SlideShare une entreprise Scribd logo

Rapid software testing and conformance with static code analysis

Télécharger en tant que PPTX, PDF
Rogue Wave Software
Rogue Wave Software

With growing connectivity between complex automotive software components, development teams are looking for new ways to verify code security and validate against standards. This explains an exciting new approach to software testing that combines the breadth and depth of static analysis with modern test automation to provide rapid feedback to developers on incremental code changes – continuous static code analysis. By connecting deep analysis to continuous integration workflows, testing is pulled forward earlier to eliminate defects and reduce rework costs. Walk away with knowledge of real defects, security vulnerabilities, and automotive standards (such as MISRA and ISO 26262) plus key steps to start immediate deployment of continuous static code analysis for testing. Presented at GENIVI All Member Meeting & Open Community Days.

Logiciels
1  sur  21
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 1 GENIVI is a registered trademark of the GENIVI Alliance in the USA and other countries. Copyright © GENIVI Alliance 2016. Rapid software testing and conformance with static code analysis October 2016 Walter Capitani Product Management, Rogue Wave Software
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 2 What we do Rogue Wave helps organizations simplify complex software development, improve code quality, and shorten cycle times
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 3 Company snapshot Founded: 1989 We are the largest independent provider of cross-platform software development tools and embedded components Our capabilities cover different languages, code bases, and platforms. We meet development where – and how – it happens. Headquarters: Louisville, CO Employees: 350 Offices Worldwide: 11
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 4 Used by 3,000 customers in over 57 countries across diverse industries to develop mission-critical applications and software Financial Services Telecom Gov’t / Defense Technology Other Verticals We enable mission-critical workloads
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 5 Rapid software testing and conformance with static code analysis
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 6 SOFTWARE NOW TO BLAME FOR 15 PERCENT OF CAR RECALLS
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 7 How can static code analysis improve software quality?
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 8 What are the factors affecting software quality, complexity, and security? • Greater use of software in vehicles • Pressure to release on time (or as soon as possible!) • Market demand for new features • Greater use of third-party libraries
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 9 How can static code analysis improve software quality? • Find common issues in code – Buffer overflows (security exploit or program crashes) – Null pointer dereferences (your program crashes) – Memory leaks (processor runs out memory and locks up) – Uninitialized data usage (data injection) – Platform/OS specifics (privilege escalation, etc…) – Concurrency (deadlock)
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 10 How does static code analysis work? • Automatically inspects source code to find potential defects • Different types of analysis – Walks down every path of your code – Inter-procedural – Inter-file • SCA runs the tests that your developers don’t (or won’t) write • SCA will find defects that other testing won’t
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 11 How can static code analysis find bugs my testing doesn’t? • Traditional testing tools require reproduction of the exact runtime conditions that cause the issue to occur • This in turn requires developers to write specific tests that will exercise the code in the specific way that reveals the defect at runtime – This is time-consuming for developers – Even comprehensive testing may not trigger the specific runtime conditions that cause the defect • Static code analysis helps by finding defects that are hard to find with the human eye – These defects are mot generally found by code review – Many are traditionally found with dynamic testing after a failure has occurred in testing or the field – but its too late!
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 12 Source code analysis benefits: security & quality • Significantly reduces the cost of reliable, secure software • Complements existing testing approaches • Automated and repeatable analysis • Enforces key industry standards • DISA STIG, CWE, MISRA • CERT, SAMATE • OWASP, DO-178B, FDA validation • ...and more
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 13 Continuous static code analysis
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 14 The faster you find a defect, the less costly to fix 1X 3X 5X 10X 100X Requirements Architecture Construction System Test Post Release $139 $455 $977 $7,136 $14,103 Requirements Design Coding Testing MaintenanceTime Detected CosttoFix Specification Design Code Unit Test System Test UAT Release CosttoFix Lifecycle Stage CosttoFix Development Unit Tests QA Testing Production Time
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 15 Traditional analysis done after compile/build Development Cycle Edit & Save Compile & Test Check In Build Analyze & Fix • Late stage “rework” reduces tool adoption • Timelines compromised • Issues are more expensive to fix
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 16 Why not perform analysis earlier in the cycle on the desktop?  Eliminates new defects from being checked back into the team level build  No extra work for developers  In-context checking and fixes  Continuity of development flow Edit & Save Analyze & Fix Compile & Test Check In Build Development Cycle
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 17 What about defects found during integration? Edit & Save Analyze & Fix Compile & Test Check In Developer 1 Edit & Save Analyze & Fix Compile & Test Check In Developer 2 Time Integrate Check In Compile & Test Check In Lots of issues found here!
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 18 Continuous static code analysis Edit & Save Analyze & Fix Compile & Test Check In Developer 1 Edit & Save Analyze & Fix Compile & Test Check In Integrate Developer 2 Time IntegrateIntegrate Check In Compile & Test Edit & Save Analyze & Fix Edit & Save Analyze & Fix Compile & Test Check InCheck In Integrate
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 19 Continuous static code analysis
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 20 Continuous static code analysis • Improves the predictability of software release schedules • Improves the quality and security of release software • Reduces the cost of finding and fixing software defects
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 21 Walter Capitani, Product Manager, Klocwork Rogue Wave Software Thank you!

