Category: Uncategorized

The HKMC Secure Coding Guidelines is a set of coding standards and best practices for developing secure software applications. It is developed and maintained by the Hong Kong Mortgage Corporation (HKMC) as a part of their security framework to ensure the confidentiality, integrity, and availability of their applications and data.

The guidelines cover various topics such as input validation, authentication, authorization, session management, error handling, cryptography, and secure coding practices for specific programming languages such as C, C++, Java, etc..,. The guidelines are intended to be used by software developers, architects, and quality assurance professionals to help them build secure software applications that can withstand various forms of cyber-attacks.

The benefits of using the HKMC Secure Coding Guidelines include:

• Improved security: The guidelines provide developers with best practices and standards for building secure applications that can help prevent security vulnerabilities such as buffer overflows, SQL injection, cross-site scripting, and other types of attacks.

• Compliance: Adherence to the HKMC Secure Coding Guidelines can help ensure that software applications meet regulatory and industry security requirements and standards, such as ISO 27001 and OWASP.

• Reduced risk: By using the guidelines to develop secure software, organizations can reduce the risk of data breaches, loss of confidential information, and reputational damage caused by security incidents.

• Cost savings: Building secure applications from the ground up can be more cost-effective than fixing security vulnerabilities after the fact, which can be much more expensive and time-consuming.

• Increased stakeholder trust: Adherence to the guidelines can help build stakeholder trust, as it demonstrates a commitment to security and protecting sensitive information.

• Improved collaboration: By providing a common set of guidelines and best practices, the HKMC Secure Coding Guidelines can improve collaboration between developers, security professionals, and other stakeholders involved in the software development process.

The HKMC Secure Coding Guidelines can help organizations build secure software applications that are resilient to cyber attacks, compliant with regulatory and industry standards, and cost-effective to develop and maintain.

How to verify HKMC Secure Coding Guidelines

The HKMC Secure Coding Guidelines can be verified through a number of methods, including:

• Code reviews: Conducting a code review can help identify any areas of the software application that may not adhere to the guidelines. This can be done manually or using automated tools.

• Penetration testing: Conducting penetration testing can help identify any security vulnerabilities in the application that may not have been identified during the development process.

• Compliance audits: Conducting compliance audits can help ensure that the software application meets regulatory and industry security requirements and standards, such as ISO 27001 and OWASP.

• Training and awareness programs: Providing training and awareness programs to developers and other stakeholders can help ensure that they understand the guidelines and are able to follow them effectively.

• Self-assessment tools: The HKMC Secure Coding Guidelines may also include self-assessment tools that can be used to assess the compliance of the software application against the guidelines.

It is important to note that verifying adherence to the guidelines is an ongoing process that should be integrated into the software development lifecycle. This can help ensure that the software application remains secure and compliant with changing security threats and regulations.

How to verify HKMC Secure Coding Guidelines with Klocwork – Static Code Analysis Tool

Klocwork is a static code analysis tool that can be used to verify compliance with the HKMC Secure Coding Guidelines. Here are the general steps you can follow:

• Install Klocwork: First, you will need to install Klocwork and configure it to work with your software development environment.

• Compile your source code: Next, you will need to compile your software application’s source code with Klocwork.

• Configure the HKMC Secure Coding Guidelines: Klocwork includes built-in rulesets that can be used to check compliance with the HKMC Secure Coding Guidelines. You will need to configure Klocwork to use these rulesets.

• Run the analysis: Once Klocwork is set up and configured, you can run the analysis on your software application’s source code.

• Review the results: Klocwork will generate a report that lists any violations of the HKMC Secure Coding Guidelines. You should review these results and work with your development team to address any identified issues.

• Verify fixes: After fixing any issues, you can run the analysis again to verify that the issues have been addressed and that the application now complies with the HKMC Secure Coding Guidelines.

It’s worth noting that Klocwork is just one tool that can be used to verify compliance with the HKMC Secure Coding Guidelines. Other static code analysis tools, such as Veracode and SonarQube, can also be used for this purpose. Additionally, manual code reviews and other forms of testing should be used in conjunction with automated tools to ensure comprehensive verification of compliance.

Klocwork is a well-known and widely used static code analysis tool that can help identify potential security vulnerabilities and other code quality issues in software applications. It includes built-in rulesets, such as the HKMC Secure Coding Guidelines, that can be used to check compliance with specific coding standards and best practices.

Klocwork uses a combination of data flow analysis, control flow analysis, and semantic analysis to identify potential issues in the source code. It can analyze a wide range of programming languages and can be customized to support specific coding standards or requirements. Overall, Klocwork is a powerful tool for identifying code quality issues and potential security vulnerabilities in software applications. Get your free trail copy of Klocwork from here.

A memory leak is any part of an application that consumes memory without eventually releasing it. A condition caused by a program that fails to release the extra memory it allocates.

