Making Sure Java Web Applications Are Secure

June 26, 2012
Coverity's Web Application Security Analysis is a development tool uses static analysis to check the security of enterprise Java applications.

Coverity is well known in the enterprise and high reliability space that includes avionics and military applications. They provide a wide range of static and system analysis tools that target C and C++ applications (see Enterprise Development Tool Integrates With FindBugs) and I have talked with Rutul Dave at Coverity about their approach (see Can Static Analysis Address Security Issues?).

Their latest tool targets web applications. Its Web Application Security Analysis (Fig. 1) is designed to check the security of enterprise Java applications like those designed for J2EE (Java 2 Enterprise Edition). It also supports popular supporting frameworks used in Java development. This particular tools targets web application developers versus quality assurance groups. The tool is designed for use during the usual development process.

Figure 1. Coverity's Web App Security Analysis tools provides remediation advice when problems are detected.

At the core of the Coverity Web Application Security Analysis is the static analysis engine. It provides the usual static analysis features but it now includes "security checking." The tool provides remediation advice when problems are detected in an application. This allows developers to make changes as they see fit.

As noted, the tool supports Java frameworks like Spring MVC and Hibernate. The analysis does not actually scan the framework code. Instead it emulates its behavior. This speeds the use of the tool.

Coverity uses a whitebox fuzzer testing tool that checks interface with inputs that use unconventional or incorrect inputs. It looks for vulnerabilities like input injection attacks and cross site scripting errors. In addition to remediation recommendations, the tool shows where the error occurs and what path that data takes through the code. It is also possible to customize advice the tool provides so enterprisewide standards can be supported.

The tool is integrated with IDEs like Eclipse. It can also be added to the standard make process. Of course it works with Coverity Integrity Manager, a central server supported by other Coverity tools. This provides a web interface to tools and results.

Coverity is taking a new approach to securing Java web applications. Preventing attacks on web applications is best addressed as an application is designed and implemented. This tool makes this process easier.

Sponsored Recommendations

Understanding Thermal Challenges in EV Charging Applications

March 28, 2024
As EVs emerge as the dominant mode of transportation, factors such as battery range and quicker charging rates will play pivotal roles in the global economy.

Board-Mount DC/DC Converters in Medical Applications

March 27, 2024
AC/DC or board-mount DC/DC converters provide power for medical devices. This article explains why isolation might be needed and which safety standards apply.

Use Rugged Multiband Antennas to Solve the Mobile Connectivity Challenge

March 27, 2024
Selecting and using antennas for mobile applications requires attention to electrical, mechanical, and environmental characteristics: TE modules can help.

Out-of-the-box Cellular and Wi-Fi connectivity with AWS IoT ExpressLink

March 27, 2024
This demo shows how to enroll LTE-M and Wi-Fi evaluation boards with AWS IoT Core, set up a Connected Health Solution as well as AWS AT commands and AWS IoT ExpressLink security...

Comments

To join the conversation, and become an exclusive member of Electronic Design, create an account today!