Developers are the gatekeepers

Coverity brings static analysis innovations to Java web apps

Chris Mayer

Coverity have noticed a gaping hole in Java web application security and seek to plug it with Coverity Development Testing for Web Application Security

Development testing expert Coverity is expanding its security tool arsenal by revealing new innovations to tackle even the most elusive defects within the source code of Java web applications.

Building on its established static analysis technology, Coverity is entering the Java web application space for the first time, a modest diversification from its existing testing tools for C, C++, C# and Java programs and its work in embedded systems.

Coverity co-founder and CEO Andy Chou told JAXenter that this first-of-its-kind tool would help Java web app developers seek out “Java defects earlier on in the development process before security auditing teams can get involved”.

He added: “We think this is a commonly-held belief that development teams are the gatekeepers for security in the following sense – there are large numbers of developers, they’re the only ones who can modify the source code for security defects and ultimately they can do a lot with that. If you look at a typical ratio between development and security teams, there’s maybe a hundred to a thousand for every security professional. Ultimately we have to enable developers to find and fix security defects and that’s what this product is about.”

It is nigh on impossible to expect developers to become security experts overnight, but this enterprise Java web application static analysis tool is a welcome step towards educating Java developers about the perils of such defects and the need to eliminate them very early in the process. Coverity has built three pieces of technology into the product.

The first of these is a framework analyser that augments static source code analysis with knowledge of the web framework in use. Modern web frameworks free developers from the menial plumbing needed to build large, scalable applications, but according to Chou the first generation of static analysis tools simply don’t have ‘the understanding to deal with these frameworks at this level’. The analyser models how data passes through the framework and how the application’s own source code interacts with it, reducing the inaccuracies that arise when an analyser treats the framework as opaque. This is a significant step for static analysis: the tool becomes aware of the application as a whole rather than just its raw source files.

The second is a white box fuzzer built into the tool that automatically validates data sanitization routines, checking both that they are correct and that they are used in the right context, which greatly reduces the configuration the tool needs.

Chou said: “With a lot of defects, what you do to fix them is you take a sanitization routine to cleanse tainted data coming into the application from the user. Depending on the defect, you have to cleanse it differently. Essentially this white box fuzzer automatically infers these application sanitization functions.”
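The point Chou makes is that a sanitizer is only correct relative to the sink it feeds. The following is an added example, not Coverity’s code and not from the original article, that shows the idea in miniature: two escaping routines, each correct for one context, are run against a small constructed corpus of hostile inputs and a crude model of two sinks (an HTML text node and a MySQL-style single-quoted SQL literal). The class and method names, the sink models and the corpus are all assumptions made for illustration; a real tool would infer the sanitizers and sinks from the application’s code rather than have them listed by hand.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.UnaryOperator;

// Constructed example: checking a sanitizer against the sink it actually feeds.
// Not Coverity's code; the sink models and the input corpus are illustrative assumptions.
public class SanitizerContextCheck {

    enum Sink { HTML_BODY, SQL_SINGLE_QUOTED_LITERAL }

    // Sanitizer meant for HTML text nodes: entity-encode the five HTML metacharacters.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Sanitizer meant for a MySQL-style single-quoted literal: escape backslashes, double quotes.
    // Parameterised queries are the real fix; this routine is here only to show one that is
    // right for exactly one sink.
    static String escapeSqlLiteral(String s) {
        return s.replace("\\", "\\\\").replace("'", "''");
    }

    // Sink model: would the sanitized value break out of the given context?
    static boolean breaksOutOf(String v, Sink sink) {
        switch (sink) {
            case HTML_BODY:
                // A raw '<' or '>' can open or close a tag inside text content.
                return v.indexOf('<') >= 0 || v.indexOf('>') >= 0;
            case SQL_SINGLE_QUOTED_LITERAL:
                // Walk the literal as a MySQL-style parser would: '\' escapes the next
                // character, and '' is a literal quote.
                for (int i = 0; i < v.length(); i++) {
                    char c = v.charAt(i);
                    if (c == '\\') {
                        if (i == v.length() - 1) return true; // escapes the closing quote
                        i++;
                    } else if (c == '\'') {
                        if (i + 1 < v.length() && v.charAt(i + 1) == '\'') i++;
                        else return true;                      // unpaired quote ends the literal
                    }
                }
                return false;
            default:
                throw new IllegalArgumentException(sink.toString());
        }
    }

    // Constructed corpus: inputs carrying each sink's metacharacters.
    static final List<String> CORPUS = List.of(
        "<script>alert(1)</script>",
        "' OR '1'='1",
        "\\' OR 1=1 -- ",
        "trailing backslash \\",
        "plain text",
        "a & b < c");

    // Run every corpus entry through the sanitizer; return the inputs that still break the sink.
    static List<String> survivors(UnaryOperator<String> sanitizer, Sink sink) {
        List<String> bad = new ArrayList<>();
        for (String in : CORPUS) {
            if (breaksOutOf(sanitizer.apply(in), sink)) bad.add(in);
        }
        return bad;
    }

    public static void main(String[] args) {
        for (Sink sink : Sink.values()) {
            System.out.println(sink + " <- escapeHtml       : "
                + survivors(SanitizerContextCheck::escapeHtml, sink));
            System.out.println(sink + " <- escapeSqlLiteral : "
                + survivors(SanitizerContextCheck::escapeSqlLiteral, sink));
        }
    }
}
```

Each routine passes the check for its own sink and fails for the other: the HTML escaper lets a trailing backslash through to the SQL literal, where it swallows the closing quote, and the SQL escaper leaves angle brackets untouched for the HTML sink. A taint analysis that merely marks data as “sanitized” without recording for which sink would accept both flows.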

Lastly, and arguably the most important part of Coverity’s announcement, is defect-specific remediation guidance, intended to show developers how to fix each reported defect efficiently, which, Coverity claims, no other tool currently offers in full.

Chou adds: “Most products in the space give you documentation saying ‘here’s how to deal with this generically’ and that’s not enough for developers. They need that generic advice translated to the specific technology and the code they’ve written. We’ve put in an analyser which looks for defects and the specific context in which the code is being reported. This is something developers really need because they’re not security experts.”

Chou believes that this trio of technologies will give Java web developers ‘accurate results with very few false positives’ and precise advice, so that they can fix defects decisively without it eating into an already busy day. The aim is to give developers a full picture of what is causing problems in their web application and to eradicate the hardiest Java bugs early on.

The first version of the tool will support two of the most widely used frameworks in the Java enterprise ecosystem, Hibernate and Spring, a sensible choice to drive adoption.

Initial plans stretch only to Java EE, but there is scope to extend to other widely used web technologies such as PHP and JavaScript in the future, should the product make a big splash when its final release arrives in September as Coverity Development Testing for Web Application Security. Coverity is currently offering an early access programme, which includes a free application security assessment, to selected companies.

Coverity has identified a gap in Java web application security tooling, and this opening gambit looks a promising one to build upon.
