SlideShare a Scribd company logo

685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final

Š
Šumadin Šumić

SWAT is working to maximize the effectiveness of static code analysis for IV&V projects. This includes identifying gaps, evaluating new tools, customizing tools, and leveraging historical data. Proper preparation is important, such as understanding the code, development environment, and target architecture. Choosing the right tools requires considering project characteristics and IV&V analysis needs. Maximizing tool effectiveness also requires properly configuring builds and enabling relevant analysis checks.

1 of 31
Download to read offline
SWAT Extending Benefits of Static Code Analysis Tools NASA IV&V Software Assurance Tools (SWAT)
SWAT Outline • Setting Context • Identifying Types of Code Defects • Preparing for Analysis • Maximizing Tool Effectiveness • Selecting Appropriate Tools • Customizing to Support Analysis • Leveraging Historical Analysis Data • Reviewing Ongoing Efforts • Taking Questions 2
SWAT Setting Context 3 • SWAT is now actively participating in the Static Code Analysis Working Group to help facilitate improvements in the use of static code analysis tools within the IV&V Program • SWAT is working with IV&V projects to gather representative source code and creating sample test code when necessary for a library to support evaluation of both current and additional tools • SWAT is responding to requests from projects regarding specific capabilities by verifying current tools with test code and evaluating additional tools for use SWAT is working to maximize the effectiveness of IV&V’s static code analysis capabilities. Identifying gaps in our current static analysis capabilities and evaluating solutions to improve IV&V’s analysis coverage Working to better understand the capabilities of current static code analysis tools Evaluating how current tools are being applied and identifying opportunities to improve the process of using them
SWAT Identifying Types of Code Defects 4 Syntax Run-timeLogic Categories of code defects
SWAT Identifying Types of Code Defects 5 Syntax Caught during compile time, e.g. code is attempting to use an undeclared variable May include style or certain coding standards violations that are caught through basic parsing and “pattern matching”
SWAT Identifying Types of Code Defects 6 Logic May be caught during functional requirements based testing, i.e. does the code do what it was supposed to? High value findings when IV&V is able to identify or confirm logic defects through either manual analysis or use of dynamic analysis resources such as the ITC JSTAR lab Analysts have indicated that, from their experience, digging deeper into understanding the code when reviewing static code analysis results can provide a side benefit of identifying other unrelated logic defects
SWAT Identifying Types of Code Defects 7 Occurs during program execution, e.g. out of bounds array access (“buffer overflow”), division by zero, non-initialized local variables, integer overflows, illegal dereferenced pointer High value findings, as these defects may result in program crash or undefined behavior that could ultimately result in the loss of the mission or impact the accomplishment of a mission objective Run-time Underlying tool technology (e.g. abstract interpretation) and project configuration impacts the effectiveness of identifying certain defects Static code analysis tools can help detect dangerous run-time defects in the code or even prove the absence of certain run-time defects when using formal methods-based approaches
SWAT Preparing for Analysis 8 What code do I expect to get and what does it do? What is the development environment for this build of code, and how will it affect my analysis?What are the characteristics of the target architecture on which this code was written to run?
SWAT Preparing for Analysis 9 What code do I expect to get and what does it do? Understanding of requirements implemented in the code Form an expectation of interfaces that should be present in the code build What are the characteristics of the target architecture on which this code was written to run? Identify the important characteristics of the architecture that could be reflected in the source code such as CPU, operating system, key addresses, and memory layout
SWAT Preparing for Analysis 10 Understanding of requirements implemented in the code Form an expectation of interfaces that should be present in the code build Identify the important characteristics of the architecture that could be reflected in the source code such as CPU, operating system, key addresses, and memory layout • Know what to expect when you receive code (or recognize if you didn’t get what was expected!) • Create a team “cheat sheet” of important characteristics of the architecture that could be reflected in the source code. • Determine what prior projects may be relevant to the analysis • Check with ITC JSTAR lab for any available project simulations that could support understanding of the architecture for analysis
SWAT Preparing for Analysis 11 Understand the characteristics of the developer’s environment Identify differences between the developer’s environment and your analysis environment Consider most appropriate tools to aid in analysis What is the development environment for this build of code, and how will it affect my analysis?
SWAT Preparing for Analysis 12 Understand the characteristics of the developer’s environment Identify differences between the developer’s environment and your analysis environment Consider most appropriate tools to aid in analysis • Identify dependencies that may exist in source code • Identify build artifacts and settings to expect, with respect to the build system used by the developer • Leverage previous experience with the same development environment if possible • Identify what static analysis tools the development project is using to prevent overlap where possible
SWAT Preparing for Analysis 13
