Static analysis technology for web application security

Coverity has extended static analysis to deeply understand both source code and modern web application architecture, providing greater accuracy and remediation guidance to help developers find and fix security defects that can lead to the most commonly exploited vulnerabilities including SQL injection and cross-site scripting.

Designed from the ground up to analyze web applications from the developer’s point of view, Coverity’s new technology addresses the complexity of modern web applications and enables developer adoption of static application security testing in a way that the shallow, incomplete analysis of first-generation tools failed to achieve.

Coverity’s innovations in static analysis technology are the first to:

• Augment static source code analysis with a framework analyzer that minimizes inaccuracies when data passes through application frameworks, thereby minimizing false positives.
• Incorporate a white box fuzzer inside static analysis to automatically validate that data sanitization routines perform sufficient sanitization of untrusted data and are used in the right context.
• Provide precise, defect-specific remediation guidance to ensure developers understand how to fix security defects correctly and efficiently.

“Getting developers to fix security defects requires much more than just integrating static analysis into an IDE. Developers need evidence that the defects identified are real, and they need to understand how to fix those defects in their code,” said Andy Chou, Coverity co-founder and CTO.

“First-generation static analysis tools are not effective in helping developers because they don’t credibly provide them with this information. We are making it easy for developers by taking the guesswork out of finding and fixing security defects,” Chou added.