Coverity’s core static analysis tools find common software flaws like null pointers and race conditions that can potentially lead to exploitation. The new web application security tool goes further, providing a white box fuzzer that can help developers find common web app vulnerabilities.
“What the white box fuzzer does is it validates data sanitization routines and it ensures that they are performing sanitization correctly for the context in which they are used,” Andy Chou, CTO of Coverity, told InternetNews.
Static analysis is sometimes referred to as ‘black box’ testing, while ‘white box’ refers to dynamic analysis of running code. Fuzzing is a technique that injects random code into an application in an effort to find vulnerabilities.
With SQL Injection and other types of injection attacks, the root cause is often a lack of input sanitization. Sanitization provides input checks to ensure the validity of the incoming query and the data set.
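The idea of checking a sanitizer against the context in which it is used, as an added example (not Coverity's tool or code): a small fuzzer renders sanitized strings into an HTML body and a double-quoted attribute, then confirms the parser still sees the input as pure data. The templates, function names and fuzz alphabet are constructed for this illustration.

```python
import html
import random
from html.parser import HTMLParser

# Output contexts to check, as templates with one slot (constructed for this example).
CONTEXTS = {
    "html_body": "<p>{}</p>",
    "html_attr": '<a title="{}">x</a>',
}

class _Recorder(HTMLParser):
    """Records the start tags and text the parser actually sees."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))
    def handle_data(self, data):
        self.text.append(data)

def survives(sanitize, context, value):
    """True if `value` comes back as pure data once rendered in `context`."""
    rec = _Recorder()
    rec.feed(CONTEXTS[context].format(sanitize(value)))
    rec.close()
    if context == "html_body":
        return rec.tags == [("p", [])] and "".join(rec.text) == value
    return rec.tags == [("a", [("title", value)])] and "".join(rec.text) == "x"

def find_counterexample(sanitize, context, trials=2000, seed=1):
    """Fuzz `sanitize` with metacharacter-heavy strings; return a failing input or None."""
    rng = random.Random(seed)
    alphabet = "ab <>\"'&=/;"
    for _ in range(trials):
        value = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 8)))
        if not survives(sanitize, context, value):
            return value
    return None

def escape_body(s):   # escapes & < > only
    return html.escape(s, quote=False)

def escape_attr(s):   # also escapes " and '
    return html.escape(s, quote=True)

if __name__ == "__main__":
    for fn in (escape_body, escape_attr):
        for ctx in CONTEXTS:
            print(fn.__name__, ctx, repr(find_counterexample(fn, ctx)))
```

The body-only escaper passes in the body context but yields a counterexample in the attribute context, because a double quote ends the attribute value early.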
Simply doing the check isn’t enough, as a developer would still be on the hook to actually figure out how to implement the fix. To solve that problem, Coverity has included remediation advice.
“Developers aren’t security experts and they don’t understand how to fix problems, even if they understand the problem,” Chou said. “So we give them very actionable advice, so they know where the problem is in the code as well as how to fix the problem properly.”