SWAT Preparing for Analysis 14 Development Environment Characteristics • Developed in Wind River Workbench • Uses the GNU toolchain • Windows desktop environment • Regular source code Linting during builds • Source code with VxWorks dependencies and version information • Makefiles to build the code with the VxWorks GNU make tool • Source code and makefiles with file references that assume case insensitivity • Source code that may be more effectively analyzed with some tool other than FlexeLint (because of the developer-initiated lint during the build process) • Create cheat sheet with processor, memory, and VxWorks characteristics • Evaluate projects with similar mission characteristics to get an idea of what will be delivered
SWAT Maximizing Tool Effectiveness 15 That wasn’t too bad. I guess I’ll… !!!!! Incoming Code! Now that I have code, what do I need to know to maximize the effectiveness of my static code analysis tools?
SWAT Maximizing Tool Effectiveness 16 Understand the developer’s build process and gather build information Ensure that macros and other information are defined correctly within your build Review the checks enabled for your build to ensure that the checks of interest for the IV&V effort have been selected Now that I have code, what do I need to know to maximize the effectiveness of my static code analysis tools? Preparing for the static code analysis effort adequately and properly configuring the build are necessary for the most complete and accurate analysis results
SWAT Maximizing Tool Effectiveness 17 Build Understand the developer’s build process and gather build information INC ? INC INC Build Logs
SWAT Maximizing Tool Effectiveness 18 Understand the developer’s build process and gather build information • Once missing files have been identified, the analyst should: • Request missing files from the developer (common with third party libraries) as the ideal solution • Use other available library code if necessary • Stub out the missing code if absolutely necessary • Inspect any build logs or other status produced by our tools, looking carefully for warning or error messages such as missing header files, make any necessary adjustments and execute the build again • Inspect developer build artifacts given by the project to get a feel for the build process • Consider utilizing tools to help determine if we have the needed files for analysis, in addition to the build information (e.g., Understand, Eclipse, and SWAT script for creating a Klocwork build specification file)
SWAT Maximizing Tool Effectiveness 19 Ensure that macros and other information are defined correctly within your build so that we are analyzing the correct code Not only does the build tell us WHICH files need to be analyzed, but it also tells HOW those files should be analyzed based on macro definitions passed to the compiler. void Fsw::setupTimer( void ) { bool setupSuccessful; #ifdef TARGETCPU setupSuccessful = false; // Perform setup of interrupt handling routine. // Lines snipped that do the work... // Create a task to handle the interrupt. // More lines snipped... #endif }
SWAT Maximizing Tool Effectiveness 20 Ensure that macros and other information are defined correctly within your build • Make sure that macro definitions and other information relative to the software being analyzed are added to the build information passed to our static code analyzers. Failure to do so may produce invalid or misleading results. Most tools can: • Operate with incomplete information and provide potential issues • Execute the build and produce some output
SWAT Maximizing Tool Effectiveness 21 Review the checks enabled for your build to ensure that the checks of interest for the IV&V effort have been selected • Review the specific checks enabled for your build in the static analysis tool to ensure that the checks of interest for the IV&V effort have been selected • Consider also documenting what is NOT being checked for, if applicable • Consider running multiple builds with different sets of checks enabled • Consider enabling MISRA checks for critical flight software, but separate builds may be warranted in this instance due to the potential for a significant number of resulting messages
SWAT Selecting Appropriate Tools 22 Which of the available tools are appropriate for my task?
SWAT Selecting Appropriate Tools 23 Project software characteristics Project development characteristics IV&V team analysis requirements Which of the available tools are appropriate for my task? IV&V Project scope
SWAT Selecting Appropriate Tools 24 Project software characteristics Project development characteristics Ground vs. Flight software Size of code base Source code language Overlapping analysis with project Availability and completeness of project artifacts
SWAT Selecting Appropriate Tools 25 IV&V team analysis requirements Turn-around time Targeted defect types Characteristics of tools available Level of assurance and verification needed Experience of the team with specific tools IV&V Project scope Mission criticality
SWAT Selecting Appropriate Tools 26
SWAT Customizing to Support Analysis 27 Zzzzz Zzzzz Zzzzz!!! SWAT is doing things to help you too!
SWAT Customizing to Support Analysis 28 Additional benefits from static code analysis tools can be realized from customization Understand Perl API Metrics, best practices, other rules or conventions Standards verification Klocwork Abstract Syntax Tree checks such as unnecessary negative value testing for unsigned integers Steep learning curve Polyspace Support ICD verification Simulate normal working conditions of software Data range specification
SWAT Leveraging Historical Analysis Data 29 Historical data can be used to further extend the benefits of static code analysis tools Code level metrics and quality attributes Focus future analysis SWAT is researching prior code defects that have been identified by IV&V to determine what tool or approach was utilized
SWAT Reviewing Ongoing Efforts 30 Static Code Analysis Working Group Documenting lists of checks that can be safely disabled or output ignored per tool given the target domain Documenting lists of required checks that should be enabled per tool given the target domain SWAT New Tool Evaluation Continuing evaluation of tools based on both additional capability (e.g. formal methods-based abstract interpretation) and target language support (e.g. Ada) Current Tool Evaluation Comparing tool setup, use and resulting output for the same source code drop across various tools
SWAT Taking Questions 31 Contact us at: ivv-swat@lists.nasa.gov

