Coverity Review

Improves security by detecting vulnerabilities in code, but it needs integration with popular development environments

What is our primary use case?

I am the administrator and I use this solution to do the calibrating and security scanning of the code in my bank. We are trying to find any vulnerabilities in our code and we are integrating the process with our DevOps.

What is most valuable?

The most valuable feature is the ability to find vulnerabilities in our code.

What needs improvement?

I would like to see integration with popular IDEs, such as Eclipse. If Coverity were available as a plugin then developers could use it to find security issues while they are coding because right now, as we are using Coverity, it is a reactive way of finding vulnerabilities. We need to find these kinds of problems during the coding phase, rather than waiting for the code to be analyzed after it is written.

For how long have I used the solution?

I have been working with Coverity for about eight months.

What do I think about the stability of the solution?

Coverity is quite stable and we haven’t had any issues or any downtime.

What do I think about the scalability of the solution?

We did not have to scale drastically on any of our applications, so it would be difficult for me to judge how scalable it is. Because of the price, we only purchased 20 licenses. We do plan on scaling the number of users and increasing our usage.

How are customer service and technical support?

The technical support is quite responsive and most of the time, we received a response really quickly. We have not had any timeline-related issues with them.

Which solution did I use previously and why did I switch?

We did not use another solution before Coverity, although in my previous company, I used Veracode.

We also use SonarQube for code analysis.

Compared to SonarQube, Coverity finds more vulnerabilities. SonarQube is stronger on core quality, such as duplicate lines of code, but the security issues are found by Coverity.

SonarQube is available as a plugin for development environments such as Eclipse, which allows us to find vulnerabilities proactively.

SonarQube was easier to deploy and I did not require assistance from the vendor for installation or configuration.

How was the initial setup?

We found that during installation and configuration, it takes pipelines for continuous integration and continuous deployment. It was a bit challenging because the necessary base integration was not easy to configure.

It took us slightly over a week to deploy, whereas, with SonarQube, we were able to complete it in less than a day. It was due to complexities in Coverity that it took us more than a week. The complexities were related to missing API features and hooks.

What about the implementation team?

I had assistance from the vendor, Synopsys, during the deployment.

What's my experience with pricing, setup cost, and licensing?

Coverity is quite expensive. Generally, for security scanning products, the pricing is very expensive. Some solutions have pricing that is based on the number of millions of lines of code, but Coverity is priced based on the number of users.

I believe that pricing based on the number of lines of code is cheaper than billing on a per-user basis. If we have 400 or 500 developers and each needs a license then it will be cheaper to have a solution where the cost depends on the size of the code.

What other advice do I have?

We also purchased Black Duck Binary Analysis and the Black Duck Hub from Synopsys.

My advice for anybody who is implementing this solution is to try to best capture security issues while the code is being written, rather than waiting until it is compiling. It’s easier and much more cost-effective to find vulnerabilities at the earlier, code-writing stage.

The other thing to keep in mind is that you should not rely on one approach to code security. You need to make sure that binary security is also in place, which is not done using Coverity. Any company that wants to secure its environment will need multiple levels of security scanning, and only one of these is handled by Coverity. The second one, binary scanning, can be done by using Black Duck or Veracode. This continues onto other security concerns, such as network scanning.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Disclosure: I am a real user, and this review is based on my own experience and opinions.