Homeland Security funds an audit project
[Posted January 11, 2006 by corbet]
From: Craig Oda <coda-AT-pageonepr.com>
To: lwn-AT-lwn.net
Subject: US Dept of Homeland Security To Improve Linux/OSS security
Date: Tue, 10 Jan 2006 17:49:45 -0800
Coverity Selected In Department of Homeland Security Software Initiative
Coverity joins Stanford University in multi-year DHS grant to fund
daily security audits of more than 40 leading open source software
projects
SAN FRANCISCO, January 11, 2006 – Coverity, Inc., makers of the
world's most advanced and scalable source code analysis solution,
today announced its flagship product, Coverity Prevent, has been
chosen to conduct daily security audits of leading open source
software projects under a new federal Homeland Security Advanced
Research Project Agency grant designed to help secure cyberspace. The
audit results will be published daily on the Web and are intended to
help the development community, industry and government both identify
and correct security vulnerabilities in some of the most important
and widely-used software in the world.
The three-year grant, called the “Vulnerability Discovery and
Remediation Open Source Hardening Project,” is part of a broad federal initiative
by the Department of Homeland Security’s Science and Technology
Directorate (DHS S&T) to foster the development and deployment of
technologies to protect the nation’s telecommunications
infrastructure, including the Internet and other critical networks
that depend on computer systems for their mission.
“The DHS grant is the latest proof of the tremendous traction we are
seeing in the market with Coverity Prevent™,” said
David Park, VP of marketing & business development at Coverity. “In
less than two years we have successfully demonstrated the value of
our solution by gaining more than 100 customers. What better
validation of our technology than to be selected by the federal
government for such a critical security initiative? The government
has extremely high security standards and we are glad that Coverity
meets their requirements.”
Coverity Prevent finds more than 20 different types of security
vulnerabilities at the source code level. Its static analysis methods
provide 100% path coverage and uncover very hard-to-find bugs
in complex code. It can discover so-called “true vulnerabilities” as
well as enforce secure coding practices. True vulnerabilities are
errors accidentally or intentionally introduced into the software as
developers write code, including buffer overflows, file-based race
conditions, size and bounds checking errors, and more. Coverity also
offers a library of secure coding best practices to help guide
developers to produce more secure code.
A 2002 study by the Mitre Corporation for the National Institute of
Standards and Technology identified more than 230 open source
software packages already in use for critical operations within the
federal government.
Professor Dawson Engler of the Computer Science Department at
Stanford University, the original author of the technology behind
Coverity Prevent, is the lead investigator on the grant.
“We’re pleased to have the technology built at Stanford and Coverity
recognized by the Department of Homeland Security,” Engler said. “We
are happy to help improve the security of technologies that run the
government’s global IT infrastructure.”
Under the terms of the grant, Coverity and Stanford will build and
maintain a system that automatically analyzes more than 40 open
source software projects as a nightly regression and publishes
defects it finds in a publicly-available bug database.
Coverity’s technology uses static source code analysis to find
various types of hidden security errors. Often such errors compromise
system security for certain input values but may not crash the
software. Coverity pinpoints the exact code location and root cause
of each security vulnerability. In addition, static analysis catches
errors without running the code. This feature helps to find errors in
operating systems, for example, where many code paths are
difficult and time-consuming to exercise in the testing phase.
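An illustration of the kind of defect the paragraph above describes, a size and bounds checking error that only misbehaves for one input length and never crashes on ordinary data. This is an added example written for this page, not Coverity's code or output; the record format, the NAME_MAX_LEN constant and the canary probe are constructed here to show the defect without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX_LEN 16

/* Constructed record format for this example: byte 0 is the name length,
 * followed by that many name bytes. `name` must hold NAME_MAX_LEN bytes. */
typedef int (*name_parser_t)(const uint8_t *rec, size_t rec_len, char *name);

/* Defective version. The length check admits len == NAME_MAX_LEN, but the NUL
 * terminator then lands at name[NAME_MAX_LEN], one byte past the buffer.
 * Every shorter name works and nothing crashes, so ordinary testing rarely
 * reaches the one path that a path-sensitive static analyzer would report. */
int parse_name_defective(const uint8_t *rec, size_t rec_len, char *name) {
    if (rec_len < 1) return -1;
    size_t len = rec[0];
    if (len > rec_len - 1) return -1;      /* length exceeds the record */
    if (len > NAME_MAX_LEN) return -1;     /* off by one: len == 16 slips through */
    memcpy(name, rec + 1, len);
    name[len] = '\0';                      /* writes name[16] when len == 16 */
    return 0;
}

/* Corrected version: the bound reserves one byte for the terminator. */
int parse_name_fixed(const uint8_t *rec, size_t rec_len, char *name) {
    if (rec_len < 1) return -1;
    size_t len = rec[0];
    if (len > rec_len - 1) return -1;
    if (len >= NAME_MAX_LEN) return -1;    /* leaves room for the NUL */
    memcpy(name, rec + 1, len);
    name[len] = '\0';
    return 0;
}

/* Probe (constructed): parse a maximal 16-byte name into a buffer that has one
 * spare canary byte after the NAME_MAX_LEN real slots, so the out-of-bounds
 * write stays inside allocated memory and can be observed safely.
 * Returns 1 if the parser overwrote the canary, 0 if it left it intact. */
int overwrites_canary(name_parser_t parser) {
    uint8_t rec[1 + NAME_MAX_LEN];
    rec[0] = NAME_MAX_LEN;
    memset(rec + 1, 'A', NAME_MAX_LEN);
    char buf[NAME_MAX_LEN + 1];
    buf[NAME_MAX_LEN] = 'X';               /* canary just past the real buffer */
    parser(rec, sizeof rec, buf);
    return buf[NAME_MAX_LEN] != 'X';
}
```

Names of 15 bytes or fewer parse identically with both versions, which is exactly why a runtime test suite tends to miss the defect while a static checker that enumerates the len == 16 path does not.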
Among the more than 40 open source software projects benefiting from
the software security analysis from Coverity and Stanford are Apache,
FreeBSD, GTK, Linux, Mozilla, MySQL, PostgreSQL, and many more.
About Coverity
Coverity (www.coverity.com), makers of the world's most advanced and
scalable source code analysis solution for pinpointing software
defects and security vulnerabilities, is a privately-held company
based in San Francisco. Coverity was founded in 2002 by leading
Stanford University scientists whose four-year research project
resulted in a breakthrough approach for addressing the costliest
problem in the software industry. That research breakthrough allows
developers to quickly and precisely eliminate software defects and
security vulnerabilities in tens of millions of lines of new or
legacy code. Today, Coverity's solution is used by more than 85
leading companies to significantly improve the quality of their
software, including Juniper Networks, McAfee, Synopsys, NASA,
PalmOne, Sun Microsystems and Wind River.
Coverity is a registered trademark, and Coverity Extend and Coverity
Prevent are trademarks of Coverity, Inc. All other company and
product names are the property of their respective owners.