You’ve been using source code analysis on your integration build or your desktop, or (ideally) both. And then there’s “a situation”. The situation: either you noticed a false negative you want detected, or you need a way to enforce a corporate coding standard, such as requiring a compound statement block rather than a single statement as the body of a loop. Now what? Time to create a custom checker, that’s what. But what kind of checker? Source code analysis involves two families of checkers, those that involve: Abstract Syntax Tree (AST) validation,
Read More »

As a pretty avid Apple user (2 iPhones, 1 iPad 2, iMac, iPod Touch, MacBook Pro, etc.), and given that I work in the business of software quality and security, I must admit that this article caught my attention. The article outlines how a well-known security researcher, who focuses on Apple, has found a software flaw in the iPhone and iPad which could allow hackers to build malicious apps. What makes this even scarier is that the Apple Store may not catch these malicious apps. To add another twist to this story, the researcher in
Read More »

The question of “what’s the right iteration length” may not be as interesting as any of the questions found here (gum really doesn’t stay in you for 7 years. Who knew?), but it is a common question from organizations moving to agile development. You can certainly get a lot of different opinions on this from a Google search, but since you’re reading this now, I’ll give you mine, based on personal experience. A number of years ago, one of the projects I was PM on decided to try out Scrum. I had attended some Product
Read More »

Compiler configuration is a recurring problem for static analysis tools. In the past, a static analysis (or source code analysis) tool simply worked by pointing it at the source code and hitting “go”. Now it is very different. Without a complete understanding of the software build, including the compiler specifics (include paths, predefined macros, language dialect), you will get inaccurate results. Under the covers, do you really know what is happening with your compiler? Not usually. You make changes to your code, call your compiler or build command to compile your code, and then fix the issues. Rinse and repeat. But what
Read More »

Company posts global year-over-year bookings growth of more than 60 percent. Burlington, Mass. – Oct 12, 2011 – Klocwork, Inc., the global leader in automated source code analysis solutions for improving developer productivity, today announced it achieved strong bookings growth for the quarter ending September 30, 2011. The company posted a 62 percent growth in bookings compared to Q3 2010. Additionally, year-over-year bookings from the company’s network of international reseller partners grew by 69 percent. "Increasingly, software security and reliability are being adopted as ‘must deliver’ requirements by agile software development teams," said Mike Laginski,
Read More »

No-charge eLearning courses for software developers cover key secure coding and development topics. BURLINGTON, Mass. – Oct 05, 2011 – Klocwork, Inc., the global leader in automated source code analysis solutions for improving developer productivity, and Security Innovation, a leading provider of secure software development and training products and services, today announced the availability of a newly developed security eLearning course for professional software developers. This is the latest course to be released as a result of the Klocwork and Security Innovation partnership, which is focused on providing high-quality educational resources to the software development
Read More »

We have blogged before about software security guidelines, but there is one we haven’t discussed. Several years ago Microsoft published the “Security Development Lifecycle (SDL) Banned Function Calls” list. Removing these banned functions (unbounded string and buffer operations such as strcpy, strcat, sprintf and gets) is a good way to eliminate a significant number of potential vulnerabilities from C and C++ code. The list recommends better or safer functions to use, with the caveat that even these “safer” functions should be used with care. You can use the banned.h file to identify banned calls and obtain deprecation warnings or, even better, use this as part of your
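The pattern the banned list targets, as an added example that is not part of the original post or of banned.h: a fixed-size field written with strcpy() beside a bounded replacement that reports truncation, followed by a GCC/Clang equivalent of the banned.h deprecation trick. The record layout, the function names and the BANNED_ENFORCE macro are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A fixed-size field of the kind strcpy() is typically pointed at
 * (assumed layout for this example). */
struct record {
    char name[16];
    int  id;
};

/* The banned pattern: strcpy() has no idea how big r->name is, so any
 * source of 16 or more bytes writes past the field, into id and beyond.
 * This is the call the SDL list tells you to remove. It is kept only for
 * contrast; never call it with attacker-controlled input. */
void set_name_banned(struct record *r, const char *name)
{
    strcpy(r->name, name);
}

/* Hardened replacement: copies at most dstsz - 1 bytes, always leaves a
 * terminating NUL, and reports truncation instead of hiding it.
 * Returns 0 on success, 1 if the source was truncated, -1 on bad args.
 * The caller must treat 1 as a decision point (reject, log, or accept
 * the shortened value), not as success. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;

    size_t n = strlen(src);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);   /* n + 1 copies the NUL as well */
    return 0;
}

int set_name(struct record *r, const char *name)
{
    return bounded_copy(r->name, sizeof r->name, name);
}

/* Enforcement. MSVC's banned.h uses #pragma deprecated so that a build
 * with warnings-as-errors fails on any banned call. GCC and Clang have no
 * banned.h, but "#pragma GCC poison" turns later uses of the listed
 * identifiers into hard compile errors. It is gated behind BANNED_ENFORCE
 * (an assumed macro name) so that set_name_banned() above still compiles
 * for comparison; build with -DBANNED_ENFORCE and any strcpy() written
 * below this point fails to compile. */
#if defined(__GNUC__) && defined(BANNED_ENFORCE)
#pragma GCC poison strcpy strcat sprintf gets
#endif

/* Shared scratch record so the results can be inspected after each call. */
struct record demo_rec;

int main(void)
{
    int rc = set_name(&demo_rec, "alice");
    printf("rc=%d name=\"%s\"\n", rc, demo_rec.name);

    /* Constructed oversize input: with strcpy() this would overrun name. */
    rc = set_name(&demo_rec, "this-name-is-far-too-long-for-the-field");
    printf("rc=%d name=\"%s\" (truncated, %zu bytes kept)\n",
           rc, demo_rec.name, strlen(demo_rec.name));
    return 0;
}
```

The return value of 1 is the point of the exercise: strncpy() and friends also avoid the overflow, but they drop data silently, which is how a "safe" replacement turns a memory-corruption bug into a logic bug.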
Read More »

Klocwork Developer Network presents Klocwork University, which consolidates all our online learning resources onto a single page. Klocwork University is your one stop for self-paced online learning and how-tos about: setting up and using our static analysis tools on your desktop or integration build; the latest trends in software security; agile coding practices and how they intersect with static analysis; Klocwork product overviews. At Klocwork University you’ll see helpful descriptions of in-house and partner-generated e-learning courses, video how-tos and webinars. After you browse our offerings on the Klocwork University page, click your selection and access your
Read More »

I often hear that closing resources properly is way too verbose in Java, especially considering that resource-freeing methods such as ‘close()’ often throw some type of exception. However, if you handle resources properly it might turn out to be less of a burden than one might think. Let’s start with the following snippet, where I use an SQL driver to retrieve the list of “codes” matching the given “id”:

    List<String> requestCodes(String dbUrl, String id) {
        List<String> result = new ArrayList<String>();
        try {
            Connection conn = DriverManager.getConnection(dbUrl);
            PreparedStatement
Read More »