Not all types of static-analysis tools are looking for the same types of software defects. Some defects affect overall code quality and performance, while others may look to tighten up security.
In a new effort to pair the two, software vendors Coverity and Armorize Technologies are partnering to deliver a two-pronged static-analysis solution that both improves code quality and remediates security defects.
[login] Coverity already has its own suite of static-analysis tools targeted at developers, while Armorize, a new company, offers its own analysis product geared for security professionals.
The two software vendor hope that by integrating their solutions, they can obtain a better result for developers than either could on its own.
“Coverity has a focus on functional and performance defects,” Armorize CEO Caleb Sima told InternetNews.com. “When you look at us, we focus on Web-based languages for security issues.”
Though Armorize is a new company, Sima is no stranger to the security industry: he cofounded security vendor SPI Dynamics, which was acquired by HP in 2007.
An example of a discrepancy in the static-analysis methods of the two vendors’ solution can be found in how they identify Null pointer issues. Null pointers are among the most common and severe security defects found in open source software and can result in major vulnerabilities.
“We don’t detect Null pointer issues,” Sima said. “When you look at security vulnerabilities, there is a class of base problems, then the ramifications of that base.”
To Sima, a Null pointer is a base defect in the code, which can trigger the ramification that becomes the security problem. In contrast with an issue like SQL injection, another common type of security vulnerability, he noted that the base problem is an input validation issue.
“It’s the difference between quality analysis and security analysis with different classes of issues,” explained Coverity CTO Andy Chou. “By combining the two solutions you get detection for all of the above.”
While the joint Coverity-Armorize solution looks at static analysis from two different scanning engines, Sima said he would not call it a hybrid. He added that the tool isn’t simply about finding more things for developers to look at.HP has a partnership with static analysis vendor Fortify that combines dynamic and static analysis. The HP hybrid solution includes dynamic analysis which involves leveraging penetration testing tools.
“I want to find more things that are relevant,” Sima said. “For us the ability to combine functional and security scans and to be able to create a better workflow is what is more important to me.”
A dynamic analysis scan, for example, could find multiple instances of a cross-site scripting (XSS) vulnerability. But the root cause of that issue might only be discovered with a static-code scan that could identify the single line of code that is responsible for the multiple dynamic instances.
The scans from both the Coverity and Armorize engines can be combined into a developer workflow to assign and prioritize tasks for fixing the code.
From a production server perspective, the results of a scan can also be leveraged to defend live assets. Armorize has a Web Application Firewall (WAF) product that can learn from the results of static-analysis scans.
“Smart WAF is a host-based Web app firewall and we create a rule-set for it based on the vulnerabilities that we find,” Sima said.
While both the Coverity and Armorize scanning products are in market now, the integrated solution is a work in progress, and isn’t expected to be generally available until the end of the year. Chou explained that users will still need to buy both products separately, but the integration between the two will be free and straightforward to set up.
Suggested Tags: Coverity, Armorize, security, developer, static-code analysis
