
What advice do you have for others considering Coverity?


If you were talking to someone whose organization is considering Coverity, what would you say?

How would you rate it and why? Any other tips or advice?

ITCS user

Top 20, Real User

I would recommend this solution if you can afford it. If you have enough budget, it is one of the best solutions right now. There may be other cheaper solutions, but you get what you pay for. We have been using Coverity for several years. We would not have continued using it if it was not a good solution. We always have some minor questions or improvements for them, and they always give us a relatively fast response. I would rate Coverity a nine out of ten. Only its price should be improved.

Top 20, Consultant

My advice for anybody who is considering this product is to first look around your organization to see if it has already been implemented in another group. If you're a big organization then Coverity or a similar tool may already be in use. In cases like this, I would say that it is best to adopt the same tool because your organization has already gone down that path and there are no huge differences in the capabilities of these tools. Some of them do it in different ways and some do things that others don't, but you won't have the initial bump of the learning curve and you can leverage their experience. I would rate this solution a seven out of ten.

Top 5, Real User

In summary, this is a helpful product and the feedback that I have heard from the development team is good. I would rate this solution an eight out of ten.

Top 5, Leaderboard, Real User

We also purchased Black Duck Binary Analysis and the Black Duck Hub from Synopsys. My advice for anybody who is implementing this solution is to try to best capture security issues while the code is being written, rather than waiting until it is compiling. It’s easier and much more cost-effective to find vulnerabilities at the earlier, code-writing stage. The other thing to keep in mind is that you should not rely on one approach to code security. You need to make sure that binary security is also in place, which is not done using Coverity. Any company that wants to secure its environment will need multiple levels of security scanning, and only one of these is handled by Coverity. The second one, binary scanning, can be done by using Black Duck or Veracode. This continues onto other security concerns, such as network scanning. I would rate this solution a seven out of ten.

Real User

I would recommend this solution depending on the language you're using, Java and C++. I would rate it a five out of ten. Not a ten because it's not efficient for the language we use.


I would suggest that when they use the program for a new project, they should just copy the data from a mature solution to the new project, because the setup really takes a long time. We spent a lot of time setting Coverity up, because I thought of creating the project on the Coverity server and using Coverity for the sonar part properly. But it took a long time. I would give the solution a 7.5 rating out of ten. When we officially use all the data, we will accumulate more experience and then we will have different opinions.

Real User

Try it out for yourself, and decide whether it's useful for you.
