Embedded World 2019 Presentation: Static Analysis for Safety and SecurityTweet
Static analysis has been proven to improve the quality of software development for very little investment. Embedded software is not different, but it does pose a number of additional requirements on the static analysis tool around safety and security. This presentation will highlight those differences and how GrammaTech CodeSonar addresses them.
Time-to-market often compete with safety and security in embedded systems development. Static analysis improves the quality of your software the moment it is written and such, helps with all of these. Embedded systems puts a lot of requirements on our static analysis tool, so it is important that you pick the tool that properly supports you in your projects. This presentation will explain how safety and security concerns are important to consider.
From a safety perspective, you want a static analysis tool that aggressively finds warnings in your source code. The percentage of ‘recall’, that is, the amount of problems it finds is crucially important. Secondly, you want to make sure you are able to claim credit for your static analysis tool in your functional safety certification process. You may not have a functional safety need just yet, but for many embedded systems this is something that looms on the horizon.
From a security perspective, you want to analyze tainted data, data taken in from the environment and how it flows through your system. A small mistake is easily made and hard to find through manual inspection or testing once it has slipped into your source code base.
Lastly, 3rd party libraries are important. From the GNU C library, to OpenSSL, to Qt, to Glib or libXML. Usage of these libraries is not always uniform and it is easy to lose track of allocated memory, or properly inspect return codes.
Take a look below at Mark Hermeling, Senior Director of Product Marketing, discuss how CodeSonar provides coverage for all of these concerns and can easily be integrated into your existing, or new projects.