WHY STATIC ANALYSIS IS
MANDATORY FOR IOT DEVICE
SOFTWARE
WWW.VALBRIO.COM
ALAN.HALL@VALBRIO.COM
THE EVOLVING
IOT LANDSCAPE
• >30 billion connected
‘things’
• $3 trillion of h/w spend
• Cost and impact of security
or reliability failures are
high.
• Developer dependency on
3rd party code, libraries or
binaries that can’t be
ignored
THE PERFECT
STORM FOR
DEVELOPERS
• Teams need to eliminate both
design and coding errors in their own
and 3rd party code
• Developers need to adopt code
analysis tools that can effectively
uncover defects that are hard to find
during testing such as concurrency
issues, hazardous information flows
and many types of security
vulnerabilities
STATIC ANALYSIS
A range of tools is available - some focus just on coding
standards such as MISRA, others include the ability to find
reliability and security defects and are extensible
Mandated by many safety standards e.g. DO-178C, IEC
61508, ISO 26262
Data Races, Deadlock, Thread Starvation, Buffer Overruns,
Buffer Overflow, Leaks, Null Pointer Dereferences, Divides
By Zero, Uses After Free, Frees of Non-Heap Variables,
Uninitialized Variables, Returns of Pointers to Local, Returns
of Pointers to Free, Frees of Null Pointers, Unreachable
Code, Try-locks that Cannot Succeed, Misuse of Memory
Allocation, Misuse of Memory Copying, Misuse of Libraries,
Command Injection, Runtime Error, Double Free Bug
EXAMPLE: A NULL POINTER
DEREFERENCE IN MQTT IOT
CONNECTIVITY PROTOCOL -
CWE-476
Scope: Availability
Technical Impact: DoS: Crash, Exit, or Restart
NULL pointer dereferences usually result in the failure of the process
unless exception handling (on some platforms) is available and
implemented. Even when exception handling is being used, it can still be
very difficult to return the software to a safe state of operation.
Scope: Integrity, Confidentiality, Availability
Technical Impact: Execute Unauthorized Code or Commands
In very rare circumstances and environments, code execution is
possible.
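The CWE-476 pattern above, shown as an added example that is not code from the slides or from any real MQTT library: a topic parser that returns NULL on a malformed PUBLISH packet, a caller that dereferences the result unchecked (the kind of path a static analyser flags), and the checked form. The function names, the sample packets and the rule that an empty topic is rejected are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample inputs. The variable header of an MQTT PUBLISH packet
 * starts with a 2-byte big-endian length followed by the topic name. */
static const uint8_t GOOD_PUBLISH[] = { 0x00, 0x04, 't', 'e', 'm', 'p', '2', '1' };
/* Declares a 32-byte topic but carries only 2 bytes of it. */
static const uint8_t TRUNCATED_PUBLISH[] = { 0x00, 0x20, 't', 'e' };

/* Hypothetical helper: returns a heap copy of the topic as a C string,
 * or NULL if the packet is malformed or memory is exhausted. */
char *read_topic(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 2)
        return NULL;

    size_t topic_len = ((size_t)buf[0] << 8) | buf[1];

    /* Assumption for this example: an empty topic is treated as malformed. */
    if (topic_len == 0 || topic_len > len - 2)
        return NULL;

    char *topic = malloc(topic_len + 1);
    if (topic == NULL)
        return NULL;

    memcpy(topic, buf + 2, topic_len);
    topic[topic_len] = '\0';
    return topic;
}

/* BEFORE (CWE-476): the return value of read_topic() is used without a
 * NULL check. A truncated packet makes read_topic() return NULL and the
 * strcmp() below dereferences it, which crashes the process. Testing with
 * well-formed packets never reaches this path; a static analyser reports
 * it because NULL can flow from read_topic() to the dereference. */
int handle_publish_unchecked(const uint8_t *buf, size_t len)
{
    char *topic = read_topic(buf, len);
    int is_temp = (strcmp(topic, "temp") == 0);
    free(topic);
    return is_temp;
}

/* AFTER: the failure path is handled explicitly. Returns 1 if the topic
 * is "temp", 0 for any other topic, -1 if the packet is rejected. */
int handle_publish_checked(const uint8_t *buf, size_t len)
{
    char *topic = read_topic(buf, len);
    if (topic == NULL)
        return -1;  /* drop the packet, keep the device running */

    int is_temp = (strcmp(topic, "temp") == 0);
    free(topic);
    return is_temp;
}

int main(void)
{
    printf("good packet, checked handler:      %d\n",
           handle_publish_checked(GOOD_PUBLISH, sizeof GOOD_PUBLISH));
    printf("truncated packet, checked handler: %d\n",
           handle_publish_checked(TRUNCATED_PUBLISH, sizeof TRUNCATED_PUBLISH));
    /* handle_publish_unchecked() is deliberately not called with the
     * truncated packet: that call is the crash described on the slide. */
    return 0;
}
```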
TRADE OFFS FOR STATIC
ANALYSIS TOOLS
• Conflict between:
• Recall
• Precision
• Performance
THE COST IMPACT OF THE
TOOL
• Assume there are 100 defects in an application.
• Tool A is reasonably good at finding defects, with a recall of 60%.
Half of the results it reports are false positives.
• Tool B has a precision of 80%, meaning it is very good at
suppressing false positives. However, it finds only 30% of the real
defects.
• Tool C has a recall of 95%, so is extremely good at finding
defects, but its precision is only 10%.
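The three tools worked through for the 100-defect application, as an added calculation that is not on the original slides. It uses the standard definitions recall = TP / (TP + FN) and precision = TP / (TP + FP), and reads "half of the results are false positives" as a precision of 50%.

\[
\text{TP} = \text{recall} \times 100, \qquad
\text{reports} = \frac{\text{TP}}{\text{precision}}, \qquad
\text{FP} = \text{reports} - \text{TP}, \qquad
\text{missed} = 100 - \text{TP}
\]

\[
\begin{array}{l|r|r|r|r|r|r}
\text{Tool} & \text{recall} & \text{precision} & \text{TP} & \text{reports} & \text{FP} & \text{missed} \\ \hline
\text{A} & 60\% & 50\% & 60 & 120 & 60 & 40 \\
\text{B} & 30\% & 80\% & 30 & 37.5 & 7.5 & 70 \\
\text{C} & 95\% & 10\% & 95 & 950 & 855 & 5 \\
\end{array}
\]

Tool C leaves only 5 defects undetected, but the team must triage 950 reports to reach the 95 real ones; Tool B produces fewer than 40 reports and leaves 70 defects in the code.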
HOW TO MITIGATE RISK
IN IOT DEVICES USING
STATIC ANALYSIS
1. Mandate the use of source
code analysis across development
projects and the supply chain.
2. Utilise binary analysis where
possible for 3rd-party and system
code analysis.
3. Incorporate software hardening
technologies, including software
monitors, binary transformations,
and more as they become
available.
QUESTIONS ?
