Coverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing



Similar documents
Controlling Risk Through Software Code Governance

Development Testing for Agile Environments

Coverity Services. World-class professional services, technical support and training from the Coverity development testing experts

Coverity White Paper. Managing Risk: Ensure Software Quality and Security Across the Automotive Supply Chain

Minimizing code defects to improve software quality and lower development costs.

Coverity White Paper. Effective Management of Static Analysis Vulnerabilities and Defects

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

How To Improve Your Software

Why should I care about PDF application security?

HP Fortify Software Security Center

Linux Kernel. Security Report

Pattern Insight Clone Detection

IBM Security Intelligence Strategy

Web application security: automated scanning versus manual penetration testing.

BlackStratus for Managed Service Providers

Optimizing Network Vulnerability

Product Lifecycle Sourcing enabled by Teamcenter s SRM solutions

IT Security & Compliance. On Time. On Budget. On Demand.

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Seven Practical Steps to Delivering More Secure Software. January 2011

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

The Path Ahead for Security Leaders

IBM Tivoli Netcool network management solutions for SMB

Open Source and the New Software Supply Chain. Mark Tolliver, CEO Palamida Inc.

IBM Rational AppScan: Application security and risk management

nfx One for Managed Service Providers

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

SELECTING THE RIGHT HOST INTRUSION PREVENTION SYSTEM:

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

The Proven ROI of Development Testing: An in-depth analysis of Coverity customer experiences

Continuous???? Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Protecting against cyber threats and security breaches

Application Security Center overview

Symantec Control Compliance Suite. Overview

REDUCE YOUR OPEN SOURCE SECURITY RISK: STRATEGIES, TACTICS, AND TOOLS

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

Total Protection for Compliance: Unified IT Policy Auditing

Attack Intelligence: Why It Matters

Leveraging a Maturity Model to Achieve Proactive Compliance

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

VOLUME 4. State of Software Security Report. The Intractable Problem of Insecure Software

Optimize Brand Asset Management with Enterprise Content Management

Application Security in the Software Development Lifecycle

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

Coverity Scan. Big Data Spotlight

Issue in Focus: Integrating Cloud PLM. Considerations for Systems Integration in the Cloud

Business Resilience Communications. Planning and executing communication flows that support business continuity and operational effectiveness

Improving Network Security Change Management Using RedSeal

THOMSON IP MANAGER KNOWING IS INGENIOUS

Payment Card Industry (PCI) Terminal Software Security. Best Practices

Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.

Application Security Testing as a Foundation for Secure DevOps

can you improve service quality and availability while optimizing operations on VCE Vblock Systems?

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,

Orchestrated. Release Management. Gain insight and control, eliminate ineffective handoffs, and automate application deployments

Closing the Vulnerability Gap of Third- Party Patching

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

The Value of Vulnerability Management*

Streamlining Patch Testing and Deployment

Auditing a Web Application. Brad Ruppert. SANS Technology Institute GWAS Presentation 1

Application Code Development Standards

The ROI from Optimizing Software Performance with Intel Parallel Studio XE

Testing the Security of your Applications

Altiris Asset Management Suite 7.1 from Symantec

Align IT Operations with Business Priorities SOLUTION WHITE PAPER

Meeting DO-178B Software Verification Guidelines with Coverity Integrity Center

Realizing the Business Value of Master Data Management (MDM)

8 Key Requirements of an IT Governance, Risk and Compliance Solution

how can I deliver better services to my customers and grow revenue?

Manufacturing Efficiency Guide

Vistara Lifecycle Management

Testing the Security of your Applications

The IBM Solution Architecture for Energy and Utilities Framework

Moderator: Benjamin McGee, CISSP Cyber Security Lead SAIC

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

YOUR DATA UNDER SIEGE: GUARD THE GAPS WITH PATCH MANAGEMENT. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next

Oracle Solaris Studio Code Analyzer

Continuous Network Monitoring

How To Standardize Itil V3.3.5

Combating a new generation of cybercriminal with in-depth security monitoring

Transcription:

Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing

The Stakes Are Rising Security breaches in software and mobile devices are making headline news and costing companies millions in lost revenue and damage to brand equity. As more people conduct increasingly sophisticated and sensitive transactions, the stakes around software security are rising. Plus, the software and platforms are becoming increasingly complex with multiple components coming from third-party suppliers. Companies often have little visibility into the security or quality of the third-party code which can introduce multiple points of failure and blame. Traditional approaches to security are no longer sufficient. For too many organizations, security is left to an isolated security audit team with limited resources to conduct at the end of the software development lifecycle. And the later the issues are raised in the lifecycle, the more expensive and time consuming they are to address. Compounding this issue is the fact that security audit and development teams have different goals. Security audit teams are focused on risk meeting audit and compliance requirements by ensuring security vulnerabilities are identified and remediated prior to release. Development teams, on the other hand, are driven by speed and innovation delivering new products to market, faster, at the least possible cost. All too often, the security audit team will perform an audit at the end of the development lifecycle with a tool designed specifically for them, meaning it is designed to find every possible issue, and produces a large number of false positive results. Then, a PDF report containing the long list of potential security vulnerabilities without context or guidance of where they exist in the code and how to fix them makes its way to the developers desk as they are racing to get the product out the door on-schedule. The information is neither actionable, nor presented in the developer s workflow. Developers do not like working outside of their standard workflow so often potential issues raised by security auditors are ignored. To properly address security risks and vulnerabilities without jeopardizing speed or cost, companies must bring security into the development process. Organizations cannot bring security into development by giving developers a security auditing tool. The developer will simply ignore the results in time because of the high false positive rate. The tool also will not work well within the developer s workflow and often requires too much security expertise. From a developer s perspective, a defect is a defect. They simply want to be pointed to the defect so they can quickly address it. Developers must be able to address defects that can lead to security vulnerabilities in the same way they manage quality defects. This means adapting security to the way the developers work, not the other way around. 2

Development Testing: The Perfect Complement to Security Auditing Testing for security defects during development is the perfect complement to the testing conducted by security auditors at the end of the lifecycle. By testing the code during development, organizations can eliminate the majority of defects that can lead to security vulnerabilities and allow the security auditing team to focus on the edge cases and apply their resources more effectively. This combination of development testing and security audit testing can help organizations save time, money and resources. To properly address security during development, organizations need an automated approach for identifying defects. Existing testing methods and manual processes are no longer sufficient to address the problems given the increasing size and complexity of codebases. Automated code testing via static analysis provides developers with a means to automatically examine all of the code paths in minutes in many cases. This means more defects found overall, including ones on rarely executed paths that can be hard to reproduce and happen only infrequently. This is also helps improve the security of the code as fewer defects in the product mean fewer potential places for an attacker to discover and exploit. And finding and fixing defects early reduces overall costs. The top three defects found with static analysis that can lead to security vulnerabilities include: Defect Description Potential Impact Buffer Overflow Integer Overflow Format String Vulnerability A buffer overflow occurs when a program or process tries to store more data in a buffer, temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Integer overflow is the result of trying to place into computer memory a whole number that is too large for the integer data type in a given system. Format string vulnerability denial of service attacks are characterized by utilizing multiple instances of the %s format specifier to read data off of the stack until the program attempts to read data from an illegal address, which will cause the program to crash. Format string vulnerability reading attacks typically utilize the %x format specifier to print sections of memory to which one does not typically have access. Format string vulnerability writing attacks utilize the %d, %u or %x format specifiers to overwrite the Instruction Pointer and force execution of user-supplied shell code. Denial of service Arbitrary code execution Disclosure of sensitive information Denial of service Arbitrary code execution Disclosure of sensitive information Allows an attacker to install a backdoor to a system gaining access to sensitive information, files and programs on that machine 3