Recommended

Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
Geneva, Switzerland
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Denim Group
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOps
Wouter de Kort
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis tool
scmGalaxy Inc
 
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...
RootedCON
 
How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis
Perforce
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
Rushana Bandara
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
Orest Ivasiv
 

Recommended

Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
Geneva, Switzerland
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Denim Group
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOps
Wouter de Kort
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis tool
scmGalaxy Inc
 
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...
RootedCON
 
How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis
Perforce
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
Rushana Bandara
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
Orest Ivasiv
 
Java Code Review Checklist
Java Code Review ChecklistJava Code Review Checklist
Java Code Review Checklist
Mahesh Chopker
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
Rune Sundling
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
Coverity
 
Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
Coverity
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
Сергей Гоменюк
 
Codingstandards matiar
Codingstandards matiarCodingstandards matiar
Codingstandards matiar
Matiar Rahman
 
Sonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysisSonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysis
Prashant Gupta
 
Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)
Aditya Bhuyan
 
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
The University of Adelaide
 
Finding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCopFinding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCop
Coverity
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
silviad74
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
Obika Gellineau
 
Using HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review AnalyticsUsing HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review Analytics
The University of Adelaide
 
Static Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoverityStatic Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with Coverity
Samsung Open Source Group
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLC
Parasoft_Mitchell
 
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
The University of Adelaide
 
Adopting Agile
Adopting AgileAdopting Agile
Adopting Agile
Coverity
 
BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat Security Conference
 
Ponchado de cable. luz
Ponchado de cable. luzPonchado de cable. luz
Ponchado de cable. luz
luzr131
 
Trabajo de diagnostico financiero
Trabajo de diagnostico financieroTrabajo de diagnostico financiero
Trabajo de diagnostico financiero
jorgemarioibarra
 

More Related Content

What's hot

Java Code Review Checklist
Java Code Review ChecklistJava Code Review Checklist
Java Code Review Checklist
Mahesh Chopker
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
Rune Sundling
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
Coverity
 
Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
n|u - The Open Security Community
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
Coverity
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
Сергей Гоменюк
 
Codingstandards matiar
Codingstandards matiarCodingstandards matiar
Codingstandards matiar
Matiar Rahman
 
Sonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysisSonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysis
Prashant Gupta
 
Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)
Aditya Bhuyan
 
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
The University of Adelaide
 
Finding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCopFinding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCop
Coverity
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
silviad74
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
Obika Gellineau
 
Using HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review AnalyticsUsing HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review Analytics
The University of Adelaide
 
Static Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoverityStatic Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with Coverity
Samsung Open Source Group
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLC
Parasoft_Mitchell
 
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
The University of Adelaide
 
Adopting Agile
Adopting AgileAdopting Agile
Adopting Agile
Coverity
 
BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat Security Conference
 

What's hot (20)

Java Code Review Checklist
Java Code Review ChecklistJava Code Review Checklist
Java Code Review Checklist
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
 
Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
 
Codingstandards matiar
Codingstandards matiarCodingstandards matiar
Codingstandards matiar
 
Sonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysisSonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysis
 
Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)
 
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
 
Finding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCopFinding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCop
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Using HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review AnalyticsUsing HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review Analytics
 
Static Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoverityStatic Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with Coverity
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLC
 
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
 
Adopting Agile
Adopting AgileAdopting Agile
Adopting Agile
 
BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...
 