Recommandé

Legal and Practical Concerns with Software Development
Legal and Practical Concerns with Software DevelopmentLegal and Practical Concerns with Software Development
Legal and Practical Concerns with Software Development
Rogue Wave Software
 
Test parallelization using Jenkins
Test parallelization using JenkinsTest parallelization using Jenkins
Test parallelization using Jenkins
Rogue Wave Software
 
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Sauce Labs
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
Gene Gotimer
 
Building Security in Using CI
Building Security in Using CIBuilding Security in Using CI
Building Security in Using CI
Coveros, Inc.
 
Increasing Quality with DevOps
Increasing Quality with DevOpsIncreasing Quality with DevOps
Increasing Quality with DevOps
Coveros, Inc.
 
Continuous Delivery in a Legacy Shop - One Step at a Time
Continuous Delivery in a Legacy Shop - One Step at a TimeContinuous Delivery in a Legacy Shop - One Step at a Time
Continuous Delivery in a Legacy Shop - One Step at a Time
Gene Gotimer
 

Recommandé

Legal and Practical Concerns with Software Development
Legal and Practical Concerns with Software DevelopmentLegal and Practical Concerns with Software Development
Legal and Practical Concerns with Software Development
Rogue Wave Software
 
Test parallelization using Jenkins
Test parallelization using JenkinsTest parallelization using Jenkins
Test parallelization using Jenkins
Rogue Wave Software
 
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Compatibility Testing of Your Web Apps - Tips and Tricks for Debugging Locall...
Sauce Labs
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
Better Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous DeliveryBetter Security Testing: Using the Cloud and Continuous Delivery
Better Security Testing: Using the Cloud and Continuous Delivery
Gene Gotimer
 
Building Security in Using CI
Building Security in Using CIBuilding Security in Using CI
Building Security in Using CI
Coveros, Inc.
 
Increasing Quality with DevOps
Increasing Quality with DevOpsIncreasing Quality with DevOps
Increasing Quality with DevOps
Coveros, Inc.
 