In programming languages like C/C++, the programmer can dynamically allocate additional memory to hold data and variables that are needed now but will not be used later in the program. The programmer must remember to deallocate those memory areas when they are no longer required. When you failed to deallocate the memory which you have allocated dynamically leads to MEMORY LEAKAGE.

Significance of Memory Leak

An application that consumes more memory without releasing any will eventually deplete the server’s memory pool. When an application repeatedly fails to return allocated memory that it has obtained for temporary use, it causes a gradual loss of available memory. As a result, the application’s available memory is depleted, and the application can no longer function.

So, memory leaks are a serious problem for applications that run continuously (servers), because even a small memory leak can cause the application to crash. Failed to deallocate the memory which is no longer needed can exhaust the amount of available memory, which in turn reduces the performance of the application as well as system.

How To Avoid Memory Leak :

• Every malloc or calloc should have the following free function:

>> It’s a good idea to include a free function after each malloc (or calloc) function. Assume you need to create an array of characters in an application to store some dynamic data. Because we know that to create a dynamic array in C programming, we use the memory management function (malloc or calloc).

>> It is a good practise to write the free function immediately after the malloc or calloc. It avoids the situation in which the developer forgets to write the free function. Using free() function, we can deallocate the allocated memory.

                                SYNTAX ::

                              void free(void *ptr);

   Frees the allocated memory which has been created by malloc(), calloc() or realloc() functions.

   Freeing an already freed block or any other block, would lead to UNDEFINED BEHAVIOUR

   Freeing NULL pointer has no effect.

Vulnerable code example ::

/* Function with memory leak */

#include <stdlib.h>

void func()

{

int *ptr = (int *) malloc(sizeof(int));

ptr = NULL; /* Assigned NULL address to ptr */

free(ptr); /* Freeing the NULL ptr, but WE ARE NOT FREEING THE ALLOCATED MEMORY  leads to memory leak */

                return;

}

If free is not called after dynamic memory allocation when memory is no longer needed, will lead to memory leakage. In this case Klocwork reports a Memory Leak vulnerability as below,

Memory leak. Dynamic memory stored in ‘ptr’ allocated through function ‘malloc’ at line 5 is lost at line 6

  * sample.c:5: Dynamic memory stored in ‘ptr’ is allocated by calling function ‘malloc’.

  * sample.c:6: Dynamic memory stored in ‘ptr’ is lost.

These kind of issues at complex code also can be detected by Klocwork at the time of development itself which will help developer to write a better code.

Fixed code example

/* Function without memory leak */

#include <stdlib.h>

void func()

{

int *ptr = (int *) malloc(sizeof(int));

free(ptr); /* Freeing the ptr */

ptr = NULL; /* Assign the NULL to ptr */

return;

}

About Klocwork

Klocwork is an ISO, IEC certified static source code analysis tool from Perforce and widely adopted by more than 2,200 customers worldwide, allows developers to identify code defects, at developer’s desktop, while they are coding.

Klocwork static application security testing (SAST) for C, C++, Java and C# can identify software security, quality, and reliability issues and it can help organisations to enforce compliance with industry standards.

Klocwork can perform Dataflow Analysis, Syntax Analysis and Symbolic Logic Analysis to analyse the source code for vulnerabilities. Register here for Klocwork Trail, or send a mail to siva@meteonic.com

Static code analysis (SCA) or Source code analysis is the process of analyzing the source code without executing it. Static Analysis Tools can detect possible vulnerabilities in the source code.

Apart from detecting vulnerabilities in the source code, SCA includes work with project architecture.

Static Code Analysis,

• Can review source code methodically
• Can follow Coding standards and RCA learning
• Can find most common defects at desktop before you even run code
• Help to Understand complex code
• 100% Code coverage
• Manual Code review effectiveness shoots up
• Reverse Engineering code becomes easy
• You can focus on functionality in code review

How to select a Static Code Analysis Tool

What kind of coding defects can be captured by Static Code Analysis Tool?

Being an advanced Static Code Analysis tool Klocwork can detect and help developer to fix coding vulnerabilities that includes,

• Attempt to use Memory after Free
• Banned recommended APIs
• Banned required APIs
• Buffer overflow
• C/C++ Warnings
• COM defects
• Calculated values never used
• Concurrency
• DNS spoofing
• Hard-coded credentials
• Ignored return values
• Improper memory deallocation
• Inappropriate iterator usage
• Invalid Arithmetic Operations
• Localized string
• Lowest possible privilege
• Memory leaks
• Mismatched return types
• Null pointer dereference
• Parse warning defects
• Pipe hijacking
• Porting issues
• Possible DLL hijacks
• Print functions format
• Registry manipulation
• Resource handling issues
• Scan functions format
• Speculative execution issues
• Strong type checkers
• Suspicious code practices
• Unnecessary or missing includes
• Unreachable code
• Unused local variables
• Unvalidated user input
• Use of uninitialized data
• Weak encryption

Klocwork – Static Code Analyser

Klocwork is an ISO, IEC certified static source code analysis tool from Perforce and widely adopted by more than 2,200 customers worldwide, allows developers to identify code defects, at developer’s desktop, while they are coding.