Viewers also liked

Ponchado de cable. luz
Ponchado de cable. luzPonchado de cable. luz
Ponchado de cable. luz
luzr131
 
Trabajo de diagnostico financiero
Trabajo de diagnostico financieroTrabajo de diagnostico financiero
Trabajo de diagnostico financiero
jorgemarioibarra
 
Best Practices Guide: Messaging for Coworking Spaces
Best Practices Guide: Messaging for Coworking SpacesBest Practices Guide: Messaging for Coworking Spaces
Best Practices Guide: Messaging for Coworking Spaces
FrontlineSMS
 
Jonathan Basden Resume Sept 2016 w TelAid
Jonathan Basden Resume Sept 2016 w TelAidJonathan Basden Resume Sept 2016 w TelAid
Jonathan Basden Resume Sept 2016 w TelAid
Jonathan Basden
 
Contaminacion del aire
Contaminacion del aireContaminacion del aire
Contaminacion del aire
jennyfergl
 
nutrientes
nutrientesnutrientes
nutrientes
Danitza Rodriguez Gutierrez
 
Slideshow Relaciones Jurídicas
Slideshow Relaciones Jurídicas Slideshow Relaciones Jurídicas
Slideshow Relaciones Jurídicas
Nayelis Jaimes Garrido
 
Weather Data Analytics Using Hadoop
Weather Data Analytics Using HadoopWeather Data Analytics Using Hadoop
Weather Data Analytics Using Hadoop
Najima Begum
 
Experiencia innovadora
Experiencia innovadoraExperiencia innovadora
Experiencia innovadora
Instituto Técnico José Rueda
 
Upute za otključavanje uređaja
Upute za otključavanje uređajaUpute za otključavanje uređaja
Upute za otključavanje uređaja
Šumadin Šumić
 
Adm britez giorgio- romero
Adm britez giorgio- romeroAdm britez giorgio- romero
Adm britez giorgio- romero
Carina Britez
 
Arvind skylands
Arvind skylandsArvind skylands
Arvind skylands
propladder
 
Auxiliares del comerciante 2...
Auxiliares del comerciante 2...Auxiliares del comerciante 2...
Auxiliares del comerciante 2...
22096505
 
Tributario..
Tributario..Tributario..
Tributario..
22096505
 
Weather Data Analytics Using Hadoop
Weather Data Analytics Using HadoopWeather Data Analytics Using Hadoop
Weather Data Analytics Using Hadoop
Najima Begum
 

Viewers also liked (16)

Ponchado de cable. luz
Ponchado de cable. luzPonchado de cable. luz
Ponchado de cable. luz
 
Trabajo de diagnostico financiero
Trabajo de diagnostico financieroTrabajo de diagnostico financiero
Trabajo de diagnostico financiero
 
Best Practices Guide: Messaging for Coworking Spaces
Best Practices Guide: Messaging for Coworking SpacesBest Practices Guide: Messaging for Coworking Spaces
Best Practices Guide: Messaging for Coworking Spaces
 
portfolio_2016
portfolio_2016portfolio_2016
portfolio_2016
 
Jonathan Basden Resume Sept 2016 w TelAid
Jonathan Basden Resume Sept 2016 w TelAidJonathan Basden Resume Sept 2016 w TelAid
Jonathan Basden Resume Sept 2016 w TelAid
 
Contaminacion del aire
Contaminacion del aireContaminacion del aire
Contaminacion del aire
 
nutrientes
nutrientesnutrientes
nutrientes
 
Slideshow Relaciones Jurídicas
Slideshow Relaciones Jurídicas Slideshow Relaciones Jurídicas
Slideshow Relaciones Jurídicas
 