Continuous Delivery in a Legacy Shop - One Step at a Time
Continuous Delivery in a Legacy Shop - One Step at a TimeContinuous Delivery in a Legacy Shop - One Step at a Time
Continuous Delivery in a Legacy Shop - One Step at a Time
Gene Gotimer
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)
Nagaraju Repala
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Automated Testing Using Selenium
Automated Testing Using SeleniumAutomated Testing Using Selenium
Automated Testing Using Selenium
TechWell
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCA
Suman Sourav
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)
Arjun Comar
 
Agile Engineering Sparker GLASScon 2015
Agile Engineering Sparker GLASScon 2015Agile Engineering Sparker GLASScon 2015
Agile Engineering Sparker GLASScon 2015
Stephen Ritchie
 
Mobile Apps development best practices. TDD, CI, CD
Mobile Apps development best practices. TDD, CI, CDMobile Apps development best practices. TDD, CI, CD
Mobile Apps development best practices. TDD, CI, CD
GlobalLogic Ukraine
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
CloudPassage
 
10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous Integration10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous Integration
Coveros, Inc.
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Servers
Information Technology
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous Integration
drluckyspin
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
IoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really DifferentIoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really Different
TechWell
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
Checkmarx
 
How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis
Perforce
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
Suman Sourav
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
Rogue Wave Software
 
Verification at scale: Fitting static code analysis into continuous integration
Verification at scale: Fitting static code analysis into continuous integrationVerification at scale: Fitting static code analysis into continuous integration
Verification at scale: Fitting static code analysis into continuous integration
Rogue Wave Software
 

Contenu connexe

Tendances

Automated Testing Using Selenium
Automated Testing Using SeleniumAutomated Testing Using Selenium
Automated Testing Using Selenium
TechWell
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)
Arjun Comar
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
CloudPassage
 
IoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really DifferentIoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really Different
TechWell
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 

Tendances (20)

Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Automated Testing Using Selenium
Automated Testing Using SeleniumAutomated Testing Using Selenium
Automated Testing Using Selenium
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Building a high quality+ products with SCA
Building a high quality+ products with SCABuilding a high quality+ products with SCA
Building a high quality+ products with SCA
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)DevOps in a Regulated and Embedded Environment (AgileDC)
DevOps in a Regulated and Embedded Environment (AgileDC)
 
Agile Engineering Sparker GLASScon 2015
Agile Engineering Sparker GLASScon 2015Agile Engineering Sparker GLASScon 2015
Agile Engineering Sparker GLASScon 2015
 
Mobile Apps development best practices. TDD, CI, CD
Mobile Apps development best practices. TDD, CI, CDMobile Apps development best practices. TDD, CI, CD
Mobile Apps development best practices. TDD, CI, CD
 
SecDevOps: The New Black of IT
SecDevOps: The New Black of ITSecDevOps: The New Black of IT
SecDevOps: The New Black of IT
 
10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous Integration10 Things You Might Not Know: Continuous Integration
10 Things You Might Not Know: Continuous Integration
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Servers
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous Integration
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
IoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really DifferentIoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really Different
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security AssuranceSec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 

Similaire à Rapid software testing and conformance with static code analysis

Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
Rogue Wave Software
 
Verification at scale: Fitting static code analysis into continuous integration
Verification at scale: Fitting static code analysis into continuous integrationVerification at scale: Fitting static code analysis into continuous integration
Verification at scale: Fitting static code analysis into continuous integration
Rogue Wave Software
 
Five ways to protect your software supply chain from hacks, quacks, and wrecks
Five ways to protect your software supply chain from hacks, quacks, and wrecksFive ways to protect your software supply chain from hacks, quacks, and wrecks
Five ways to protect your software supply chain from hacks, quacks, and wrecks
Rogue Wave Software
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
Rogue Wave Software
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
Rogue Wave Software
 
Agile Strategies for Traditional Software Development Teams
Agile Strategies for Traditional Software Development TeamsAgile Strategies for Traditional Software Development Teams
Agile Strategies for Traditional Software Development Teams
TechWell
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 

Similaire à Rapid software testing and conformance with static code analysis (20)

Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
 
Verification at scale: Fitting static code analysis into continuous integration
Verification at scale: Fitting static code analysis into continuous integrationVerification at scale: Fitting static code analysis into continuous integration
Verification at scale: Fitting static code analysis into continuous integration
 
