Deeply-Understanding Static Analysis Testing For Developers

Developer testing company Coverity has announced new static analysis technology designed to empower development teams to address security defects in Java web applications.

Combining the firm’s static analysis technology and its defect detection tools, the new product aims to extend static analysis to “deeply understand” both source code and modern web application architecture.

The result of this deep understanding, Coverity says, is greater accuracy plus remediation guidance, so that developers can find and fix the defects behind the most commonly exploited vulnerability classes, including SQL injection and cross-site scripting.

Designed to analyze web applications from the developer’s point of view, Coverity’s new technology sets out to drive developer adoption of static application security testing, something the company says the “shallow and incomplete analysis” of first-generation tools failed to achieve.

The product augments static source code analysis with a framework analyzer that reduces the inaccuracies that arise when tainted data passes through application frameworks, and with them the false positives. It also runs a white box fuzzer inside the static analysis to validate automatically that data sanitization routines do enough to neutralize untrusted data and that each routine is used in the right context: an HTML-escaping routine, for example, is the wrong defense for a SQL sink or an unquoted attribute.
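The sanitizer check described above, as an added illustration written for this page (it is not Coverity's code, which analyzes Java and is not reproduced here, and it uses Python so it can be run directly): a handful of constructed attack probes are pushed through a sanitizer, and the output is tested against the grammar of the sink it is about to feed. Every probe payload, every per-context "danger" rule and every function name (`fuzz_sanitizer`, `strip_script_tags`, `attr_escape` and the rest) is an assumption made for the example. It shows both failure modes the article names: a sanitizer that is simply insufficient, and a correct sanitizer used in the wrong output context.

```python
"""Fuzz-check sanitizers against the sink context they are meant to protect.

Added illustration, not Coverity's code: push attack probes through a
sanitizer and test the output against the grammar of the sink it feeds.
Probes, per-context danger rules and function names are all constructed."""
import html
import re

# Constructed attack probes, one list per sink context.
PROBES = {
    "html_body": [
        "<script>alert(1)</script>",
        "<SCRIPT>alert(1)</SCRIPT>",           # case variation
        "<img src=x onerror=alert(1)>",        # no <script> tag at all
    ],
    "html_attr_unquoted": [
        "x onmouseover=alert(1)",              # whitespace starts a new attribute
        "x\tonfocus=alert(1)",
        "\"><script>alert(1)</script>",
    ],
    "js_string": [
        "'; alert(1); //",
        "\\",                                  # lone backslash eats the closing quote
        "</script><script>alert(1)</script>",
    ],
    "sql_string": [
        "' OR 1=1 --",
        "\\' OR 1=1 --",                       # backslash-escaped quote, MySQL style
    ],
}

def _odd_quote_run(s):
    """An odd-length run of single quotes closes a SQL string literal."""
    return any(len(run) % 2 == 1 for run in re.findall(r"'+", s))

def _js_dangerous(s):
    # Well-formed \uXXXX escapes are inert; quotes, a stray backslash, line
    # terminators or "</" (think </script>) can still end the literal.
    stripped = re.sub(r"\\u[0-9a-fA-F]{4}", "", s)
    return re.search(r"['\"\\\r\n\u2028\u2029]|</", stripped) is not None

# Per context: does this already-sanitized string still break the sink?
DANGER = {
    "html_body": lambda s: re.search(r"<\s*[a-z/!?]", s, re.I) is not None,
    "html_attr_unquoted": lambda s: re.search(r"[\s=<>\"'`]", s) is not None,
    "js_string": _js_dangerous,
    "sql_string": lambda s: "\\" in s or _odd_quote_run(s),
}

# --- sanitizers under test (all constructed for this example) ---------------
def html_escape(s):
    return html.escape(s)                      # & < > " ' -> entities

def strip_script_tags(s):
    # Deliberately weak blacklist: case-sensitive and blind to event handlers.
    return re.sub(r"<script[^>]*>.*?</script>", "", s, flags=re.S)

def attr_escape(s):
    # Entity-encode everything but ASCII alphanumerics: safe even unquoted.
    return "".join(c if c.isascii() and c.isalnum() else "&#x%x;" % ord(c)
                   for c in s)

def js_string_escape(s):
    # \uXXXX-encode everything but ASCII alphanumerics, as UTF-16 units so
    # characters outside the BMP become surrogate pairs.
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
            continue
        units = c.encode("utf-16-be")
        out.extend("\\u%04x" % int.from_bytes(units[i:i + 2], "big")
                   for i in range(0, len(units), 2))
    return "".join(out)

def sql_quote_double(s):
    return s.replace("'", "''")                # standard SQL quote doubling

def fuzz_sanitizer(sanitizer, context):
    """Probes of `context` that stay dangerous after passing through `sanitizer`."""
    is_dangerous = DANGER[context]
    return [p for p in PROBES[context] if is_dangerous(sanitizer(p))]

if __name__ == "__main__":
    pairs = [(html_escape, "html_body"),            # right sanitizer, right context
             (strip_script_tags, "html_body"),      # insufficient sanitizer
             (html_escape, "html_attr_unquoted"),   # right sanitizer, wrong context
             (attr_escape, "html_attr_unquoted"),
             (html_escape, "js_string"),            # wrong context again
             (js_string_escape, "js_string"),
             (sql_quote_double, "sql_string")]      # why parameterized queries exist
    for fn, ctx in pairs:
        survivors = fuzz_sanitizer(fn, ctx)
        verdict = "OK" if not survivors else "FAIL %r" % survivors
        print("%-18s in %-18s %s" % (fn.__name__, ctx, verdict))
```

Run stand-alone it prints one verdict per pairing. `html_escape` passes for HTML body content but fails for an unquoted attribute (a space starts a new attribute) and for a JavaScript string literal (an unescaped backslash swallows the closing quote), which is exactly the "right sanitizer, wrong context" case; `strip_script_tags` fails on a case variation and on an event handler because it blacklists one tag instead of encoding; and quote doubling is not enough for a SQL string where backslash escapes are honored, which is why the remediation for SQL injection is a parameterized query rather than a better sanitizer.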

“Getting developers to fix security defects requires much more than just integrating static analysis into an IDE. Developers need evidence that the defects identified are real, and they need to understand how to fix those defects in their code,” said Andy Chou, Coverity cofounder and chief technology officer. “First-generation static analysis tools are not effective in helping developers because they don’t credibly provide them with this information. We are making it easy for developers by taking the guesswork out of finding and fixing security defects.”