Securing applications with Coverity’s static analysis results

This is the third post in a three-part series on how you can maximize the impact of a static analysis solution by supporting developers and their goals.

As discussed in previous posts, developers are more likely to use SAST tools to improve application security when they integrate seamlessly into existing development workflows. While integration into workflows is crucial for developer adoption, static analysis results can also determine whether developers embrace SAST tools or dismiss them as shelfware.

Static analysis results influence developer adoption

Even static analysis that integrates perfectly into development workflows does not necessarily have an impact on application security—SAST tools must also produce results that are helpful. Static analysis results can contain either a stressful, paralyzing list of information or useful, actionable advice on how to improve code integrity. Whether SAST results are the former or the latter has significant consequences for developer adoption. More specifically, if developers perceive static analysis results to be unhelpful or confusing, it’s unlikely to have an impact on application security.

How can SAST results help developers?

Static analysis results that are accurate, actionable, and relevant to modern codebases give developers the information they need to improve their code.

  1. The accuracy of SAST results can determine whether developers adopt or ignore static analysis. Research shows a strong link between high false-positive rates and static analysis disuse—with false positives listed as the most common barrier to SAST adoption in many reports. While the exact rate of false positives that leads to static analysis disuse varies (the literature suggests 10%–20%), confirmation bias can cause developers to lose faith in SAST results entirely if there are too many false positives.
  2. While accurate results are crucial, static analysis solutions should also provide actionable information to encourage developers to fix issues as soon as possible. SAST tools that provide a list of security weaknesses and quality defects without any information on how to fix them create stress without a solution. Information such as the location of the flaw, how to fix it, and which developer is responsible can simplify the debugging process.
  3. Finally, security weaknesses can vary dramatically in complexity and severity—which can determine how relevant they are to an organization. For example, some flaws may be easy to fix and have significant consequences should they be exploited; these should take priority over flaws that are difficult to fix but don’t pose a significant risk. Static analysis tools should provide developers with the flaws most relevant to the organization so development teams can reduce risk efficiently.

If developers don’t enjoy using static analysis, it’s unlikely SAST tools will have an impact on application security. With accurate, actionable, and relevant results, developers are likely not only to benefit from static analysis but also to enjoy using it.

Improving code quality and security with Coverity

Coverity makes debugging code faster and easier, which is a key reason developers across the world use it to improve code integrity. From financial services to telecommunications to aerospace and defense, developers in different verticals use Coverity to build quality and security into their code.

Embedded code in the automotive industry, for example, has different quality and security needs than code designed to store customer data for banks. For this reason, Coverity is easy to configure, producing relevant results for developers writing code in different languages, on different frameworks, and for different purposes. Developers can tailor Coverity’s analyses to find the security weaknesses and quality defects that matter most to them—making their debugging efforts efficient and easy.

Similarly, Coverity’s low false-positive rate allows developers to focus on real weaknesses and defects, rather than spending time separating false positives from important issues. False positives are simply incompatible with the pace of modern software development, which is why accuracy is crucial to developers’ adoption of static analysis. When developers have confidence in the integrity of the results, static analysis can become an essential element of the SDLC.

Accurate results paired with precise triage information and remediation advice enable developers to act quickly on issues. Coverity provides developers with actionable information to simplify code review. Security weaknesses and quality defects are not always an obvious fix, so if issues are to be solved, rather than just identified, information on remediation strategies is important.

Boosting developer productivity with static analysis

Application security review processes have a bad rap within development communities. This isn’t surprising, considering most review processes aren’t designed to support developers. Static analysis that provides helpful, relevant information about developers’ code reduces debugging time, which contributes to their goal of producing secure, high-quality software quickly. This benefits security teams as well, because SAST will have a greater impact on application security when developers enjoy using it.

Coverity’s accurate, actionable, and relevant results ensure developers get a productivity boost from static analysis, rather than being held back by it. For this reason, organizations using Coverity can be sure static analysis has a significant impact on application security.

*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Charlie Klein. Read the original post at: https://www.synopsys.com/blogs/software-security/coverity-static-analysis-results/