Coverity recently conducted an analysis of possible vulnerabilities in open source projects. The outcome of the analysis was a detailed, comprehensive report named the Coverity Scan Security Spotlight. The report consists of a description of each threat followed by the number of issues detected during the scan process.
In addition to the report, Coverity also announced the arrival of an enhanced Scan service. It adds the Coverity Security Advisor solution to the service so that projects will be able to find critical Open Web Application Security Project (OWASP) Top 10 issues. The Scan service has also been expanded to include C# based open source projects.
The company found as many as 4000 defects in the projects that were scanned for the purpose of the study. The main purpose of the Coverity Scan Security Spotlight is to identify several Common Vulnerabilities and Exposures (CVEs) in open source code. It also identifies the GoToFail vulnerability during the scan process.
The Coverity Scan service automatically traces and fixes critical security issues, including buffer and integer overflows as well as format string errors in C/C++ code.
With the release of the latest report, Coverity enables Java developers to find and fix security issues in their software code, including all of the OWASP Top 10 and other web application security issues.
In addition to OWASP Top 10 security threats, Coverity Scan has been able to detect web application security defects in Java. Moreover, the service has identified 688 OWASP Top 10 issues in 37 open source projects, including big data, network management and blog server projects.
The OWASP Top 10 issue counts reported in the Coverity Scan Security Spotlight are listed below:
- Injection – 135
- Broken Authentication and Session Management – 43
- Cross-site Scripting (XSS) – 139
- Insecure Direct Object References – 210
- Security Misconfiguration – 10
- Sensitive Data Exposure – 8
- Missing Function Level Access Control – 4
- Cross-Site Request Forgery (CSRF) – 139
- Using Components with Known Vulnerabilities – NA
- Unvalidated Redirects and Forwards – 0
“The road to application quality and security starts in development,” said Zack Samocha, Senior Director of Products, Coverity.
The Coverity Scan Security Spotlight report provides comprehensive coverage of software security threats, explained with the help of source code examples and tables.
Coverity Scan service has analyzed more than 1,500 open source projects – including C/C++ projects such as NetBSD, FreeBSD, LibreOffice and Linux and Java projects such as Apache Hadoop, HBase and Cassandra.