Protecode issued a new release of their tools the other day, and in this release they appear to have stepped beyond a strict focus on licensing: now they’re looking at security issues as well.
There are other companies with thorough analysis programs that focus on security and safety, so I wondered whether Protecode was either trying to duplicate those tools and methods or perhaps was partnering with one of them.
Turns out it’s neither of those two choices. Instead, they extend their license-checking methodology to security. The way they work for license review is to scan the code and match code snippets (or signatures of snippets) against a database of known code, from which they can find the license characteristics of that code. Now they do the same thing with respect to databases containing known security vulnerabilities.
It’s not clear that this makes more thorough analysis unnecessary, and, as far as I can tell, there’s no certification of any kind that comes out of it. It has something of an opportunistic, “While you’re checking, could you also look at security?” feel.
More details in their release…
