Frequentis Standardizes on Coverity Static Analysis for Safety-Critical Software Integrity Business Overview and Challenge

Similar documents
case study Coverity Maintains Software Integrity of Sun Microsystems Award-Winning Storage Products

Controlling Risk Through Software Code Governance

Coverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing

Development Testing for Agile Environments

Coverity Services. World-class professional services, technical support and training from the Coverity development testing experts

Meeting DO-178B Software Verification Guidelines with Coverity Integrity Center

Key Insight 5 Marketing Goals and Objectives You Should Set. By WalkMe

Measuring and. Communicating. Security's Value. A Compendium of Metrics. for Enterprise Protection

Are you listening to your customers?

Solihull Clinical Commissioning Group

True Cost of Tape Backup

10 Reasons Why Project Managers Need Project Portfolio Management (PPM)

IoT Security Concerns and Renesas Synergy Solutions

Chap 1. Software Quality Management

Implement a unified approach to service quality management.

How To Optimize Your Wholesale Business

Warwick Analytics: Building Powerful Software Certified to Integrate with SAP HANA

Coverity Scan. Big Data Spotlight

Applying Software Quality Models to Software Security

BUSINESS INTELLIGENCE ANALYTICS

Chief Information Security Officer

KLEINPILOT MEETING THE DEMANDS OF MARITIME PILOTAGE ORGANIZATIONS

HiSoftware Policy Sheriff. SP HiSoftware Security Sheriff SP. Content-aware. Compliance and Security Solutions for. Microsoft SharePoint

Static Analysis Best Practices

The Proven ROI of Development Testing: An in-depth analysis of Coverity customer experiences

Global Trends: Unified SOA Performance Management Matters

Optimizing the Data Center for Today s State & Local Government

Coverity White Paper. Effective Management of Static Analysis Vulnerabilities and Defects

Spirent CLEAR Mobility. End-to-End Mobile Network Infrastructure Test and Lab Automation Solutions

AS9100 B to C Revision

REDUCE YOUR OPEN SOURCE SECURITY RISK: STRATEGIES, TACTICS, AND TOOLS

White Paper. Making the case for PPM

The Benefits of Continuous Data Protection (CDP) for IBM i and AIX Environments

Advanced Risk Analysis for High-Performing Organizations

Software Engineering. Introduction. Software Costs. Software is Expensive [Boehm] ... Columbus set sail for India. He ended up in the Bahamas...

Data Governance Baseline Deployment

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

The IBM Solution Architecture for Energy and Utilities Framework

The fact is that 90% of business strategies are not implemented through operations as intended. Overview

A CPA recounts exponential growth in Compliance. Mary Ellen McLaughlin

Cisco Advanced Malware Protection for Endpoints

SAIC Corporate and Small Business Introduction

Controlling Risks Safety Lifecycle

An Introduction to. Metrics. used during. Software Development

Oracle Advanced Customer Support Services Slavko Rožič Support Director

Real-Time Security for Active Directory

GETTING THE BIGGEST BANG FOR YOUR SOURCE CODE ANALYSIS BUCK

Avaya Stress Testing Service. Providing Confidence and Assurance for Every Deployment

Understanding Linux Migrations: How easy is it to change distributions?

Smart Data Center Solutions

Physical Infrastructure Management Solutions

White Paper 6 Steps to Enhance Performance of Critical Systems

RSA ARCHER OPERATIONAL RISK MANAGEMENT

HP and netforensics Security Information Management solutions. Business blueprint

A Foundation for System Availability

March 21, Dear Ranking Member Costello:

Best Practices in Contract Migration

The top ten reasons your organization needs Snow Optimizer for SAP Software. Snow optimizer for SAP software

QUALITY MANUAL CUSTOMERS ARE AT THE CENTER OF EVERYTHING WE DO

Test Automation. Full service delivery for faster testing at optimum cost

TRANSFORM YOUR HOTEL PROGRAM USING LANYON

TOP 3 STRATEGIES TO REDUCE RISK IN AUTOMOTIVE/IN-VEHICLE SOFTWARE DEVELOPMENT

Application Outsourcing: The management challenge

Satisfying ASIL Requirements with Parasoft C++test Achieving Functional Safety in the Automotive Industry

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

The 7 Deadly Sins of Failed Cloud Projects A WHITE PAPER

PRIORITIZING CYBERSECURITY

Data Center Solutions

Proven deployments across different Industry verticals; Being used by leading brands

State Agency Reduces Time to Set Up New Users by 85 to 90 Percent

Managing Agile Projects in TestTrack GUIDE

Accelerating Software Security With HP. Rob Roy Federal CTO HP Software

Business Continuity Planning. Presentation and. Direction

Accelerate Development Velocity and Reduce Costs with Automated Code Testing

Securing the Microsoft Cloud

Surveillance and Security Systems

Mission-Critical Java. An Oracle White Paper Updated October 2008

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

The Engagement Outliers

COMPUWARE CHANGEPOINT

Boosting Customer Loyalty and Bottom Line Results

How to select the right Marketing Cloud Edition

Retention & Destruction

Guide to Instantis EnterpriseTrack for Multi- Initiative EPPM:

