Synopsys announced on Jan. 15 that a new version of its Coverity Static Application Security Testing (SAST) technology is now available, providing organizations with enhanced software vulnerability analysis capabilities.
Static analysis is an approach where code is examined for potential risks and vulnerabilities before operating in a runtime environment. With the Coverity 2018.12 update, organizations can examine code faster than in previous versions of Coverity, thanks to multiple enhancements. Synopsys has also expanded Coverity to enable broader scanning for more vulnerability types across a variety of programming languages.
"Historically, Coverity's strengths have been in its breadth and depth of code base analysis," Yatin Patil, product management manager and application security expert at Synopsys, told eWEEK. "In the latest release, Coverity extends these advantages to newer languages and frameworks."
Since acquiring Coverity in March 2014, Synopsys has steadily improved the static analysis technology. Coverity is part of the Synopsys Software Integrity Platform portfolio, which also includes technologies acquired from Cigital, Codiscope and Black Duck Software.
One of the key new capabilities in the Coverity update is a feature that enables static code analysis without build. Typically in many programming languages, code needs to be compiled, or "built," before it is able to run. The process of software builds is often done at the final stages of development and can sometimes be time-consuming.
"The new ‘analysis without build’ capability allows security teams to begin analyzing projects in seconds by simply pointing Coverity to a source code repository—this could be a local code repository or in a Git repository," Patil explained. "Coverity examines source code directly, without first having to do a full build operation."
Patil said Coverity analyzes the project structure and automatically identifies and downloads any dependent packages for analysis. He added that analyzing builds is not always easy or convenient, especially for security teams tasked with testing many projects and that don't have ready access to the build system for every project. According to Patil, many security vulnerabilities, such as cross-site scripting, SQL injection, path manipulation and missing authorizations, can be identified directly by analyzing the code.
Modern software development isn't done with programming languages alone, as a growing number of applications are written on top of frameworks. A software development framework integrates a programming language with commonly used libraries, tools and configurations to enable more rapid deployment.
In supporting a framework, Patil explained that Coverity uses its awareness of the framework's behavior and significant characteristics to analyze the application code in context, which enables the identification of incorrect usage, or the use and/or manipulation of tainted data. He added that Coverity's array of checkers are used to analyze both application and framework code together.
Looking forward, there are a number of things that Synopsys has planned for Coverity, including a new deployment option. Patil said that Coverity will soon be available as a software-as-a-service (SaaS)-based cloud deployment offering.
"This solution will also integrate other Synopsys Software Integrity Group products for DAST [Dynamic Application Security Testing], IAST [Interactive Application Security Testing], along with Coverity," he said. "Until then, Coverity continues to expand languages and framework support, both in breadth and depth."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.