How enterprises learned to stop worrying and love open source
How enterprises learned to stop worrying and love open sourceHow enterprises learned to stop worrying and love open source
How enterprises learned to stop worrying and love open source
 
Five ways to protect your software supply chain from hacks, quacks, and wrecks
Five ways to protect your software supply chain from hacks, quacks, and wrecksFive ways to protect your software supply chain from hacks, quacks, and wrecks
Five ways to protect your software supply chain from hacks, quacks, and wrecks
 
Create code confidence for better application security
Create code confidence for better application securityCreate code confidence for better application security
Create code confidence for better application security
 
Autos, Wi-Fi, and IoT
Autos, Wi-Fi, and IoTAutos, Wi-Fi, and IoT
Autos, Wi-Fi, and IoT
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
Agile Strategies for Traditional Software Development Teams
Agile Strategies for Traditional Software Development TeamsAgile Strategies for Traditional Software Development Teams
Agile Strategies for Traditional Software Development Teams
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis tool
 
Driving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive SoftwareDriving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive Software
 
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeOpen DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
 
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOpsDOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suite
 
postdev.pptx
postdev.pptxpostdev.pptx
postdev.pptx
 
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
 
Three Interviews About Static Code Analyzers
Three Interviews About Static Code AnalyzersThree Interviews About Static Code Analyzers
Three Interviews About Static Code Analyzers
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source software
 

Plus de Rogue Wave Software

Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
Rogue Wave Software
 
Getting the most from your API management platform: A case study
Getting the most from your API management platform: A case studyGetting the most from your API management platform: A case study
Getting the most from your API management platform: A case study
Rogue Wave Software
 
Advanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applicationsAdvanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applications
Rogue Wave Software
 
Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices
Rogue Wave Software
 
Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)
Rogue Wave Software
 
How to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to LinuxHow to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to Linux
Rogue Wave Software
 
Approaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC appsApproaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC apps
Rogue Wave Software
 

Plus de Rogue Wave Software (20)

The Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data PerspectiveThe Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data Perspective
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failure
 
Disrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformationDisrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformation
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
 
Adding layers of security to an API in real-time
Adding layers of security to an API in real-timeAdding layers of security to an API in real-time
Adding layers of security to an API in real-time
 
Getting the most from your API management platform: A case study
Getting the most from your API management platform: A case studyGetting the most from your API management platform: A case study
Getting the most from your API management platform: A case study
 
Advanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applicationsAdvanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applications
 
The forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for youThe forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for you
 
Are open source and embedded software development on a collision course?
Are open source and embedded software development on a collision course?Are open source and embedded software development on a collision course?
Are open source and embedded software development on a collision course?
 
Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices
 
5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success
 
PSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliancePSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliance
 
Java 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the futureJava 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the future
 
How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)
 
Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)
 
How to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to LinuxHow to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to Linux
 
Approaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC appsApproaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC apps
 
Enterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOSEnterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOS
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migration
 
How to keep developers happy and lawyers calm
How to keep developers happy and lawyers calmHow to keep developers happy and lawyers calm
How to keep developers happy and lawyers calm
 

Dernier

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
chiefasafspells
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 

Dernier (20)

