Coverity is well known in the enterprise and high reliability space that includes avionics and military applications. They provide a wide range of static and system analysis tools that target C and C++ applications (see Enterprise Development Tool Integrates With FindBugs) and I have talked with Rutul Dave at Coverity about their approach (see Can Static Analysis Address Security Issues?).
Their latest tool targets web applications. Its Web Application Security Analysis (Fig. 1) is designed to check the security of enterprise Java applications like those designed for J2EE (Java 2 Enterprise Edition). It also supports popular supporting frameworks used in Java development. This particular tools targets web application developers versus quality assurance groups. The tool is designed for use during the usual development process.
Figure 1. Coverity's Web App Security Analysis tools provides remediation advice when problems are detected.
At the core of the Coverity Web Application Security Analysis is the static analysis engine. It provides the usual static analysis features but it now includes "security checking." The tool provides remediation advice when problems are detected in an application. This allows developers to make changes as they see fit.
As noted, the tool supports Java frameworks like Spring MVC and Hibernate. The analysis does not actually scan the framework code. Instead it emulates its behavior. This speeds the use of the tool.
Coverity uses a whitebox fuzzer testing tool that checks interface with inputs that use unconventional or incorrect inputs. It looks for vulnerabilities like input injection attacks and cross site scripting errors. In addition to remediation recommendations, the tool shows where the error occurs and what path that data takes through the code. It is also possible to customize advice the tool provides so enterprisewide standards can be supported.
The tool is integrated with IDEs like Eclipse. It can also be added to the standard make process. Of course it works with Coverity Integrity Manager, a central server supported by other Coverity tools. This provides a web interface to tools and results.
Coverity is taking a new approach to securing Java web applications. Preventing attacks on web applications is best addressed as an application is designed and implemented. This tool makes this process easier.