One of the common challenges we hear from customers regarding their software security assurance programs is developer education. Sure, there are many great tools out there that can help with security, but when it comes down to it, if you’re going to truly build a culture of secure software (and not just audit your system now and then), your development team needs to be well versed in key security concepts, defensive coding principles, and common attack vectors, not to mention the ins and outs of specific coding vulnerabilities like buffer overflows. Well, we agree. That’s why

If you’re an organization that cares about security and the repercussions that come with it, then you probably already know all about Common Weakness Enumeration (CWE). CWE is a community project sponsored by the MITRE Corporation. As a software vendor providing security vulnerability detection, it’s important to be part of the CWE Compatibility Program. This program identifies vendors that are officially CWE-compatible. This means you can count on the vendor to provide guidance in their product with respect to CWE identifiers, including direct links to the wealth of information that is kept up to date

Wow, what a week last week. We’ve been busy spreading the word about Klocwork Insight 9.5 and all its on-the-fly-analysis goodness since late January, and the reaction has been amazing, but last week took the cake. First, Klocwork Insight 9.5 won its first award: the Military Embedded Systems Editor’s Choice. Here’s an excerpt from their write-up: Software developers have enough on their plates without having to spend undue time analyzing their code. Sure, there is traditional source code analysis, whether done manually or by using techniques such as static or dynamic analysis, but Klocwork’s Insight

As a pretty avid Apple user (2 iPhones, 1 iPad2, iMac, iPod Touch, MacBook Pro, etc.) who also works in the business of software quality and security, I must admit that this article caught my attention. The article outlines how a well-known security researcher, who focuses on Apple, has found a software flaw in the iPhone and iPad which could allow hackers to build malicious apps. What makes this even scarier is that the Apple Store may not catch these malicious apps. To add another twist to this story, the researcher in

I read an interesting post on electronic imports that could contain security threats. I can only speak from the software perspective, but I can say that most customers I’ve dealt with usually integrate some sort of software security audit process with any 3rd-party integrator, and from my experience that means adopting static analysis. How many organizations are there that haven’t jumped on board with static analysis? Probably more than I can count. It would be very interesting to hear of some of the Armed Services and Intelligence cyber threats that the government has not publicly

The U.S. Department of Homeland Security, in conjunction with the SANS Institute and MITRE, has been hard at work again. See the article. There are two new programs called the Common Weakness Risk Analysis Framework (CWRAF) and the Common Weakness Scoring System (CWSS). Using these two in conjunction will help users identify the most important weaknesses for their business. It will be interesting to see adoption in the upcoming weeks. In addition to CWRAF and CWSS, the 2011 CWE/SANS Top 25 list has been updated. There have been a number of position changes and a

My first two posts looked at two different eras of Static Code Analysis, the Early Years and the Early 21st Century. The SCA solutions of those times were revolutionary, and helped software development teams a great deal. But they had their warts. In the final post in this series, I’m going to introduce you to present-day Static Code Analysis technology and how it is impacting developers. The Present Day: I’m a huge fan of Reese’s Peanut Butter Cups. I love them. I keep active so I don’t feel guilty eating them. In a

Creating a source code analysis (SCA) engine is a balancing act, a decision process of where you believe the most value can be found along the spectrum that is the signal-to-noise ratio of the detection process. At one end lies the realm of massive noise and hopefully complete coverage, whilst at the other is the quiet calm of the theoretically useful but practically useless realm of no noise, and no signal either. That may sound counter-intuitive. Shouldn’t a zero-noise point on the spectrum be accompanied by an infinitely strong signal? Perhaps in the

Crying into your wadded Kleenex about how your vulnerabilities were exploited may make for compelling TV, but when it comes to software security, they’ll cost you a lot more than your personal dignity. Or maybe they’ll cost you millions of dollars in lost business and your personal dignity. Why not toughen up your code by implementing software security best practices that prevent or mitigate the risks? That’s why you should head on over to the Klocwork Developer Network and check out the free eLearning courses provided by Security Innovation, an industry leader in software security