Weather Data Analytics Using Hadoop
Weather Data Analytics Using HadoopWeather Data Analytics Using Hadoop
Weather Data Analytics Using Hadoop
 
Experiencia innovadora
Experiencia innovadoraExperiencia innovadora
Experiencia innovadora
 
Upute za otključavanje uređaja
Upute za otključavanje uređajaUpute za otključavanje uređaja
Upute za otključavanje uređaja
 
Adm britez giorgio- romero
Adm britez giorgio- romeroAdm britez giorgio- romero
Adm britez giorgio- romero
 
Arvind skylands
Arvind skylandsArvind skylands
Arvind skylands
 
Auxiliares del comerciante 2...
Auxiliares del comerciante 2...Auxiliares del comerciante 2...
Auxiliares del comerciante 2...
 
Tributario..
Tributario..Tributario..
Tributario..
 
Weather Data Analytics Using Hadoop
Weather Data Analytics Using HadoopWeather Data Analytics Using Hadoop
Weather Data Analytics Using Hadoop
 

Similar to 685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final

Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening
Maven Logix
 
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifijboughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
akd3143
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
kiansahafi
 
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis ToolsGNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
AdaCore
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
Tao Xie
 
Visual Studio Profiler
Visual Studio ProfilerVisual Studio Profiler
Visual Studio Profiler
Betclic Everest Group Tech Team
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
sedukull
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Perforce
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
Felipe Prado
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
Checkmarx
 
Enter the mind of an Agile Developer
Enter the mind of an Agile DeveloperEnter the mind of an Agile Developer
Enter the mind of an Agile Developer
BSGAfrica
 
Code Inspection
Code InspectionCode Inspection
Code Inspection
Fáber D. Giraldo
 
black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...
KrishnaVeni451953
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
PVS-Studio
 
Sdlc model
Sdlc modelSdlc model
Sdlc model
aligarhking
 
Unit Testing in JavaScript
Unit Testing in JavaScriptUnit Testing in JavaScript
Unit Testing in JavaScript
Rob Scaduto
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
.NET Conf UY
 
Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer
AdaCore
 
Building A Product Assortment Recommendation Engine
Building A Product Assortment Recommendation EngineBuilding A Product Assortment Recommendation Engine
Building A Product Assortment Recommendation Engine
Databricks
 

Similar to 685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final (20)

Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening
 
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifijboughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis ToolsGNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
 
Visual Studio Profiler
Visual Studio ProfilerVisual Studio Profiler
Visual Studio Profiler
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 
Enter the mind of an Agile Developer
Enter the mind of an Agile DeveloperEnter the mind of an Agile Developer
Enter the mind of an Agile Developer
 
Code Inspection
Code InspectionCode Inspection
Code Inspection
 
black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
 
Sdlc model
Sdlc modelSdlc model
Sdlc model
 
Unit Testing in JavaScript
Unit Testing in JavaScriptUnit Testing in JavaScript
Unit Testing in JavaScript
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
 
Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer
 
Building A Product Assortment Recommendation Engine
Building A Product Assortment Recommendation EngineBuilding A Product Assortment Recommendation Engine
Building A Product Assortment Recommendation Engine
 

Recently uploaded

DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELDEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
ijaia
 
1FIDIC-CONSTRUCTION-CONTRACT-2ND-ED-2017-RED-BOOK.pdf
1FIDIC-CONSTRUCTION-CONTRACT-2ND-ED-2017-RED-BOOK.pdf1FIDIC-CONSTRUCTION-CONTRACT-2ND-ED-2017-RED-BOOK.pdf
1FIDIC-CONSTRUCTION-CONTRACT-2ND-ED-2017-RED-BOOK.pdf
MadhavJungKarki
 
Engineering Standards Wiring methods.pdf
Engineering Standards Wiring methods.pdfEngineering Standards Wiring methods.pdf
Engineering Standards Wiring methods.pdf
edwin408357
 
Data Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason WebinarData Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason Webinar
UReason
 
Software Engineering and Project Management - Software Testing + Agile Method...
Software Engineering and Project Management - Software Testing + Agile Method...Software Engineering and Project Management - Software Testing + Agile Method...
Software Engineering and Project Management - Software Testing + Agile Method...
Prakhyath Rai
 
