CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Coverity Releases Open Source Security Library For Developers

Open Source Library Aims To Help Developers Remediate Common Security Defects in Java Web Applications

Open Source Library Aims To Help Developers Remediate Common Security Defects in Java Web Applications

Software development testing firm Coverity this week released an open source library that provides developers with a lightweight set of escaping routines for fixing cross-site scripting (XSS), SQL injection, and other common security defects in Java web applications.

Coverity LogoDubbed the “Coverity Security Library”, the project is available through GitHub and Maven as a free library of escaping and encoding functions, something the company says has been well-tested and will help developers address some of the most common security holes that can lead to costly security breaches.

“Providing actionable remediation guidance for developers to fix security defects is critical, but it quickly becomes difficult to implement fixes without a secure and convenient security library,” the company explained.

Earlier this week, cloud hosting firm FireHost released the findings of its web application attack report for Q3 2012, which highlighted a significant rise in the number of cross-site attacks, in particular XSS and CSRF attacks. FireHost now says that XSS is the most common Web attack type, with CSRF now in second. 

“Large Java libraries and frameworks like Apache Commons, Java EE and Spring provide bits and pieces of data escaping and encoding routines, but they are often incomplete and don’t cover all of the cases required for complex defects such as XSS,” Coverity said.

While there are plenty of developers with solid coding skills, often times security is an afterthought, with functionality and time-to-market being the priority.

For developers with limited security expertise, the Coverity Security Library can assist in fixing commonly exploited security defects with development technologies like JSPs and Expression Language (EL).

“Asking developers to write their own data escaping routines is a recipe for getting it wrong,” said Andy Chou, Coverity co-founder and CTO at San Francisco-based Coverity. “The incomplete set of escapers in some libraries encourages developers to use the wrong ones. We need to empower developers to be part of the security solution with the right technologies and actionable information to help them fix defects quickly and without slowing them down.”

Advertisement. Scroll to continue reading.

The project is a work in progress, and the company hopes that community involvement will take the project further, but noted that its simplicity and small size is by design.

“Some might find it embarrassingly small to be called a ‘library’. To some extent that’s because we’re naming it looking forward to what it will become,” Chou noted in a blog post.

Coverity has made the library available via GitHub and Maven as a standalone repository.

“We’ll be expanding this library going forward, and we also welcome contributions from the community,” Chou said. “We’ll be carefully vetting changes, running them through a battery of tests and also static analysis, fuzzing, and manual code review. We hope to earn the trust of our users and believe that making this library available under a liberal BSD-like open source license helps increases the transparency that results in trust.”

While the Coverity Security Library is open source and free to use, it can also be used in conjunction with the company’s Coverity Security Advisor, a commercial product within the Coverity Development Testing Platform that can further analyze security defects and assist in remediation.

Free White PaperThe Great Security Divide Bridging the Chasm between Security and Development

On Demand Webcast: The Great Security Divide – How Security Can Work Better With Development

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.