Coverity and Wind River alliance to squash bugs during development
Software security firms and assurance vendors see value in catching vulnerabilities early in the development process
By George V. Hulme | CSO | Published: 11:27, 01 February 2012
Coverity and Wind River have integrated Coverity's security development testing platform with Wind River's embedded software system to bring security into the embedded development process and squash security-related bugs as the code is being written.
In addition, Coverity will provide an edition of Coverity Static Analysis, pre-configured for Wind River Workbench, which means it'll support both Wind River Linux and Wind River's VxWorks real-time operating system.
The idea, argues Zack Samocha, senior director, product management at software development testing firm Coverity, is that catching flaws early in the development process is more cost-effective than letting them slip into production, a view that has long been held among software security and assurance vendors.
"Development firms are always under pressure to produce, and get their products to market," says Samocha. "This integration helps them to catch and fix security vulnerabilities quickly and early in the process, without slowing down development," he explained.
Software is spreading like the plague. It's infecting phones, cars, household appliances, medical gear, office equipment and even TVs. And where software spreads - such as to Supervisory Control And Data Acquisition Systems (SCADA) - internet connectivity is sure to follow.
The challenge we've seen in recent years - even in highly controlled environments - is that these systems are susceptible to attack just as traditional applications are. This creates risk and opportunity. The risk is that critical systems will be found vulnerable, perhaps when a Stuxnet-like attack strikes crucial systems in Europe or the US. And therein resides the opportunity for security and software quality and assurance firms to reach a growing new market.
Coverity Security Research Laboratory
Embedded developers are going to need all of the help they can get. VDC Research Group recently published a report showing that more than 50% of the engineers surveyed expect the products they'll be developing in two years to have web components. That's a jump of 20% from projects underway today.
"Anyone who develops embedded systems should take a lesson from what happened with software and operating system vendors in the past decade: they became targets of both bad guys and security researchers who evaluated those systems for flaws," says Pete Lindstrom, research director at Spire Security. "There's no reason to believe SCADA and other embedded systems will be any different."
With that in mind, Coverity also recently announced the formation of its Coverity Security Research Laboratory. The Coverity lab will investigate the cause of both existing and new security-related defects, Samocha says.