
Coverity Scan, Application Security and Open Source

We have just upgraded the Coverity Scan service to Coverity 7.5. With this upgrade, we’re now enabling Coverity Scan members to utilize Coverity Security Advisor to help them eliminate security defects in Java web applications.

Since Heartbleed, the goto fail bug and, more recently, Shellshock, we have aimed to provide the latest technology to help open source projects become more secure and address the most critical OWASP Top 10 issues. Our analysis algorithms cover about 34 CWEs. In addition to XSS and SQL injection (SQLi), we’re able to address CSRF, hard-coded credentials and more. In fact, in our latest Coverity Scan Security Spotlight we found more than 680 OWASP Top 10 issues in open source projects.

The Coverity Scan service is built for open source developers; as such, you should expect a low false positive rate and advanced remediation advice.

There’s a strong need for increased security awareness in open source software. In a visit to OSCON (the Open Source Convention), I was surprised to see that the security track was nearly empty. I hope to see more organizations like the Linux Foundation arise, but eventually the open source evangelist community will need to take action to bring awareness to the issue.

In other conference news, at Black Hat in August the show seemed mostly to be a commercial and enterprise game. I noticed Codenomicon (the company that discovered Heartbleed) was talking about open source and security, but I didn’t see many others taking it on. For Scan, we also added a new algorithm that checks for issues like Heartbleed.
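As an added illustration of the defect class a Heartbleed-style check is after (example code written for this page, not Coverity’s analyzer and not OpenSSL’s code), the C below parses a constructed heartbeat-style record whose payload length field comes from the peer. The vulnerable echo function trusts that field and copies past the end of what was actually received; the fixed one compares the claimed length against the bytes present before copying. The record layout, function names and sample records are all assumptions made for this example.

```c
/* Added example, not Coverity's or the page's code: a minimal heartbeat-style
 * record parser showing the defect behind Heartbleed (a length field read from
 * the wire and trusted without checking it against the bytes that actually
 * arrived) next to the bounds-checked version.
 * The record layout is a constructed simplification, not real TLS. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (assumption): rec[0] = type, rec[1..2] = payload length
 * (big-endian), rec[3..] = payload bytes. */
#define HB_HEADER_LEN 3
#define HB_MAX_PAYLOAD 65535

/* Scratch output buffer large enough for any claimed payload. */
static uint8_t hb_scratch[HB_MAX_PAYLOAD];

/* Length field exactly as the peer sent it. */
static unsigned hb_claimed_len(const uint8_t *rec)
{
    return ((unsigned)rec[1] << 8) | rec[2];
}

/* VULNERABLE: echoes `claimed` payload bytes into `out`. Only the header and
 * the destination size are checked; the copy length is attacker-controlled,
 * so when claimed > rec_len - HB_HEADER_LEN the memcpy reads past the end of
 * `rec` (the out-of-bounds read a Heartbleed-style checker flags).
 * Returns bytes copied, or -1 if no complete header. Kept only to show the
 * pattern; never call it on untrusted input. */
static int hb_echo_vulnerable(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_len)
{
    if (rec_len < HB_HEADER_LEN)
        return -1;
    unsigned claimed = hb_claimed_len(rec);
    if (claimed > out_len)
        return -1;                  /* destination is checked...        */
    memcpy(out, rec + HB_HEADER_LEN, claimed); /* ...the source is not */
    return (int)claimed;
}

/* FIXED: the claimed length must fit inside what was actually received and
 * inside the destination before any byte is copied. */
static int hb_echo_fixed(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_len)
{
    if (rec_len < HB_HEADER_LEN)
        return -1;
    unsigned claimed = hb_claimed_len(rec);
    size_t available = rec_len - HB_HEADER_LEN;
    if (claimed > available || claimed > out_len)
        return -1;                  /* reject: reply would leak memory past `rec` */
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (int)claimed;
}

/* Number of bytes past the end of `rec` the vulnerable copy would read for a
 * given record, i.e. what the fixed version's check prevents. Pure
 * arithmetic, so it is safe to evaluate on hostile input. */
static long hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN)
        return 0;
    long claimed = (long)hb_claimed_len(rec);
    long available = (long)(rec_len - HB_HEADER_LEN);
    return claimed > available ? claimed - available : 0;
}

/* Constructed sample records: a benign one whose length field matches its
 * 4-byte payload, and a hostile one claiming 65535 bytes but carrying 4. */
static const uint8_t HB_BENIGN[]  = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t HB_HOSTILE[] = { 0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
#define HB_BENIGN_LEN  (sizeof HB_BENIGN)
#define HB_HOSTILE_LEN (sizeof HB_HOSTILE)

int main(void)
{
    printf("benign, fixed parser : %d bytes echoed\n",
           hb_echo_fixed(HB_BENIGN, HB_BENIGN_LEN, hb_scratch, sizeof hb_scratch));
    printf("hostile, fixed parser: %d (rejected)\n",
           hb_echo_fixed(HB_HOSTILE, HB_HOSTILE_LEN, hb_scratch, sizeof hb_scratch));
    printf("hostile, vulnerable parser would over-read %ld bytes\n",
           hb_overread_bytes(HB_HOSTILE, HB_HOSTILE_LEN));
    return 0;
}
```

The point a static checker looks for is the missing comparison between a tainted length (`claimed`) and the size of the buffer it indexes (`rec_len - HB_HEADER_LEN`); checking only the destination, as `hb_echo_vulnerable` does, is the same shape as the original OpenSSL bug.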

On a side note, we have seen a substantial uptick in interest in the OpenSSL project. Since Heartbleed, the project has fixed 221 defects, with special thanks to Neel Mehta, who took the lead working with the OpenSSL team.

I am still wondering how open source projects will handle security. When I compare open source with a typical Coverity commercial customer, I see a gap. The gap is easily described in terms of budget, people and compliance requirements. Every large company typically has an application security team. This team buys tools mostly oriented toward security auditing, and it also drives compliance requirements such as PCI and others. In more advanced companies these teams act more as enablers to the many development teams than as security auditors that hand defects to developers.

However, I don’t observe a similar team or any other formal way in which the open source community tackles security. There are a few forward-thinking individuals who are doing a great job, like Dave Jones (Linux), Michael Rash or Neel Mehta (OpenSSL), but can that scale?

The post Coverity Scan, Application Security and Open Source appeared first on Software Testing Blog.