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

Intrusion Tolerance to Mitigate Attacks that Persist

How To Improve Software Quality

A Guide to Open Source Transformation Services. How and Why Organizations are Making the Move to Open Source

Align IT Operations with Business Priorities SOLUTION WHITE PAPER

Brocade Network Monitoring Service (NMS) Helps Maximize Network Uptime and Efficiency

WHITE PAPER Using SAP Solution Manager to Improve IT Staff Efficiency While Reducing IT Costs and Improving Availability

Business Continuity Management - A Guide to the Italian Premier Control System

Software-based medical devices from defibrillators

Big Data Services From Hitachi Data Systems

Software Engineering Compiled By: Roshani Ghimire Page 1

POSITION QUALIFICATIONS. Minimum Experience (Yrs)

Router and Vetting G-Cloud Service Definition

8 Minute Overview. The Premier Agentless License Management Solution. Modern IT & The Importance of Software Asset Management

The ITIL v.3. Foundation Examination

USING SECURITY METRICS TO ASSESS RISK MANAGEMENT CAPABILITIES

Transcription:

case study Frequentis Standardizes on Coverity Static Analysis for Safety-Critical Software Integrity It s not so much that Coverity is our only safety net we have other means to ensure safety such as code reviews and testing. But the real benefit of Coverity is that it can find specific defects which are very hard, if not impossible, to find by other means. These defects are also the ones that rarely occur, and in the worst case are identified in the field, but are the most expensive and highest risk defects to Frequentis and our customers. Coverity is a good compliment to our existing processes and tools to ensure the highest levels of product safety and quality. Andreas Gerstinger, Software Quality and Software Safety Engineer Business Overview and Challenge Frequentis develops highly reliable communication and information systems for safety-critical applications. Its market leading control centre solutions, products and services are used by customers in a variety of missioncritical public and private fields such as air traffic control (civil and military); emergency services (police, fire departments, and ambulances); maritime systems; and railways and public transport. Safety and freedom of failure is the single most important objective for Frequentis. In fact, safety is so engrained in Frequentis brand that its company mission is Communication and Information Solutions - For a Safer World! Air traffic management is the core of Frequentis business. Frequentis voice communication systems, used for communication between pilots and ground personnel, catapulted it to a global market leader position for air traffic control. This complex system is a combination of both hardware and software, and because of its safety-critical nature, Frequentis has a zero tolerance policy for any type of system failure. Frequentis has also expanded its air traffic management product offering in recent years with innovations such as an electronic flight strip system, which has helped fuel the transformation from paper to digital flight information. This system displays real-time information on the flight to the air traffic control centre, such as flight number, flight levels, speed, and direction. High availability of this system is essential any system disruption which restricts information and communication could be catastrophic.

Given the criticality of product safety and quality, Frequentis development organization and processes are based on a variety of quality and safety related compliance regulations and standards, such as IEEE12207 - Standard for Information Technology - Software Life Cycle Processes: a standard that establishes a common framework for software life cycle processes for a software system, from initial conception to retirement. In 1998, this standard officially replaced MIL-STD-498 for the development of Department of Defense software systems. IEC 61508 - Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems: an international safety standard covering the complete safety lifecycle, relating to equipment under control and the control system itself. ISO 9000 a family of standards for Quality Management systems. Some of these standards provide general guidelines but leave the interpretation and implementation up to the development organization, while some standards are very prescriptive in nature and mandate tools and techniques such as static analysis to ensure quality and safety. Compliance with safety standards are audited by Frequentis internal audit team, customers, and external auditing bodies such as the Austrian Quality Society. Given its commitment to quality and safety, Frequentis established a centralized software quality organization, directly reporting to the CTO, to oversee the seven development teams across the company. The centralized software quality team is now chartered with monitoring product quality and safety for each of the development teams, comprised of approximately 10 developers per team. Although Frequentis has a top-down corporate initiative and commitment to quality, the demand for investing in static analysis was driven by the development organization from the bottom-up. The development teams approached the software quality organization to invest in an automated solution to help them find defects in their code during the development cycle that may impact quality and security. Frequentis development organization had experience using productivity tools in the past, but developer adoption was never realized. According to Andreas Gerstinger, Software Quality and Software Safety Engineer, who drove the evaluation and introduction of Coverity Static Analysis into the organization, We had used other analysis tools in the past but they did not go as deep as Coverity--they only provided metrics such as complexity measurement--but did not go as far as finding faults and pinpointing where they reside in the code. Developers didn t want a tool that only showed them abstract metrics, but would instead show them exactly where they made a coding error.

