
Security

Security breaches make headline news and have a material impact on the business. According to a recent study, the average cost of a security breach is more than seven million dollars. Software applications and the underlying code are the most vulnerable, with 75% of attacks happening at the application layer.

With the rising complexity of applications and the increasing threat of attacks, security risks can no longer be left to the security auditors to tackle on their own. With development teams outnumbering security audit teams by 1,000 to 1, security is no longer an option, but an imperative for software development organizations. By addressing application security beginning in development, organizations can lower their overall risk and reduce the time and cost of security risk mitigation.

We work with more than 1,100 customers including three of the top five security companies to assure the quality and security of their code. Coverity enables organizations developing C, C++ and Java applications to effectively and efficiently build security into the development process by eliminating critical defects that could lead to security vulnerabilities earlier in the development lifecycle, without jeopardizing speed or cost. Developers can manage quality and security defects together, in their existing workflow, without requiring them to become security experts or impacting their productivity.

Static Application Security Testing (SAST)

We are the market leader for Static Application Security Testing (SAST). We find OWASP Top 10 and CWE Top 25 issues in Java and C/C++ code, such as injection issues, cross-site scripting, buffer overflows, integer overflows, format string errors and incorrect authorization issues, during development — without requiring developers to become security experts.

Our unique SAST capabilities:

Intelligent Code Analysis: Our SAST solution, Coverity Security Advisor, utilizes Coverity SAVE (Static Analysis Verification Engine), the award-winning analysis engine for the Coverity Development Testing platform. Coverity SAVE applies multiple patented techniques for accurate issue detection, based on a decade of research and development and on the analysis of more than 5 billion lines of proprietary and open source code.

Highly Accurate Analysis: One of the primary reasons that legacy security tools have failed in development is high false positives, or inaccurate results. We designed and built our engine from the ground up to address the complexity of today's modern applications, which leads to more accurate results. Coverity SAVE intelligently tests code with a deep understanding of its behavior, criticality and change impact, to focus testing on high-risk areas and accurately detect defects often difficult to find through traditional testing.

Additional technology innovations for Java web application security:

Enterprise Framework Analyzer: Augment source code analysis by providing a deep understanding of modern web applications including dependency injection, entry points and the MVC paradigm.

White Box Fuzzer: Automatically validate that data sanitization routines perform sufficient sanitization of untrusted data and are used in the right context.

Prescriptive Remediation Advice: Provide precise and prescriptive remediation advice. Developers no longer require deep security expertise to resolve top OWASP issues. We show them exactly where the defect exists and where in the code to fix it. In many cases, we provide the code they can use to fix the issue versus providing generic remediation advice.

Coverity Security Library: An open source project initiated by the Coverity Security Research Lab that provides a free, simple, secure and well-tested library of escaping and encoding functions. This enables developers to quickly plug some of the most common security holes that can lead to brand damaging and costly security breaches.

Integrated Quality and Security Management: We enable developers to manage quality and security defects from a single console and with one workflow, which improves overall development efficiency.

Mobile Application Security Testing: We find critical security and quality defects in leading mobile platforms such as Android, Symbian and Windows Mobile. We provide Android-specific analysis algorithms and API models to flag Google Android SDK-specific issues that can lead to reduced battery life, usability and performance slowdowns, as well as potential security weaknesses.

Interactive Application Security Testing (IAST)

We have partnered with NT OBJECTives (NTO) to offer our customers the first developer-ready Interactive Application Security Testing (IAST) solution. This enables us to improve the collaboration between security and development teams and allows organizations to address security earlier in the lifecycle. Now, results from NTO's Dynamic Application Security Testing (DAST) solution, NTOSpider, are integrated into the development workflow through Coverity Connect, our centralized issue management console, and automatically correlated with our SAST findings.

Benefits of the IAST solution include:

Higher Confidence Results: By integrating NTO's DAST solution with our SAST solution, we're enhancing our already highly accurate analysis by combining the detection of a potential vulnerability found through SAST with verification through a real-time exploit attempt provided by DAST. IAST determines whether the vulnerability is real and where in the code it is located.

