About a year and a half ago, I was discussing the relative popularity of C and C++ in the face of relative newcomers Python, Java and C#. Surprisingly, the TIOBE index for 2019 shows significant growth for C after some years of decline in popularity (TIOBE is keen to point out that its index is not based on existing lines of code). C has made a comeback and continues to grow. TIOBE explains this as follows:
The major drivers behind this trend are the Internet of Things (IoT) and the vast amount of small intelligent devices that are released nowadays. C excels when it is applied to small devices that are performance-critical. It is easy to learn and there is a C compiler available for every processor.
The popularity of C grew by 2.44% according to TIOBE, with C++ making up for that gain with a loss of 2.58%. The two languages combined, however, are more popular than Java and Python (if one can simply add "percentage of popularity" figures together).
Reinforces the Need for Static Analysis
As I stated in my previous blog, C, C++ and Objective-C have higher defect rates than Java, for example. In fact, Bjarne Stroustrup, the inventor of C++, famously said "C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off."
With its continued popularity and the risks that come with it, static analysis remains relevant in the 2020s. Since C's growth in popularity is driven by the development of IoT devices for a wide range of applications, including safety-critical ones in medical, automotive and industrial automation, the need to maintain and improve quality, safety and security grows with it.
In past posts, I focused on how static analysis helps developers root out hard-to-find problems, integrates well into the developer's work environment, and works on large bodies of code quickly and efficiently. This time, however, I think it's important to focus on security, since it's becoming more important every day.
Doubling Down on Security
A recent example of how IoT security continues to be a dominant issue is the controversy surrounding hijacked Ring doorbells. Although this issue isn't related to a code security vulnerability (it's a credential stuffing attack), it is the most recent high-profile case of IoT security woes, and the proliferation of devices in the IoT ecosystem continues. At the C code level there are things that can be done to reduce vulnerabilities, and static analysis is an important part of an overall security improvement program. Consider some of the capabilities that advanced static analysis tools provide to improve security:
- Detection of security vulnerabilities: Testing and reviewing for security defects is difficult and involves a different mindset than testing for correct functionality. Static analysis tools can point out vulnerabilities and insecure coding practices.
- Tainted data detection and analysis: Analysis of the dataflows from sources (i.e. interfaces) to "sinks" (where data gets used in a program) is critical in detecting potential vulnerabilities from tainted data (containing potential exploit payloads).
- Narrow down the root cause of errors quickly: Errors in C and C++ can be harder to debug compared to other languages. Luckily, defects detected by static analysis include trace information back to the root cause of the warning. If the warning turns out to be real (a true positive), the fix is usually evident from the trace information.
- Continuous source-code quality and security assurance: As each new code block is written (file or function), it can be scanned by static analysis tools, detecting errors and vulnerabilities (and maintaining secure coding standards, discussed below) in the source before it enters the build system.
- Assessing the quality and security of third-party code: Most projects are not greenfield development and require the use of existing code within a company or from a third party. Performing testing and dynamic analysis on a large existing codebase is hugely time consuming and may exceed the limits on the budget and schedule. Static analysis is particularly suited to analyzing large codebases and providing meaningful errors and warnings that indicate both security and quality issues. CodeSonar's binary analysis can analyze binary-only libraries and provide similar reports as source analysis when source is not available. In addition, binary analysis can work in a mixed source and binary mode to detect errors in the usage of external binary libraries from the source code.
- Secure coding standard enforcement: Static analysis tools analyze source syntax and can be used to enforce coding standards. Various code security guidelines are available such as SEI CERT C and Microsoft's Secure Coding Guidelines.
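The tainted-data item above is easiest to see on a concrete source-to-sink path. The following is an added example written for this post, not code from the original article or from CodeSonar: a small record parser where a length byte received from an interface (the source) reaches a memcpy (the sink), shown first without validation and then with the check that closes the path. The record format, function names and sample messages are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAYLOAD_MAX 64

/* Record as it arrives over a network interface (the taint source):
 * one length byte followed by that many payload bytes. */
struct record {
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* Vulnerable parser: buf[0] is attacker-controlled and flows unchecked into
 * the memcpy length (the sink). A taint analysis reports the path
 * buf[0] -> len -> memcpy(..., len) as a potential out-of-bounds write. */
int parse_record_unchecked(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 1)
        return -1;
    uint8_t len = buf[0];               /* taint source */
    out->len = len;
    memcpy(out->payload, buf + 1, len); /* sink: len may exceed PAYLOAD_MAX or buflen - 1 */
    return 0;
}

/* Hardened parser: the tainted length is validated against both the destination
 * capacity and the bytes actually received before it reaches the sink. */
int parse_record_checked(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 1)
        return -1;
    uint8_t len = buf[0];
    if (len > PAYLOAD_MAX || (size_t)len > buflen - 1)
        return -1;                      /* reject rather than trust the field */
    out->len = len;
    memcpy(out->payload, buf + 1, len);
    return 0;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t good_msg[] = { 3, 'a', 'b', 'c' };
const uint8_t bad_msg[]  = { 200, 'x' };  /* claims 200 bytes, carries only 1 */
struct record scratch;
int main(void)
{
    printf("good: %d  bad: %d\n", parse_record_checked(good_msg, sizeof good_msg, &scratch),
           parse_record_checked(bad_msg, sizeof bad_msg, &scratch));
    return 0;
}
```

The hardened version rejects bad_msg instead of copying past the received bytes; the unchecked version is the pattern a taint analysis would flag.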
We're happy C and C++ continue to grow; it means more customers for us. However, we remain concerned about quality, safety and security in C/C++ applications. If this new growth in popularity is the result of growth in IoT devices, then more emphasis on security is needed. Hastily developed products with poor security are going to hinder the success of IoT. The right development approach and an investment in security will differentiate IoT products of the 2020s.
Interested in learning more? Read our guide on "Advanced Static Analysis for C/C++"