Detecting Critical Defects on the Developer's Desktop



Seth Hallem, CEO, Coverity, Inc.
Copyright Coverity, Inc. 2006. All Rights Reserved. This publication, in whole or in part, may not be reproduced, stored in a computerized or other retrieval system, or transmitted in any form or by any means whatsoever without the prior written permission of Coverity, Inc.

Significant Challenge: High Quality Software
Code is increasingly complex:
- Code is increasing in size and complexity.
- Chart: exponential LOC growth in a typical GM car, from 0.1 to 100 MLOC between 1970 and 2010 (Source: Tony Scott, CIO, GM).
The cost of failure is high:
- A single defect or security vulnerability can have an enormous impact on the customer.
- Chart: application-level security attacks on the rise, an 80% increase from 2005 to 2008 (Source: Gartner).
Software bugs are costly:
- Bugs delay development efforts and impact new feature development.
- Chart: developers spend significant time testing and fixing bugs; testing and repairs 61%, product time on projects 24%, time on canceled projects 15% (Source: Capers Jones).

Software Complexity is Rising
By 2010, cars will have 100 million lines of code.
Chart: exponential LOC growth in a typical GM car, from 0.1 to 100 MLOC between 1970 and 2010 (Source: Tony Scott, CIO, GM).

Rising Cost
The cost of inadequate software testing is rising. In the United States:
- The annual cost to software developers is over 22 billion dollars.
- The annual cost to end-users is over 35 billion dollars.
Chart: annual software testing cost to the US economy in millions of dollars, development cost versus end-user cost (Source: NIST Planning Report 02-3, May 2002).

The Promise of Static Analysis Tools
Diagram: software development process (Design, Code, Integrate, QA, Release) showing where static analysis fits.
Benefits:
- Detects problems early in the SDLC, both bugs and security vulnerabilities.
- No test cases required.
- Points to specific lines of code.
- Systematic.

Traditional Challenges in Static Analysis
Diagram: software development process (Design, Code, Integration, QA, Release) showing where static analysis fits.
Traditional failures: warnings, false positives, high cost of ownership, poor results. In particular:
- Hard to integrate
- Significant configuration and tuning
- Does not scale
- Partial code path coverage
- Shallow analysis
- Uninteresting results
- Rife with false positives

Coverity: Breakthrough Technology
Breakthrough research at the Stanford University Computer Systems Lab.
- Analysis depth: 100% of all code paths; interprocedural analysis.
- Analysis accuracy: 20% false positive rate.
- Scalability: millions of lines of code.

Coverity: Core Technologies
Build: C/C++ source code is processed by the C/C++ Virtual Build; Java source code and byte code are processed by the Java Parser.
Prevent Checkers: Quality and Security.
Analysis platform: interprocedural dataflow analysis, statistical analysis, concurrency analysis, false path pruning, 100% of all paths, incremental analysis.
Extend: custom checks.
Defect Manager: developer dashboard, management reporting, open standard interfaces.
- Uses innovative source code analysis algorithms originating from compiler research.
- Performs a whole-program analysis.
- Integrates easily into the software development process.
- An integrated database application enables complete workflow and reporting.

Coverity: Core Features
What defects can it find?
- Security vulnerabilities
- System and process crashes
- Infinite loops
- Performance degradations
- Denial of service
- Privilege escalation
- Data, memory and file corruption
- Unpredictable behavior
- Concurrency issues
How does it work?
- Does not run the code
- Zero test cases
- Runs at compile time

Coverity: Market Leader
- Accuracy: finds the most valuable flaws in your software.
- Integration: minimal impact on the development process.
- False positives: avoids reporting costly noise.
- Likelihood of use: built for developers to use and appreciate.

Sample of Coverity Customers (logo slide; customer names not transcribed)

Coverity History
Chart: number of customers and employees by year (1999-2003, 2003, 2004, 2005, 2006, 2007), growing to 158 customers.
Milestones, in order:
- Stanford Checker finds 2000+ bugs in Linux
- 1.0 release, C analysis
- C++ analysis released
- DHS Vulnerability Initiative contract awarded
- Java analysis introduced

Coverity Success: Wall Street Journal
"Many companies, including RIM, are teaching programmers to write safer code and test their security as software is built, not afterward. Now, Mr. Little uses Coverity every night to scan the code turned in by engineers. The tool sends Mr. Little an email listing red flags." (WSJ, 05/04/06)

Coverity Success: Wind River
- Quality improvement is the top priority designated by executive management.
- Complex requirements for development tools: had to fit into the existing infrastructure; had to fit into the Capability Maturity Model (CMM).
According to Wind River's Director of Engineering: "We compared and evaluated a number of programming and error detection tools and Coverity was superior."

Coverity Success (customer name not transcribed)
- Ease of integration was critical: "Integration with Coverity Prevent is seamless and the usage is straightforward. We went from trial to purchase in 3 weeks."
Coverity's impact:
- Immediate: "We found several important defects. It does validate the purchase of the tool."
- Ongoing: development productivity up 30%; time to market cut by 20%.