Coverity looks to the future

Written By: Nigel Stanley
Published:
Content Copyright © 2009 Bloor. All Rights Reserved.

Application
security—the notion of tightening up software code—should now form a major
part of any corporate IT security strategy.

As detailed
in a recent Coverity has been around
application security for a number of years. The company was born out of some in-depth
work at Stanford University to analyse source code which in turn has been
productised to give them a range of software integrity products.

Talking to
Ben Chelf (Coverity CTO and co-founder) recently I was interested in where the application security
market was going and in particular where Coverity saw their future.

Enterprise
readiness is focusing minds at Coverity as they look at scaling up their
products to meet the needs of 1000’s of users rather than the smaller workgroup
level that has traditionally been associated with software code testing. As
executives ‘get’ the importance of the code security issue so comes the
requirement for an enterprise dashboard that provides senior staff with an
overall risk assessment at any given moment in time. That way the CxO community
can be assured that there is one less IT security issue for them to be worried
about—hopefully.

The software
build process has, in the past, gained almost mystical powers as development
teams rush to check in their final lines of code before the routine build.
Unfortunately there is some real pain to be had in the build process as it is
often left to a black box to produce the final cut of the code. Coverity are
uncomfortable with this and are taking steps to look into the build process to
detect configuration and build issues sooner in the software development
lifecycle than may normally be the case. Build failures can cause release
delays and sometimes produce oddities such as an incremental build that doesn’t
produce the right executables.

Combined
with the notion of parallel builds, what was the nightly build can hopefully be
reduced to an hourly build with better quality control. This will be a real
boon to development shops.

Couple
enterprise readiness, improved build quality and more checking for specific
threats and you end up with quite an interesting view of what Coverity have
planned in the next year. I for one will be watching with interest.