Handling Software Security Risks

Hackers are tireless, innovative and motivated. They are an unfortunate reality of today's software and applications industry, from automotive to medical to consumer products and beyond.

The potential for their efforts to result in real risks and failures is well documented. If your software fails, people are going to hear about it. It will cost your company time, money, reputation and more. And it goes without saying that you would not want to be the individual or team responsible for any of that. Klocwork can help you mitigate those risks cost-effectively.

Software Security Vulnerability attacks

Software Security Risks are Well Documented:

  • The Patriot missile specification called for aircraft speeds, and the system was designed to work continuously for 14 hours
  • In the Gulf War it was used continuously for 100 hours against missiles with speeds of up to Mach 6
  • An Iraqi missile escaped the system because of its low precision, resulting in 28 deaths and 90 wounded
  • On June 3, 1980, NORAD reported that the US was under missile attack. This happened because an incorrect signal was generated; it could have triggered nuclear war between the US and the USSR
  • Several cancer patients died from radiation overdoses caused by a race condition between concurrent tasks in the Therac-25 software

An advanced, powerful static code analysis tool can detect real security vulnerabilities at development time.

Software Defects can be Dangerous

Possible World War 3: In 1980, NORAD reported that the US was under missile attack. The problem was caused by a faulty circuit, a possibility the reporting software had not taken into account. In 1983, a Soviet satellite reported incoming US missiles, but the officer in charge followed his gut feeling that it was a false alarm and decided to do nothing.

Medical Devices: The Therac-25 medical radiation therapy device was involved in several cases in 1985-87 where massive overdoses of radiation were administered to patients because of a software defect. Many patients died from the overdoses.

“How do we improve code quality and code security? The easiest answer is static code analysis.”

What is Static Code Analysis?

Static code analysis is a method of debugging by examining source code before a program is run. It’s done by analyzing a set of code against a set (or multiple sets) of coding rules.

Why Static Code Analysis?

  • Reviews source code methodically and finds real defects in the code
  • Enforces coding standards and captures lessons from root cause analysis (RCA)
  • Finds the most common defects at the developer's desktop
  • 100% code coverage
  • Makes manual code review more effective

Klocwork is an advanced static code analysis tool that can detect almost all the real coding vulnerabilities in the code.

Klocwork Introduction

Klocwork – Kilo lines Of Code Work

  • Klocwork is a static code analysis tool used to identify security, safety and reliability issues in C, C++, Java and C# code. The product includes numerous desktop plug-ins for developers, plus metrics and reporting.
  • Static code analysis on-the-fly, to identify issues at the earliest possible point
  • Continuous integration to maximize scalability and performance for multiple concurrent analyses
  • Application security to prevent malicious attacks
  • Validation against industry standards (MISRA, AUTOSAR, CERT, etc.) and internal coding guidelines
  • Reporting and metrics to understand and prioritize issues across the entire team
  • Code review to get teams working faster towards delivering the best code possible

Klocwork – Advanced 3rd Generation Static code analyser

It starts at the developer’s desktop. It’s here where code is written, tested, reviewed, and written again. Finding problems here, at the earliest possible point before the build, means less testing later on and fewer downstream impacts to cost and schedule.

Klocwork has direct plug-ins available for Visual Studio, Eclipse, Wind River, IntelliJ IDEA and Eclipse-based IDEs*. Klocwork also has its own IDE/GUI that helps developers find and fix possible vulnerabilities at the time the code is written.

Evaluation of Static Code Analysis – Klocwork can be used as a static code analysis tool of any generation.

Advantages of Klocwork at the desktop:

  • Improves coding practices
    • Alerts the developer immediately when they introduce a defect
    • Provides the entire path from “source to sink” showing how the issue occurs
    • Provides help on how to remedy it
    • Provides links to the specific coding standards that may be violated
    • Allows you to edit and customize that advice with simple HTML editing
    • The key is that we not only help the developer; telling them immediately makes it an excellent “teachable moment.”
  • Finally, since the developer makes the fix immediately, your code base is never impacted.
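
The “source to sink” path and fix advice described above, as an added illustration that is not Klocwork's code: a toy, line-level taint checker in Python that flags a constructed C snippet where untrusted data (a source such as getenv) reaches an unbounded copy (a sink such as strcpy), reports each line on the path, and shows advice; the rule tables, regexes and sample C code are all constructed here.

```python
"""Added example (not Klocwork's code): a toy line-level taint checker that
illustrates the source-to-sink reporting described on this page."""
import re

# Rules: functions that yield untrusted data, and sinks that must not receive it unbounded.
SOURCES = {"getenv", "gets", "fgets", "scanf", "argv"}
SINKS = {"strcpy": 'copy with a bound: snprintf(buf, sizeof buf, "%s", src)',
         "system": "never hand untrusted data to a shell; use execve with a fixed argv"}
ASSIGN = re.compile(r"(\w+)\s*=\s*(\w+)\s*[\(\[;]")  # var = func(...), var = argv[...], var = other;
CALL = re.compile(r"(\w+)\s*\(([^)]*)\)")

def analyze(c_source):
    """Return findings as (sink_line, sink_name, [path line numbers], advice)."""
    tainted, findings = {}, []  # tainted: variable -> lines on the path from its source
    for lineno, line in enumerate(c_source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            var, rhs = m.groups()
            if rhs in SOURCES:                  # source: data enters from outside
                tainted[var] = [lineno]
            elif rhs in tainted:                # propagation: copy of a tainted value
                tainted[var] = tainted[rhs] + [lineno]
            else:                               # overwritten with clean data
                tainted.pop(var, None)
        for func, args in CALL.findall(line):
            if func in SINKS:
                for arg in re.findall(r"\w+", args):
                    if arg in tainted:          # sink reached by tainted data
                        findings.append((lineno, func, tainted[arg] + [lineno], SINKS[func]))
    return findings

def report(c_source):
    """Render findings the way an IDE plug-in would: sink line, full path, fix advice."""
    src, out = c_source.splitlines(), []
    for sink_line, func, path, advice in analyze(c_source):
        out.append(f"line {sink_line}: untrusted data reaches {func}()")
        out += [f"  {n}: {src[n - 1].strip()}" for n in path] + [f"  fix: {advice}"]
    return "\n".join(out)

# Constructed sample: the 'before' snippet and the developer's immediate fix.
VULNERABLE_C = """#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    char *home = getenv("HOME");
    char *dir = home;
    strcpy(buf, dir);
    return 0;
}"""
FIXED_C = VULNERABLE_C.replace("strcpy(buf, dir);", 'snprintf(buf, sizeof buf, "%s", dir);')
```

Running `print(report(VULNERABLE_C))` lists the path through lines 5, 6 and 7 with the advice; `analyze(FIXED_C)` returns no findings once the copy is bounded.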
What not to do in this modern world

These days, we are used to having a spell-checker that works away in the background as we write within our document editors. It would now seem rather alien and inefficient to return to spell-checking a document on a button press, only once we had finished writing it. The same applies to writing code and SCA.

This technology is only possible with the Klocwork static code analysis tool, thanks to Klocwork’s ability to perform partial, incremental, connected builds.

Klocwork static application security testing (SAST) for C, C++, Java and C# can identify software security, quality and reliability issues, and it can help organisations enforce compliance with industry standards. Klocwork performs dataflow analysis, syntax analysis and symbolic logic analysis to examine the source code for vulnerabilities. Register for a Klocwork trial at https://meteonic.com/contact-us or send a mail to support@meteonic.com


Static Code Analysis in an Agile World

To keep pace with ever-increasing customer demands on software functionality and time-to-market expectations, software developers have had to evolve the way they develop code to be both faster and of higher quality. As part of this trend, the Waterfall method of software development began to give way in the late 1990s to a more lightweight method: Agile.

And as the use of Agile has continued to grow in the last decade, it continues to mature as well. Software organizations are constantly looking for ways to improve their Agile environments and minimizing software bugs is one area of focus. This paper will demonstrate that several of the core principles of Agile cannot be fully realized without implementing a repeatable process for ensuring code that is as bug-free as possible.

The approach recommended in this paper is the use of automated static code analysis (SCA) technology to locate and describe areas of weakness in software source code, such as security vulnerabilities, logic errors, implementation defects, concurrency violations, rare boundary conditions, or any number of other types of problem-causing code.

Agile development — A brief history

Simply put, Agile software development is an approach that provides flexibility to accommodate continuous change throughout the software development cycle. It stresses rapid delivery of working software, empowerment of developers, and emphasizes collaboration between developers and the rest of the team, including business people.

Agile contrasts with the still-popular Waterfall development approach, which is front-end loaded with comprehensive scope and requirements definitions, and which employs clear, consecutive hand-offs from requirements definition to design to coding and then to quality assurance. In contrast, Agile incorporates a continuous stream of requirements gathering that flows throughout the development process. Business people are involved throughout the release cycle, ensuring that the software being developed meets the true needs of both the end-user and the business. Change to the requirements and to the overall feature set is expected to occur as outside opportunities or threats arise.

In short, Agile fully embraces change and Agile teams are structured in such a way that they can receive and act on constant feedback provided by the build process, by other developers, from QA, and from business stakeholders.

Agile is based upon a number of guiding principles that all Agile teams follow. For the purposes of this discussion, four principles — or values — are of particular interest:

  • Quality software development
  • Iterative flexibility
  • Continuous improvement
  • Collaboration and communication

Quality software development

The primary focus of Agile development is to enable the development of quality software that satisfies a customer need — i.e. provides a functioning feature or capability — within a specific period of time (typically no more than a few weeks) called an “iteration” or, in Scrum, a “sprint”.

Iterative flexibility

With a focus on speed and nimbleness, Agile is open to changes that inevitably arise throughout the development cycle. The iterative process is flexible, based on an understanding that original requirements may (or will likely) need to change due to customer demand, market conditions, or other reasons. Because business users are involved throughout the process, and because each iteration is short, new requirements can be introduced and prioritized very quickly.

Continuous improvement

An Agile environment provides developers with an opportunity to learn new skills and to exercise greater autonomy to do their jobs. The iterative framework is empowering because it enables continuous improvement, with testing/quality assurance occurring as part of the iterative process, rather than only periodically or at the end of a long process when it is often difficult or not cost effective to fix coding defects or to incorporate lessons learned along the way. Agile also makes the testing and QA process transparent to the developers who originate the code, further contributing to their learning and facilitating future improvements and coding efficiencies.

Collaboration and communication

Communication and collaboration are critical in software development in general, but in an Agile development environment they are paramount. In fact, the Agile Manifesto (widely recognized as the de facto definition of Agile) emphasizes individuals and interactions as a key concept. Ultimately, it is open communication and collaboration that create efficiencies in the development process. Having access to the right individuals, data, and feedback when needed allows the team to deliver working software in short iterations, as the Agile process demands.

Klocwork for Agile development

Powered by a comprehensive static analysis engine, Klocwork helps developers increase their agility and development velocity. The key principles of Agile development are supported in the following ways:

  • On-the-fly desktop analysis
  • Klocwork Plugins for IDE
  • Software metrics and reporting
  • Integration with CI/CD

On-the-fly desktop analysis

Klocwork desktop analysis is like spell-check for developers, giving instant, accurate, and continuous feedback on security vulnerabilities and critical defects being introduced into code as it is being written. Highlighting critical coding issues within the developer’s IDE the instant they are created makes fixing defects part of the natural development workflow and ensures the most secure and reliable code is created before check-in. This approach reduces both the number of problems reported downstream in the dev cycle and the time developers need to spend going back and fixing those issues. This boost in productivity is important in an Agile environment.

Klocwork Desktop – Sample report

On-the-fly desktop analysis allows developers to find and fix critical coding issues before code check-in from within their IDEs. This reduces the time developers have to spend going back and fixing issues not detected until late in the dev process.

Klocwork Plugins for IDE

Klocwork offers a variety of C/C++, C# and Java desktop solutions to help you detect and fix issues as early as possible in the development cycle. You have several options that you can use to run your analysis:

If you use one of our supported IDEs, you can run analysis directly from within your IDE. Currently, Klocwork Desktop plug-ins are available for Visual Studio, Eclipse and IntelliJ IDEA across multiple languages.

Klocwork integration with Visual Studio

If you prefer to work on the command line, kwcheck is a desktop analysis tool for C/C++ and Java developers who use IDEs and text editors that Klocwork does not support with an IDE plug-in.

Software metrics and reporting

Klocwork provides a robust suite of more than 100 objective and actionable product metrics, which are derived directly from your software code (Figure 4). With drag-and-drop reporting capabilities, development team managers can quickly and easily answer key questions about their organization’s software development process. For example, a key question for Agile is whether bugs are being found and fixed at the developer desktop, or whether they are leaking into the integration build. Klocwork automatically aggregates information about what is being found and fixed at the desktop even though it is never propagated into the source stream. This unique capability allows teams to better understand the bug reduction activity that is happening before code check-in, generating a bottom-up view of how well defect containment is working.

Klocwork sample report – Metric report

This — combined with custom ownership models that allow metrics to be organized by people, groups, geography, components, and any other attribute that works for your organization — allows teams early in an iteration to identify the areas of greatest risk within their code base.

Klocwork Integration with CI/CD

Klocwork’s Continuous Integration (CI) capability enables your organization to identify and communicate errors faster, without waiting for nightly builds. By identifying and communicating issues faster, developers can fix problematic code earlier.

Klocwork with Jenkins integration

As developers update and commit code, the CI build system picks up the changes and performs many small, incremental builds throughout the day. Instead of waiting for nightly builds, Klocwork CI analyzes the new code and notifies developers of problems right away.

CONCLUSION

The ubiquitous nature of software today, coupled with the pressure to rapidly develop market-ready features and products in just weeks, has led to two related phenomena:

  • The widespread adoption of Agile software development principles
  • The adoption by Agile teams of various tools designed to help streamline and de-risk development projects

SCA may be right for your Agile team, particularly if you find your process being impacted by quality issues or security vulnerabilities, non-Agile-friendly processes, and hard-to-maintain code. Implementing source code analysis within your Agile environment does not have to be disruptive. You can start small and analyze only a small project or a portion of a project. Compare the results against a similar project where these tools were not used. You will undoubtedly find opportunities to save significant time and money by using SCA in your Agile development process.