Arming Your Developers The Coverity development testing platform is used by 3 of the top 5 security software companies in the world to solve their security issues. With over 1,100 customers and five billion lines of code currently under management, Coverity is the market leader for development testing. We ve served as the quality and security gate to the shipment of over 11 billion products in the market. Coverity is a recognized expert in the area of security for C/C++ code. We ve been working closing with CERT to evolve their secure coding standards and we ve been deeply involved in the development of the C Secure Coding Rules which is a set of rules intended to be automatically enforced by analysis tools. Coverity s industry-leading analysis engines find critical defects articulated in the C Secure Coding Rules including buffer overflow, integer overflow, and format string errors. Coverity provides accurate, actionable information about security and quality risks, prioritized together in a single interface which is part of the developer s existing workflow. Developers can view information about the severity of defects, the likely impact and where they exist in the code. This helps developers prioritize what defects to fix first, and provides them with guidance on how to fix the problems so they don t have to become security experts. They can quickly spot potential security issues such buffer overflows and API error handling and prioritize those along with quality defects for the fastest time to resolution. And developers can find the defect once and then fix it everywhere it occurs across the code base. Developers can find and fix defects as the code is being written and as part of their standard workflow which is critical to speed of resolution and developer adoption. Test for Quality Defects and Security Vulnerabilities in Development 4

Improved Visibility and Control Across the Software Supply Chain With the increasing complexity of software products, companies commonly rely on a myriad of software suppliers, from internal teams that share and re-use code to third-party commercial software suppliers and outsourcing development partners. Companies are increasingly being held accountable by their customers for the quality and security of the complete product. Yet according to a recent industry report, third-party code typically isn t tested with the same level of rigor as internally developed code. That means a defect could be lurking in the third-party code that could cause significant security breach or quality issue. This increased risk has resulted in the demand for better visibility into all of the software components that make up a product. Coverity Integrity Control enables managers to establish and enforce consistent measures for quality and security across the organization and across the supply chain. Organizations could set a policy for zero uninspected defects prior to launch since any one of those defects could contain a security vulnerability. Policies could also be established for zero security defects such as buffer overflow, integer overflow and format string errors. Coverity Integrity Control Enables Consistent Enforcement of Quality and Security Standards 5

Once the policies have been established and tested against, organizations can quickly visualize the quality and security risk in their projects. Managers can quickly see which areas of their code are out of compliance with the established policies and drill down into detailed reports to pinpoint the issue. This information is critical for making decisions about whether the product is ready to be released and whether there is a quality or security issue with a third-party code provider that needs to be resolved prior to release. Coverity Integrity Control Provides Visibility into Project Risk 6

Summary Security must be addressed early in the software development lifecycle to minimize project and business risk and cost. We believe that the only effective way to do this is to bring security to the developer, not the other way around, in the same way they manage quality today. This means presenting developers with actionable information, in their existing workflow, so they can fix vulnerabilities in the same way as quality defects, as the code is written. While the security audit team should perform its audit throughout the development project, waiting until the end of the development cycle to identify vulnerabilities and pass them back to developers who are under time-to-market pressure, is ineffective. In addition, with the increasingly complex software stack and reliance on third-party suppliers, companies need better visibility into the security, quality and safety of their code. Coverity provides developers with actionable information that enables them to manage security and quality defects early in the lifecycle, in their existing workflow, without requiring them to become security experts. Coverity Integrity Control provides companies with the visibility they need to feel confident about the third party code they are shipping as part of their product and under their brand to reduce the real business risk of becoming the latest front page news headline related to software failure. To find out more about Coverity can help your company address its security, quality and safety requirements contact your local sales representative or visit us at www.coverity.com. About Coverity Coverity, Inc. (www.coverity.com), the development testing leader, is the trusted standard for companiesthat need to protect their brands and bottom lines from software failures. More than 1,100 Coverity customersuse Coverity s development testing suite of products to automatically test source code for software defects that could lead to product crashes, unexpected behavior, security breaches, or catastrophic failure. For More Information: sales@coverity.com Coverity Inc. Headquarters 185 Berry Street, Suite 6500 San Francisco, CA 94107 USA U.S. Sales: (800) 873-8193 International Sales: +1 (415) 321-5237 www.coverity.com Coverity and the Coverity logo are trademarks or registered trademarks of Coverity, Inc. in the U.S. and other countries. All other company and product names are the property of their respective owners. 2008-2011 Coverity, Inc. All rights reserved.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information