Standards and static analysis applied properly prevent errors. the cost of solid prevention methodology is less than the cost of dealing with bad software. The cost of quality, safe, and secure software is less than the cost of a recall.

1. Copyright © 2016 Parasoft 1
15.09.2016
Software Safety and Security Through
Standards
Arthur Hicken - Parasoft

2. Copyright © 2016 Parasoft 22
Your Presenter
Arthur Hicken is Chief Evangelist at Parasoft
where he has been involved in automating
various software development and testing
practices for over 20 years.
He has worked on projects including
cybersecurity, database development, the
software development lifecycle, web publishing
and monitoring, and integration with legacy
systems and maintains the IoT Hall-of-Shame
http://bit.ly/iotshame
Follow him @codecurmudgeon
Blog: http://codecurmudgeon.com
Web: http://parasoft.com

3. Copyright © 2016 Parasoft 33
Agenda
Software is everywhere
Software CAN hurt you
Software should be engineering
Good software costs less than bad software
Standards drive improvement

4. Copyright © 2016 Parasoft 44
Things are Everywhere
Industrial Automation Smart Health
Smart Home Smart City

5. Copyright © 2016 Parasoft 55
Already on the Market

6. Copyright © 2016 Parasoft 66
Software is Eating the World
Or is it infecting the world?

7. Copyright © 2016 Parasoft 77
The IoT Hall-of-shame
http://codecurmudgeon.com http://bit.ly/iotshame

8. Copyright © 2016 Parasoft 88
One weak spot is all it takes

9. Copyright © 2016 Parasoft 99
Impact of Faulty Software
-5.70%
-1.9B

10. Copyright © 2016 Parasoft 1010
Software Failures = Headlines 2015
-$2.55 Bn
-4.06%
The day of the
announcement companies
lost an average
of shareholder value
Software failures make headline news—
eroding customer confidence, shareholder value and brand equity

11. Copyright © 2016 Parasoft 1111
Escalating Cost of Failure: Public

12. Copyright © 2016 Parasoft 1212
Quality does not cost more

13. Copyright © 2016 Parasoft 1313
HOW QUALITY AFFECTS SOFTWARE COSTS
Requirements Design Coding Testing Maintenance
COST
TIME
Pathological
Healthy
Poor quality is cheaper until
the end of the coding phase.
After that, high quality is
cheaper.
Technical debt
Software Quality 2011: A Survey of the State of the Art in Software – Capers Jones

14. Copyright © 2016 Parasoft 14Parasoft Proprietary and Confidential 14
Why find bugs early?
Applied Software Measurement, Capers Jones, 1996
Building Security Into The Software Life Cycle, Marco M. Morana, 2006
Early code audit

15. Copyright © 2016 Parasoft 15Parasoft Proprietary and Confidential 15
Why find bugs early?
Applied Software Measurement, Capers Jones, 1996
Building Security Into The Software Life Cycle, Marco M. Morana, 2006
Pentest
Late code audit

16. Copyright © 2016 Parasoft 1616
Software Safety in a Nutshell
§ Software development is almost never
engineering
§ Lack of repeatability
§ Lack of well-exercised best practices
§ Lack of reliance on building standards
§ Developer training unknown and inconsistent

17. Copyright © 2016 Parasoft 1717
Purpose of Coding Standards
§ “Proven programming practices leading to safe,
reliable, testable, and maintainable code”
§ “Address potentially unsafe C language features,
and provide programming rules to avoid those
pitfalls”
§ “By providing “safer” alternatives to “unsafe”
facilities, known problems … are avoided. In
essence, programs are written in a “safer” subset
of a superset.”

18. Copyright © 2016 Parasoft 1818
Standard Standards
MISRA
ISO 26262
DO 178 B/C
SANS/CERT
OWASP Top 10
JSF
DISA STIG
CWE

19. Copyright © 2016 Parasoft 1919
SEI Research
Predicting Software Assurance Using
Quality and Reliability Measures
• Security and reliability go hand-in-hand
• You can predict security based on defects
• Static analysis is integral to improvement
• Many (or most!) critical defects are coding mistakes
http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=428589

20. Copyright © 2016 Parasoft 2020
Software Security Defined
§ Software security is the idea of engineering
software so that it continues to function
correctly under malicious attack.
§ Although the notion of protecting software is
an important one, it’s just plain easier to
protect something that is defect-free than
something riddled with vulnerabilities.
(Gary McGraw, Cigital)
https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security

21. Copyright © 2016 Parasoft 2121
Why MISRA for things that aren’t cars?
§ Coding Standards
§ Well-defined
§ Updated
§ Flexible
§ Deviation Strategy
§ Auditable
§ Why not?

