SAN FRANCISCO, 11 Jan. 2006. Coverity, Inc. today announced its flagship product, Coverity Prevent, has been chosen to conduct daily security audits of leading open source software projects under a new federal Homeland Security Advanced Research Project Agency grant designed to help secure cyberspace.
The audit results will be published daily on the Web and are intended to help the development community, industry and government both identify and correct security vulnerabilities in some of the most important and widely-used software in the world.
The three-year grant, called the "Vulnerability Discovery and Remediation Open Source Hardening Project," is part of a broad federal initiative by the Department of Homeland Security's Science and Technology Directorate (DHS S&T) to foster the development and deployment of technologies to protect the nation's telecommunications infrastructure, including the Internet and other critical networks that depend on computer systems for their mission.
"The DHS grant is the latest proof of the tremendous traction we are seeing in the market with Coverity Prevent," said David Park, vice president of marketing & business development at Coverity. "In less than two years we have successfully demonstrated the value of our solution by gaining more than 100 customers. What better validation of our technology than to be selected by the federal government for such a critical security initiative? The government has extremely high security standards, and we are glad that Coverity meets their requirements."
Coverity Prevent finds more than 20 different types of security vulnerabilities at the source code level. Its static analysis methods provide 100 percent path coverage and uncover bugs in complex code that are very hard to find by other means. It can discover so-called "true vulnerabilities" as well as enforce secure coding practices. True vulnerabilities are errors introduced into the software, accidentally or intentionally, as developers write code; they include buffer overflows, file-based race conditions, size and bounds checking errors, and more. Coverity also offers a library of secure coding best practices to help guide developers toward producing more secure code.
A 2002 study by the Mitre Corporation for the National Institute of Standards and Technology identified more than 230 open source software packages already in use for critical operations within the federal government.
Professor Dawson Engler of the Computer Science Department at Stanford University, the original author of the technology behind Coverity Prevent, is the lead investigator on the grant.
"We're pleased to have the technology built at Stanford and Coverity recognized by the Department of Homeland Security," Engler said. "We are happy to help improve the security of technologies that run the government's global IT infrastructure."
Under the terms of the grant, Coverity and Stanford will build and maintain a system that automatically analyzes more than 40 open source software projects as a nightly regression and publishes defects it finds in a publicly-available bug database.
Coverity's technology uses static source code analysis to find various types of hidden security errors. Such errors often compromise system security for certain input values without ever crashing the software, so they escape ordinary testing. Coverity pinpoints the exact code location and root cause of each security vulnerability. In addition, static analysis catches errors without running the code. This is valuable in operating systems, for example, where many code paths are difficult and time-consuming to exercise in the testing phase.
Among the more than 40 open source software projects benefiting from the software security analysis from Coverity and Stanford are Apache, FreeBSD, GTK, Linux, Mozilla, MySQL, PostgreSQL, and many more.
Coverity, makers of the world's most advanced and scalable source code analysis solution for pinpointing software defects and security vulnerabilities, is a privately-held company based in San Francisco. Coverity was founded in 2002 by leading Stanford University scientists whose four-year research project resulted in a breakthrough approach for addressing the costliest problem in the software industry. That research breakthrough allows developers to quickly and precisely eliminate software defects and security vulnerabilities in tens of millions of lines of new or legacy code. Today, Coverity's solution is used by more than 85 leading companies to significantly improve the quality of their software, including Juniper Networks, McAfee, Synopsys, NASA, PalmOne, Sun Microsystems and Wind River. For more information, see www.coverity.com.