreement with Veracode Inc. of Burlington, Mass., to accelerate development of the company's commercial software analysis tools.
Veracode offers its SecurityReview as an on-demand service for analyzing binary code for vulnerabilities and other flaws. The In-Q-Tel support will help speed the advancement of the tool's performance and functionality, said Kimberly Baker, Veracode's vice president of government and international markets.
'The capabilities are directly in line with what In-Q-Tel's customers are looking for in code review,' Baker said.
Those customers include the civilian and defense intelligence agencies, which are eager to take advantage of the development of commercial tools to get the functionality they need for their own missions in cost-effective, off-the-shelf products.
'We know the gaps we want to fill,' but finding vendors able to fill those gaps quickly and efficiently is not always easy, said Donald Tighe, In-Q-Tel's vice president of external affairs. When a vendor with promising technology is found, In-Q-Tel can help advance its development. This benefits both the public and private sectors because the government's needs typically are in line with those of most large companies, he said.
The SecurityReview service uses static binary testing technology and dynamic Web scanning analysis to assess application security threats, including vulnerabilities such as cross-site scripting, SQL injection, buffer overflows and malicious code. It is able to do the analysis without exposing a company's source code, which often is not available.
'We analyze compiled code and do not require the source code,' Baker said. 'That puts us in a position to analyze 100 percent of an application that might include in-house or other custom code.'
It was the ability to work without source code and to analyze software that contains code from multiple sources that attracted the intelligence community, Tighe said.
Baker would not provide details of the development roadmap for SecurityReview, but said it included expanding the types of application code examined and the ability to offer a product as well as a service. Currently, SecurityReview exists as a single instance of the software residing in Veracode's Boston hosting center. Customers compile the code to be analyzed and upload it to a Veracode portal. Results usually are returned in 24 hours to 72 hours. There is a demand from both commercial and government users to get the program as a software product for specific purposes.
In-Q-Tel did not release the details of the Veracode agreement, but Tighe said most of its investments are in the $1 million to $3 million range. 'That does match this deal,' he said. There is no time limit on the relationship. In-Q-Tel does not take an equity stake in the company, but does assist in product development.
Most of In-Q-Tel's investments are in products past the research and development stage. The goal is to speed commercialization rather than engage in research, Tighe said. To date, In-Q-Tel has engaged with more than 100 companies and delivered more than 140 technology solutions to the intelligence community.
William Jackson is a Maryland-based freelance writer.