
Software Safety and Security Through Standards

Standards and static analysis applied properly prevent errors.
The cost of a solid prevention methodology is less than the cost of dealing with bad software. The cost of quality, safe, and secure software is less than the cost of a recall.



  1. Copyright © 2016 Parasoft, 15.09.2016. Software Safety and Security Through Standards. Arthur Hicken - Parasoft
  2. Your Presenter: Arthur Hicken is Chief Evangelist at Parasoft, where he has been involved in automating various software development and testing practices for over 20 years. He has worked on projects including cybersecurity, database development, the software development lifecycle, web publishing and monitoring, and integration with legacy systems, and maintains the IoT Hall-of-Shame (http://bit.ly/iotshame). Follow him @codecurmudgeon. Blog: http://codecurmudgeon.com. Web: http://parasoft.com
  3. Agenda
     • Software is everywhere
     • Software CAN hurt you
     • Software should be engineering
     • Good software costs less than bad software
     • Standards drive improvement
  4. Things are Everywhere: Industrial Automation, Smart Health, Smart Home, Smart City
  5. Already on the Market
  6. Software is Eating the World. Or is it infecting the world?
  7. The IoT Hall-of-Shame: http://codecurmudgeon.com, http://bit.ly/iotshame
  8. One weak spot is all it takes
  9. Impact of Faulty Software (chart figures: -5.70%, -1.9B)
  10. Software Failures = Headlines (2015 chart figures: -$2.55 Bn, -4.06%). The day of the announcement, companies lost an average of that much shareholder value. Software failures make headline news, eroding customer confidence, shareholder value and brand equity.
  11. Escalating Cost of Failure: Public
  12. Quality does not cost more
  13. How Quality Affects Software Costs (chart: cost over time across Requirements, Design, Coding, Testing, Maintenance; curves labelled Pathological and Healthy; technical debt). Poor quality is cheaper until the end of the coding phase. After that, high quality is cheaper. Source: Software Quality 2011: A Survey of the State of the Art in Software, Capers Jones.
  14. Parasoft Proprietary and Confidential. Why find bugs early? (chart: early code audit). Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006.
  15. Why find bugs early? (chart: pentest, late code audit). Sources: Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006.
  16. Software Safety in a Nutshell
     • Software development is almost never engineering
     • Lack of repeatability
     • Lack of well-exercised best practices
     • Lack of reliance on building standards
     • Developer training unknown and inconsistent
  17. Purpose of Coding Standards
     • “Proven programming practices leading to safe, reliable, testable, and maintainable code”
     • “Address potentially unsafe C language features, and provide programming rules to avoid those pitfalls”
     • “By providing ‘safer’ alternatives to ‘unsafe’ facilities, known problems … are avoided. In essence, programs are written in a ‘safer’ subset of a superset.”
  18. Standard Standards: MISRA, ISO 26262, DO 178 B/C, SANS/CERT, OWASP Top 10, JSF, DISA STIG, CWE
  19. SEI Research: Predicting Software Assurance Using Quality and Reliability Measures
     • Security and reliability go hand-in-hand
     • You can predict security based on defects
     • Static analysis is integral to improvement
     • Many (or most!) critical defects are coding mistakes
     http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=428589
  20. Software Security Defined
     • Software security is the idea of engineering software so that it continues to function correctly under malicious attack.
     • Although the notion of protecting software is an important one, it’s just plain easier to protect something that is defect-free than something riddled with vulnerabilities. (Gary McGraw, Cigital)
     https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security
  21. Why MISRA for things that aren’t cars?
     • Coding Standards
     • Well-defined
     • Updated
     • Flexible
     • Deviation Strategy
     • Auditable
     • Why not?
  22. Other Standards: DIY, DO-178, IEC 62304, Effective C++, CWE
  23. Inadequate Defect Removal Is the Main Cause of Poor Software Quality
     • Individual programmers are only 35% efficient in finding bugs in their own software
     • The sum of all normal test steps is often less than 75% effective (1 of 4 bugs remains)
     • Design reviews and code inspections, however, are often 65% effective; can top 85%
     • Static analysis is often 65% effective; can top 85%
     • Reviews and inspections can lower costs and schedules by as much as 30%
  24. Examples of Typical Code Defects (sources: SANS Institute and MITRE, www.SANS.org and www.CWE-MITRE.org)
     • Errors in SQL queries
     • Failure to validate inputs
     • Failure to validate outputs
     • Race conditions
     • Leaks from error messages
     • Unconstrained memory buffers
     • Loss of state data
     • Incorrect branches; hazardous paths
     • Careless initialization and shutdown
     • Errors in calculations and algorithms
     • Hard coding of variable items
     • Reusing code without validation or context checking
     • Changing code without changing comments that explain code
  25. Fix or Prevent
  26. Preventative standards examples
     Object-Oriented
     • Avoid "public"/"protected"/package-private instance fields
     • Do not override an instance "private" method
     • Do not hide inherited fields
     • …
     Best Practices
     • Avoid returning "handles" to internal data from const member functions
     • Declare at least one constructor to prevent the compiler from doing so
     • Declare reference parameters as const references whenever possible
     • …
     Unused Code
     • Avoid unused local variables
     • Avoid unused "private" fields
     • …
     Class Metrics
     • Follow the limit for Cyclomatic Complexity (default < 30)
     • Follow the limit for number of “<type>” fields (private, etc.)
     • Follow the limit on class hierarchy depth
     • …
  27. Static analysis
     • Analysis of a computer program that is performed without executing the software
     • Key impact: prevent or reduce the risk of erroneous coding
     • Advantages: comprehensive and unbiased; results are available well before the application runs
     • Typically includes: compiler warnings; coding standards / policies; flow analysis / path simulation; metrics (e.g. complexity)
  28. What is: Pattern-Based SA
     • What: identify specific patterns in the code
     • Why: find bugs; ensure inclusion of required items (security, branding); prevent problems; improve developers
  29. Pattern-Based Static Analysis
     • Quick scan to list possible problems
     • Fixing violations prevents certain classes of errors
     • Each source file is analyzed separately
     • Static analysis categories include: Logical Errors; API Misuse; Typographical Errors; Security; Threads and Synchronization; Performance and Optimization
  30. What is: Data Flow Analysis
     • What: simulate execution to find patterns
     • Why: find real bugs
  31. Data Flow Analysis
     • Simulate hypothetical execution paths
     • Detect possible errors along those paths
     • Data flow analysis error categories include: Exceptions; Optimization; Resource Leaks; API misuse; Security
  32. Static analysis – what it can do
     • Identify defective code (runtime bugs)
     • Flag defect-prone code (possible bugs and “gotchas”)
     • Suggest defensive programming practices
     • Monitor application-specific guidelines (e.g. portability)
     • Enable policy enforcement (security)
     • Flag unmaintainable / poorly readable / “dialect” code
     • Train developers to code better
  33. Static Analysis Prevention
     • Relationship of automated analysis: preventative static analysis; flow analysis; runtime error detection
     • Uninitialized memory example:
        • Runtime will find it IF the test suite is thorough
        • Flow analysis may find it depending on complexity
        • Pattern to prevent: initialize variables upon declaration
     • Much of MISRA is designed to prevent rather than detect
  34. How to choose rules
     • Based on why you’re using static analysis
     • Study expected issues
     • Analyze the bug-tracking system
     • Don’t just turn on rules because it’s a good idea
     • Pick few enough to use sustainably
  35. Being Successful
     • Choose rules carefully
     • Implement progressively: fewer to more rules; extend the date backward
     • Suppressions to manage noise
     (diagram: Quality; Code Review and Regression Testing)
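As an added example (not from the slides and not Parasoft's tooling), a minimal pattern-based check for the prevention rule from the uninitialized-memory slide, "initialize variables upon declaration": it scans one C file on its own, as the pattern-based slide describes, and skips lines carrying a suppression marker, as the "Suppressions to manage noise" slide suggests. The C sample, the regex for declaration lines and the `sa-suppress` tag are all assumptions of this example.

```python
import re

# Constructed C sample (not from the slides). 'status' is set on one path only,
# so runtime tests catch it only if they drive code <= 0 and flow analysis only
# if it follows both branches; the prevention rule flags line 2 with no path logic.
SAMPLE_C = """\
int lookup(int code) {
    int status;                  /* not initialized at declaration */
    int retries = 3;
    char buf[16];                /* uninitialized array */
    unsigned char seen[4] = {0};
    if (code > 0) {
        status = code * 2;
    }
    return status + retries;     /* reads status on the code <= 0 path */
}
int legacy_value;
int tolerated;                   /* sa-suppress: documented deviation */
"""

C_TYPE = (r"(?:(?:static|const|unsigned|signed)\s+)*"          # toy C type prefix
          r"(?:char|short|int|long|float|double|size_t|u?int\d+_t)")
DECL_RE = re.compile(rf"^\s*{C_TYPE}\s+(?P<decls>[^;(]+);")  # skips prototypes

def split_declarators(decls: str) -> list[str]:
    """Split 'a, b = 2, *c' on commas that are outside brackets and braces."""
    parts, cur, depth = [], [], 0
    for ch in decls:
        depth += (ch in "{([") - (ch in "})]")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def check_uninitialized(source: str) -> list[tuple[int, str]]:
    """Pattern rule: (line, name) for each declarator with no '=' initializer.
    One file at a time, no cross-file state; 'sa-suppress' lines are skipped."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = DECL_RE.match(line)
        if not m or "sa-suppress" in line:  # assumed suppression marker
            continue
        for decl in split_declarators(m.group("decls")):
            if "=" not in decl:
                name = re.match(r"\*?\s*(\w+)", decl).group(1)
                findings.append((lineno, name))
    return findings
```

Running `check_uninitialized(SAMPLE_C)` reports `status`, `buf` and `legacy_value`; only the first is a real runtime bug, which is the trade-off between a cheap prevention pattern and path-sensitive flow analysis that the slides describe.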
  36. Conclusion
     • Standards and static analysis applied properly prevent errors
     • The cost of a solid prevention methodology is less than the cost of dealing with bad software
     • The cost of good software is less than that of bad software
     • The cost of quality, safe, secure software is less than the cost of a recall
  37. Security Resources
     • CWE – Common Weakness Enumeration: http://cwe.mitre.org
     • CERT – Secure Coding Guidelines: https://www.securecoding.cert.org
     • Build Security In – Collaborative security effort: https://buildsecurityin.us-cert.gov
     • Parasoft: http://www.parasoft.com
  38. Contact
     • Email: codecurmudgeon@gmail.com
     • Web: http://www.parasoft.com/, http://codecurmudgeon.com
     • Facebook: https://facebook.com/parasoftcorporation, https://facebook.com/codecurmudgeon
     • Twitter: @Parasoft, @CodeCurmudgeon
     • LinkedIn: http://www.linkedin.com/company/parasoft
     • Google+ Community: Static Analysis for Fun and Profit
