-
Metrics Evaluation using Static Analysis for Automotive Software Specified by KGAS and Automotive SPICE
The Automotive SPICE (Software Process Improvement and Capability dEtermination) is a software development process standard that outlines the maturity model for software development,...
-
The Role of Static Analysis in the EU Medical Devices Regulation (MDR)
The move to digitization and automation is happening in the medical industry as it is in others – almost every medical device requires software. Wireless connectivity is becoming...
-
Bug-Injector Research Receives IEEE SCAM 2019 Distinguished Paper
During the International Working Conference on Source Code Analysis & Manipulation (SCAM), a GrammaTech research publication was awarded the Institute of Electrical and Electronics...
-
C was Programming Language of the Year 2019
About a year and a half ago, I was discussing the relative popularity of C and C++ in the face of relative newcomers Python, Java and C#. Surprisingly, the TIOBE index for 2019 shows...
-
Static Analysis in Automotive SPICE
The Automotive SPICE (software process improvement and capability determination) is a software development process standard that outlines the maturity model for software development,...
-
Using CodeSonar to Evaluate Software for the 2019 CWE Top 25 Most Dangerous Software Errors
The Common Weakness Enumeration (CWE) Top 25 most dangerous software errors, a.k.a., the CWE Top 25 is a list of the most common weaknesses that lead to security vulnerabilities. It is...
-
Tainted Data and Format String Attack Strike Again
A recent code execution vulnerability (we also call this a code injection vulnerability) was discovered in Palo Alto Networks’ GlobalProtect SSL VPN, a product that handles SSL handshakes...
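The bug class this entry names, tainted data reaching a format-string sink, shown as an added C example that is not code from the post or from the GlobalProtect product: a logging sink that uses attacker input as the format string, the fixed-format version beside it, a check that flags conversion directives in tainted input, and an escaping helper for the rare case where untrusted text must become part of a format. The `render` helper, the buffer size and the attacker string are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Thin vsnprintf wrapper standing in for a real logging sink (constructed
 * for this example). It has no format attribute, so the compiler cannot
 * tell us when a caller hands it tainted data as the format. */
static void render(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* BEFORE: tainted input is the format string. "%x" leaks stack words,
 * "%n" writes to memory. Calling this with raw attacker input is undefined
 * behaviour; it is kept here only to show the shape of the bug. */
void log_unsafe(char *out, size_t outlen, const char *tainted) {
    render(out, outlen, tainted);
}

/* AFTER: the format is a literal and tainted data is only ever an argument. */
void log_safe(char *out, size_t outlen, const char *tainted) {
    render(out, outlen, "%s", tainted);
}

/* Taint check: a '%' in input headed for a format sink is the signal a
 * static analyzer (or a runtime guard) would flag. Returns 1 if present. */
int has_format_directive(const char *s) {
    return strchr(s, '%') != NULL;
}

/* Escaping helper for when tainted text must be embedded in a format
 * (e.g. a user-editable log template): every '%' becomes "%%" so it is
 * printed literally. Returns a malloc'd string the caller frees, or NULL. */
char *escape_percent(const char *s) {
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '%') extra++;
    char *out = malloc(n + extra + 1);
    if (out == NULL) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        *p++ = s[i];
        if (s[i] == '%') *p++ = '%';
    }
    *p = '\0';
    return out;
}

int main(void) {
    /* Constructed attacker input: a classic probe-then-write payload. */
    const char *attacker = "%x.%x.%x.%n";
    char buf[128];

    printf("directive in tainted input: %d\n", has_format_directive(attacker));

    log_safe(buf, sizeof buf, attacker);
    printf("fixed format : %s\n", buf);

    /* The same vulnerable sink is harmless once the input is escaped. */
    char *esc = escape_percent(attacker);
    if (esc == NULL) return 1;
    log_unsafe(buf, sizeof buf, esc);
    printf("escaped input: %s\n", buf);
    free(esc);
    return 0;
}
```

Build with `-Wall -Wformat -Wformat-security`: the direct `printf(tainted)` form is flagged by the compiler, but the `render` indirection above is exactly the pattern that slips past it and that interprocedural taint analysis is needed to catch.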
-
The Role of Static Analysis in the SAE J3061 Cybersecurity Process Framework
The Society of Automotive Engineers (SAE) J3061 cybersecurity process framework was created to address a large disconnect between advances in automotive software and the increasing...
-
Shift Left Quality and Security with Automated Unit Testing, Dynamic and Static Analysis
Our partner, Vector Software, recently announced the official release of the VectorCAST and GrammaTech CodeSonar integration. This prompted this post to discuss the role of static and...
-
Merging of the MISRA C++ and AUTOSAR C++ Guidelines is Good News for Safety Critical Software Development
The MISRA Consortium recently announced the merger of MISRA C++ 2008 and AUTOSAR C++14 into a common guideline. This is positive news since it combines two key standards for coding in...
-
Linux Foundation’s ELISA Project to Bring Linux to Safety Critical Systems
The Linux Foundation’s announcement of the ELISA (Enabling Linux in Safety Applications) project was of interest to us because it requires a significant effort in evaluating open source...
-
Static Analysis and UL 2900 Standard for Software Cybersecurity
The UL 2900 is a software cybersecurity standard, specifically a Cybersecurity Assurance Program or CAP, released by Underwriters Laboratories (UL). Yes, this is the same company whose...
-
Using Static Analysis with Legacy Code
The adoption of any new tool into an existing software development process and established code base is always a challenge. Static analysis tools are no different but there are steps to...
-
FDA Updates Guidance for Managing Cybersecurity for Medical Devices
In a previous post, I discussed the role of static analysis in managing cybersecurity for medical devices. It was in reaction to initial guidance published by the FDA in the document...
-
Memory Safety Issues Are Still the Leading Source of Security Vulnerabilities
A recent headline was published in several technology news outlets, at ZDNet “Microsoft: 70 percent of all security bugs are memory safety issues” and Fudzilla, “More than 70 percent of...
-
Integrating Clang Static Analyzer with CodeSonar using SARIF
We have discussed the benefits of using SARIF, an open standard for exchanging static analysis results, in a previous post. Integration between tools is simplified by using this open...
-
Using Static Analysis to Detect API Usage Anomalies
-
CodeSonar in the SWAMP
INTRODUCTION: The Software Assurance Marketplace (SWAMP) is an open tool set designed to improve quality and security started by the Department of Homeland Security Science and...
-
The Role of Static Application Security Tools (SAST) in DevSecOps
The term DevSecOps is a contraction of DevOps, itself a contraction of Development and Operations, and Security. It’s the in-vogue buzzword for 2018 that, despite the hype, does have positive...
-
How Does the OWASP Top 10 Apply to C/C++ Development?
The Open Web Application Security Project (OWASP) is a non-profit organization focused on improving web software security. Each year they publish a top ten list of the most critical web...