Static analysis is standard practice these days. No one questions the value of having the code base compliant with safety-oriented standards like MISRA or AUTOSAR, or with security standards like CERT or UL2900. The majority of organizations developing functional-safety-oriented products have this practice established and well grounded. Despite the fact that static analysis tools are relatively simple to deploy, organizations very often settle on suboptimal processes for achieving compliance. Frequently, violations are removed in firefighting mode just before the release, and teams rarely analyze how to do it efficiently and get the most value out of the invested time. Especially problematic is cleaning legacy code bases or open source libraries which were created without compliance in mind. Where to start? Which violations should be removed first? What is the estimated cost? Do we have enough resources? These are all very important questions that can help in improving the efficiency of the compliance process. In addition, organizations struggle with defining the outputs of the compliance process: how do I demonstrate my compliance? What kind of documents should I prepare?
During this session, we would like to demonstrate Parasoft's static analysis solution with dedicated compliance reporting and workflow management, which streamlines the process of achieving compliance and automatically generates all required documentation.
3. Parasoft at a Glance
• 30 years of experience
• Global presence and capabilities
• Independent, no VC funding
• Broad portfolio of products focused on automated software testing
• Participating in standards organizations
• CERT, UL2900, MITRE CWE, …
• Embedded / Safety Critical
• C & C++
• Compliance, Safety-Critical, Security
• Security
• Enterprise IT
• Java, C#
• API testing, service virtualization
• Security
5. Do I need to be compliant with the coding standard?
• Why do we need Coding Standards Compliance?
• Which coding standard to choose?
• Industry sentiment:
• Safety Focus: MISRA, AUTOSAR, JSF, …
• Security Focus: CERT, UL2900, CWE, OWASP, …
• Shall I comply with more than one standard?
• Select, deploy and customize …
• Example!
[Pie chart: exemplary rule set of a Parasoft automotive customer (Japanese market): MISRA C 2012 60%, CERT C 17%, custom rules 23%]
6. How to accelerate compliance?
• What is the overhead for achieving compliance?
• How much extra time does it cost?
• What activities are required?
• What kind of documentation shall be prepared?
• Before we tackle this question…
• Let's think: what does it mean to be compliant?
7. What does it mean to be compliant?
• The term "compliance" used to be loosely defined in the industry
• The general understanding is: free from violations
• Clear definition of compliance is very important
• Acquirer <-> Supplier business agreement
• Helps in closing the contract
• Coding standards usually define what is required for compliance
• MISRA 2016 Achieving compliance
• CERT C / CERT C++
8. MISRA Compliance
• MISRA assumes that the development process is
• Documented
• Disciplined
• Defining compliance strategy
• Guidelines Enforcement Plan
• Introducing re-categorizations
• Guideline Re-categorization Plan (GRP)
• Managing deviations
• Deviation records/permits
• Claiming compliance (CCS)
• Guidelines Compliance Summary
MISRA Compliance 2016: Achieving compliance with MISRA coding guidelines
9. Accelerating MISRA C 2012 Compliance
[Workflow diagram (labels only). Roles: Program Manager / Architect, Lead Architect/Technical Lead, Developer/Tester. Components: DTP, Source Control, Build Server/Test Server, C/C++test Desktop Edition, C/C++test Automation Edition (Headless Mode). Artifacts: Team Policy (e.g. Coding Standards), Test Configurations, Quality Tasks, Compliance Reports. Steps: Pre-Commit Compliance Scan, Post-Commit Compliance Scan.]
10. CERT C Conformance
• CERT conformance
• No rules violated
• Recommendations are allowed
• Conformance levels: L1, L2, L3
• Risk assessment framework
• Severity
• Likelihood
• Remediation cost
• Deviations
• Predefined exceptional conditions
• All cases documented
Conforming with CERT standards
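The conformance check this slide describes, as an added example that is not part of the original deck or of Parasoft's products: each finding is scored with the CERT risk-assessment factors (severity, likelihood, remediation cost), the resulting priority is mapped to L1/L2/L3 using the priority bands from the CERT C standard, and a claim at a given level holds only if no rule at or above that level is violated, where recommendations and documented deviations do not count. The findings, their scores and the guideline names are constructed placeholders.

```python
from dataclasses import dataclass

# Priority = severity x likelihood x remediation cost, each scored 1..3.
# The level bands are the ones the CERT C standard uses (L1: 12,18,27; L2: 6,8,9; L3: 1..4).
LEVEL_BANDS = {1: {12, 18, 27}, 2: {6, 8, 9}, 3: {1, 2, 3, 4}}


@dataclass(frozen=True)
class Finding:
    guideline: str                      # placeholder guideline name, not a real CERT id
    is_rule: bool                       # rules are mandatory; recommendations are not
    severity: int                       # 1 = low .. 3 = high
    likelihood: int                     # 1 = unlikely .. 3 = likely
    remediation_cost: int               # 1 = high cost .. 3 = low cost (cheap fixes rank higher)
    documented_deviation: bool = False  # predefined exceptional condition, documented in source


def priority(f: Finding) -> int:
    """CERT priority P = S x L x R; every factor must be 1, 2 or 3."""
    for v in (f.severity, f.likelihood, f.remediation_cost):
        if v not in (1, 2, 3):
            raise ValueError("risk factors must be scored 1, 2 or 3")
    return f.severity * f.likelihood * f.remediation_cost


def level(f: Finding) -> int:
    """Conformance level (1 = highest priority) the finding's guideline belongs to."""
    p = priority(f)
    return next(lvl for lvl, band in LEVEL_BANDS.items() if p in band)


def blocking_findings(findings, target_level: int):
    """Rule violations without a documented deviation at target_level or above (L1 is 'above' L2)."""
    return [f for f in findings
            if f.is_rule and not f.documented_deviation and level(f) <= target_level]


def conforms(findings, target_level: int) -> bool:
    """True if an Lx conformance claim can be made for this scan."""
    return not blocking_findings(findings, target_level)


def conformance_report(findings) -> dict:
    """Per level, the guidelines that would have to be fixed (or deviated) before claiming it."""
    return {lvl: sorted(f.guideline for f in blocking_findings(findings, lvl)) for lvl in (1, 2, 3)}


# Constructed scan results (not real tool output) used to exercise the classifier.
SAMPLE_FINDINGS = [
    Finding("rule-deviated", True, 3, 3, 2, documented_deviation=True),  # P18 -> L1, but documented
    Finding("rec-style", False, 1, 1, 3),                                 # recommendation, never blocks
    Finding("rule-low", True, 2, 1, 2),                                   # P4 -> L3, blocks only an L3 claim
]
```

With the sample above, L1 and L2 claims hold while an L3 claim is blocked by `rule-low`; a deviation only removes a finding from the claim because the page's process requires it to be documented.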
11. Accelerating CERT C Compliance
[Workflow diagram (labels only), same layout as slide 9. Roles: Program Manager / Architect, Lead Architect/Technical Lead, Developer/Tester. Components: DTP, Source Control, Build Server/Test Server, C/C++test Desktop Edition, C/C++test Automation Edition (Headless Mode). Artifacts: Team Policy (e.g. Coding Standards), Test Configurations, Quality Tasks, Compliance Reports. Steps: Pre-Commit Compliance Scan, Post-Commit Compliance Scan.]
12. Summary
• Demonstrating coding standards compliance
• Compliance workflow
• Central management of the compliance configuration
• Value of compliance scans at the time of code creation
• Value of compliance scans in the CI/CD pipeline
• Dedicated reporting
• Compliance documentation
• Risk assessment framework