22. Copyright © 2016 Parasoft 2222
Other Standards
DIY DO-178 IEC 62304
Effective C++ CWE

23. Copyright © 2016 Parasoft 2323
INADEQUATE DEFECT REMOVAL IS MAIN
CAUSE OF POOR SOFTWARE QUALITY
• Individual programmers are only 35% efficient in
finding bugs in their own software
• The sum of all normal test steps is often less than
75% effective (1 of 4 bugs remains)
• Design Reviews and Code Inspections however are
often 65% effective; can top 85%
• Static analysis are often 65% effective; can top 85%.
• Reviews and Inspections can lower costs and
schedules by as much as 30%

24. Copyright © 2016 Parasoft 2424
EXAMPLES OF TYPICAL CODE DEFECTS
SOURCES: SANS INSTITUTE AND MITRE
(www.SANS.org and www.CWE-MITRE.org)
§ Errors in SQL queries
§ Failure to validate inputs
§ Failure to validate outputs
§ Race conditions
§ Leaks from error messages
§ Unconstrained memory buffers
§ Loss of state data
§ Incorrect branches; hazardous paths
§ Careless initialization and shutdown
§ Errors in calculations and algorithms
§ Hard coding of variable items
§ Reusing code without validation or context checking
§ Changing code without changing comments that explain code

25. Copyright © 2016 Parasoft 25Parasoft Proprietary and Confidential 25
Fix or Prevent

26. Copyright © 2016 Parasoft 2626
Preventative standards examples
Object-Oriented
•Avoid "public"/"protected"/package-private instance fields
•Do not override an instance "private" method
•Do not hide inherited fields
•…
Best Practices
•Avoid returning "handles" to internal data from const member functions.
•Declare at least one constructor to prevent the compiler from doing so.
•Declare reference parameters as const references whenever possible
•…
Unused Code
•Avoid unused local variables
•Avoid unused "private" fields
•…
Class Metrics
•Follow the limit for Cyclomatic Complexity (default<30)
•Follow the limit for number of “<type>" fields (private,etc.)
•Follow the limit on class hierarchy depth
•…
…

27. Copyright © 2016 Parasoft 2727
§ Analysis of computer program that is performed without executing
software
§ Key impact: prevent or reduce risk of erroneous coding
§ Advantages:
§ comprehensive and unbiased
§ results are available way before application runs
§ Typically includes:
§ Compiler warnings
§ Coding standards / policies
§ Flow analysis / path simulation
§ Metrics (e.g. complexity)
Static analysis

28. Copyright © 2016 Parasoft 2828
What is: Pattern-Based SA
§ What:
§ Identify specific patterns in the code
§ Why:
§ Find bugs
§ Ensure inclusion of required items
§ Security
§ Branding
§ Prevent Problems
§ Improve Developers

29. Copyright © 2016 Parasoft 2929
Pattern-Based Static Analysis
§ Quick scan to list possible problems
§ Fixing violations prevents certain classes of errors
§ Each source file is analyzed separately
§ Static analysis categories include:
§ Logical Errors
§ API Misuse
§ Typographical Errors
§ Security
§ Threads and Synchronization
§ Performance and Optimization

30. Copyright © 2016 Parasoft 3030
What is: Data Flow Analysis
§ What:
§ Simulate execution to find patterns
§ Why:
§ Find real bugs

31. Copyright © 2016 Parasoft 3131
Data Flow Analysis
§ Simulate hypothetical execution paths
§ Detect possible errors along those paths
§ Data flow analysis error categories include:
§ Exceptions
§ Optimization
§ Resource Leaks
§ API misuse
§ Security

32. Copyright © 2016 Parasoft 3232
Static analysis – what it can do
§ Identify defective code - runtime bugs
§ Flag defect-prone code (possible bugs and
“gotchas”)
§ Suggest defensive programming practices
§ Monitor application-specific guidelines (e.g.
portability)
§ Enable policy enforcement (security)
§ Flag unmaintainable / poorly readable /
“dialect” code
§ Train developers to code better

33. Copyright © 2016 Parasoft 3333
Static Analysis Prevention
§ Relationship of automated analysis
§ Preventative static analysis
§ Flow analysis
§ Runtime error detection
§ Uninitialized memory example
§ Runtime will find it IF the test suite is thorough
§ Flow analysis may find it depending on complexity
§ Pattern to prevent: Initialize variables upon declaration
§ Much of MISRA is designed to prevent rather than
detect

34. Copyright © 2016 Parasoft 3434
How to choose rules
§ Based on why you’re using static analysis
§ Study expected issues
§ Analyze bug-tracking system
§ Don’t just turn on rules because it’s a good
idea
§ Pick few enough to use sustainably

35. Copyright © 2016 Parasoft 3535
Being Successful
§ Choose rules carefully
§ Implement progressively
§ Fewer to more rules
§ Extend date backward
§ Suppressions to manage noise
QUALITY
Code Review and
Regression Testing

36. Copyright © 2016 Parasoft 3636
Conclusion
Standards and static analysis applied properly prevent
errors
Cost of solid prevention methodology is less than the
cost of dealing with bad software
Cost of good software is less than bad software
Cost of quality, safe, secure software is less than the
cost of a recall

37. Copyright © 2016 Parasoft 3737
Security Resources
CWE – Common Weakness Enumeration
• http://cwe.mitre.org
CERT - Secure Coding Guidelines
• https://www.securecoding.cert.org
Build Security In – Collaborative security effort
• https://buildsecurityin.us-cert.gov
Parasoft
• http://www.parasoft.com

38. Copyright © 2016 Parasoft 3838
§ Email: codecurmudgeon@gmail.com
§ Web:
§ http://www.parasoft.com/
§ http://codecurmudgeon.com
§ Facebook:
§ https://facebook.com/parasoftcorporation
§ https://facebook.com/codecurmudgeon
§ Twitter: @Parasoft @CodeCurmudgeon
§ LinkedIn: http://www.linkedin.com/company/parasoft
§ Google+ Community: Static Analysis for Fun and Profit