Coverity 2018.12 adds analysis without build, covers more languages and frameworks, finds more vulnerabilities, and supports enterprise application security goals.
Posted in Announcements, Static Analysis (SAST)
In our on-demand webinar with Meera Rao (Synopsys), you’ll learn how to integrate SAST into DevOps using automation to find issues early in the SDLC and support DevOps velocity.
Posted in Agile, CI/CD & DevOps, Static Analysis (SAST), Webinars
If you read the previous installment, you’ll recall that we boosted ourselves to low earth orbit using CodeXM to write a Coverity checker to help enforce a naming convention (which, of course, you can tweak to suit your needs). Our progress so far: local variables and function names (including method names). Now we’ll push higher up, […]
Posted in Static Analysis (SAST)
All systems are go. We have liftoff. Let’s write some CodeXM. If you’ve read the previous two posts, you should come away with a sense that writing a CodeXM checker isn’t rocket science. Let’s put that to the test. In order to get this hands-on experience, you should have access to an installed version of […]
Posted in Static Analysis (SAST)
This is the third post in a three-part series on how you can maximize the impact of a static analysis solution by supporting developers and their goals. As discussed in previous posts, developers are more likely to use SAST tools to improve application security when they integrate seamlessly into existing development workflows. While integration into […]
Posted in Agile, CI/CD & DevOps, Static Analysis (SAST)
What you need to know, and (more importantly) what you don’t, about the CodeXM checkers. When you develop your software, you may not be aware of what the compiler is doing to transform source into an executable. The neat thing is you don’t need to. Just know things like what a variable declaration is, what a […]
Posted in Static Analysis (SAST)
This is the second post in a three-part series on how you can maximize the impact of a static analysis solution by supporting developers and their goals. As discussed in the previous blog post, static analysis is more likely to have a significant impact on application security when it supports the goals of developers, rather […]
Posted in Agile, CI/CD & DevOps, Static Analysis (SAST)
In a recent blog post, Detecting Spectre vulnerability exploits with static analysis, we showed how developers can use static analysis to help protect their applications from the Spectre variant 1 vulnerability (bounds check bypass). Synopsys Software Integrity Group released a checker for Coverity (AUDIT.SPECULATIVE_EXECUTION_DATA_LEAK) that helps developers identify vulnerable code. The result is increased protection against Spectre […]
Posted in Static Analysis (SAST)
With apologies to the late Adams Douglas Adams, writing a checker is hard. You just won’t believe how vastly, hugely, mind-bogglingly hard it is. I mean, you may think it’s difficult to pull together a purchase order for a new bit of software, but that’s just peanuts to writing a checker. Truth be told, writing […]
Posted in Static Analysis (SAST)
Every application security testing tool—SAST, IAST, DAST, and RASP—has its distinct advantages, but you’ll get the best results when you use them together.
Posted in Infographic, Interactive Application Security Testing (IAST), Static Analysis (SAST), Web Application Security
Get the latest Software Integrity news, thought leadership, and more.
