Coverity, Armorize to add security to software quality process

Integrated suite gives security teams greater visibility into the software development lifecycle while letting developers focus on creating code and fixing errors.

Two software vendors that aim to foster higher quality software are integrating their suites, bridging software quality and application security processes.


Coverity Inc. and Armorize Technologies announced integration plans today. The two vendors plan to release a fully integrated suite that ties together the Coverity Static Analysis, for code analysis, with Armorize's security analysis suite. The two vendors said the combined suites will add security deeper into the software quality process without disrupting coding teams.

In an interview with SearchSecurity.com, Caleb Sima, CEO of Armorize Technologies, said the integration puts less strain on developers, who in some organizations are forced to use security audit tools on top of the project deadlines they already carry. Meanwhile, security teams gain more visibility into the development process, along with tools that let them detect high-priority vulnerabilities earlier in the process and then track the progress of coders in fixing them.

"We're allowing both security and development teams to have their own world," Sima said. "We're not forcing a security guy to log into a development console and a development guy to log into a security console."

As attackers continue to target software vulnerabilities, more companies are bolstering their software development lifecycles, attempting to inject security deeper into the process. But getting security earlier in the process has been difficult: development teams are under pressure to deliver projects on time, so their focus has been on eliminating software defects, not necessarily on detecting high-priority security flaws. Technology has played an important role in scanning as much code as possible to detect security vulnerabilities.


More software assessment vendors are trying to broaden their suites with security analysis capabilities, attempting to increase coverage across the security development lifecycle, said Ramon Krikken, a principal analyst at Gartner Inc. Fortify Software partners with Hewlett-Packard. IBM, meanwhile, has bolstered its Rational software business.

"There's generally tension between the goals of the development organization, which wants to deliver on time and on budget, and the security team, who says we'll do a security assessment and if there's something wrong this will have to be fixed," Krikken said. "But there's somewhat of an overlap between software quality and software security because both of them deal with underlying flaws which cause the software to misbehave in some way."

Implementing a software security program gets even more complicated when firms manage multiple development teams and outsourced development projects. Creating an organizational foundation that gets everybody on the same page and makes the process not only effective but also efficient is important to success, Krikken said.

"If you put in place assessments at the end of the lifecycle you're not going to make any friends in the development team or the business side," he said.

Coverity and Armorize's integration plans bring Armorize's CodeSecure into Coverity's existing development and triage workflow platform. The integration could get development teams and security teams to collaborate more closely on projects, Sima said. "It's no longer a manual process of talking or discussions of what new things are coming out of dev," Sima said. "It will get pulled right into CodeSecure's interface."

The resulting integration will enable CodeSecure to connect to the Coverity server and pull in data from ongoing development projects. The combined suite tracks the developer's workflow, identifying code changes while providing resolution-management capabilities for security vulnerabilities.

The integrated platform is planned to be released by the end of the year. The two firms are also establishing a beta program for early adopters of the combined software.
