Coverity Unveils Next-Generation Static Analysis Technology for Web Application Security

Innovations in development testing to enable developer adoption of static application security testing
By: NSPR

Coverity has extended static analysis to deeply understand both source code and modern web application architecture, providing greater accuracy and remediation guidance to help developers find and fix security defects that can lead to the most commonly exploited vulnerabilities including SQL injection and cross-site scripting. Designed from the ground up to analyse web applications from the developer’s point of view, Coverity’s new technology addresses the complexity of modern web applications and enables developer adoption of static application security testing in a way that the shallow, incomplete analysis of first-generation tools failed to achieve.

Coverity’s innovations in static analysis technology are the first to:

• Augment static source code analysis with a framework analyser that minimises inaccuracies when data passes through application frameworks, thereby minimising false positives.
• Incorporate a white box fuzzer inside static analysis to automatically validate that data sanitisation routines perform sufficient sanitisation of untrusted data and are used in the right context.
• Provide precise, defect-specific remediation guidance to ensure developers understand how to fix security defects correctly and efficiently.

“Getting developers to fix security defects requires much more than just integrating static analysis into an IDE. Developers need evidence that the defects identified are real, and they need to understand how to fix those defects in their code,” said Andy Chou, Coverity co-founder and Chief Technology Officer. “First-generation static analysis tools are not effective in helping developers because they don’t credibly provide them with this information. We are making it easy for developers by taking the guesswork out of finding and fixing security defects.”

“We understand development—

“To minimise the risks created by leaving critical business applications vulnerable to attack, application development and security specialists are in need of technologies capable of accurate testing for vulnerabilities such as SQL injection, cross-site scripting and buffer overflow. The next generation of application security testing technologies is capable of delivering it,” said Joseph Feiman, Ph.D., Research Vice President and Gartner Fellow at Gartner Research in the November 29, 2011 report, “Evolution of Application Security Testing: From Silos to Correlation and Interaction.”

Coverity’s new technology will be generally available in September 2012 as part of the Coverity Development Testing platform. Coverity is offering an early access program, which includes a free application security assessment, to select companies. To apply for the early access program, register here.

Additional Resources

• Visit Coverity at the Gartner Security and Risk Management Summit, June 11-14 in National Harbor, Maryland, at booth #66.
• Read about development testing for web application security.
• Attend a webinar featuring Andy Chou, Coverity co-founder, CTO and head of the Security Research Laboratory.
• Read the Coverity Security Research Laboratory blog.

About Coverity

Coverity, Inc., (www.coverity.com)