Gas agency management system project report.pdf
Gas agency management system project report.pdfGas agency management system project report.pdf
Gas agency management system project report.pdf
Kamal Acharya
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
21UME003TUSHARDEB
 
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
IJECEIAES
 
Curve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods RegressionCurve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods Regression
Nada Hikmah
 
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
IJECEIAES
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
kandramariana6
 
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
upoux
 
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Sinan KOZAK
 
Welding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdfWelding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdf
AjmalKhan50578
 
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
Yasser Mahgoub
 
TIME TABLE MANAGEMENT SYSTEM testing.pptx
TIME TABLE MANAGEMENT SYSTEM testing.pptxTIME TABLE MANAGEMENT SYSTEM testing.pptx
TIME TABLE MANAGEMENT SYSTEM testing.pptx
CVCSOfficial
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
KrishnaveniKrishnara1
 
Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...
IJECEIAES
 
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
Paris Salesforce Developer Group
 
VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...
VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...
VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...
PIMR BHOPAL
 

Recently uploaded (20)

DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELDEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODEL
 
1FIDIC-CONSTRUCTION-CONTRACT-2ND-ED-2017-RED-BOOK.pdf
1FIDIC-CONSTRUCTION-CONTRACT-2ND-ED-2017-RED-BOOK.pdf1FIDIC-CONSTRUCTION-CONTRACT-2ND-ED-2017-RED-BOOK.pdf
1FIDIC-CONSTRUCTION-CONTRACT-2ND-ED-2017-RED-BOOK.pdf
 
Engineering Standards Wiring methods.pdf
Engineering Standards Wiring methods.pdfEngineering Standards Wiring methods.pdf
Engineering Standards Wiring methods.pdf
 
Data Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason WebinarData Driven Maintenance | UReason Webinar
Data Driven Maintenance | UReason Webinar
 
Software Engineering and Project Management - Software Testing + Agile Method...
Software Engineering and Project Management - Software Testing + Agile Method...Software Engineering and Project Management - Software Testing + Agile Method...
Software Engineering and Project Management - Software Testing + Agile Method...
 
Gas agency management system project report.pdf
Gas agency management system project report.pdfGas agency management system project report.pdf
Gas agency management system project report.pdf
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
 
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
 
Curve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods RegressionCurve Fitting in Numerical Methods Regression
Curve Fitting in Numerical Methods Regression
 
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
 
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
一比一原版(uofo毕业证书)美国俄勒冈大学毕业证如何办理
 
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
 
Welding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdfWelding Metallurgy Ferrous Materials.pdf
Welding Metallurgy Ferrous Materials.pdf
 
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
 
TIME TABLE MANAGEMENT SYSTEM testing.pptx
TIME TABLE MANAGEMENT SYSTEM testing.pptxTIME TABLE MANAGEMENT SYSTEM testing.pptx
TIME TABLE MANAGEMENT SYSTEM testing.pptx
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
 
Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...
 
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
AI + Data Community Tour - Build the Next Generation of Apps with the Einstei...
 
VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...
VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...
VARIABLE FREQUENCY DRIVE. VFDs are widely used in industrial applications for...
 

