Synopsys Improves Coverity Static Application Security Testing

A new version of Coverity Static Application Security Testing provides broader testing capabilities to help organizations find vulnerabilities in code.

Synopsys Coverity

Synopsys announced on Jan. 15 that a new version of its Coverity Static Application Security Testing (SAST) technology is now available, providing organizations with enhanced software vulnerability analysis capabilities.

Static analysis is an approach where code is examined for potential risks and vulnerabilities before operating in a runtime environment. With the Coverity 2018.12 update, organizations can examine code faster than in previous versions of Coverity, thanks to multiple enhancements. Synopsys has also expanded Coverity to enable broader scanning for more vulnerability types across a variety of programming languages.

"Historically, Coverity's strengths have been in its breadth and depth of code base analysis," Yatin Patil, product management manager and application security expert at Synopsys, told eWEEK. "In the latest release, Coverity extends these advantages to newer languages and frameworks."

Since acquiring Coverity in March 2014, Synopsys has steadily improved the static analysis technology. Coverity is part of the Synopsys Software Integrity Platform portfolio, which also includes technologies acquired from Cigital, Codiscope and Black Duck Software.

Analysis Without Build

One of the key new capabilities in the Coverity update is a feature that enables static code analysis without build. Typically in many programming languages, code needs to be compiled, or "built," before it is able to run. The process of software builds is often done at the final stages of development and can sometimes be time-consuming. 

"The new ‘analysis without build’ capability allows security teams to begin analyzing projects in seconds by simply pointing Coverity to a source code repository—this could be a local code repository or in a Git repository," Patil explained. "Coverity examines source code directly, without first having to do a full build operation." 

Patil said Coverity analyzes the project structure and automatically identifies and downloads any dependent packages for analysis. He added that analyzing builds is not always easy or convenient, especially for security teams tasked with testing many projects and that don't have ready access to the build system for every project. According to Patil, many security vulnerabilities, such as cross-site scripting, SQL injection, path manipulation and missing authorizations, can be identified directly by analyzing the code.

Pre-build analysis isn't for all types of applications. It is only ideal for apps written in languages such as Java, JavaScript, C# and other languages that are either interpretive in nature or where the code can be modeled fairly accurately without requiring compilation. Patil said that analysis without build is not suitable (and not supported) for languages like C/C++ that are heavily reliant on preprocessing and compilation to get an accurate picture for code modeling purposes. 

Framework Analysis

Modern software development isn't done with programming languages alone, as a growing number of applications are written on top of frameworks. A software development framework integrates a programming language with commonly used libraries, tools and configurations to enable more rapid deployment.

"In the context of application security testing, analyzing the framework is as essential as analyzing application code in order to get a comprehensive understanding of the application's security vulnerabilities," Patil said. "Coverity 2018.12 adds support for dozens of new frameworks for Java, JavaScript and C#, as well as improving support for frameworks that were previously supported." 

In supporting a framework, Patil explained that Coverity uses its awareness of the framework's behavior and significant characteristics to analyze the application code in context, which enables the identification of incorrect usage, or the use and/or manipulation of tainted data. He added that Coverity's array of checkers are used to analyze both application and framework code together. 

The new Coverity update also provides advanced JavaScript template analysis. Templates generate HTML on the fly for rendering in the browser, which is also analyzed by Coverity for completeness. 

"While Coverity has always been able to detect XSS vulnerabilities, the new Coverity release enables customers to detect instances of XSS that manifest as a result of the HTML dynamically generated by JavaScript templates," Patil said.

What's Next?

Looking forward, there are a number of things that Synopsys has planned for Coverity, including a new deployment option. Patil said that Coverity will soon be available as a software-as-a-service (SaaS)-based cloud deployment offering. 

"This solution will also integrate other Synopsys Software Integrity Group products for DAST [Dynamic Application Security Testing], IAST [Interactive Application Security Testing], along with Coverity," he said. "Until then, Coverity continues to expand languages and framework support, both in breadth and depth." 

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.