Solution Evaluation Gerstinger and team researched and identified a short-list of companies that were best suited to meet Frequentis stringent safety and quality standards, and were also the most likely to gain mainstream adoption by the development teams. A key requirement was a robust analysis engine to not only find safety-critical defects but also provide actionable information to the developers on the type of defect and where it resided in the code. Multi-language and platform support was also critical for Frequentis, as its products were developed in a variety of programming languages, including C, C++, C#, and Java, and the solution had to work on both the Linux and Windows operating system. Implementing a single solution that supported all of these languages and platforms was critical for developer adoption. Frequentis included Coverity, Klocwork and FindBugs in its evaluation. FindBugs was immediately eliminated as it was a Java solution, lacking language support for C, C++, and C#, as well as heterogeneous operating system support. Frequentis had initially evaluated Klocwork one year prior to this evaluation, but Klocwork s tool earned a bad reputation within the Frequentis development team for not providing real value due to its high false positive rate. Klocwork received a second chance during this evaluation, but produced similar results. The Coverity evaluation encompassed four development projects and 350,000 lines of code. Coverity s solution produced a 10% false positive rate, significantly less than that of Klocwork, and by surfacing real, relevant defects the developers immediately saw value. Coverity analyzed code that was already considered to be of high quality, identifying defects such as memory leaks which had previously gone undetected. In a single project, 80 critical or high priority defects were identified, with overall defect density measured at one fault per 3,000 lines of code. Due to the nature of the defects identified and the low false positive rate, Frequentis development teams overwhelmingly selected Coverity as their solution of choice. Coverity Deployment and Benefits Realized Since initial deployment in 2007, five of the seven development teams have introduced and are actively using Coverity Static Analysis as part of their daily work. Adoption has not been an issue within Frequentis, as the developers view Coverity as a tool to help them increase their productivity and enhance their coding skills. After evaluating the benefits realized by the five development teams using Coverity, the two remaining development teams were astonished by the results and are now in the process of introducing the solution into their development cycle. According to Gerstinger, It s hard to quantify the cost of a single defect, but we do know that it was less expensive to purchase Coverity than not to purchase Coverity. It may take six months for critical defects to be

identified and resolved if identified in the field, so if Coverity can find even one of these defects it reduces the cost to Frequentis. Frequentis is not able to provide quantitative ROI metrics but has realized the following qualitative benefits, such as: Product safety assurance: Coverity Static Analysis continually finds defects that are hard, if not impossible, to find in other testing and code review processes. Quality process improvement: With Coverity, quality enforcement has been moved to the individual development teams, so by the time the code gets to the centralized software quality team the code is already clean. Quick time to value: After only six months of set-up and implementation time across five development teams, Coverity was fully built into the development process; including integration with their IDE s and nightly builds. Developer efficiency improvements: By providing accurate analysis with less than a 10% false positive rate, developers are able to focus their triage efforts on the real, potentially crash-causing defects, as well as spend more time on innovation projects. Adoption of coding best practices: Coverity has helped the developers improve their coding skills by highlighting where they are most susceptible to error, and in the process teaches new techniques and best practices which has reduced the number of defects which occur in the first place. Developer satisfaction: Coverity s technical support team has been responsive to Frequentis needs, a direct contributor to the high rate of developer adoption. Frequentis has built Coverity into its audit process to demonstrate compliance with internal and external standards. It s also mandated that each development team must provide a Coverity report to all internal customers with every product release. Frequentis has an internal supply chain whereby internal customers order software from one or more development teams, which is then integrated into a larger project for release to external customers. Upon receipt of the Coverity report, the internal customer has the option of accepting or rejecting the project status based upon the quality criteria set in their contract with the software development project. This not only provides Frequentis development teams with objective metrics and a quantifiable goal to work towards to ensure product quality and safety, but also increases customer confidence and satisfaction.

According to Gerstinger It s not so much that Coverity is our only safety net we have other means to ensure safety such as code reviews and testing. But the real benefit of Coverity is that it can find specific defects which are very hard, if not impossible, to find by other means. These defects are also the ones that rarely occur, and in the worst case are identified in the field, but are the most expensive and highest risk defects to Frequentis and our customers. Coverity is a good compliment to our existing processes and tools to ensure the highest levels of product safety and quality. Conclusion Frequentis mission and commitment to safety is engrained into every part of the company, and the software quality organization is a direct reflection of this commitment. Coverity has helped Frequentis ensure a high level of software integrity to support its product mission of freedom from failure, while continually improving the productivity of its developers. About Coverity Coverity is the trusted standard for companies that have a zero tolerance policy for software failure, problems, and security breaches. Coverity s award-winning portfolio of software integrity products enables customers to prevent software problems throughout the application lifecycle Coverity Inc. Headquarters Coverity Inc. Headquarters 185 Berry Street, Suite 1600 San Francisco, CA 94107 USA www.coverity.com sales@coverity.com (800) 873-8193 2010 Coverity, Inc. All rights reserved.

Coverity Inc. Headquarters Coverity Inc. Headquarters 185 Berry Street, Suite 1600 San Francisco, CA 94107 USA www.coverity.com sales@coverity.com (800) 873-8193

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information