Coverity
Coverity discovers and manages Software quality and Security vulnerability rsiks in source code mapped to OWASP, CWE and MISRA coding stansards. It's closely integrated into the developer workflow.
Features
- Test without disrupting development
- Arm developers with remediation guidance
- Gain breadth, depth, speed, and scale
- Customize analysis for corporate requirements and industry standards
- Implement a solution customized to your organization
Benefits
- Better manage security risks with open source within your code
- Understand what open source is in your code
- Better manage operational risks with open source within your code
- Better manage licensing risks with open source within your code
- Understand where Open Source code is located
- Understand what open source security/operational and licensing risks are present
Pricing
£1,846.56 a user a year
- Free trial available
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at psitq@softcat.com.
Tell them what format you need. It will help if you say what assistive technology you use.
Framework
G-Cloud 11
Service ID
3 7 8 1 1 2 5 7 4 5 7 5 1 7 9
Contact
Softcat Limited
Charles Harrison
Telephone: 01612725766
Email: psitq@softcat.com
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
- Coverity can integrate with Bug Tracking, Source Control Management, IDE's and the Build of applications
- Cloud deployment model
- Hybrid cloud
- Service constraints
- No large constraints apart from meeting the required HW, SW and connectivity requirements.
- System requirements
- Coverity has minimal system requirements.
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Synopsys has a set menu of response times for the support of it's products. https://www.synopsys.com/company/legal/software-integrity/product-license-v2016-2.html
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- None or don’t know
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- All support levels are documented here: https://www.synopsys.com/software-integrity/support/sca-support-plans.html
- Support available to third parties
- No
Onboarding and offboarding
- Getting started
- We will help new customers with an implementation plan that includes Onsite (if needed), on phone/web and also full self paced web training.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- User would generate reports of the data to extract data at the end of the contract.
- End-of-contract process
- At the end of the contract the software will remain running and installed but will not be able to be accessed as the registration key will be inactive.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Microsoft Edge
- Firefox
- Chrome
- Safari 9+
- Application to install
- Yes
- Compatible operating systems
-
- Android
- IOS
- Linux or Unix
- Windows
- Windows Phone
- Other
- Designed for use on mobile devices
- No
- Service interface
- Yes
- Description of service interface
- https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/ds-polaris.pdf
- Accessibility standards
- None or don’t know
- Description of accessibility
- It's a web based interface
- Accessibility testing
- Basic testing has been done, more details on this can be provied at a later date.
- API
- Yes
- What users can and can't do using the API
- Every function within the application is available via the RestAPI. The API is avilable on the same server as the Black Duck Hib is isntalled on.
- API documentation
- Yes
- API documentation formats
-
- Open API (also known as Swagger)
- HTML
- ODF
- API sandbox or test environment
- Yes
- Customisation available
- No
Scaling
- Independence of resources
- The service is Dockerized and therefore has scalability to support many different users at the same time. Black Duck would be happy to discuss this in more detail as we move forward.
Analytics
- Service usage metrics
- Yes
- Metrics types
- There are different level of metrics from basic, how many projects created, how much code scanned, how many vulnerabilities discovered, to more complex metrics like how many vulnerabilities and the current status of them, how many policies have been violated. The user can also create their own metrics with the reporting database.
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
Resellers
- Supplier type
- Reseller providing extra support
- Organisation whose services are being resold
- Synopsys
Staff security
- Staff security clearance
- Staff screening not performed
- Government security clearance
- None
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- Other locations
- User control over data storage and processing locations
- Yes
- Datacentre security standards
- Managed by a third party
- Penetration testing frequency
- At least once a year
- Penetration testing approach
- Another external penetration testing organisation
- Protecting data at rest
- Other
- Other data at rest protection approach
- Coverity Synopsys does not store any data, data would only be stored by the local installed software within the customers control.
- Data sanitisation process
- No
- Equipment disposal approach
- In-house destruction process
Data importing and exporting
- Data export approach
- Reports/Exports can be done in 3 differetn way. 1. Through running reports through the UI. 2. Using the reportign database to extract data through any standard reporting/BI tool that supports ODBC ro 3. through the API's
- Data export formats
-
- CSV
- Other
- Other data export formats
- PDF or through the reporting database.
- Data import formats
- CSV
Data-in-transit protection
- Data protection between buyer and supplier networks
- TLS (version 1.2 or above)
- Data protection within supplier network
- TLS (version 1.2 or above)
Availability and resilience
- Guaranteed availability
- There are different SLA's for different parts fo the product, we would be happy to supply them as needed.
- Approach to resilience
-
"The data center is hosted by a 3rd party and is certified. There is are physcial and technology resttictions on it to preevent access to the servers. These include badging, fiorewalls and many other methods. More details are available upon request.
" - Outage reporting
- Outages are reporting in email and on the public customer forum
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- Public key authentication (including by TLS client certificate)
- Other
- Other user authentication
- Managed by customer for example their own SSO/MFA/LDAP
- Access restrictions in management interfaces and support channels
- All management dashbaords and interfaces are controlled by role based access which is either manually assigned or is associetd with LDAP groups.
- Access restriction testing frequency
- At least once a year
- Management access authentication
- 2-factor authentication
Audit information for users
- Access to user activity audit information
- No audit information available
- Access to supplier activity audit information
- No audit information available
- How long system logs are stored for
- User-defined
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- No
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- No
- Security governance approach
- https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/sig-product-security-program.pdf
- Information security policies and processes
- https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/sig-product-security-program.pdf
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- All changes are requested and logged in JIRA & other bug tracking systems and approved by management before any change can be made.Part of the approval process is approval by a securoty architect.
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- Vulnerabilties are discovered using a number of 3rd party software packages, both commercail and Open Source. The vulnerabilities are then ranked and based on the level of risk and how critical they are, they are remediated within a specified time period. For example, zero day vulns are fixed same day.
- Protective monitoring type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Protective monitoring approach
- Synopsys, uses NextGen Firewall by Palo Alto Netwrorks with IDS/IPS to identify potentail compromises and respond based upon how critcal the threat is.
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- All incidents are managed through JIRA ticketign system to guive a full audit history for each incident.
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Pricing
- Price
- £1,846.56 a user a year
- Discount for educational organisations
- No
- Free trial available
- Yes
- Description of free trial
- There is a fully functional limited time offer available when engaged with Black Duck by Synopsys
- Link to free trial
- Please contact jfenton@synopsys.com
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at psitq@softcat.com.
Tell them what format you need. It will help if you say what assistive technology you use.