Interview with David Lindsay on Coverity Scan Security Spotlight Report

Coverity recently released a scan security spotlight report for open source projects. They analysed several open source applications and compiled them into a report with relevant source code.

Coverity Open Source Security Scan

Learnxpress had a chat with David Lindsay, Senior Security Product Manager at Coverity, to learn more about the Scan security spotlight report.

Learnxpress: Did Coverity find more security issues in the 2014 scan than in the 2013 scan?

The latest Coverity Scan Spotlight is focused on Java application security. Many of the relevant security checkers for a Java web application were introduced to Scan just recently in 2014.

Learnxpress: Does Coverity scan service support Microsoft SQL Server based applications?

Coverity has language support for any application written in C, C++, Java, or C#.

Learnxpress: Can you elaborate more about cross site scripting (XSS)?

Cross-site scripting is one of the most common defects found in modern web applications. A web application vulnerable to cross-site scripting may find that user accounts can be taken over by attackers and sensitive information stolen from victim users’ accounts. Given the prevalence and high impact of this issue, Coverity strongly recommends that all web application developers adopt testing techniques into their daily workflow which can help identify such issues.

Learnxpress: From your point of view, what will be the primary source of security threats?

Applications are a rich target for would-be attackers as they often contain sensitive information that an attacker might be targeting. They are also intrinsically complex systems which makes securing them all the more difficult. Security defects in an application can take a wide range of forms such as weak authentication, missing authorization, or improper data sanitization.

The results of a malicious attack on an application will vary depending on the application. Generally speaking, a malicious attack can lead to disclosure of sensitive information like passwords, credit card numbers, etc., theft, fraud, or the compromise of the underlying systems (which can in turn lead to additional attacks on internal systems).

Learnxpress: Does Coverity provide suggestions to avoid security threats in future?

In order to avoid security attacks in the future, Coverity recommends that applications be tested continuously and that the testing itself begin as early as is reasonable in the software development lifecycle. By taking a proactive approach to addressing an application’s security, the risk posed to an organization via application-level attacks can be significantly reduced.

Learnxpress: Does Coverity expect a reduction in the number of potential security threats in the 2015 scan?

Signups for new projects into Coverity Scan have been growing exponentially and we expect this fantastic growth rate to continue into 2015 and beyond. Details on our past and current growth rate can be downloaded from the official site of Coverity.

As such, the total number of defects found through Coverity Scan should also grow at a similar rate. Individual projects within Coverity Scan can expect the quality and security of their code to improve over time, and this can be seen by tracking the Defect Density for a project over time.

For example, the Linux project has been making steady improvements over the past few years by finding and fixing both quality and security related defects. In 2011, the Linux project had a defect density of .95 defects per thousand lines of code.

In 2012 the defect density dropped to .76. In 2013 the defect density dropped again to .61, and the present Defect Density for Linux now stands around .51. This is a strong indicator that the overall quality and security of the Linux code base has been steadily improving. Other projects have experienced similar improvements.

For example, Apache Hadoop had a Defect Density of 1.71 in 2013; currently they are at 1.63. Given the ongoing prioritization that the Hadoop developers place on finding and fixing issues, we expect their overall security posture to continue improving into 2015.

Learnxpress: Is it not possible to prevent SQL injection vulnerabilities during the software/web development phase?

SQL Injection, along with many other common high-impact vulnerabilities, can be found using a variety of testing techniques. Static Analysis is one of the best methods for detecting such issues, as it allows the issues to be identified earlier in the Software Development Lifecycle. In other words, as soon as the defect gets introduced, Static Analysis techniques can quickly identify the issue and the developer can fix it while the associated code is still fresh in their mind.

Learnxpress: Can you share the future roadmap of the Coverity Scan Service?

Over time, Coverity plans to improve the Coverity Scan service by improving the developer workflow. Coverity is looking to improve our existing integration with GitHub and Travis CI. We also plan to increase visibility into a project for OSS projects while allowing OSS projects to have more data to drive adoption. Additionally, Coverity will continue to add new checkers for all of our supported languages including C, C++, Java and C#.

Learnxpress: Nowadays, websites are frequently hacked. Is it possible to trace the root cause of a hack with your scan service?

Coverity’s SCAN service and associated static analysis technology are leading edge tools for identifying security defects in source code. When an application is compromised by an attacker, our analysis platform can help pinpoint the root cause defect in the code which allowed the compromise to occur. Further security analysis using the Coverity platform can then help prevent additional compromises from occurring in the future.
