Coverity Security Advisor

Coverity® Security Advisor surfaces security defects in the developer workflow, with accuracy and actionable remediation guidance.

  • Enable your developers to troubleshoot and fix the security defects that matter quickly and efficiently, without requiring deep security expertise.
  • Effectively build security into development to reduce re-work costs and delayed time to market resulting from defects found late in the cycle.
  • Reduce the risk of costly and brand-damaging security breaches in the field or in production.

Intelligent Code Analysis

Security Advisor helps organizations lower their risk and decrease project costs by identifying critical defects that could lead to security vulnerabilities during development.

Security Advisor uses the Coverity® Static Analysis Verification Engine (Coverity SAVE®) to test code with a deep understanding of its behavior and of each finding's criticality, accurately identifying defects in both C/C++ embedded applications and Java web applications: buffer overflows, integer overflows, format string errors, injection flaws such as SQL injection, and cross-site scripting (XSS).

One of the primary reasons legacy security tools have failed in development is high false-positive rates, that is, inaccurate results. We designed and built our engine from the ground up to address the complexity of today's modern applications, which leads to more accurate results.

Coverity SAVE analysis innovations for Java web application security include:

  • Enterprise Framework Analyzer: augments source code analysis with a deep understanding of modern web applications, including dependency injection, entry points and the MVC paradigm.
  • White Box Fuzzer: automatically validates that data sanitization routines sanitize untrusted data sufficiently and are used in the right context.
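
The kind of check the White Box Fuzzer bullet describes, as an added example that is not part of this page or of Coverity's engine: run probe payloads through a sanitizer and test whether its output can still break out of the sink it is meant to protect. This is a Python sketch rather than Java, and the sanitizers, the probe strings and the MySQL-style model of a single-quoted SQL literal are all assumptions constructed for the illustration.

```python
import html
import re

# Probe payloads, constructed for this example. Each is meant to break out of a
# particular sink context if the sanitizer in front of it is weak or mismatched.
PROBES = [
    "<script>alert(1)</script>",
    "<scr<script>ipt>alert(1)</scr</script>ipt>",   # defeats single-pass tag stripping
    "<img src=x onerror=alert(1)>",                  # no <script> tag needed
    "' OR '1'='1",
    "\\' OR 1=1 -- ",                                # backslash-then-quote, for SQL
]

# --- Hypothetical sanitizers under test (stand-ins, not any product's routines) ---

def html_escape(s):
    """Correct for HTML text content: entity-encodes & < > and both quote characters."""
    return html.escape(s, quote=True)

def remove_script_tags(s):
    """Blocklist sanitizer: strips <script ...> and </script> tags only."""
    return re.sub(r"(?i)</?script[^>]*>", "", s)

def sql_escape_quotes_only(s):
    """Doubles single quotes but ignores backslashes."""
    return s.replace("'", "''")

def sql_escape_full(s):
    """Escapes backslashes and quotes, as a MySQL-style dialect expects."""
    return s.replace("\\", "\\\\").replace("'", "\\'")

# --- Sink context models: does sanitizer output still break the context? ---

def breaks_html_text(out):
    # In HTML text content any literal '<' can open a tag; '&lt;' cannot.
    return "<" in out

def breaks_sql_single_quoted(out):
    # Models a single-quoted literal in a dialect where '' and \' both mean a
    # literal quote (MySQL-style; an assumption of this example). Returns True
    # if a lone quote would terminate the literal early.
    i = 0
    while i < len(out):
        c = out[i]
        if c == "\\":
            i += 2                                   # backslash escapes next char
        elif c == "'":
            if i + 1 < len(out) and out[i + 1] == "'":
                i += 2                               # doubled quote stays inside
            else:
                return True                          # literal terminated: injection
        else:
            i += 1
    return False

CONTEXTS = {
    "html_text": breaks_html_text,
    "sql_single_quoted": breaks_sql_single_quoted,
}

def check_sanitizer(sanitizer, context, probes=PROBES):
    """Run every probe through `sanitizer` and return the (probe, output) pairs
    whose output still breaks out of `context`. An empty list means no finding."""
    breaks = CONTEXTS[context]
    return [(p, sanitizer(p)) for p in probes if breaks(sanitizer(p))]

if __name__ == "__main__":
    cases = [
        (html_escape, "html_text"),                     # right sanitizer, right sink
        (remove_script_tags, "html_text"),              # insufficient sanitizer
        (sql_escape_quotes_only, "sql_single_quoted"),  # insufficient sanitizer
        (sql_escape_full, "sql_single_quoted"),         # right sanitizer, right sink
        (sql_escape_full, "html_text"),                 # right sanitizer, wrong sink
    ]
    for fn, ctx in cases:
        findings = check_sanitizer(fn, ctx)
        status = "OK" if not findings else f"{len(findings)} escape(s)"
        print(f"{fn.__name__:>22} -> {ctx:<18} {status}")
        for probe, out in findings:
            print(f"    probe {probe!r} survives as {out!r}")
```

Running it shows the two failure modes the bullet distinguishes: insufficient sanitization (tag stripping defeated by a nested tag, quote doubling defeated by a preceding backslash) and a correct sanitizer used in the wrong context (a SQL escaper in front of an HTML text sink passes every tag through untouched).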

Efficient Issue Management

Coverity® Connect is the collaborative issue management console for managing every issue surfaced by Quality Advisor, Security Advisor and Test Advisor through to resolution within a unified workflow.

This includes:

  • Prioritization and filtering based on criticality and impact.
  • Source code navigation to identify the exact path to the defect.
  • Automatic identification of every occurrence of a defect across branches.
  • CWE Compatible mapping and knowledge base for each defect.
  • Automatic assignment of defects to the appropriate developer.

To learn more, visit Coverity Connect.

Remediation Engine – Patent Pending:

Another key reason legacy security tools have failed in development is that they require security expertise and lack actionable remediation guidance. Through a deep understanding of the code and application, the Security Advisor remediation engine provides precise guidance with specific information about the right way to fix a defect and the best place to fix it in the code. This ensures your developers remediate defects faster, and ‘get it right the first time’.

SDLC Integrations

Security Advisor provides bi-directional integration with existing lifecycle tools to make development testing a natural part of the SDLC process.

Coverity supports integrations with the critical tools and systems used to support the development process, including:

  • IDEs to surface and remediate defects before code check in, right at the desktop.
  • Source control management to map defects to code changes and responsible developers.
  • Bug tracking to link security defects to your overall defect management process.
  • Build and continuous integration to automatically test for defects with every build or as part of an Agile process.
  • IBM Rational Team Concert to surface Security Advisor defects within a unified workflow for increased traceability and collaboration.
  • HP Application Lifecycle Management (ALM) to surface Security Advisor issues within the HP ALM workflow for increased traceability and collaboration with QA.

Check out our full list of SDLC integrations.

Ready for IBM Rational Software

Get Started

Contact Sales

To learn more about the Coverity Development Testing Platform, please contact us directly.

U.S. Toll Free: (800) 873-8193

International Sales: +1 (415) 321-5237

Ask a Question

Network, collaborate, and share with a community of experts.

Request a Free Trial

The trial process provides a similar experience to a real-world deployment, without disrupting your current processes or production environment.

Schedule a Demo

Register for a 30-minute demo. Talk to our development testing experts. See how we can help your organization.

Get Started Resources

ANALYST REPORT

Forrester Consulting -- The Software Security Risk Report

COVERITY WEBINAR SERIES

The Road to Application Security Starts in Development

WHITE PAPER

The Great Security Divide – Bridging the Chasm Between Security and Development

WHITE PAPER

Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing
