Software Integrity Blog


Coverity 2018.12: Securing enterprise applications

Coverity 2018.12 adds analysis without build, covers more languages and frameworks, finds more vulnerabilities, and supports enterprise application security goals.


On behalf of the product team at Synopsys Software Integrity Group, I’m excited to announce the availability of the Coverity 2018.12 release, which significantly expands Coverity’s value in the domain of enterprise application security testing. Coverity 2018.12 enables enterprise IT teams to exercise control over software vulnerabilities, and therefore promotes a robust security posture in applications before they are deployed into production.

“Enterprise application security teams need to be able to assess their growing and increasingly diverse application inventories for vulnerabilities, while minimizing impact to their development velocity and business operations,” says Andreas Kuehlmann, co-general manager of the Synopsys Software Integrity Group. “The latest Coverity release enables security teams to do just that by extending our world-class static analysis technology to a wider range of applications and making it easier than ever to implement and scale across large application portfolios.”

The development, deployment, and securing of enterprise applications involves several key stakeholders, including development teams and the security team under the CISO. Each team has its own objectives and needs. Developers want a static analysis tool that accurately flags vulnerabilities and is integrated into their existing development workflow. The security team, on the other hand, needs a comprehensive view across the application portfolio to assess the organization’s risk profile and determine compliance. Coverity 2018.12 equips both stakeholders with the right tools to analyze source code and generate comprehensive results across a broad range of programming languages and application frameworks.

Several exciting new capabilities significantly broaden Coverity’s range and versatility for analysis of enterprise web and mobile applications.

Analysis without build

Security teams need to assess the vulnerability picture across hundreds of applications and meet compliance requirements, which calls for a quick, easy way to scan application code for vulnerabilities. Analysis without build is exactly that: point to your source code projects or GitHub URLs and analyze. There is nothing to build, and therefore no build system integration required. Unlike competing tools, Coverity parses the project files to identify and download the dependent packages before analysis, so third-party code is still resolved even though no build runs. Compared to previous versions, Coverity 2018.12 significantly lowers the barrier for enterprise security teams to assess and govern security across their application portfolio.


Expanded language and framework support

Many enterprises use a wide variety of languages across their development environments. Assessing security across apps written in such diverse environments requires static analysis with correspondingly broad language support. To broaden its coverage of these environments, Coverity 2018.12 adds support for TypeScript, .NET Core, Swift 4.1, and Ruby on Rails.

Let’s talk frameworks. Web and mobile apps are written on top of frameworks, which are collections of pre-written code used to make development easier and more efficient by freeing developers to concentrate on high-value features. Considering the pervasive use of frameworks, static analysis solutions must be able to identify and understand them to provide in-depth results across applications. Coverity now supports over 50 different frameworks for Java, JavaScript, C#, and other languages.

Some of the languages and frameworks Coverity supports

Finding more vulnerabilities that matter

The real value in any static analysis product is in its ability to find exploitable vulnerabilities in code and to accurately distinguish them from nonissues and low-impact findings. Coverity’s analysis engine uses a variety of analysis techniques, some patented, each looking at the code in a different way to find the most actionable and critical security vulnerabilities.

Additionally, Coverity’s ability to understand and incorporate frameworks as part of the analysis lets it report security risks that framework-unaware SAST solutions may miss, because data flowing through framework code (routing, binding, rendering) is tracked rather than lost at the framework boundary.

And one more thing about Coverity’s depth of analysis: JavaScript frameworks also support templates, which are a popular means of data binding. Coverity scans the HTML generated on the fly from such templates for vulnerabilities such as cross-site scripting, which is where a binding that inserts untrusted data without escaping would otherwise go unnoticed.
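To make concrete what a template-aware scan is looking for, here is an added example (not Coverity code, and not from the original post): a deliberately tiny mustache-style renderer with an escaped binding `{{key}}` and a raw binding `{{{key}}}`, a constructed comment-widget template in a vulnerable and a hardened variant, and a probe-based check that reports which bindings let markup reach the generated HTML unescaped. The template syntax, the `render` and `findUnescapedBindings` helpers and the sample payload are all assumptions made for the illustration.

```javascript
// Added example, not the page's or Coverity's code. Models the class of bug
// a template-aware XSS scan finds: a data binding whose value is inserted
// into generated HTML without escaping.

// Minimal HTML escaping for text nodes and double-quoted attribute values.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Hypothetical mustache-like renderer (assumption for the example):
//   {{{key}}}  inserts data[key] verbatim   (raw binding, dangerous)
//   {{key}}    inserts data[key] HTML-escaped (safe for text/attribute context)
// One pass over the template so a rendered value can never be re-parsed as a binding.
function render(template, data) {
  return template.replace(
    /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (_, rawKey, escKey) =>
      rawKey !== undefined ? String(data[rawKey] ?? '') : escapeHtml(data[escKey] ?? ''),
  );
}

// Probe-based check in the spirit of what a template-aware analyzer verifies:
// render the template once per binding with a value containing an HTML
// metacharacter and see whether that value survives verbatim in the output.
// Returns the sorted list of binding names that reach the HTML unescaped.
function findUnescapedBindings(template) {
  const keys = new Set();
  for (const m of template.matchAll(/\{\{\{?\s*(\w+)\s*\}?\}\}/g)) keys.add(m[1]);
  const leaks = [];
  for (const key of keys) {
    const probe = `<${key}>`;
    if (render(template, { [key]: probe }).includes(probe)) leaks.push(key);
  }
  return leaks.sort();
}

// Constructed sample templates for a comment widget. The body is user-controlled;
// the vulnerable variant binds it raw, the hardened one binds it escaped.
const VULNERABLE_TEMPLATE = '<div class="comment"><b>{{author}}</b>: {{{body}}}</div>';
const HARDENED_TEMPLATE = '<div class="comment"><b>{{author}}</b>: {{body}}</div>';

// Constructed attacker-supplied comment body.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Renders both variants with the payload and runs the binding check on each.
function demo() {
  const data = { author: 'mallory', body: PAYLOAD };
  return {
    vulnerableHtml: render(VULNERABLE_TEMPLATE, data),
    hardenedHtml: render(HARDENED_TEMPLATE, data),
    vulnerableLeaks: findUnescapedBindings(VULNERABLE_TEMPLATE),
    hardenedLeaks: findUnescapedBindings(HARDENED_TEMPLATE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The probe approach only covers the HTML text and quoted-attribute contexts this renderer produces; a binding placed inside an event handler, a `javascript:` URL, or an unquoted attribute needs a context-specific escaper, which is exactly the kind of distinction a template-aware analyzer has to make rather than treating "escaped somewhere" as safe.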

As you can see above, Coverity 2018.12 goes the extra mile to achieve an in-depth understanding of applications and their vulnerabilities.

Coverity 2018.12 supports enterprise application security goals

As weaknesses in the application layer continue to be exploited by attackers, enterprise security teams are adopting Coverity to find, prioritize, and remove critical vulnerabilities before they make it into the production environment.

Coverity 2018.12 helps enterprise security teams in three key ways:

  1. Usability. Analysis without build allows them to easily scan projects and quickly generate high-quality results.
  2. Broad language and framework support. Coverity can find vulnerabilities in most tech stacks used by modern development organizations.
  3. Comprehensive vulnerability analysis. Coverity can find more vulnerabilities in more places with its sophisticated and deep understanding of applications.

With that, Coverity 2018.12 helps enterprises make more informed decisions on maintaining and improving their application security posture.


This post was updated Jan. 15 to reflect information from the press release.