APPLICATION SECURITY
Knowledge Base
Search Our Knowledge Base
Malicious Code
What Is Malicious Code?
Malicious code is the term used to describe any code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system. Malicious code is an application security threat that cannot be efficiently controlled by conventional antivirus software alone. Malicious code describes a broad category of system security terms that includes attack scripts, viruses, worms, Trojan horses, backdoors and malicious active content.
Malicious code may also include time bombs, hardcoded cryptographic constants and credentials, deliberate information and data leakage, rootkits and anti-debugging techniques. These targeted malicious code threats are hidden in software and mask their presence to evade detection by traditional security technologies.
Once inside your environment, malicious code can enter network drives and propagate. Malicious code can also cause network and mail server overload by sending email messages; stealing data and passwords; deleting document files, email files or passwords; and even reformatting hard drives.
Malicious Code Threatens Enterprise Security
Malicious code can give a user remote access to a computer. This is known as an application backdoor. Backdoors may be created with malicious intent, to gain access to confidential company or customer information. But they can also be created by a programmer who wants quick access to an application for troubleshooting purposes. They can even be created inadvertently through programming errors. Regardless of their origin, all backdoors and malicious code can become a security threat if they are found and exploited by hackers or unauthorized users. As applications today tend to be built more and more often with reusable components from a variety of sources with varying levels of security, malicious code can pose a significant operational risk to the enterprise.
How to Avoid Malicious Code
One way to avoid malicious code in your applications is to add static analysis (also called “white-box” testing) to your software development lifecycle to review your code for the presence of malicious code. Veracode’s static code analysis looks at applications in non-runtime environment. This method of security testing has distinct advantages in that it can evaluate both web and non-web applications and, through advanced modeling, can detect malicious code in the software’s inputs and outputs that cannot be seen through other testing methodologies.