Archive for 2011

  • It’s time to create a custom checker, but what kind?

    on Nov 15, 11 • by Patti Murphy • with 1 Comment

    You’ve been using source code analysis on your integration build or your desktop, or (ideally) both. And then there’s “a situation”. The situation: either you
      • noticed a false negative you want detected, or
      • need a way to enforce a corporate coding standard, such as the requirement for the use of a compound statement block rather than single statements as the body of a loop.
    Now what? Time to create a custom checker, that’s what. But what kind of checker? Source code analysis involves two families of checkers, those that involve: Abstract Syntax Tree (AST) validation,
  • Security Issues with Apple iOS?

    on Nov 8, 11 • by Todd Landry • with No Comments

    As a pretty avid Apple user (2 iPhones, 1 iPad2, iMac, iPod Touch, MacBook Pro, etc.), and the fact that I work in the business of software quality and security, I must admit that this article caught my attention. The article outlines how a well-known security researcher, who focuses on Apple, has found a software flaw in the iPhone and iPad, which could allow hackers to build malicious apps. What makes this even more scary is that the Apple Store may not catch these malicious apps. To add another twist to this story, the researcher in
  • What’s the Right Iteration Length?

    on Nov 1, 11 • by Todd Landry • with 1 Comment

    The question of “what’s the right iteration length” may not be as interesting as any of the questions found here (gum really doesn’t stay in you for 7 years. Who knew?), but it is a common question from organizations moving to agile development. You can certainly get a lot of different opinions on this from a Google search, but since you’re reading this now, I’ll give you mine, based on personal experience. A number of years ago, one of the projects I was PM on decided to try out Scrum. I had attended some Product

  • Compiler configuration

    on Oct 25, 11 • by Alen Zukich • with No Comments

    Compiler configuration is a problem with static analysis tools.  In the past, a static analysis (or source code analysis) tool simply worked by pointing it at the source code and hitting “go”.  Now it is very different.  Without a complete understanding of the software build, including the compiler specifics, you will get inaccurate results. Under the covers, do you really know what is happening with your compiler?  Not usually.  You make changes to your code, call your compiler or build command to compile your code, and then fix the issues.  Rinse and repeat. But what

  • Klocwork Delivers Exceptional Q3 Bookings Growth

    on Oct 12, 11 • by Meranda Powers • with No Comments

    Company posts global year-over-year bookings growth of more than 60 percent. Burlington, Mass — Oct 12, 2011 — Klocwork, Inc., the global leader in automated source code analysis solutions for improving developer productivity, today announced it achieved strong bookings growth for the quarter ending September 30, 2011. The company posted a 62 percent growth in bookings compared to Q3 2010. Additionally, year-over-year bookings from the company’s network of international reseller partners grew by 69 percent. "Increasingly, software security and reliability are being adopted as ‘must deliver’ requirements by agile software development teams," said Mike Laginski,
  • Klocwork and Security Innovation Offer Software Security Assurance Learning Resources

    on Oct 5, 11 • by Meranda Powers • with 1 Comment

    No-charge eLearning courses for software developers cover key secure coding and development topics. BURLINGTON, Mass — Oct 05, 2011 — Klocwork, Inc., the global leader in automated source code analysis solutions for improving developer productivity, and Security Innovation, a leading provider of secure software development and training products and services, today announced the availability of a newly developed security eLearning course for professional software developers. This is the latest course to be released as a result of the Klocwork and Security Innovation partnership, which is focused on providing high-quality educational resources to the software development
  • Is Pure Agile Always an Option?

    on Oct 4, 11 • by Todd Landry • with 2 Comments

    Over the past few years I’ve talked to a number of customers in the embedded software and medical devices industries, and I continue to see a significant number of these organizations either moving to, or planning on moving to agile development processes. With all of the inherent challenges for agile in these organizations such as standards/regulatory compliance, hardware changes and integration, security issues, etc. I must say that I’m a little shocked that customers are moving away from their current processes towards something like agile. Add to this the fact that the Agile Manifesto specifically

  • Microsoft banned function list

    on Sep 27, 11 • by Alen Zukich • with 1 Comment

    We have blogged before about software security guidelines, but there is one we haven’t discussed. Several years ago Microsoft published the “Security Development Lifecycle (SDL) Banned Function Calls” list. These banned functions can be a good way to remove a significant number of potential code vulnerabilities from C and C++ code. They provide recommendations on better or safer functions to use, with the caveat that even these “safer” functions should be used with care. You can use the banned.h file to identify and obtain deprecation warnings or, even better, use this as part of your
  • Klocwork University consolidates learning resources into a single roster

    on Sep 7, 11 • by Patti Murphy • with No Comments

    Klocwork Developer Network presents Klocwork University, which consolidates all our online learning resources onto a single page. Klocwork University is your one stop for self-paced online learning and how-tos about:
      • Setting up and using our static analysis tools on your desktop or integration build
      • The latest trends in software security
      • Agile coding practices and how they intersect with static analysis
      • Klocwork product overviews
    At Klocwork University you’ll see helpful descriptions of:
      • In-house and partner-generated e-learning courses
      • Video how-tos
      • Webinars
    After you browse our offerings on the Klocwork University page, click your selection and access your
  • Squeezing max from the ‘try/finally’ blocks

    on Aug 23, 11 • by Mikhail Ksenzov • with 3 Comments

    I often hear that closing resources properly is way too verbose in Java, especially considering that resource-freeing methods such as ‘close()’ are often throwing some type of an exception. However, if you handle resources properly it might turn out to be less of a burden than one might think. Let’s start with the following snippet, where I use an SQL driver to retrieve the list of “codes” matching the given “id”:

      List<String> requestCodes(String dbUrl, String id) {
        List<String> result = new ArrayList<String>();
        try {
          Connection conn = DriverManager.getConnection(dbUrl);
          PreparedStatement