Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Coverity Releases Open Source Security Library For Developers

Open Source Library Aims To Help Developers Remediate Common Security Defects in Java Web Applications

Open Source Library Aims To Help Developers Remediate Common Security Defects in Java Web Applications

Software development testing firm Coverity this week released an open source library that provides developers with a lightweight set of escaping routines for fixing cross-site scripting (XSS), SQL injection, and other common security defects in Java web applications.

Coverity LogoDubbed the “Coverity Security Library”, the project is available through GitHub and Maven as a free library of escaping and encoding functions, something the company says has been well-tested and will help developers address some of the most common security holes that can lead to costly security breaches.

“Providing actionable remediation guidance for developers to fix security defects is critical, but it quickly becomes difficult to implement fixes without a secure and convenient security library,” the company explained.

Earlier this week, cloud hosting firm FireHost released the findings of its web application attack report for Q3 2012, which highlighted a significant rise in the number of cross-site attacks, in particular XSS and CSRF attacks. FireHost now says that XSS is the most common Web attack type, with CSRF now in second. 

“Large Java libraries and frameworks like Apache Commons, Java EE and Spring provide bits and pieces of data escaping and encoding routines, but they are often incomplete and don’t cover all of the cases required for complex defects such as XSS,” Coverity said.

While there are plenty of developers with solid coding skills, often times security is an afterthought, with functionality and time-to-market being the priority.

For developers with limited security expertise, the Coverity Security Library can assist in fixing commonly exploited security defects with development technologies like JSPs and Expression Language (EL).

“Asking developers to write their own data escaping routines is a recipe for getting it wrong,” said Andy Chou, Coverity co-founder and CTO at San Francisco-based Coverity. “The incomplete set of escapers in some libraries encourages developers to use the wrong ones. We need to empower developers to be part of the security solution with the right technologies and actionable information to help them fix defects quickly and without slowing them down.”

Advertisement. Scroll to continue reading.

The project is a work in progress, and the company hopes that community involvement will take the project further, but noted that its simplicity and small size is by design.

“Some might find it embarrassingly small to be called a ‘library’. To some extent that’s because we’re naming it looking forward to what it will become,” Chou noted in a blog post.

Coverity has made the library available via GitHub and Maven as a standalone repository.

“We’ll be expanding this library going forward, and we also welcome contributions from the community,” Chou said. “We’ll be carefully vetting changes, running them through a battery of tests and also static analysis, fuzzing, and manual code review. We hope to earn the trust of our users and believe that making this library available under a liberal BSD-like open source license helps increases the transparency that results in trust.”

While the Coverity Security Library is open source and free to use, it can also be used in conjunction with the company’s Coverity Security Advisor, a commercial product within the Coverity Development Testing Platform that can further analyze security defects and assist in remediation.

Free White PaperThe Great Security Divide Bridging the Chasm between Security and Development

On Demand Webcast: The Great Security Divide – How Security Can Work Better With Development

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.