%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 

Rapid software testing and conformance with static code analysis

  • 1. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 1 GENIVI is a registered trademark of the GENIVI Alliance in the USA and other countries. Copyright © GENIVI Alliance 2016. Rapid software testing and conformance with static code analysis October 2016 Walter Capitani Product Management, Rogue Wave Software
  • 2. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 2 What we do Rogue Wave helps organizations simplify complex software development, improve code quality, and shorten cycle times
  • 3. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 3 Company snapshot Founded: 1989 We are the largest independent provider of cross-platform software development tools and embedded components Our capabilities cover different languages, code bases, and platforms. We meet development where – and how – it happens. Headquarters: Louisville, CO Employees: 350 Offices Worldwide: 11
  • 4. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 4 Used by 3,000 customers in over 57 countries across diverse industries to develop mission-critical applications and software Financial Services Telecom Gov’t / Defense Technology Other Verticals We enable mission-critical workloads
  • 5. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 5 Rapid software testing and conformance with static code analysis
  • 6. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 6 SOFTWARE NOW TO BLAME FOR 15 PERCENT OF CAR RECALLS
  • 7. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 7 How can static code analysis improve software quality?
  • 8. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 8 What are the factors affecting software quality, complexity, and security? • Greater use of software in vehicles • Pressure to release on time (or as soon as possible!) • Market demand for new features • Greater use of third-party libraries
  • 9. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 9 How can static code analysis improve software quality? • Find common issues in code – Buffer overflows (security exploit or program crashes) – Null pointer dereferences (your program crashes) – Memory leaks (processor runs out memory and locks up) – Uninitialized data usage (data injection) – Platform/OS specifics (privilege escalation, etc…) – Concurrency (deadlock)
  • 10. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 10 How does static code analysis work? • Automatically inspects source code to find potential defects • Different types of analysis – Walks down every path of your code – Inter-procedural – Inter-file • SCA runs the tests that your developers don’t (or won’t) write • SCA will find defects that other testing won’t
  • 11. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 11 How can static code analysis find bugs my testing doesn’t? • Traditional testing tools require reproduction of the exact runtime conditions that cause the issue to occur • This in turn requires developers to write specific tests that will exercise the code in the specific way that reveals the defect at runtime – This is time-consuming for developers – Even comprehensive testing may not trigger the specific runtime conditions that cause the defect • Static code analysis helps by finding defects that are hard to find with the human eye – These defects are mot generally found by code review – Many are traditionally found with dynamic testing after a failure has occurred in testing or the field – but its too late!
  • 12. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 12 Source code analysis benefits: security & quality • Significantly reduces the cost of reliable, secure software • Complements existing testing approaches • Automated and repeatable analysis • Enforces key industry standards • DISA STIG, CWE, MISRA • CERT, SAMATE • OWASP, DO-178B, FDA validation • ...and more
  • 13. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 13 Continuous static code analysis
  • 14. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 14 The faster you find a defect, the less costly to fix 1X 3X 5X 10X 100X Requirements Architecture Construction System Test Post Release $139 $455 $977 $7,136 $14,103 Requirements Design Coding Testing MaintenanceTime Detected CosttoFix Specification Design Code Unit Test System Test UAT Release CosttoFix Lifecycle Stage CosttoFix Development Unit Tests QA Testing Production Time
  • 15. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 15 Traditional analysis done after compile/build Development Cycle Edit & Save Compile & Test Check In Build Analyze & Fix • Late stage “rework” reduces tool adoption • Timelines compromised • Issues are more expensive to fix
  • 16. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 16 Why not perform analysis earlier in the cycle on the desktop?  Eliminates new defects from being checked back into the team level build  No extra work for developers  In-context checking and fixes  Continuity of development flow Edit & Save Analyze & Fix Compile & Test Check In Build Development Cycle
  • 17. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 17 What about defects found during integration? Edit & Save Analyze & Fix Compile & Test Check In Developer 1 Edit & Save Analyze & Fix Compile & Test Check In Developer 2 Time Integrate Check In Compile & Test Check In Lots of issues found here!
  • 18. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 18 Continuous static code analysis Edit & Save Analyze & Fix Compile & Test Check In Developer 1 Edit & Save Analyze & Fix Compile & Test Check In Integrate Developer 2 Time IntegrateIntegrate Check In Compile & Test Edit & Save Analyze & Fix Edit & Save Analyze & Fix Compile & Test Check InCheck In Integrate
  • 19. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 19 Continuous static code analysis
  • 20. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 20 Continuous static code analysis • Improves the predictability of software release schedules • Improves the quality and security of release software • Reduces the cost of finding and fixing software defects
  • 21. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 21 Walter Capitani, Product Manager, Klocwork Rogue Wave Software Thank you!