The usually separated tasks of quality and security analysis are unified with the Coverity-Armorize Product Integration, a new solution announced today that combines Coverity Static Analysis and Armorize CodeSecure.
Bringing to the table its static analysis offering, Coverity enables development teams to see and resolve quality defects, as well as see false positives and the severity of security vulnerabilities detected by security teams. This way, “developers are fixing security and quality problems side by side and are treated the same way,” said Andy Chou, Coverity’s CTO.
“It’s hard for security and development teams to collaborate with each other,” he added, “and it’s one challenge I think we can solve with this partnership of unified quality and security static analysis.”
Armorize’s CodeSecure, a static source code analysis platform, aids in the collaboration of security and development teams. Each security team is given its own CodeSecure console where projects from Coverity are pulled in, explained Caleb Sima, Armorize’s CEO and the former founder of code analysis software maker SPI Dynamics, which was acquired by HP in 2007.
With the console, security teams can assess the risks of the applications, apply security policies such as scanning for cross-site scripting, and prioritize the vulnerabilities, Sima said. The vulnerabilities are then automatically routed to the right developer in the defect management interface, Coverity Integrity Manager, to be fixed, he added. CodeSecure also shows security teams when vulnerabilities are resolved on the development side.
“Traditionally, security has had to force its way into development and has always had to work to produce secure applications without delaying a project,” Sima said. But with this solution, the two teams can work seamlessly together, reducing development time, he said.
The solution is expected to be out of beta by the end of this year.