Developers are the gatekeepers

Coverity brings static analysis innovations to Java web apps

Chris Mayer
Coverity

Coverity have noticed a gaping hole in Java web application security and seek to plug it with Coverity Development Testing for Web Application Security

Development testing expert Coverity is expanding its security
tool arsenal by revealing new innovations to tackle even the most
elusive defects within the source code of Java web
applications.

Building upon their already solid grounding in static analysis
technology, Coverity will enter the Java web application world for
the first time, diversifying slightly away from providing testing
tools for C, C++, C# and Java programs and from their work in
the embedded technology space.

Coverity co-founder and CEO, Andy Chou told JAXenter that this
first of its kind tool would help Java web app developers seek out
“Java defects earlier on in the development process before security
auditing teams can get involved”.

He added: “We think this is a commonly-held belief that
development teams are the gatekeepers for security in the following
sense – there’s large numbers of developers, they’re the only ones
who can modify the source code for security defects and ultimately
they can do a lot with that. If you look at a typical ratio between
development and security teams, there’s maybe a hundred to a
thousand for every security professional. Ultimately we have to
enable developers to find and fix security defects and that’s what
this product is about.”

Whilst realising that it is nigh on impossible to expect
developers to become security experts overnight, this Enterprise
Java web application static analysis tool is a welcome step towards
educating Java developers about the perils of such defects, and the
need to eliminate them very early on in the process.

The first of these is a framework analyser that augments static
source code analysis. Modern web frameworks free developers from the
menial plumbing needed to create large scalable applications, but
according to Chou, the first generation of static analysis tools
simply don’t have ‘the understanding to deal with these frameworks
at this level’. The analyser tracks data as it passes through the
framework and how the application’s own source code interacts with
it, reducing the inaccuracies that arise when the framework is
treated as a black box. This is truly a big leap for static
analysis, becoming immersive with the application.

The next component Coverity have built is a white box fuzzer,
incorporated into the tool, that automatically validates
data sanitization routines, checking that these routines are correct
and used in the correct context, and heavily reducing the amount of
configuration needed.

Chou said: “With a lot of defects, what you do to fix them
is you take a sanitization routine to cleanse tainted data coming
into the application from the user. Depending on the defect, you
have to cleanse it differently. Essentially this white box fuzzer
automatically infers these application sanitization
functions.”
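As an added illustration of the point Chou makes above, and not code from the article or from Coverity’s product: a small Java harness that feeds constructed seed inputs through three sanitizers and checks whether each output is still acceptable in a given output context. The three contexts and their rules, the three sanitizers and the seed strings are all assumptions made for this example; a real white box fuzzer infers the sanitizers from the application and generates its inputs rather than working from a fixed list.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.UnaryOperator;

// Added example (not Coverity's code): checks whether a sanitizer's output
// is acceptable in a given output context. Context rules and seed inputs
// are simplified assumptions for illustration only.
public class SanitizerContextCheck {

    // Output contexts and what a sanitized value must never contain there.
    enum Context {
        HTML_BODY,       // text between tags: no raw '<' or '>'
        HTML_ATTRIBUTE,  // inside a quoted attribute: additionally no raw quotes
        SQL_LITERAL      // inside '...': no run of single quotes of odd length
    }

    // Sanitizer 1: full HTML escaping, correct for both HTML contexts.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Sanitizer 2: a "remove tags" routine that only strips angle brackets.
    static String stripAngleBrackets(String s) {
        return s.replaceAll("[<>]", "");
    }

    // Sanitizer 3: doubling single quotes, the classic SQL string-literal escape.
    static String doubleSqlQuotes(String s) {
        return s.replace("'", "''");
    }

    // Does a sanitized value satisfy the rule of the target context?
    static boolean acceptableIn(Context ctx, String out) {
        switch (ctx) {
            case HTML_BODY:
                return out.indexOf('<') < 0 && out.indexOf('>') < 0;
            case HTML_ATTRIBUTE:
                return acceptableIn(Context.HTML_BODY, out)
                        && out.indexOf('"') < 0 && out.indexOf('\'') < 0;
            case SQL_LITERAL: {
                // Walk runs of quotes; an odd-length run would close the literal.
                int i = 0;
                while (i < out.length()) {
                    if (out.charAt(i) != '\'') { i++; continue; }
                    int run = 0;
                    while (i < out.length() && out.charAt(i) == '\'') { run++; i++; }
                    if (run % 2 != 0) return false;
                }
                return true;
            }
            default:
                throw new IllegalArgumentException(ctx.name());
        }
    }

    // Constructed seed inputs standing in for tainted user data.
    static final List<String> SEEDS = List.of(
            "plain text", "<b>bold</b>", "it's", "say \"hi\"", "'; --", "a&b");

    // True only if every seed is acceptable in ctx after sanitization.
    static boolean validate(UnaryOperator<String> sanitizer, Context ctx) {
        return SEEDS.stream().allMatch(seed -> acceptableIn(ctx, sanitizer.apply(seed)));
    }

    public static void main(String[] args) {
        Map<String, UnaryOperator<String>> sanitizers = new LinkedHashMap<>();
        sanitizers.put("escapeHtml", SanitizerContextCheck::escapeHtml);
        sanitizers.put("stripAngleBrackets", SanitizerContextCheck::stripAngleBrackets);
        sanitizers.put("doubleSqlQuotes", SanitizerContextCheck::doubleSqlQuotes);
        for (Map.Entry<String, UnaryOperator<String>> e : sanitizers.entrySet()) {
            for (Context ctx : Context.values()) {
                System.out.printf("%-20s in %-15s -> %s%n", e.getKey(), ctx,
                        validate(e.getValue(), ctx) ? "OK" : "NOT SAFE");
            }
        }
    }
}
```

Run it with `java SanitizerContextCheck.java` (Java 11 or later). The matrix it prints is the point: stripAngleBrackets holds up in an HTML body but fails in an attribute and in a SQL literal, while doubleSqlQuotes is fine for SQL and useless for HTML, which is exactly the “used in the correct context” failure Chou describes. One caveat to keep in mind: passing a rule here only means the toy check found no way to break out of the context. escapeHtml passes the SQL check because it removes quotes, yet it is still the wrong routine there, since it silently alters the stored data; a sanitizer has to match the sink, not merely survive a filter.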

Lastly, and arguably the most important part of Coverity’s
announcement, is defect-specific remediation guidance, intended to
help developers understand how to fix defects efficiently, which
surprisingly no other tools fully offer currently.

Chou adds: “Most products in the space give you
documentation saying ‘here’s how to deal with this generically’ and
that’s not enough for developers. They need that generic advice
translated to the specific technology and the code they’ve written.
We’ve put in an analyser which looks for defects and the specific
context in which the code is being reported. This is something
developers really need because they’re not security
experts.”

Chou believes that this trio of tools will give Java web
developers ‘accurate results with very few false positives’ and
precise advice so they can fix things and take decisive action in
their busy day. It should give developers the full picture into
what might be causing their problems in their web application and
eradicate the most hardy of Java bugs early on.

The first version of the static analysis tool will support two
of the biggest Java EE frameworks in Hibernate and Spring,
excellent acquisitions to push forward adoption.

Initial plans only stretch to Java EE, but there’s scope to
extend that to more widely-used web technologies such as PHP and
JavaScript in the future should this product make a big splash,
when its final release arrives in September as Coverity
Development Testing for Web Application Security.

Currently, Coverity is offering an early access program,
which includes a free application security assessment, to select
companies. To apply for the early access program, register here.

Coverity have tackled a gap within the Java web
security space, and the opening gambit looks a promising one to
build upon.
