Making Sure Java Web Applications Are Secure

June 26, 2012
Coverity's Web Application Security Analysis is a development tool that uses static analysis to check the security of enterprise Java applications.

Coverity is well known in the enterprise and high-reliability space that includes avionics and military applications. They provide a wide range of static and system analysis tools that target C and C++ applications (see Enterprise Development Tool Integrates With FindBugs), and I have talked with Rutul Dave at Coverity about their approach (see Can Static Analysis Address Security Issues?).

Their latest tool targets web applications. Its Web Application Security Analysis (Fig. 1) is designed to check the security of enterprise Java applications like those designed for J2EE (Java 2 Enterprise Edition). It also supports the popular frameworks used in Java development. This particular tool targets web application developers rather than quality assurance groups. It is designed for use during the usual development process.

Figure 1. Coverity's Web App Security Analysis tool provides remediation advice when problems are detected.

At the core of the Coverity Web Application Security Analysis is the static analysis engine. It provides the usual static analysis features but it now includes "security checking." The tool provides remediation advice when problems are detected in an application. This allows developers to make changes as they see fit.

As noted, the tool supports Java frameworks like Spring MVC and Hibernate. The analysis does not actually scan the framework code. Instead it emulates the framework's behavior, which speeds up the analysis.

Coverity uses a whitebox fuzzing tool that exercises interfaces with unconventional or malformed inputs. It looks for vulnerabilities like input injection attacks and cross-site scripting (XSS) flaws. In addition to remediation recommendations, the tool shows where the error occurs and what path the data takes through the code. It is also possible to customize the advice the tool provides so that enterprise-wide standards can be supported.
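The kind of source-to-sink data path such an analysis reports, shown as an added example rather than code from the article or from Coverity: a hypothetical servlet in which a request parameter flows unchanged into a SQL statement and into HTML output, beside the remediated version that binds the parameter and encodes the output. The class, its `Connection` field and the `users` table are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet used only to illustrate a tainted data path.
public class UserLookupServlet {
    private final Connection db; // assumed to be supplied by the container

    UserLookupServlet(Connection db) { this.db = db; }

    // BEFORE: the untrusted parameter reaches a SQL sink and an HTML sink unchanged.
    void lookupVulnerable(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, SQLException {
        String name = req.getParameter("name");                     // source: untrusted input
        try (Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT email FROM users WHERE name = '" + name + "'")) { // sink: SQL injection
            while (rs.next()) resp.getWriter().println(rs.getString("email"));
        }
        resp.getWriter().println("<p>Lookup for " + name + "</p>"); // sink: reflected XSS
    }

    // AFTER: the parameter is bound, never concatenated, and HTML-encoded before output.
    void lookupFixed(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, SQLException {
        String name = req.getParameter("name");
        try (PreparedStatement ps = db.prepareStatement(
                 "SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, name);                                    // bound parameter, no injection
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) resp.getWriter().println(htmlEscape(rs.getString("email")));
            }
        }
        resp.getWriter().println("<p>Lookup for " + htmlEscape(name) + "</p>");
    }

    // Minimal HTML text/attribute encoder; a library encoder is preferable in production.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

A taint analysis flags `lookupVulnerable` because the value from `getParameter` reaches both sinks without passing through a sanitizer; in `lookupFixed` the SQL path is broken by parameter binding and the HTML path by `htmlEscape`.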

The tool is integrated with IDEs like Eclipse. It can also be added to the standard build (make) process. Of course it works with Coverity Integrity Manager, a central server shared by other Coverity tools, which provides a web interface to the tools and their results.

Coverity is taking a new approach to securing Java web applications. Preventing attacks on web applications is best addressed as an application is designed and implemented. This tool makes this process easier.

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF

I am Editor of Electronic Design focusing on embedded, software, and systems. As Senior Content Director, I also manage Microwaves & RF and I work with a great team of editors to provide engineers, programmers, developers and technical managers with interesting and useful articles and videos on a regular basis. Check out our free newsletters to see the latest content.

You can send press releases for new products for possible coverage on the website. I am also interested in receiving contributed articles for publishing on our website. Use our template and send it to me along with a signed release form.

Check out my blog, AltEmbedded on Electronic Design, as well as my latest articles on this site that are listed below.

I earned a Bachelor of Electrical Engineering at the Georgia Institute of Technology and a Master's in Computer Science from Rutgers University. I still do a bit of programming using everything from C and C++ to Rust and Ada/SPARK. I do a bit of PHP programming for Drupal websites. I have posted a few Drupal modules.

I still get hands-on with software and electronic hardware. Some of this can be found on our Kit Close-Up video series. You can also see me on many of our TechXchange Talk videos. I am interested in a range of projects from robotics to artificial intelligence.
