News

Coverity Testing Platform Expands Java Web App Coverage, Revamps C# Analysis Engine

• By John K. Waters
• January 8, 2014

Coverity this week released a new version of its namesake software development testing platform with expanded Java and C# testing capabilities and 17 new and enhanced analysis algorithms for Java and C/C++ codebases. Coverity Development Testing Platform 7.0 broadens Java Web application security coverage, adds new security audit views and reports, and revamps its C# analysis engine in what the company describes as a a major rewrite.

The platform combines code analysis, change-aware unit test analysis, and policy management across the three most widely used enterprise programming languages: Java, C/C++, and C#. It comprises the Code Advisor, which surfaces quality and security defects in the developer workflow; the Test Advisor, which focuses unit testing on the most critical parts of the code; and the Policy Manager, which enforces development testing standards across an organization.

This release provides Java developers with expanded coverage for the Open Web Application Security Project's (OWASP) Top 10 and Common Weakness Enumeration (CWE) security vulnerabilities in Java apps. The open-source OWASP identifies 10 of the most critical web app security risks each year. The CWE is a community project sponsored by the Mitre Corporation to create a catalog of software security vulnerabilities.

Coverity made something of a splash a year ago with its "developer-first security" effort, during which it began promoting the idea of putting security into the hands of developers, who are not security experts, with this kind of support.

This release has also been integrated with SonarQube, a Web-based, open-source platform (previously known as "Sonar") for managing code quality, mainly used in used in Java development. The integration allows critical defects identified by the Coverity platform to be imported into SonarQube. The aim is to allow developers to view and manage a broader range of defects in Java applications within a single workflow.

Probably the headline feature in this release is the major rewrite of the C# analysis engine, an effort lead by Eric Lippert, a C# expert and Coverity senior architect. Lippert joined the San Francisco-based Coverity last year, but before that spent 16 years at Microsoft, most recently as principal developer on the C# compiler team and member of the C# language design team.

The company began supporting C# in 2009 with a binary analysis tool, but found that that approached lacked precision, explained James Croall, Coverity's director of product management.

"You lose a lot of context when you go down to machine code," Croall told ADTmag. "Without context you end up making some rough guesses that lead to too many false positives. If you want a tool to be adopted by developers, it has to be accurate. For this release, we essentially rewrote our C# solution from the ground up. It's a new analysis engine with dramatically improved quality of results. It's finding more defects with a much lower false positive rate."

This release also integrates the Coverity Test Advisor tool with both the Eclipse and the Microsoft Visual Studeo integrated development environments.

"Integrating with these IDEs provides developers with intelligence into which unit tests they need to write and run based on the impact of a code change, right from the developer's desktop," Croall said. The new version of the Test Advisor also expands its support for unit test analysis on devices that run on the Android and Wind River platforms, an acknowledgement of the growing demand for mobile and embedded software.   

"We're seeing the embedded software space, which was traditionally heavy on C/C++, start to adopt languages like C#," Croall said. "Virtualized languages like C# and Java are much more appealing to developers for this kind of development.

Coverity 7.0 also adds new security audit and compliance views and reports within the Coverity Connect and Coverity Policy Manager tools. These features are designed to make it easy to zoom into critical security issues, as well as report on compliance with regulations and standards such as the Payment Card Industry (PCI) Data Security Standard and the OWASP Top 10.

"We're really building tools for developers, but we've learned that we have to build those tools so that they're useful for a security audience, as well," Croall said.

IDC analyst Melinda Ballou views tools like Coverity 7.0, which can put security considerations in place earlier in the software development process, as increasingly essential to ensure the high quality and security of a dev team's source code.

"And with increasing deployment complexity across mobile, cloud, and social platforms, and pressure for quick release cycles, it's more important than ever that teams have visibility into risk and use that intelligence to focus and prioritize their testing efforts," she said in a statement.