685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final

  • 1. SWAT Extending Benefits of Static Code Analysis Tools NASA IV&V Software Assurance Tools (SWAT)
  • 2. SWAT Outline • Setting Context • Identifying Types of Code Defects • Preparing for Analysis • Maximizing Tool Effectiveness • Selecting Appropriate Tools • Customizing to Support Analysis • Leveraging Historical Analysis Data • Reviewing Ongoing Efforts • Taking Questions 2
  • 3. SWAT Setting Context 3 • SWAT is now actively participating in the Static Code Analysis Working Group to help facilitate improvements in the use of static code analysis tools within the IV&V Program • SWAT is working with IV&V projects to gather representative source code and creating sample test code when necessary for a library to support evaluation of both current and additional tools • SWAT is responding to requests from projects regarding specific capabilities by verifying current tools with test code and evaluating additional tools for use SWAT is working to maximize the effectiveness of IV&V’s static code analysis capabilities. Identifying gaps in our current static analysis capabilities and evaluating solutions to improve IV&V’s analysis coverage Working to better understand the capabilities of current static code analysis tools Evaluating how current tools are being applied and identifying opportunities to improve the process of using them
  • 4. SWAT Identifying Types of Code Defects 4 Syntax Run-timeLogic Categories of code defects
  • 5. SWAT Identifying Types of Code Defects 5 Syntax Caught during compile time, e.g. code is attempting to use an undeclared variable May include style or certain coding standards violations that are caught through basic parsing and “pattern matching”
  • 6. SWAT Identifying Types of Code Defects 6 Logic May be caught during functional requirements based testing, i.e. does the code do what it was supposed to? High value findings when IV&V is able to identify or confirm logic defects through either manual analysis or use of dynamic analysis resources such as the ITC JSTAR lab Analysts have indicated that, from their experience, digging deeper into understanding the code when reviewing static code analysis results can provide a side benefit of identifying other unrelated logic defects
  • 7. SWAT Identifying Types of Code Defects 7 Occurs during program execution, e.g. out of bounds array access (“buffer overflow”), division by zero, non-initialized local variables, integer overflows, illegal dereferenced pointer High value findings, as these defects may result in program crash or undefined behavior that could ultimately result in the loss of the mission or impact the accomplishment of a mission objective Run-time Underlying tool technology (e.g. abstract interpretation) and project configuration impacts the effectiveness of identifying certain defects Static code analysis tools can help detect dangerous run-time defects in the code or even prove the absence of certain run-time defects when using formal methods-based approaches
  • 8. SWAT Preparing for Analysis 8 What code do I expect to get and what does it do? What is the development environment for this build of code, and how will it affect my analysis?What are the characteristics of the target architecture on which this code was written to run?
  • 9. SWAT Preparing for Analysis 9 What code do I expect to get and what does it do? Understanding of requirements implemented in the code Form an expectation of interfaces that should be present in the code build What are the characteristics of the target architecture on which this code was written to run? Identify the important characteristics of the architecture that could be reflected in the source code such as CPU, operating system, key addresses, and memory layout
  • 10. SWAT Preparing for Analysis 10 Understanding of requirements implemented in the code Form an expectation of interfaces that should be present in the code build Identify the important characteristics of the architecture that could be reflected in the source code such as CPU, operating system, key addresses, and memory layout • Know what to expect when you receive code (or recognize if you didn’t get what was expected!) • Create a team “cheat sheet” of important characteristics of the architecture that could be reflected in the source code. • Determine what prior projects may be relevant to the analysis • Check with ITC JSTAR lab for any available project simulations that could support understanding of the architecture for analysis
  • 11. SWAT Preparing for Analysis 11 Understand the characteristics of the developer’s environment Identify differences between the developer’s environment and your analysis environment Consider most appropriate tools to aid in analysis What is the development environment for this build of code, and how will it affect my analysis?
  • 12. SWAT Preparing for Analysis 12 Understand the characteristics of the developer’s environment Identify differences between the developer’s environment and your analysis environment Consider most appropriate tools to aid in analysis • Identify dependencies that may exist in source code • Identify build artifacts and settings to expect, with respect to the build system used by the developer • Leverage previous experience with the same development environment if possible • Identify what static analysis tools the development project is using to prevent overlap where possible
  • 14. SWAT Preparing for Analysis 14 Development Environment Characteristics • Developed in Wind River Workbench • Uses the GNU toolchain • Windows desktop environment • Regular source code Linting during builds • Source code with VxWorks dependencies and version information • Makefiles to build the code with the VxWorks GNU make tool • Source code and makefiles with file references that assume case insensitivity • Source code that may be more effectively analyzed with some tool other than FlexeLint (because of the developer-initiated lint during the build process) • Create cheat sheet with processor, memory, and VxWorks characteristics • Evaluate projects with similar mission characteristics to get an idea of what will be delivered