Klocwork static application security testing (SAST) for C, C++, Java and C# can identify software security, quality, and reliability issues and it can help organisations to enforce compliance with industry standards.

Klocwork can perform Dataflow Analysis, Syntax Analysis and Symbolic Logic Analysis to analyse the source code for vulnerabilities. Register here for Klocwork Trail, https://meteonic.com/contact-us or send a mail to support@meteonic.com

“Meteonic Innovation” takes care of end to end process automation and software tools consultation. Meteonic provides automation & Integrations solutions to simplify complex software development process across SDLC, help develop quality & secure code and all of that with reduced cycle times especially for Telecom, Automotive, Defence & Aerospace, Healthcare companies. Below are some of our offerings,

1. Klocwork – SAST for C, C++, C#, and Java
   • Klocwork is an advanced Static code analyser to find out the critical vulnerabilities like Memory leak, Array overflow, Concurrency violation, Security and Reliability vulnerabilities in the source code.
   • Klocwork can be used to verify industry standard compliance like MISRA, Autosar, CERT, CWE, OWASP, DISA-STIG, etc..,

2. Understand – Source code visualisation and analysis
   • Understand from SciTools is a static analysis tool for maintaining, measuring and visualizing code bases in the form of Dependency graphs, Butterfly Diagram, State Diagram Etc..,
   • Understand can help you in visualising the entire project and find out the actual code flow.

3. Squish – The GUI Test Automation Tool for all kinds of cross-platform desktop, mobile, embedded and web applications.
   • Squish is the tool of choice for several thousand companies worldwide to automate the functional regression tests and system tests of their graphical user interface (GUIs) and human machine interfaces (HMIs). The Squish GUI testing tool, a 100% cross-platform tool, features.
   • Squish can work on all desktop, mobile, web and embedded platforms with Test script recording feature includes Powerful and reliable object identification and verifications.

4. Neuralegion – AI-powered Application Security Testing
   • NeuraLegion is a high-tech company based in Tel-Aviv, Israel. We help companies secure web applications with AI powered application security testing that quickly uncovers security and business logic flaws in application.
   • With our innovative state of the art AIAST technology, even complex vulnerabilities are detected in modern applications that no other solution is able to find.

5. WhiteSource – Open source security and license compliance management platform.
   • WhiteSource can help You Secure Your Open Source Components. WhiteSource is the only all-­in-one security, compliance, and reporting solution for managing open source components, and the only one that operates in real-­time, by automatically and continuously scanning dozens of open source repositories, and cross-­referencing this data directly against the open source components in your build.
   • WhiteSource helps you find optimal components, automatically alerts you about known security vulnerabilities, bugs, new versions, patches, and fixes in the components you’re using. It automates the creation and enforcement of your company’s licensing policies, and centralizes inter-­departmental communications and approval processes. It keeps detailed inventories and due diligence reports.

6. Kiuwan – Kiuwan is a software as a service (SaaS) static program analysis multi-technology software for software analytics, quality and security measurement and management.
   • As a multi-technology tool, Kiuwan supports many programming languages, such as: ABAP, C, C++, C#, Objective-C, COBOL, Java, JavaServer Pages (JSP), JavaScript, JCL, PHP, PL/SQL, Transact-SQL, SQL, Visual Basic, Visual Basic .NET, RPG, SQL*Forms, Android or Hibernate.
   • Kiuwan Automatically scans your code to identify and remediate vulnerabilities. Compliant with the most stringent security standards, such as OWASP and CWE, Kiuwan Code Security covers all important languages and integrates with leading DevOps tools.

7. Tiobe – Measure Your Software Code Quality. TIOBE checks more than 1056 million lines of software code for its customers world-wide, real-time, each day.
   1. Based on the ISO 25010 standard about software quality
   2. Measuring 350 standardized aspects automatically
   3. Result is a score between 100 (level A) and 0 (level F)
   4. Methodology is called TIOBE Quality Indicator

• 8. Incredibuild – Shorten development cycle time by 90% or more
  1. “IncrediBuild” that can dramatically accelerate the performance of a full range of compilation tasks and development tools, shortening development time and speeding product delivery.
  2. IncrediBuild works by providing every workstation the ability to use idle CPU’s of other machines available across your local network or in the public cloud as though they reside on your local workstation, effectively transforming every workstation to become a super computer with hundreds of cores and gigs of memory.

• 9. Squish COCO – Coco is a multi-language code coverage tool. Automatic source code instrumentation is used to measure test coverage of statements, branches and conditions.
  • No changes to the application are necessary.
  • Executing a test suite against an instrumented application produces data that can later be analyzed.
  • This analysis can be used to understand how much of the source code has been hit by tests, which additional tests need to be written, how the test coverage changed over time and more.

You can go ahead and have a check on our Tools offering from the following link: http://meteonic.com/solution.html

Register here for Demo or trial license, https://www.meteonic.com/contact-us or send a mail to support@meteonic.com