
Symantec Spinoff Fetches $19.5M


By Cassimir Medford

Veracode, a March 2006 spinoff of security giant Symantec, said Monday it was officially open for business and announced that it has raised $19.5 million from three venture capital firms and its former parent.

The company, based in Burlington, Massachusetts, examines source code at the binary level, the most basic building block of software applications, for security flaws that can be exploited by hackers.


The company delivers its services using an automated, on-demand, software-as-a-service (SaaS) business model.

But Veracode is facing a rapidly changing security market in which large systems firms such as IBM, Cisco Systems, and EMC, driven by customer demand, are acquiring the more successful security startups.

This is creating a class of large systems vendors with leading-edge security units onboard. That puts increasing pressure on security startups and established pure-play security vendors, such as Symantec and Check Point, to either innovate or die.

Veracode’s management believes two factors set its technology apart in both the product and delivery categories: Veracode examines code at the binary rather than the application level, and it delivers its services online rather than using complex on-premise tools.

“The trend today is toward mash-up applications where some of the code comes from internal development, other parts of the code come from third parties, and other code comes from open source,” said Veracode CEO Matthew Moynahan, a former Symantec vice president.

“You can only do analysis on the code for which you have source code, but with Veracode we can look at 100 percent of the code because we analyze at the binary level,” Mr. Moynahan said.

Online Model

According to Mr. Moynahan, third-party components make up 30 to 60 percent of most modern applications. That makes it almost impossible for companies to make well-researched decisions about the software’s risk level.

“We examine all the code—whether you built it, outsourced it, or licensed it—and we will be able to tell you how secure it is with far more accuracy than any existing solution,” Mr. Moynahan said.

Veracode uses an online model in which customers send their compiled software to the company via the Internet. Veracode will then examine the software for security and other flaws, such as “backdoor” codes, and send a report back to the customer.

Veracode examines the software before it’s deployed or shipped, but also offers the option of scanning already deployed software at a later date.

“This is a situation where the business model and the technology go hand in hand, because too often you see people trying to force technology into an on-demand model that doesn’t work or vice versa,” said Jeff Fagnan, a partner with Atlas Venture and one of Veracode’s investors.

“It’s this convergence of the technology and the business model that attracted us to Veracode,” Mr. Fagnan added. “Veracode was built from the ground up on a true SaaS model.”

Veracode’s investors include Atlas Venture, .406 Ventures, and Polaris Venture Partners. Symantec and Macrovision are among Veracode’s strategic investors.

Included in Veracode’s management are three former executives and founders of @stake, a company acquired by Symantec in 2004 that marketed the technology at the core of Veracode’s service.