Coverity, the Development Testing Company, provides tools and processes for developer organizations to fix defects, improve code quality, optimize the overall development process and reduce the product time to market. More than 1,100 Coverity customers use Coverity’s development testing suite of products to automatically test source code for software defects that could lead to product crashes, unexpected behavior, security breaches, or catastrophic failure.
What an enlightening conversation it was with the CEO of Coverity, Anthony Bettencourt, a very confident CEO with crystal clear vision, a few weeks back on his visit to the India site. Here are the excerpts from the conversation.
In the 10 years since Coverity's inception in 2003, how have security threats changed, and how has Coverity evolved to help mitigate these security vulnerabilities?
Our initial focus was on C, C++ and then Java. As apps have become more complex we see more race conditions and buffer overflows, and until Coverity these defects were very difficult to find. We have seen that, as apps have become more complex, these defects are very difficult to detect, and we are continuing to evolve and tune our platform to be responsive to those kinds of problems. On the security front we started predominantly thinking about buffer overflows in C and C++, and they are still really big problems. As we moved towards Java, the security focus shifted to web apps. 75% of the security issues that hit a company can be resolved at the web application level; things like SQL injection and Cross-Site Scripting are still very difficult to detect, as they are five or six layers deep in the code and developers don't even know about it. On the security front there are constant threats coming, and more innovative bad guys are forcing us to think differently about how to solve those problems; on the quality side it is just about the application complexity. But I think we really did a good job over the last 10 years in taking what was a neat product for static analysis and building up this really important platform that looks at policy management, quality, security, test analysis and more.
Coverity stresses Development Testing, which goes beyond just Static Code Analysis. How important is it in today's scenario?
If you find the defects early in the cycle you can move mountains: you can ship your product between 25% and 50% faster. You can save about 20% of your R&D cost, as it is cheaper to fix the defects in the development phase than to fix them when they have percolated through and reached the field. What makes Coverity such a different beast around this science, thinking about this side of development testing vs. static analysis, is that we take this holistic view from the marketplace where you want to be able to put policies in place, you want to be able to think about the supply chain, you want to be able to look at open source, third-party software and more. Those policies could be around defect density, cyclomatic complexity and unit test coverage. Then you want to be able to think about cutting down quality defects, you want to use inter-procedural analysis, then you want to be able to think about the security aspect and the unit test aspect.
For unit tests, most companies want their developers to build unit tests, but the developers spend 25% of their time building unit tests that find only 30% of defects. Some companies use code coverage, but that just gives the code coverage metrics. It is good to start there, but it is just a start, because if you only test 70% of your code, then what about the remaining 30% of your code that you are not touching? There might be a block of 8% of your code which is the fastest, most evolving code and is not being unit tested. And then, if we gauge the unit tests, how effective are they? With Coverity we can, because our engine opines on the efficacy of those unit tests and helps provide the bull's-eye view of what code should be tested.
And lastly we could even look at the firing order. You may have 10k unit tests, and it may take a week to execute all of them; we could look at all of them with the science of our engine, which will tell you to run these 50 test cases in this order and you will get 80% of the yield that you are looking for.
This is our view of development testing, which is automating the development part of SDLC.
Are there any plans to come up with an in-house dynamic app security solution, so that combined IAST solutions can be offered to enterprises, in line with Coverity's tie-up with NT Objectives?
We think NT Objectives was a great partner for the dynamic part of security. We are really going to focus our efforts on building around our core platform and also we are going to make it easier for our customers to add in their own security rules.
In addition to C/C++ and Java, last year Coverity introduced support for Modern Web Apps. Is there any other language joining the list of supported technologies this year?
Today we have C/C++, Java and C#. We are looking at mobile platforms. A lot of companies are building mobile apps, and they are doing really quick versions of them. When you look at the mobile app marketplace today, we believe most of the large companies are going to mobilize about 50% of their customer-facing apps. Most of the large companies want the development to happen in-house, inside their SDLC, not in some oblique cloud where you have small companies jailbreaking phones to figure out security and BYOD.
So, mobile is coming and we have started the work for Android and iOS.
Coverity has been named in the 2013 SD Times 100 in recognition of its efforts in the field of QA and Security. What would you say about that?
We are honored! It is a nice thing. Those are the words that really focus on our tech, and they make us happy. We are called the 'geniuses behind the geniuses': whether it is DirectEdge or Adobe, these large companies build upon our software to get their products to the market faster, safer and cheaper.
Are there any plans for SaaS availability of the solution?
Today we have got a product called Scan which is free for the Open Source community. It is about 375 projects and 2000 users, and it is growing at about 22% quarter over quarter, so that's pretty rapid growth. That is our SaaS version today. We have had discussions with many companies about their desire to put their code in the cloud, and not many are ready to do that. Big companies do not want to put their IP at stake; small companies might want to, and we are trying to figure out how to reach out to them.
About the current market state of Coverity, Anthony said: Coverity has revenues of about $73 million and is growing about 30% per year. Coverity has 300+ employees, with more than one third of its workforce working on R&D. We want to keep expanding going forward. We are happy to expand in India, and we have set up an office in Beijing, China. We are looking at different geographies for revenue and business expansion. On the product side we continue to build our platform.
To sum it all up, Anthony said: As a company we are quite confident; we have got the cash assets for running the business, there is big market momentum, a world-class customer base and a big market opportunity. Nothing is easy, it is a lot of hard work, but we are happy with the progress so far.