Aside from safety properties, can static analysis tools be used to detect security issues? Yes, as we will show by discussing a programming error in uftpd, an ftp server implemented in…
Compliance with CERT Secure Coding Standards
The CERT C/C++ Secure Coding Standards are compiled by the Computer Emergency Response Team Coordination Center (CERT/CC) of the Software Engineering Institute (SEI) to support the functional safety, reliability and security of software systems during development. To this end, the CERT C and C++ guideline checkers of Axivion Suite cover many of the decidable CERT rules that are relevant to safety functions in embedded software. Rules that cannot be decided by static analysis still need to be covered by code review and testing.
Sharpened eye for security risks and clean code
The CERT C/C++ guideline checkers automatically uncover code constructs that are susceptible to security problems, so your development team can apply the CERT C/C++ secure coding practices in a targeted way. During development, all team members sharpen their eye for pitfalls and risks in the code, from out-of-bounds array accesses to functions that do not return a value on every exit path.
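The two pitfalls named above correspond to CERT C rules ARR30-C (out-of-bounds array subscripts) and MSC37-C (control reaching the end of a non-void function). The following is an added example, not code from Axivion or from the page, showing each non-compliant pattern next to a compliant rewrite of the kind a CERT checker would push you toward; the table contents, the `demo_lookup` helper and the severity strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Axivion code. Two CERT C rule violations and their
   compliant forms. Rule IDs refer to the CERT C Secure Coding Standard. */

#define BUF_LEN 16

/* Non-compliant (ARR30-C): the caller-supplied index is used without a
   bounds check. A CERT checker reports the unchecked subscript; at run
   time any idx >= BUF_LEN reads past the array. Kept as the "before". */
int lookup_unchecked(const int table[BUF_LEN], size_t idx) {
    return table[idx];
}

/* Compliant: validate the index against the array bound before use.
   Returns 0 and stores the element in *out on success, -1 otherwise. */
int lookup_checked(const int table[BUF_LEN], size_t idx, int *out) {
    if (out == NULL || idx >= BUF_LEN) {
        return -1;
    }
    *out = table[idx];
    return 0;
}

/* Non-compliant (MSC37-C), shown as a comment so the file compiles with
   -Werror. For an unknown severity control falls off the end and the
   caller reads an indeterminate value:
 *
 *   int severity_rank_bad(const char *severity) {
 *       if (strcmp(severity, "high") == 0)   return 3;
 *       if (strcmp(severity, "medium") == 0) return 2;
 *       if (strcmp(severity, "low") == 0)    return 1;
 *   }
 */

/* Compliant: every exit path returns a defined value. Constructed
   severity names; the ranking itself is arbitrary. */
int severity_rank(const char *severity) {
    if (severity == NULL)                return 0;
    if (strcmp(severity, "high") == 0)   return 3;
    if (strcmp(severity, "medium") == 0) return 2;
    if (strcmp(severity, "low") == 0)    return 1;
    return 0; /* unknown: explicit default instead of falling off the end */
}

/* Hypothetical helper: fills a table with idx * 10 and looks up idx
   through the checked variant. Returns the element, or -1 when the
   index is rejected. */
int demo_lookup(size_t idx) {
    int table[BUF_LEN];
    int value = 0;
    for (size_t i = 0; i < BUF_LEN; i++) {
        table[i] = (int)i * 10;
    }
    if (lookup_checked(table, idx, &value) != 0) {
        return -1;
    }
    return value;
}

int main(void) {
    /* In-range index: both variants agree. Out-of-range index: only the
       checked variant is safe to call, so the unchecked one is not used. */
    printf("demo_lookup(3)  = %d\n", demo_lookup(3));    /* 30 */
    printf("demo_lookup(20) = %d\n", demo_lookup(20));   /* -1 */
    printf("rank(high)      = %d\n", severity_rank("high"));
    printf("rank(bogus)     = %d\n", severity_rank("bogus"));
    return 0;
}
```

Compiling the commented-out `severity_rank_bad` with `-Wall` already produces a `-Wreturn-type` warning, and a checker that enforces MSC37-C turns that into a tracked rule violation; the ARR30-C case is the more interesting one, because the compiler is silent and only the checker (or a crash in the field) reveals the unchecked subscript.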
Easy focus in day-to-day business reduces risks
Axivion’s delta mechanism helps you and your team focus on the daily work: writing safe code. In reviews, the delta analysis identifies the CERT rule violations introduced by the work done in a sprint, a release, a feature branch, etc., so reviewers see only what changed rather than the full backlog.
Easy integration into IDEs and CI environments
Axivion’s CERT Check results integrate with a wide range of IDEs and CI environments. This lets the check fit into your process at every stage, from local checks on a developer’s machine to fully automated checks in the CI, all with the same configuration and the same results. The CLI and scripting capabilities of the Axivion Suite allow the CERT Check to be integrated into virtually any practical environment.
Simple process integration into Security Quality Management
Axivion Suite provides central building blocks for the code-related parts of your security quality management: the severity classification of rules and rule groups lets you prioritise your work. Deviations from CERT rules are handled through justifications, in a structured and systematic way within the work process, so that development stays in conformance with the standard. By applying different delta intervals, trends over the course of development can be viewed and evaluated. Automatically generated reports on the CERT compliance of your code support the documentation.
The Delta Mechanism in Practice
This is how the developer-level delta mechanism looks in the example: the list shows the changes in CERT violations within the selected time window. In the selected period, between the beginning and the end of 2010, 40 new violations were introduced, while six CERT violations were fixed. In the code view, the new violations are highlighted in colour.
Axivion Suite’s static analyses help you to identify and reduce security risks during development.