With the rising complexity of applications and the increasing threat of attacks, security risks can no longer be left to the security auditors to tackle on their own. With development teams outnumbering security audit teams by 1,000 to 1, security is no longer an option, but an imperative for software development organizations. By addressing application security beginning in development, organizations can lower their overall risk and reduce the time and cost of security risk mitigation.

Static Application
Security Testing

We are the market leader for Static Application Security Testing (SAST). We enable developers to find and fix OWASP Top 10 issues and other security-related CWE issues in Java and C/C++ code—without requiring them to become security experts.

Our unique SAST capabilities:

Identify High-Impact Vulnerabilities: We accurately identify a wide range of security issues including cross-site scripting (XSS), SQL injection (SQLi), path manipulation, buffer overflows, integer overflows, race conditions, memory leaks, hard-coded credentials, security misconfiguration and many more.

Highly Accurate Analysis: One of the primary reasons that legacy security tools have failed in development is high false positives, or inaccurate results. We designed and built our engine to address the complexity of today’s modern applications, which leads to more accurate results.

Prescriptive Remediation Advice: We provide developers with precise and prescriptive remediation advice. They no longer require deep security expertise to resolve top OWASP issues. We show them exactly where the defect exists and where in the code to fix it.

Coverity Security Library: An open source project initiated by the Coverity Security Research Lab, the Coverity Security Library provides a free, simple, secure and well-tested library of escaping and encoding functions.

Integrated Quality and Security Management: We enable developers to manage quality and security defects from a single console and with one workflow, which improves overall development efficiency.

Interactive Application
Security Testing

We have partnered with NT OBJECTives (NTO) to offer our customers the first developer-ready Integrated Application Security Testing (IAST) solution. This enables us to improve the collaboration between security and development teams and allows organizations to address security earlier in the lifecycle. Now, results from NTO’s Dynamic Application Security Testing (DAST) solution, NTOSpider, are integrated into the development workflow through Coverity Connect, our centralized issue management interface, and automatically correlated with our SAST findings.

Benefits of the IAST solution include:

Higher Confidence Results: Combine the detection of a potential vulnerability found through SAST, with verification through a real-time exploit attempt provided by DAST. IAST determines whether the vulnerability is real and where in the code is located.

Comprehensive Analysis: Tune the DAST analysis based on Coverity’s deep understanding of the application’s entry points and parameters.

Improved Efficiency: Address proven vulnerabilities more quickly and easily from within a unified workflow.


We help security teams lower their risk of security breaches by providing more visibility into potential areas of risk much earlier in the lifecycle and without requiring access to the code. Teams can quickly filter, view and report on outstanding security vulnerabilities and track improvements to the security posture across development sprints or cycles.


Establish and Enforce Security Compliance Policies: Coverity Policy Manager enables security teams to create consistent policies for code security and monitor compliance against the OWASP Top 10, PCI and internally developed compliance standards.

Improve Visibility into Risk: Security teams then quickly view which teams or projects are out of compliance with the established policies and track overall security trends over time.

Empower Developers to Find and Fix Critical Defects: The Coverity Development Testing Platform enables developers to find and fix critical security vulnerabilities such as OWASP Top 10 and PCI compliance issues, without requiring security expertise and within the same workflow they use to manage quality. With our remediation engine, we show developers exactly where the issue exists and where to fix it. This enables organizations to scale security efforts while consistently managing and measuring the overall secure development lifecycle.

Seamless Integration with Your Existing Process: Our development testing platform is an open and extensible solution which is designed to integrate with existing tools and processes. We help mitigate security risks through focused development testing without getting in the way or slowing development down.


Our platform helps developers build-in security from the start, effectively and efficiently, and builds a bridge between development and security teams.

Connect_SA_OWASP2 web

Find Critical Defects: Automatically identify critical defects as the code is written, without getting slowed down by noisy results.

Fix Problems Quickly: Use Coverity’s patent-pending remediation engine to quickly fix vulnerabilities, without requiring deep expertise.

Avoid Re-Work and Delays: Identify defects as the code is written, to avoid costly re-work and delays caused by issues found late in the development cycle.

Improved Collaboration with Security: Work together to ensure security policies are clear and teams are meeting internal security standards.

Coverity Coverage
for OWASP Top 10:

OWASP Top 10 2013 CWE Mapping CWE Name
A1: Injection CWE-77 Improper Neutralization of Special Elements used in a Command (Command Injection)
A1: Injection CWE-78 Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
A1: Injection CWE-88 Argument Injection or Modification
A1: Injection CWE-89 Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
A1: Injection CWE-90 LDAP Injection
A1: Injection CWE-564 SQL Injection: Hibernate
A1: Injection CWE-917 Expression Language Injection
A2: Broken Authentication and Session Management CWE-259 Use of Hardcoded Passwords
A2: Broken Authentication and Session Management CWE-321 Use of a Hardcoded Cryptographic Key
A2: Broken Authentication and Session Management CWE-384 Session Fixation
A2: Broken Authentication and Session Management CWE-798 Use of Hard Coded Credentials
A3: Cross-site Scripting (XSS) CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
A3: Cross-site Scripting (XSS) CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
A3: Cross-site Scripting (XSS) CWE-81 Improper Neutralization of Script in an Error Message Web Page
A3: Cross-site Scripting (XSS) CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
A3: Cross-site Scripting (XSS) CWE-83 Improper Neutralization of Script in Attributes in a Web Page
A3: Cross-site Scripting (XSS) CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page
A3: Cross-site Scripting (XSS) CWE-86 Improper Neutralization of Invalid Characters in Identifiers in a Web Page
A3: Cross-site Scripting (XSS) CWE-87 Improper Neutralization of Alternate XSS Syntax
A4: Insecure Direct Object References CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
A4: Insecure Direct Object References CWE-23 Relative Path Traversal
A4: Insecure Direct Object References CWE-36 Absolute Path Traversal
A5: Security Misconfiguration CWE-4 J2EE Environment Issues
A5: Security Misconfiguration CWE-7 J2EE Misconfiguration: Missing Custom Error Page
A5: Security Misconfiguration CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
A5: Security Misconfiguration CWE-650 Trusting HTTP Permission Methods on the Server Side
A6: Sensitive Data Exposure CWE-321 Use of Hard-coded Cryptographic Key
A7: Missing Function Level Access Control CWE-425 Direct Request (‘Forced Browsing’)
A7: Missing Function Level Access Control  CWE- 862 Missing Authorization
A7: Missing Function Level Access Control CWE-863 Incorrect Authorization
A8: Cross-Site Request Forgery (CSRF) CWE-352 Cross-Site Request Forgery (CSRF)
A10: Unvalidated Redirects and Forwards CWE-938 Unvalidated Redirects and Forwards


Contact Sales

Contact Sales

To learn more about the Coverity Development Testing Platform, please contact us directly.

U.S. Toll Free: (800) 873-8193

International Sales: +1 (415) 321-5237


Ask a Question

Ask a Question

Network, collaborate, and share with a community of experts.


Request a Free Trial

Request a Free Trial

The trial process provides a similar experience to a real-world deployment, without disrupting your current processes or production environment.


Schedule a Demo

Schedule a Demo

Register for a 30-minute demo. Talk to our development testing experts. See how we can help your organization.




Development Testing for Security



Fixing XSS: A Practical Guide for Developers




Security Research Lab Blog