  • 15. SWAT Maximizing Tool Effectiveness 15 That wasn’t too bad. I guess I’ll… !!!!! Incoming Code! Now that I have code, what do I need to know to maximize the effectiveness of my static code analysis tools?
  • 16. SWAT Maximizing Tool Effectiveness 16 Understand the developer’s build process and gather build information Ensure that macros and other information are defined correctly within your build Review the checks enabled for your build to ensure that the checks of interest for the IV&V effort have been selected Now that I have code, what do I need to know to maximize the effectiveness of my static code analysis tools? Preparing for the static code analysis effort adequately and properly configuring the build are necessary for the most complete and accurate analysis results
  • 17. SWAT Maximizing Tool Effectiveness 17 Build Understand the developer’s build process and gather build information INC ? INC INC Build Logs
  • 18. SWAT Maximizing Tool Effectiveness 18 Understand the developer’s build process and gather build information • Once missing files have been identified, the analyst should: • Request missing files from the developer (common with third party libraries) as the ideal solution • Use other available library code if necessary • Stub out the missing code if absolutely necessary • Inspect any build logs or other status produced by our tools, looking carefully for warning or error messages such as missing header files, make any necessary adjustments and execute the build again • Inspect developer build artifacts given by the project to get a feel for the build process • Consider utilizing tools to help determine if we have the needed files for analysis, in addition to the build information (e.g., Understand, Eclipse, and SWAT script for creating a Klocwork build specification file)
  • 19. SWAT Maximizing Tool Effectiveness 19 Ensure that macros and other information are defined correctly within your build so that we are analyzing the correct code Not only does the build tell us WHICH files need to be analyzed, but it also tells HOW those files should be analyzed based on macro definitions passed to the compiler. void Fsw::setupTimer( void ) { bool setupSuccessful; #ifdef TARGETCPU setupSuccessful = false; // Perform setup of interrupt handling routine. // Lines snipped that do the work... // Create a task to handle the interrupt. // More lines snipped... #endif }
  • 20. SWAT Maximizing Tool Effectiveness 20 Ensure that macros and other information are defined correctly within your build • Make sure that macro definitions and other information relative to the software being analyzed are added to the build information passed to our static code analyzers. Failure to do so may produce invalid or misleading results. Most tools can: • Operate with incomplete information and provide potential issues • Execute the build and produce some output
  • 21. SWAT Maximizing Tool Effectiveness 21 Review the checks enabled for your build to ensure that the checks of interest for the IV&V effort have been selected • Review the specific checks enabled for your build in the static analysis tool to ensure that the checks of interest for the IV&V effort have been selected • Consider also documenting what is NOT being checked for, if applicable • Consider running multiple builds with different sets of checks enabled • Consider enabling MISRA checks for critical flight software, but separate builds may be warranted in this instance due to the potential for a significant number of resulting messages
  • 22. SWAT Selecting Appropriate Tools 22 Which of the available tools are appropriate for my task?
  • 23. SWAT Selecting Appropriate Tools 23 Project software characteristics Project development characteristics IV&V team analysis requirements Which of the available tools are appropriate for my task? IV&V Project scope
  • 24. SWAT Selecting Appropriate Tools 24 Project software characteristics Project development characteristics Ground vs. Flight software Size of code base Source code language Overlapping analysis with project Availability and completeness of project artifacts
  • 25. SWAT Selecting Appropriate Tools 25 IV&V team analysis requirements Turn-around time Targeted defect types Characteristics of tools available Level of assurance and verification needed Experience of the team with specific tools IV&V Project scope Mission criticality
  • 27. SWAT Customizing to Support Analysis 27 Zzzzz Zzzzz Zzzzz!!! SWAT is doing things to help you too!
  • 28. SWAT Customizing to Support Analysis 28 Additional benefits from static code analysis tools can be realized from customization Understand Perl API Metrics, best practices, other rules or conventions Standards verification Klocwork Abstract Syntax Tree checks such as unnecessary negative value testing for unsigned integers Steep learning curve Polyspace Support ICD verification Simulate normal working conditions of software Data range specification
  • 29. SWAT Leveraging Historical Analysis Data 29 Historical data can be used to further extend the benefits of static code analysis tools Code level metrics and quality attributes Focus future analysis SWAT is researching prior code defects that have been identified by IV&V to determine what tool or approach was utilized
  • 30. SWAT Reviewing Ongoing Efforts 30 Static Code Analysis Working Group Documenting lists of checks that can be safely disabled or output ignored per tool given the target domain Documenting lists of required checks that should be enabled per tool given the target domain SWAT New Tool Evaluation Continuing evaluation of tools based on both additional capability (e.g. formal methods-based abstract interpretation) and target language support (e.g. Ada) Current Tool Evaluation Comparing tool setup, use and resulting output for the same source code drop across various tools
  • 31. SWAT Taking Questions 31 Contact us at: ivv-swat@lists.nasa.gov