June 14, 2021

Coverity releases open source library to help developers fix XSS issues in Java web applications

(LiveHacking.Com) – A new, open source library has been released to help developers easily fix cross-site scripting (XSS) security defects in Java web applications. The library, which gives developers a range of  free escaping and encoding functions, has been released by Coverity, a development testing company who invented a new way to test source code to reveal critical software defects.

The idea is that the new library will enable developers with limited security expertise to quickly fix XSS security defects in Java web applications. It does this by providing a set of functions for data escaping and encoding.

“Asking developers to write their own data escaping routines is a recipe for getting it wrong,” said Andy Chou, Coverity co-founder, CTO and head of the Security Research Laboratory. “The incomplete set of escapers in some libraries encourages developers to use the wrong ones. We need to empower developers to be part of the security solution with the right technologies and actionable information to help them fix defects quickly and without slowing them down. With the Coverity Security Library, developers now have a powerful and easy-to-use library to help them plug some of the most common security holes early in the development process when they are easiest to fix.”

The company has released the Coverity Security Library to the open source community on  GitHub and Maven as a standalone repository. The important question is why do developers need another security library?  Coverity’s answer is that many existing libraries are incomplete and the one that are complete are too  complex and inefficient. The end result was that Coverity couldn’t find a freely available library that it felt comfortable recommending to users.

Coverity is also looking for contributions from the community as it expands the library in the future. It hopes to earn the trust of users and believes that making the library available under a liberal BSD-like open source license will help increase the transparency.

Although the library is open source, the advantage for Coverity is that the library can also be used in conjunction with the Coverity® Security Advisor, a commercial product within the Coverity Development Testing Platform that can further analyze security defects and assist in finding fixes.