Coverity Plans New Tool to Help Developers Fight SQL Injections
If you hate SQL injection and other malicious attacks, San Francisco-based Coverity has got you covered. Coverity, a maker of static code analysis tools, has announced new static analysis testing methods that, the company says, “will empower development teams to effectively address security defects in Java web applications.”
From the announcement:
Coverity has extended static analysis to deeply understand both source code and modern web application architecture, providing greater accuracy and remediation guidance to help developers find and fix security defects that can lead to the most commonly exploited vulnerabilities, including SQL injection and cross-site scripting. Designed from the ground up to analyze web applications from the developer's point of view, Coverity's new technology addresses the complexity of modern web applications and enables developer adoption of static application security testing in a way that the shallow, incomplete analysis of first-generation tools failed to achieve.
Joab Jackson of IDG News, via PC World, has the details on what Coverity has up its sleeve and writes that the company is planning a September release of the new product, tentatively titled “Coverity Development Testing for Web Application Security.”
From IDG News, via PC World:
Coverity's static code analyzer will tackle one of the heretofore trickiest issues of analyzing Web applications, that of dealing with frameworks. Frameworks are libraries of code from which developers often borrow to carry out common tasks in their programs. For static analysis, however, frameworks can be problematic, because the code being examined just points to a framework function, and, as a result, fails to offer the full picture of what actions are taking place when the program is executed. Coverity's approach is to design the tool in such a way that it also examines the full framework calls. The first version of the software will support the two most popular JEE frameworks, Hibernate and Spring.
The software will also include what the company calls a white box fuzzer, to check data sanitization routines. Data sanitizers are often used to check for malicious or otherwise harmful user input. Data sanitizers, however, could be incomplete or improperly configured; the fuzzer will check for weaknesses in the sanitizer.
Over at eSecurity Planet, Sean Michael Kerner talked to Andy Chou, CTO of Coverity, who explained how the new tool will deal with those pesky SQL injections.
From eSecurity Planet:
"Developers aren't security experts and they don't understand how to fix problems, even if they understand the problem," Chou said. "So we give them very actionable advice, so they know where the problem is in the code as well as how to fix the problem properly."
For example, with a SQL Injection vulnerability, fixing the problem in the source code often depends on the context. Chou noted that in general, the best practice when it comes to mitigating SQL Injection attacks is to change queries to prepared queries. With prepared queries, a SQL statement is specifically defined, which can limit the risk from random queries. Chou stressed that his company's new tool is going a step further by visually showing developers where the SQL statement is in their code and how they should actually go about changing it within the context of the application.
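The contrast Chou describes, and the “incomplete sanitizer” case the PC World excerpt says the white box fuzzer is meant to catch, as an added example that is not Coverity's code or code from either article. It uses Python's sqlite3 rather than Java so it runs stand-alone; `naive_sanitize` is a hypothetical home-grown escaping routine, and the users table is constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small users table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # 'Before': string concatenation. Attacker-controlled input is parsed as SQL syntax.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def naive_sanitize(value):
    # Hypothetical home-grown sanitizer: doubles single quotes and nothing else.
    # It only helps when the value lands inside a quoted string literal.
    return value.replace("'", "''")


def find_user_sanitized(conn, username):
    # Sanitizer applied in a string-literal context: the classic quote-based payload is neutralized.
    sql = "SELECT username FROM users WHERE username = '" + naive_sanitize(username) + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_by_id_sanitized(conn, user_id):
    # The same sanitizer in a numeric context: no quote is needed to inject,
    # so the sanitizer is bypassed entirely. This is the context-dependence Chou refers to.
    sql = "SELECT username FROM users WHERE id = " + naive_sanitize(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, username):
    # 'After': parameterized (prepared) query. The driver binds the value; it is never
    # parsed as SQL, so the payload is simply compared as a string and matches nothing.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def find_user_by_id_prepared(conn, user_id):
    # Numeric context: validate the type at the boundary, then bind.
    # A non-integer id raises ValueError instead of reaching the database.
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, "x' OR '1'='1"))
    print("sanitized (string ctx):", find_user_sanitized(db, "x' OR '1'='1"))
    print("sanitized (numeric ctx):", find_user_by_id_sanitized(db, "1 OR 1=1"))
    print("prepared:", find_user_prepared(db, "x' OR '1'='1"))
```

The point of the two sanitizer functions is that the same escaping routine is adequate in one query and useless in the next, which is why a fix has to be shown at the specific SQL statement rather than as a generic rule; binding parameters removes the dependence on context altogether.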