Coverity, which already provides a static code analysis solution for compiled C, C++, C# and Java programs, has stepped into the web application testing domain with a bang. With this announcement the company claims to have taken static analysis for web applications to new heights.
The edge this offering gives developers is that it performs complete static analysis of the modern web application architecture, i.e. the frameworks, together with the application source code, which the tools available to date have been missing. Though these web frameworks alleviate the overhead of common web development activities, analysing them is tricky because they consist of libraries: static analysis of code that calls into a framework points at the framework function, not at the code that actually executes in the live environment. This leaves developers with half-baked information when it comes to defect tracking.
The solution from Coverity minimizes inaccuracies when data passes through application frameworks, thereby reducing false positives. Developers thus get greater visibility, which helps them accurately find security defects. The offering not only helps find defects but also helps fix them effectively: the tool provides precise, defect-specific remediation guidance so that developers understand the issue and fix it correctly and efficiently. The most commonly exploited vulnerabilities, such as SQL injection and cross-site scripting, can therefore largely be eliminated in the development phase itself.
The tool incorporates a white-box fuzzer inside the static analysis to automatically validate that data sanitization routines sanitize untrusted data sufficiently and are used in the right context.
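To make the "sufficient sanitization in the right context" check concrete, here is an added example (not Coverity's fuzzer or any vendor code) that probes two small sanitizers against simplified, hypothetical rules for three output contexts and reports which probe characters survive unneutralized; the probe set, context rules and sink list are all constructed for illustration.

```python
import html
import re
from typing import Callable, Dict, List, Tuple

# Constructed probe inputs: one per character that changes meaning in some output context.
PROBES: List[str] = ["'", '"', "<", ">", "&"]

# A raw '<' or '>' , or a '&' that does not start an entity, breaks out of an HTML text node.
_HTML_RAW = re.compile(r"[<>]|&(?!#\d+;|#x[0-9a-fA-F]+;|[a-zA-Z]+;)")

# Simplified rules for what a sanitized value must look like in each output context.
# Hypothetical model for illustration; a real checker models the consumer's full grammar.
CONTEXT_RULES: Dict[str, Callable[[str], bool]] = {
    "html_text": lambda out: _HTML_RAW.search(out) is None,
    # Inside a double-quoted attribute a raw '"' ends the attribute as well.
    "html_attr_dq": lambda out: _HTML_RAW.search(out) is None and '"' not in out,
    # Inside a single-quoted SQL literal every quote must be doubled; a lone quote ends it.
    "sql_string_literal": lambda out: "'" not in out.replace("''", ""),
}

def html_escape_text(s: str) -> str:
    """Entity-encodes <, > and & only; quotes are left untouched."""
    return html.escape(s, quote=False)

def sql_quote_double(s: str) -> str:
    """Doubles single quotes, the ANSI SQL way to embed a quote in a literal.
    Illustrative only: parameterized queries are the correct fix in real code."""
    return s.replace("'", "''")

def check_sanitizer(sanitizer: Callable[[str], str], context: str) -> List[str]:
    """Return the probes whose sanitized output still violates the context's rule."""
    rule = CONTEXT_RULES[context]
    return [p for p in PROBES if not rule(sanitizer(p))]

def audit(usages: List[Tuple[str, Callable[[str], str], str]]) -> Dict[str, List[str]]:
    """Map 'sanitizer@context' to the probes that sanitizer fails to neutralize there."""
    return {f"{name}@{ctx}": check_sanitizer(fn, ctx) for name, fn, ctx in usages}

if __name__ == "__main__":
    # Constructed sink list: the context each sanitizer's output is assumed to flow into.
    report = audit([
        ("html_escape_text", html_escape_text, "html_text"),
        ("html_escape_text", html_escape_text, "html_attr_dq"),
        ("html_escape_text", html_escape_text, "sql_string_literal"),
        ("sql_quote_double", sql_quote_double, "sql_string_literal"),
        ("sql_quote_double", sql_quote_double, "html_text"),
    ])
    for usage, failing in report.items():
        print(f"{usage}: {'OK' if not failing else 'insufficient, leaves ' + repr(failing)}")
```

The same routine passes in one context and fails in another, which is exactly the class of finding a context-aware sanitizer check is meant to surface.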
Other products in this space include Klocwork Solo for Java developers, which addresses defects and security vulnerabilities in Java source code such as cross-site scripting (XSS), injection flaws (SQL, process, path, etc.), NULL pointer exceptions, resource leaks and resource lifetime management, and unvalidated inputs. Two others are Veracode Web Application Security Testing, which provides an integrated dynamic web application testing and static binary analysis solution, and an open source solution, RIPS, a static source code analyser for vulnerabilities in PHP web applications capable of detecting XSS, SQLi, file disclosure, LFI/RFI, RCE vulnerabilities and much more.
Coverity’s new technology will be available in September 2012 as part of the Coverity Development Testing platform; until then we may get to hear of more innovative developments in this league. Coverity is offering early access to interested users, and you can register for this early vision here.