BLOG

  • Static Analysis in Automotive SPICE

    Static Analysis in Automotive SPICE

    The Automotive SPICE (software process improvement and capability determination) is a software development process standard that outlines the maturity model for software development,...

    Read Article
  • Using CodeSonar to Evaluate Software for the 2019 CWE Top 25 Most Dangerous Software Errors

    Using CodeSonar to Evaluate Software for the 2019 CWE Top 25 Most Dangerous Software Errors

    The Common Weakness Enumeration (CWE) Top 25 most dangerous software errors, a.k.a., the CWE Top 25 is a list of the most common weaknesses that lead to security vulnerabilities. It is...

    Read Article
  • Introducing MISRA C Coding Standard to an Existing Code Base

    Introducing MISRA C Coding Standard to an Existing Code Base

    The intent of the Motor Industry Software Reliability Association (MISRA) C coding standard was to define a subset of the C language that minimizes the possibilities of errors. Although...

    Read Article
  • The Role of Static Analysis in Assessing Trustworthiness of IIoT Software

    The Role of Static Analysis in Assessing Trustworthiness of IIoT Software

    In a previous post I introduced the Industrial Internet Consortium (IIC), the reference architecture and the concepts of trustworthiness used in their security framework. Since that...

    Read Article
  • How Sound Static Analysis Complements Heuristic Analysis

    How Sound Static Analysis Complements Heuristic Analysis

    Not all static analysis tools work the same, there are in fact a spectrum of tools that use a variety of techniques ranging from relatively simple syntactic analysis through very...

    Read Article
  • How Sound Static Analysis Complements Heuristic Analysis

    How Sound Static Analysis Complements Heuristic Analysis

    Not all static analysis tools work the same, there are in fact a spectrum of tools that use a variety of techniques ranging from relatively simple syntactic analysis through very...

    Read Article
  • Tainted Data and Format String Attack Strike Again

    Tainted Data and Format String Attack Strike Again

    A recent code execution vulnerability (we also call this a code injection vulnerably) was discovered in Palo Alto Networks’ GlobalProtect SSL VPN, a product that handles SSL handshakes...

    Read Article
  • The Role of Static Analysis in the SAE J3061 Cybersecurity Process Framework

    The Role of Static Analysis in the SAE J3061 Cybersecurity Process Framework

    The Society of Automotive Engineers (SAE) J3061 cybersecurity process framework was created to address a large disconnect between advances in automotive software and the increasing...

    Read Article
  • Shift Left Quality and Security with Automated Unit Testing, Dynamic and Static Analysis

    Shift Left Quality and Security with Automated Unit Testing, Dynamic and Static Analysis

    Our partner, Vector Software, recently announced the official release of the VectorCAST and GrammaTech CodeSonar integration. This prompted this post to discuss the role of static and...

    Read Article
  • What is Static Application Security Testing (SAST)?

    What is Static Application Security Testing (SAST)?

    We often get the question from developers and engineering managers: “What is SAST?” often followed by “Ok, what do SAST tools do exactly for security?” Many people know the acronym as...

    Read Article
  • Merging of the MISRA C++ and AUTOSAR C++ Guidelines is Good News for Safety Critical Software Development

    Merging of the MISRA C++ and AUTOSAR C++ Guidelines is Good News for Safety Critical Software Development

    The MISRA Consortium recently announced the merger of MISRA C++ 2008 and AUTOSAR C++14 into a common guideline. This is positive news since it combines two key standards for coding in...

    Read Article
  • Linux Foundation’s ELISA Project to Bring Linux to Safety Critical Systems

    Linux Foundation’s ELISA Project to Bring Linux to Safety Critical Systems

    The Linux Foundation’s announcement of the ELISA (Enabling Linux in Safety Applications) project was of interest to us because it requires a significant effort in evaluating open source...

    Read Article
  • Webinar Recording - What's New in CodeSonar 5.1?

    Webinar Recording - What's New in CodeSonar 5.1?

        Interested in upgrading to CodeSonar 5.1? In this webinar, Mark Hermeling, Senior Director of Product Marketing, will walk through all of the new features...

    Read Article
  • Static Analysis and UL 2900 Standard for Software Cybersecurity

    Static Analysis and UL 2900 Standard for Software Cybersecurity

    The UL 2900 is a software cybersecurity standard, specifically a Cybersecurity Assurance Program or CAP, released by Underwriter’s Laboratory (UL). Yes, this is the same company whose...

    Read Article
  • Using Static Analysis with Legacy Code

    Using Static Analysis with Legacy Code

    The adoption of any new tool into an existing software development process and established code base is always a challenge. Static analysis tools are no different but there are steps to...

    Read Article
  • FDA Updates Guidance for Managing Cybersecurity for Medical Devices

    FDA Updates Guidance for Managing Cybersecurity for Medical Devices

    In a previous post, I discussed the role of static analysis in managing cybersecurity for medical devices. It was in reaction to initial guidance published by the FDA in the document...

    Read Article
  • Open-source Tools for Binary Analysis and Rewriting

    Open-source Tools for Binary Analysis and Rewriting

    Unfortunately binary-only software is unavoidable; dependencies of active software projects, firmware and applications distributed without source access, or simply old software whose...

    Read Article
  • Memory Safety Issues Are Still the Leading Source of Security Vulnerabilities

    Memory Safety Issues Are Still the Leading Source of Security Vulnerabilities

    A recent headline was published in several technology news outlets, at ZDNet “Microsoft: 70 percent of all security bugs are memory safety issues” and Fudzilla, “More than 70 percent of...

    Read Article
  • The Industrial Internet Reference Architecture and Security Framework

    The Industrial Internet Reference Architecture and Security Framework

    The Industrial Internet Consortium (IIC) is a non-profit, industry group that is investigating and proposing the standards needed for a successful deployment of the Industrial Internet...

    Read Article
  • Static Analysis for Python in CodeSonar

    Static Analysis for Python in CodeSonar

    In a previous post we discussed the continuing popularity of C and C++ as a programming language, the surveys referenced there showed that Python is more popular each year and is now...

    Read Article
  • loading
    Loading More...