Coverity, the leader in development testing, today announced new innovations in static analysis technology that will empower development teams to effectively address security defects in Java web applications. These are the result of collaboration between the Coverity Research and Development team and the Coverity Security Research Laboratory, building on Coverity’s core strength in static analysis technology and its multiple patents for accurate and scalable techniques in defect detection.

Coverity has extended static analysis to deeply understand both source code and modern web application architecture, providing greater accuracy and remediation guidance to help developers find and fix security defects that can lead to the most commonly exploited vulnerabilities including SQL injection and cross-site scripting. Designed from the ground up to analyze web applications from the developer’s point of view, Coverity’s new technology addresses the complexity of modern web applications and enables developer adoption of static application security testing in a way that the shallow, incomplete analysis of first-generation tools failed to achieve.

Coverity’s innovations in static analysis technology are the first to:
• Augment static source code analysis with a framework analyzer that tracks untrusted data accurately as it passes through application frameworks, thereby reducing false positives.
• Incorporate a white box fuzzer inside static analysis to automatically validate that data sanitization routines sufficiently sanitize untrusted data and are used in the right output context.
• Provide precise, defect-specific remediation guidance to ensure developers understand how to fix security defects correctly and efficiently. 
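The second bullet describes sanitizer validation: checking both that a routine actually neutralises hostile input and that it is the right routine for the output context it feeds. The block below is an added example, not Coverity's code or a description of its analyzer; it sketches the idea as a context-aware fuzz check in Python (the page's subject is Java web applications, but the technique is language-independent). The sanitizers, output contexts, oracle patterns and payload corpus are all constructed for the illustration.

```python
"""Added example (not Coverity's code): a small white-box check that a
sanitizer (a) neutralises hostile input and (b) is used in the right output
context. Sanitizers, contexts and payloads are constructed for the illustration."""
import html
import random
import re
from typing import Callable, Iterator, Optional

# --- sanitizers under test (constructed; the second is deliberately weak) -----
def html_escape(s: str) -> str:
    """Entity-encodes & < > " '. Correct for HTML text and quoted attributes."""
    return html.escape(s, quote=True)

def strip_script_tags(s: str) -> str:
    """Blocklist that removes only the literal tag: insufficient for any context."""
    return re.sub(r"</?script>", "", s, flags=re.IGNORECASE)

def js_string_escape(s: str) -> str:
    """\\uXXXX-encodes everything that can end or escape a quoted JS literal."""
    return "".join(
        "\\u%04x" % ord(ch) if ch in "\\'\"<>\n\r\u2028\u2029" else ch
        for ch in s
    )

# --- output contexts: how the value is embedded, and what must not survive ----
# The oracle is a necessary condition, not an exploit proof: if a raw character
# that can terminate or escape the enclosing construct survives sanitization,
# the sanitizer is insufficient, or the wrong one, for that context.
CONTEXTS = {
    "html_body": (lambda v: f"<div>{v}</div>",
                  re.compile(r"[<>]")),
    "html_attr": (lambda v: f'<input value="{v}">',
                  re.compile(r'"')),
    "js_string": (lambda v: f"<script>var u = '{v}';</script>",
                  # raw quote, line terminator, "</", or a backslash that is not
                  # part of a \uXXXX escape
                  re.compile(r"'|[\n\r\u2028\u2029]|</|\\(?!u[0-9a-fA-F]{4})")),
}

# Known break-out strings first, then random recombinations of their atoms.
SEED_CORPUS = [
    "<script>alert(1)</script>",
    "<scr<script>ipt>alert(1)</script>",   # defeats non-recursive stripping
    '" onmouseover="alert(1)',             # attribute break-out
    "'; alert(1); //",                     # JS string break-out
    "\\'",                                 # backslash escapes the closing quote
    "</script><script>alert(1)</script>",
]
ATOMS = ["<", ">", '"', "'", "\\", "/", "\n", "script", "img ", "onerror=",
         "alert(1)", ";", "&", "#", "\u2028"]

def payloads(n: int = 300, seed: int = 1) -> Iterator[str]:
    """Seed corpus followed by n random payloads; fixed seed keeps runs reproducible."""
    yield from SEED_CORPUS
    rng = random.Random(seed)
    for _ in range(n):
        yield "".join(rng.choice(ATOMS) for _ in range(rng.randint(1, 6)))

def validate(sanitizer: Callable[[str], str], context: str) -> Optional[dict]:
    """Return the first payload whose sanitized form still breaks out of
    `context`, with the rendered output as evidence; None if nothing breaks out."""
    template, breakout = CONTEXTS[context]
    for p in payloads():
        out = sanitizer(p)
        if breakout.search(out):
            return {"sanitizer": sanitizer.__name__, "context": context,
                    "payload": p, "rendered": template(out)}
    return None

def report() -> dict:
    """Validate every sanitizer in every context; keys are (sanitizer, context)."""
    return {(s.__name__, c): validate(s, c)
            for s in (html_escape, strip_script_tags, js_string_escape)
            for c in CONTEXTS}

if __name__ == "__main__":
    for (s, c), finding in report().items():
        status = "OK" if finding is None else "BREAKOUT " + repr(finding["payload"])
        print(f"{s:20s} in {c:10s}: {status}")
```

Running the block prints one line per (sanitizer, context) pair: html_escape passes in the HTML text and attribute contexts but is flagged in the JavaScript string context because a raw backslash survives it, and strip_script_tags is flagged in every context. The oracle checks only that a context metacharacter survived, which is the cheap necessary condition a static checker can assert; proving exploitability would need a parser for the output context. Each finding carries the payload and the rendered output, which is the kind of evidence the remediation guidance in the third bullet needs.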

“Getting developers to fix security defects requires much more than just integrating static analysis into an IDE. Developers need evidence that the defects identified are real, and they need to understand how to fix those defects in their code,” said Andy Chou, Coverity co-founder and Chief Technology Officer. “First-generation static analysis tools are not effective in helping developers because they don’t credibly provide them with this information. We are making it easy for developers by taking the guesswork out of finding and fixing security defects.”

“We understand development—it’s our DNA as a company,” said Anthony Bettencourt, Chief Executive Officer at Coverity. “We are the undisputed market leader in the static analysis market for embedded software quality and security with over a decade of proven technology and broad developer adoption. Applying this expertise to the web application security market is a natural extension of our development testing strategy. With 75 percent of security attacks occurring at the application level, development is the gatekeeper to solving the application security problem. This innovation will transform how development and security teams work together to jointly address security moving forward.”

“To minimize the risks created by leaving critical business applications vulnerable to attack, application development and security specialists are in need of technologies capable of accurate testing for vulnerabilities such as SQL injection, cross-site scripting and buffer overflow. The next generation of application security testing technologies is capable of delivering it,” said Joseph Feiman, Ph.D., Research Vice President and Gartner Fellow at Gartner Research in the November 29, 2011 report, “Evolution of Application Security Testing: From Silos to Correlation and Interaction.”

Coverity’s new technology will be generally available in September 2012 as part of the Coverity Development Testing platform. Coverity is offering an early access program, which includes a free application security assessment, to select companies.