Open Source Library Aims To Help Developers Remediate Common Security Defects in Java Web Applications
Software development testing firm Coverity this week released an open source library that provides developers with a lightweight set of escaping routines for fixing cross-site scripting (XSS), SQL injection, and other common security defects in Java web applications.
Dubbed the “Coverity Security Library”, the project is available through GitHub and Maven as a free library of escaping and encoding functions, something the company says has been well-tested and will help developers address some of the most common security holes that can lead to costly security breaches.
“Providing actionable remediation guidance for developers to fix security defects is critical, but it quickly becomes difficult to implement fixes without a secure and convenient security library,” the company explained.
Earlier this week, cloud hosting firm FireHost released the findings of its web application attack report for Q3 2012, which highlighted a significant rise in the number of cross-site attacks, in particular XSS and CSRF attacks. FireHost now says that XSS is the most common Web attack type, with CSRF now in second.
“Large Java libraries and frameworks like Apache Commons, Java EE and Spring provide bits and pieces of data escaping and encoding routines, but they are often incomplete and don't cover all of the cases required for complex defects such as XSS,” Coverity said.
While there are plenty of developers with solid coding skills, often times security is an afterthought, with functionality and time-to-market being the priority.
For developers with limited security expertise, the Coverity Security Library can assist in fixing commonly exploited security defects with development technologies like JSPs and Expression Language (EL).
"Asking developers to write their own data escaping routines is a recipe for getting it wrong," said Andy Chou, Coverity co-founder and CTO at San Francisco-based Coverity. "The incomplete set of escapers in some libraries encourages developers to use the wrong ones. We need to empower developers to be part of the security solution with the right technologies and actionable information to help them fix defects quickly and without slowing them down."
The project is a work in progress, and the company hopes that community involvement will take the project further, but noted that its simplicity and small size is by design.
“Some might find it embarrassingly small to be called a ‘library'. To some extent that's because we're naming it looking forward to what it will become,” Chou noted in a blog post.
Coverity has made the library available via GitHub and Maven as a standalone repository.
“We'll be expanding this library going forward, and we also welcome contributions from the community,” Chou said. “We'll be carefully vetting changes, running them through a battery of tests and also static analysis, fuzzing, and manual code review. We hope to earn the trust of our users and believe that making this library available under a liberal BSD-like open source license helps increases the transparency that results in trust."
While the Coverity Security Library is open source and free to use, it can also be used in conjunction with the company’s Coverity Security Advisor, a commercial product within the Coverity Development Testing Platform that can further analyze security defects and assist in remediation.
On Demand Webcast: The Great Security Divide - How Security Can Work Better With Development