We get many questions from medical devices customers on how they should validate the use of Klocwork’s static analysis tools for the FDA. I suspect the situation would be similar for most vendors of software development tools. As we’ve done before, we thought it would be a good idea to ask Bruce Swope from SterlingTech Software to clarify this whole topic for us. [Brendan] First, what is tool validation? [Bruce] Tool validation is the act of demonstrating that a tool will consistently produce expected results. [Brendan] How can a medical device company know whether they
Read More »
With the recent story that the iPad has inherent security vulnerabilities, I thought it might be an appropriate time to delve into the world of software security guidelines…but I must warn you, this blog will contain an abnormal amount of acronyms, and may not be suitable for all audiences. When talking about software security guidelines, there are really 5 or 6 organizations that are leading the charge, and they include: - OWASP - SANS Institute - MITRE - PCI Security Standards Council - SEI Let’s first look at OWASP. OWASP stands for Open Web Application
Read More »Previously I posted the value of using coding standards, specifically MISRA C and MISRA C++. This time I wanted to go through some general experiences we had with some of the checkers, specifically the ones that seem to throw a lot of violated rules, to the point that on some code bases MISRA flagged more than one error per LOC! There are still tons of great rules you can apply even if you don’t make an embedded product. But as I said before, it doesn’t make sense to turn on all the MISRA rules. After
Read More »What is MISRA? More Irrelevant Software Requirements Again…uh no but certainly the sentiment of many developers. MISRA (Motor Industry Software Reliability Association) is a coding standard, which first released MISRA C in 1998 and has since been revised. Obviously, this came out of the automotive sector with a clear focus on helping software systems to be more reliable and maintainable. MISRA has since grown. Now you see more and more industries adopting these standards. In 2008, MISRA released the C++ equivalent standard. So the obvious question is, should I apply this to my software source
Read More »Just came across this post about the 5 code metrics you need to watch. I thought it was worth mentioning as I just blogged about this below (including something similar a while back). These are interesting metrics and more high level, but certainly important. I like labeling duplicated code as something important. I think we often forget how much we reuse code and have the same mistakes in many places
Read More »In a previous post, I talked about different types of metrics and how they can apply. These were mostly focused on a system level and provided insight into system complexity from release to release or build after build. Now, let’s take a look at some other metrics and how they can be used effectively with the developers. There are literally hundreds of metrics you can measure, so what is really important? That’s a tough question because it depends on your organization. Perhaps you have some coding standards in place or simply want to measure some
Read More »
Part II – Joy is the word… OK, so Grease is really the word, but it didn’t fit my theme, gimme a break… Anyway, back on topic, since Joy of code review – part one of this series was published last year we’ve seen our new code review product in action in a variety of customer and prospect situations, and much like the eponymous hair product in the musical mentioned above, what we thought of as an interesting twist on an existing paradigm has turned into a bit of a barn burner. I refer, in
Read More »How do you measure your software? There are simple metrics that help with quality, such as keeping track of the number of bugs or security vulnerabilities in your system. Trending these metrics is a no-brainer. When trending is in place, action can be taken because everyone knows 6 security vulnerabilities is worse than 5. But what about other types of software metrics (and there are many)? Have you ever heard of a maintainability metric? Halstead program volume? McCabe cyclomatic complexity? Coupling/Cohesion? The question becomes what do you do with these metrics and are they valuable
Read More »In my previous blog post, we talked about the value of compiler warnings and reasons to have source code analysis. Now, I’d like to get into the value of coding standards and touch on how you can fit this altogether. Coding standards are a set of rules or guidelines usually created as part of an industry. The goal is simple, provide guidelines, so you can create better code and increase your code quality. Probably the most common coding standard I run into is called MISRA C. This is a standard created for C code in
Read More »
I had a chance to speak with Bruce Swope, the VP of Engineering at SterlingTech, an ISO13485 Registered full-service medical device software organization offering software development and validation services. SterlingTech has developed software for an array of medical products including implantable devices as well as external support and monitoring equipment. Their team has worked on Class I, II, and III devices that resulted in successful FDA 510(k)s, PMAs, and CE submissions. Bruce has extensive experience in medical device software development and he is an expert in leading Class III medical software products to commercial release. His depth
Read More »