Comprehensive Analysis: A common concern for users of DAST technology is whether or not the complete application has been analyzed. By leveraging Coverity's state-of-the-art static analysis engine and Enterprise Framework Analyzer, which has a precise understanding of the application's entry points and parameters, teams can tune the analysis of the NTOSpider solution to ensure the complete application is analyzed.

Improved Efficiency: Developers can prioritize the proven vulnerabilities more quickly and easily. Now, quality and security issues found by the Coverity Development Testing Platform and those found by the NTOSpider solution can be managed from a single pane of glass with a unified workflow.

Improved Visibility into Testing: As an application is under test by the NTOSpider solution, our instrumentation captures coverage data which provides visibility into every line of code exercised by a test. This provides critical information needed to tune the parameters of the DAST testing. Organizations can also establish and enforce consistent policies for what areas of the code must be tested and automatically assign missing tests to the appropriate owner for resolution with Coverity Test Advisor.

Security Team Benefits

We help security teams lower their risk of security breaches by providing more visibility into potential areas of risk in development and with supply chain partners. Now development teams can manage security and quality issues from a single workflow, which helps improve development adoption.

Policy Lifecycle Management: Coverity Policy Manager enables security teams to work with developers to create consistent policies for code security as part of the standard development process. Code acceptance criteria can be established such that the code cannot ship, or the code will not be accepted from a supplier, if there are uninspected or critical security defects present such as overflow or injection issues.

Improved Visibility into Risk: Security teams can then quickly view which teams or projects are out of compliance with the established policies and track overall security trends over time.

Empower Developers to Find and Fix Critical Defects: The Coverity Development Testing Platform enables developers to find and fix critical defects that could lead to security vulnerabilities without requiring security expertise and within the same workflow they use to manage quality, which helps improve development adoption. With our remediation engine, we show developers exactly where the issue exists and where to fix it. By empowering development teams, organizations can scale security efforts while consistently managing and measuring the overall secure development lifecycle.

Seamless Integration with Your Existing Process: Our development testing platform is an open and extensible solution which is designed to integrate with existing tools and processes. We help mitigate security risks through focused development testing without getting in the way or slowing development down.

Development Team Benefits

According to Forrester Consulting, the top three issues developers encounter when working with web application security tools and technologies are:

  1. They don't integrate well with the development environment
  2. They are too complex or require too much security expertise
  3. They have high false positive rates

The Coverity Development Testing Platform was specifically designed to overcome the challenges developers face with legacy tools. We provide a solution purpose-built for developers, which enables them to efficiently and effectively manage quality and security of C/C++ and Java code as part of their standard workflow.

The development team benefits of our security solution include:

Improved Developer Productivity: Two of the primary reasons that legacy security tools have failed in development are 1) a high number of false positives and 2) too much security expertise required. We designed and built our engine from the ground up to address the complexity of today's modern applications, which leads to more accurate results. As a result, we have one of the industry's most accurate solutions and lowest false positive rates. Coverity SAVE applies multiple patented technologies to intelligently test code with a deep understanding of its behavior, criticality and change impact, focusing testing on high-risk areas and accurately detecting defects that are often difficult to find through traditional testing. In addition, the remediation engine provides developers with specific guidance on how to fix issues without requiring deep security expertise, so organizations can be confident that developers are efficiently fixing the identified security issues.

Faster Time-to-Market and Reduced Costs: One of the largest risks for a schedule delay is finding defects late in the cycle; it requires additional time and costs to fix defects when they are identified after development is done. This is especially problematic for security, as many issues aren't identified until the security audit near the end of the cycle. By surfacing both quality and security defects in the developer workflow, with actionable remediation guidance, developers can quickly and efficiently remediate the security defects that matter, as code is written—without requiring deep security expertise. This not only decreases the risk of production and field failures but actually helps reduce the time and cost of fixing issues, to help deliver software faster and more reliably.

Improved Collaboration with Security: While security and development typically have different objectives and incentives, they need to work together to minimize the security risks in an application. By providing organizations with a single platform and standardized, unified process for assuring code quality and security during development, security and development have a common language and visibility to work together to effectively build security into development. With technology that developers will actually adopt and a way to manage security in the same way they manage quality today, developers can build security into their process, and security can get their requirements built into the development process, with ease.