How Virtual Compilation Transforms Code Analysis

© 2009 Checkmarx. All intellectual property rights in this publication are owned
by Checkmarx Ltd. and are protected by United States copyright laws, other
applicable copyright laws and international treaty provisions. Checkmarx Ltd.
retains all rights not expressly granted. For further information, contact
Checkmarx or your local distributor or reseller. www.Checkmarx.com.

Checkmarx – How Virtual Compilation Transforms Code Analysis

Executive Summary
Secure software development has become a priority for every organization, whether it builds its own software or outsources it, and code analysis is becoming the de facto way both to introduce secure development and to measure the inherent risk in software.
Many assume that code analysis requires compilation as a prerequisite. Today, all major static code analyzers are built on this assumption and scan only after compilation, which means they require buildable code. That reliance on compilation has serious negative consequences for every stakeholder: developers, auditors, CISOs, and the organizations that hope to build a secure development lifecycle (SDLC). Historically, static code analysis needed a complete, buildable project to run against, so the logical place to run it was the build server, in line with the full build process. The “buildable” requirement also pushed the scan toward the end of the development process, where security fixes are most expensive, greatly reducing the benefit.
There is evidence that compilation-based code analysis tools hurt risk mitigation efforts. As Gartner analyst Neil MacDonald observed, “we’ve talked with a number of clients that purchased a [static analysis] tool which later becomes expensive ‘shelfware’ or where the project was halted after delivering mixed results.”1 Mr. MacDonald correctly singles out poor security process as an obstacle, but there are also serious technical factors behind the “shelfware” problem. A key, overlooked bottleneck is the compiler-based approach itself: getting code into a state where it compiles and links is not easy. How does the need for compilation hurt the stakeholders who rely on code analysis?
 Developers: With compiler-based approaches, vulnerability scanning is limited to unit testing or even later, weeks after the code is written. This forces iterative coding turnarounds that are inefficient and do little to build a culture of building security into applications.
 Auditors: Forced to rely on testing tools that depend on compilation, auditors lose the flexibility to spot-check suspect code early in the development process. Having to duplicate the developer’s environment and integrate the code further erodes the auditor’s efficiency. The result is that vulnerabilities either never surface in the test environment or are simply missed because of the inefficiency of the process itself.
 CISOs: CISOs, who bear responsibility for mitigating risk in the enterprise, often face developer resistance when introducing security code analyzers and frequently struggle to get timely risk assessments from auditors.

1 http://blogs.gartner.com/neil_macdonald/2009/03/07/application-security-a-tool-cannot-solve-whatfundamentally-is-a-process-problem/
Checkmarx’s Virtual Compiler™ removes these problems by eliminating the dependency on compilation and linking for software testing. It transforms code, whether freshly written or legacy, into a form that captures its structure and application-flow properties. Testing no longer depends on having every module complete, on duplicating the development environment, or on building a final test harness; instead, scanning can take place early and often, as the code is developed. Once scanning is complete, all code and flow properties are stored in a database that can be queried for vulnerabilities. Because virtual compilation is independent of compiler and operating system, applications can be inspected without lengthy setup and configuration.
How does the Virtual Compiler benefit the key stakeholders in the software development process?
 Developers: The Virtual Compiler lets developers test code anywhere, anytime, without compiler or operating system compatibility problems. They can test uncompiled and unlinked code, their own independent modules, or any other subset of the application in a true developer-desktop deployment that reinforces good security awareness and practice as the code is written.
 Auditors: Auditors can test code earlier in the SDLC, and can conduct spot checks easily without having to duplicate development environments.
 CISOs: CISOs can monitor and reinforce secure coding practices as the code is written, giving them a better understanding of potential exposure to vulnerabilities earlier in the SDLC.

Finally, and most importantly, the Virtual Compiler is not only accepted but welcomed by developers, auditors and CISOs. That removes a common obstacle to building an efficient and effective SDLC and ensures that applications are tested thoroughly and effectively, saving both time and cost.
The Need
To scan compiled code, the code first has to compile successfully, without syntax errors or link failures. In complex applications, achieving a full build often takes a long, coordinated effort between multiple stakeholders, and such holistic builds usually happen late in the project, as system testing looms.
The problems with compiled code do not end once it compiles. Binaries produced by compiler A for operating system B differ from those produced by compiler X for operating system Y, so an analyzer that works on compiled output must adapt to every permutation of compiler and operating system it is expected to support.
This becomes an even bigger problem when modern, agile and iterative techniques are used, because they require testing to be done inline. These techniques assume that whatever gets checked into the build system is solid, secure, and plays well with the rest of the code in the build, which presupposes that every developer and tester on the project uses static security analysis.
To avoid the dependencies, problems and complexity of the many compiler and operating system combinations, and to enable scanning of incomplete code that otherwise could not be compiled, Checkmarx eliminated the need for compilation and invented the Virtual Compiler.

The Virtual Compiler: What is it?
The Virtual Compiler reads any source code and transforms it into a common language form that can then be scanned thoroughly for vulnerabilities. It accepts non-compiling code or any subset of a project and “virtually compiles” it by compensating for syntax errors and stubbing the missing pieces that linking would normally require. It is based on the published standards that define the exact syntax and behavior of each language, so it can work from the source itself and bypass formal compilation and linking. That makes it compiler- and platform-agnostic and avoids compatibility issues, allows easy correlation back to the source for remediation, and makes it straightforward to add languages and dialects, producing a truly language-agnostic platform.
The Virtual Compiler takes the idea behind the Java Virtual Machine a step further. Where Java makes the language agnostic to its operating environment, the Virtual Compiler is agnostic to the intricacies of the language itself: it treats all languages and dialects alike, bringing them to a common form. The commonality once achieved at the binary level is thereby moved to the source level. Significantly, the sources do not have to be alike or even complete: the Virtual Compiler forgives compile and link errors. Furthermore, the code is enhanced to avoid pitfalls introduced by standard compilers, improving analysis accuracy. Scanning incomplete code early does not find every problem that could show up later, but in practice it finds a significant portion, and it has the advantage of being usable in the early stages of the development cycle, where the efficiencies are greatest.
How does it work?
The Virtual Compiler takes any source code and transforms it into a unified form that can then be scanned for vulnerabilities. The original paper illustrates the pipeline with a diagram; it works in the following steps:
1. Language Adaptor – The source code is first parsed according to the published language standards that all compilers on the market follow.
2. Syntax Compensator – Syntax errors are identified and the unresolved portion of the program around each one is isolated, while the complete portions proceed.
3. Linkage Resolver – Missing and unresolved references are identified and “stubbed”, so that detection can continue throughout the flows that are resolved.
4. Code Enhancer – Compilers are proprietary and optimized for runtime, which introduces pitfalls during resolution. The Code Enhancer avoids them by:
o adding missing control-flow elements;
o distinguishing between ambiguous data elements;
o avoiding misrepresentations created by compiler optimization;
o resolving run-time virtual function calls.
5. Common Language Form – The code is virtualized into a common form containing its structure and data-flow properties.
6. Exhaustive Flow Scanner – Scan complexity and accuracy are correlated with the depth of the application graphs. Checkmarx’s patent-pending algorithm, implemented as the Exhaustive Flow Scanner (EFS), scans every path in a flow graph for flaws, avoiding the shortcuts taken by other code analyzers. Consequently, the EFS approach has the added benefit of pinpoint accuracy. The Checkmarx code analyzer is the only product today with virtually zero false positives. Where other products can feel like shock therapy, with long configuration and high false-positive rates, Checkmarx users see faster adoption and low usage overhead.
Once the source has been scanned, all code and flow properties are stored in a database that can be interrogated with an open query language for vulnerabilities. Out-of-the-box queries, combined with customization for corporate standards and business logic, provide detection across the full vulnerability spectrum.
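Steps 2, 3 and 6 of the pipeline described above (and the behaviour the “What is it?” section promises: forgiving compile and link errors) can be made concrete with a small, self-contained program. The following Python code is an added example written for this page; it is not Checkmarx code and is not how the Virtual Compiler is implemented. It parses a unit that does not compile, isolating the offending line so the rest of the unit still proceeds (a syntax compensator); records calls it cannot resolve as stubs instead of aborting (a linkage resolver); and then walks every statement and branch, inlining callees with the caller’s taint, to report flows from untrusted sources to dangerous sinks (an exhaustive flow scan). The source, sink and sanitizer lists, the sample unit, and the restriction to a Python subset are assumptions made for the example; it needs Python 3.9 or later for ast.unparse.

```python
import ast
import builtins

SOURCES = {"input", "request.args.get"}   # producers of untrusted data (assumed list)
SINKS = {"os.system", "cursor.execute"}    # consumers where taint is a defect (assumed)
SANITIZERS = {"shlex.quote", "int"}        # calls that neutralise taint (assumed)

# Constructed sample unit, not from the paper: line 7 is a half-typed edit that does not parse,
# and `lookup` lives in a module that is not available, so this unit would never build.
SAMPLE = """
import os
def build_cmd(host):
    return "ping " + host
def handler():
    user = input()
    rate = = 5
    safe = shlex.quote(user)
    os.system(build_cmd(user))
    os.system(build_cmd(safe))
    cursor.execute(lookup(user))
"""

def compensate(src):
    """Syntax compensator: replace each unparseable line with `pass` and retry,
    so the complete parts of the unit still proceed to analysis."""
    lines, dropped = src.split("\n"), []
    while True:
        try:
            return ast.parse("\n".join(lines)), dropped
        except SyntaxError as err:
            bad = err.lineno
            if not bad or bad > len(lines) or bad in dropped:
                raise                      # cannot isolate it: fail loudly
            text = lines[bad - 1]
            lines[bad - 1] = text[:len(text) - len(text.lstrip())] + "pass"
            dropped.append(bad)

class FlowScanner:
    """Linkage resolver plus exhaustive flow scan. Unresolved bare-name calls become
    stubs; callees are inlined with the caller's taint and every branch is explored.
    Findings are (func, line, sink, source, via_stub) tuples."""
    def __init__(self, tree):
        self.funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
        self.stubs = {n.func.id for n in ast.walk(tree)
                      if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
                      and n.func.id not in self.funcs and not hasattr(builtins, n.func.id)}
        self.stack, self.findings = set(), set()   # recursion guard; results

    def taint(self, expr, env):
        """Set of (source, via_stub) labels that can reach `expr` under `env`."""
        if isinstance(expr, ast.Name):
            return env.get(expr.id, set())
        if isinstance(expr, ast.Call):
            name = ast.unparse(expr.func)                # e.g. 'os.system'
            args = [self.taint(a, env) for a in expr.args]
            if name in SANITIZERS:
                return set()
            if name in SOURCES:
                return {(name, False)}
            if name in self.funcs and name not in self.stack:   # inline the callee
                params = self.funcs[name].args.args
                inner = {p.arg: (args[i] if i < len(args) else set()) for i, p in enumerate(params)}
                self.stack.add(name)
                ret = self.run(self.funcs[name].body, inner, name)
                self.stack.discard(name)
                return ret
            if name in self.stubs:   # unknown code: assume it forwards its inputs
                return {(src, True) for src, _ in set().union(*args)}
            return set().union(*args)
        return set().union(*(self.taint(c, env) for c in ast.iter_child_nodes(expr)))

    def run(self, stmts, env, fn):
        """Walk statements in order; returns the labels that reach a `return`."""
        returned = set()
        for stmt in stmts:
            if isinstance(stmt, ast.Assign):
                val = self.taint(stmt.value, env)
                for tgt in stmt.targets:
                    if isinstance(tgt, ast.Name):
                        env[tgt.id] = val
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                sink = ast.unparse(stmt.value.func)
                if sink in SINKS:
                    for src, via in set().union(*(self.taint(a, env) for a in stmt.value.args)):
                        self.findings.add((fn, stmt.lineno, sink, src, via))
                else:
                    self.taint(stmt.value, env)   # not a sink, but its callee may hold one
            elif isinstance(stmt, ast.Return) and stmt.value is not None:
                returned |= self.taint(stmt.value, env)
            if not isinstance(stmt, ast.FunctionDef):   # body/orelse of if, for, while, try
                for branch in ("body", "orelse"):       # env is shared: taint from any branch survives
                    returned |= self.run(getattr(stmt, branch, []), env, fn)
        return returned

def scan(src):
    tree, dropped = compensate(src)
    scanner = FlowScanner(tree)
    for name, fn in scanner.funcs.items():          # every function is an entry point
        scanner.run(fn.body, {}, name)
    return sorted(scanner.findings), dropped, scanner.stubs
```

Calling scan(SAMPLE) reports that line 7 was isolated, that lookup was stubbed, and two flows: input() reaching os.system on line 9 through build_cmd, and input() reaching cursor.execute on line 11 through the stub. The second finding carries via_stub=True so a reviewer knows it rests on an assumption about code that was not available, which is the price of scanning incomplete units; a real engine would refine such flows once the missing module arrives. The sanitized path on line 10 is not reported, and the flow tuples are the kind of record the paper describes loading into a database for querying.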

The impact of Virtual Compilation
The key risks of compiler-based approaches are, first, that builds fail often and key security vulnerabilities go unreported, and second, that static analysis never gets deployed on the developer desktop early in development.
The Virtual Compiler gives a proper solution to every stakeholder who affects security during the development process.
 Developers: The ability to scan unbuilt code pushes static analysis even further back into the development life cycle, where it is most useful. The biggest impact of virtual compilation is desktop usability by developers and auditors; the promise of code analysis was always the reduction of errors at the cheapest phase of development. In addition, the code enhancements and Exhaustive Flow Scanning give the user much more accurate results.
 Auditors: Virtual compilation means auditors are ready to inspect any code base at any time. Auditors need to get into code-level reviews quickly and then also to review high-level trends. Without a dependency on compiler-based approaches, they are not hampered by compiler or platform compatibility: all they need is the source. Faster audits mean more code reviewed in less time. Finally, auditors rarely have access to the code for a complete project, which is no obstacle with virtual compilation.
 CISOs: Static analyzers raise major concerns about developer adoption and productivity. The Virtual Compiler means code analysis will be used more broadly, giving CISOs a faster and more accurate view of their "risk factory" and enabling them to put effective controls in place to contain it.
Conclusion: the Virtual Compiler delivers a solid ROI with a significantly reduced TCO
Virtual compilation is the best way for organizations to introduce secure development while systematically eliminating software risk. It streamlines the workflow of the key stakeholders in the software development process, increasing their effectiveness at finding problems and reducing the need for costly professional services. The Virtual Compiler enables developers and auditors to scan code anywhere, anytime. For CISOs, it means that securing the enterprise’s applications is finally practical and achievable.
Checkmarx Virtual Compiler delivers:
 Strong ROI: The Virtual Compiler enables problems to be discovered earlier in the SDLC, with better accuracy than solutions deployed later during formal testing, reducing the cost of finding and fixing defects.
 Low TCO that facilitates quick, frequent code scanning: The Virtual Compiler is platform independent, enabling quick setup in any environment; all you need is source code. It does not matter whether the developer uses Linux, Windows, Apple or Solaris as the operating system. The complexity and system overhead of compiling and building applications are avoided.
The faster and more convenient the testing method, the more likely it is to be used often and thoroughly, ensuring that your code is solid and secure.

Contact Us
For more information about Checkmarx, or any of our products, please contact us or visit
our Web site at www.checkmarx.com.
For immediate information, contact our staff at:
 +1.917.470.9501
 info@checkmarx.com
Contenu connexe

Tendances

Model Based Systems and Software Engineering an overview of the IBM Rational ...
Model Based Systems and Software Engineering an overview of the IBM Rational ...Model Based Systems and Software Engineering an overview of the IBM Rational ...
Model Based Systems and Software Engineering an overview of the IBM Rational ...
Real-Time Innovations (RTI)
 
Slides for Houston iPhone Developers' Meetup (April 2012)
Slides for Houston iPhone Developers' Meetup (April 2012)Slides for Houston iPhone Developers' Meetup (April 2012)
Slides for Houston iPhone Developers' Meetup (April 2012)
lqi
 
Neha Arora_Resume
Neha Arora_ResumeNeha Arora_Resume
Neha Arora_Resume
Neha Arora
 
Psi multi accessgateway_casestudy
Psi multi accessgateway_casestudyPsi multi accessgateway_casestudy
Psi multi accessgateway_casestudy
Primesoftinc
 
Web Application Testing
Web Application TestingWeb Application Testing
Web Application Testing
Richa Goel
 
Manoj resume
Manoj resumeManoj resume
Manoj resume
tekwissen
 
Shailaja_SoftwareEngineerQA_4.9Exp
Shailaja_SoftwareEngineerQA_4.9ExpShailaja_SoftwareEngineerQA_4.9Exp
Shailaja_SoftwareEngineerQA_4.9Exp
Shailaja Chundru
 
Application Quality Best Practices with Visual Studio 2010 - Adrian Dunne
Application Quality Best Practices with Visual Studio 2010 - Adrian DunneApplication Quality Best Practices with Visual Studio 2010 - Adrian Dunne
Application Quality Best Practices with Visual Studio 2010 - Adrian Dunne
Spiffy
 

Tendances (20)

Building a CI/CD Pipeline for PHP apps
Building a CI/CD Pipeline for PHP appsBuilding a CI/CD Pipeline for PHP apps
Building a CI/CD Pipeline for PHP apps
 
Ijcatr04051014
Ijcatr04051014Ijcatr04051014
Ijcatr04051014
 
Qualidade de Software em zOS usando IBM Debug Tool e RDz
Qualidade de Software em zOS usando IBM Debug Tool e RDzQualidade de Software em zOS usando IBM Debug Tool e RDz
Qualidade de Software em zOS usando IBM Debug Tool e RDz
 
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
 
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
IDENTIFICATION OF PROMOTED ECLIPSE UNSTABLE INTERFACES USING CLONE DETECTION ...
 
Model Based Systems and Software Engineering an overview of the IBM Rational ...
Model Based Systems and Software Engineering an overview of the IBM Rational ...Model Based Systems and Software Engineering an overview of the IBM Rational ...
Model Based Systems and Software Engineering an overview of the IBM Rational ...
 
Slides for Houston iPhone Developers' Meetup (April 2012)
Slides for Houston iPhone Developers' Meetup (April 2012)Slides for Houston iPhone Developers' Meetup (April 2012)
Slides for Houston iPhone Developers' Meetup (April 2012)
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous Integration
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Neha Arora_Resume
Neha Arora_ResumeNeha Arora_Resume
Neha Arora_Resume
 
Top 10 Automation Testing Tools in 2020
Top 10 Automation Testing Tools in 2020Top 10 Automation Testing Tools in 2020
Top 10 Automation Testing Tools in 2020
 
Psi multi accessgateway_casestudy
Psi multi accessgateway_casestudyPsi multi accessgateway_casestudy
Psi multi accessgateway_casestudy
 
[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition[ITAS.VN]CxSuite Enterprise Edition
[ITAS.VN]CxSuite Enterprise Edition
 
CODE REVIEW AND COOPERATIVE PAIR PROGRAMMING BEST PRACTICE
CODE REVIEW AND COOPERATIVE PAIR PROGRAMMING BEST PRACTICECODE REVIEW AND COOPERATIVE PAIR PROGRAMMING BEST PRACTICE
CODE REVIEW AND COOPERATIVE PAIR PROGRAMMING BEST PRACTICE
 
Web Application Testing
Web Application TestingWeb Application Testing
Web Application Testing
 
Manoj resume
Manoj resumeManoj resume
Manoj resume
 
Shailaja_SoftwareEngineerQA_4.9Exp
Shailaja_SoftwareEngineerQA_4.9ExpShailaja_SoftwareEngineerQA_4.9Exp
Shailaja_SoftwareEngineerQA_4.9Exp
 
DevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous ComplianceDevOps and Open Source Software Continuous Compliance
DevOps and Open Source Software Continuous Compliance
 
Application Quality Best Practices with Visual Studio 2010 - Adrian Dunne
Application Quality Best Practices with Visual Studio 2010 - Adrian DunneApplication Quality Best Practices with Visual Studio 2010 - Adrian Dunne
Application Quality Best Practices with Visual Studio 2010 - Adrian Dunne
 

Similaire à How Virtual Compilation Transforms Static Code Analysis

Continuous Integration and development environment approach
Continuous Integration and development environment approachContinuous Integration and development environment approach
Continuous Integration and development environment approach
Aleksandr Tsertkov
 
Challenges of integrating code signing with CI.pdf
Challenges of integrating code signing with CI.pdfChallenges of integrating code signing with CI.pdf
Challenges of integrating code signing with CI.pdf
Savinder Puri
 
Rhapsody Software
Rhapsody SoftwareRhapsody Software
Rhapsody Software
Bill Duncan
 

Similaire à How Virtual Compilation Transforms Static Code Analysis (20)

postdev.pptx
postdev.pptxpostdev.pptx
postdev.pptx
 
Coverity Data Sheet
Coverity Data SheetCoverity Data Sheet
Coverity Data Sheet
 
Software Lifecycle Management
Software Lifecycle ManagementSoftware Lifecycle Management
Software Lifecycle Management
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis tool
 
Unit iv
Unit ivUnit iv
Unit iv
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!
 
Continuous Integration and development environment approach
Continuous Integration and development environment approachContinuous Integration and development environment approach
Continuous Integration and development environment approach
 
What is SonarQube in DevOps.docx
What is SonarQube in DevOps.docxWhat is SonarQube in DevOps.docx
What is SonarQube in DevOps.docx
 
MongoDB World 2019: Building Flexible and Secure Customer Applications with M...
MongoDB World 2019: Building Flexible and Secure Customer Applications with M...MongoDB World 2019: Building Flexible and Secure Customer Applications with M...
MongoDB World 2019: Building Flexible and Secure Customer Applications with M...
 
mydevops.pptx
mydevops.pptxmydevops.pptx
mydevops.pptx
 
Challenges of integrating code signing with CI.pdf
Challenges of integrating code signing with CI.pdfChallenges of integrating code signing with CI.pdf
Challenges of integrating code signing with CI.pdf
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable Software
 
Maturity of-code-mgmt-2016-04-06
Maturity of-code-mgmt-2016-04-06Maturity of-code-mgmt-2016-04-06
Maturity of-code-mgmt-2016-04-06
 
Rhapsody Software
Rhapsody SoftwareRhapsody Software
Rhapsody Software
 
Iac evolutions
Iac evolutionsIac evolutions
Iac evolutions
 
[India Merge World Tour] Coverity
[India Merge World Tour] Coverity[India Merge World Tour] Coverity
[India Merge World Tour] Coverity
 
Agile A to Z Chapter 4 Feedback Loop Part 2 DevOps
Agile A to Z Chapter 4 Feedback Loop Part 2 DevOpsAgile A to Z Chapter 4 Feedback Loop Part 2 DevOps
Agile A to Z Chapter 4 Feedback Loop Part 2 DevOps
 
Presentation Verification & Validation
Presentation Verification & ValidationPresentation Verification & Validation
Presentation Verification & Validation
 
Moxa white paper---Using Sample Code to Develop Embedded Applications
Moxa white paper---Using Sample Code to Develop Embedded ApplicationsMoxa white paper---Using Sample Code to Develop Embedded Applications
Moxa white paper---Using Sample Code to Develop Embedded Applications
 

Plus de Checkmarx

10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
Checkmarx
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
Checkmarx
 

Plus de Checkmarx (13)

Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 
10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers10 Tips to Keep Your Software a Step Ahead of the Hackers
10 Tips to Keep Your Software a Step Ahead of the Hackers
 
The 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code AnalysisThe 5 Biggest Benefits of Source Code Analysis
The 5 Biggest Benefits of Source Code Analysis
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Source Code vs. Binary Code Analysis
Source Code vs. Binary Code AnalysisSource Code vs. Binary Code Analysis
Source Code vs. Binary Code Analysis
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 
The Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-InsThe Security State of The Most Popular WordPress Plug-Ins
The Security State of The Most Popular WordPress Plug-Ins
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
 
Graph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC ChapterGraph Visualization - OWASP NYC Chapter
Graph Visualization - OWASP NYC Chapter
 
Happy New Year!
Happy New Year!Happy New Year!
Happy New Year!
 

Dernier

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Dernier (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx

How Virtual Compilation Transforms Static Code Analysis

Executive Summary

Secure software development has become a priority for all organizations, whether they build their own software or outsource it. Code analysis is becoming the de facto way to introduce secure development and to measure the inherent risk in software.

Many assume that code analysis requires compilation as a prerequisite. Today, all major static code analyzers are built on this assumption and scan only after compilation, so they require buildable code. The reliance on compilation has major negative implications for every stakeholder: developers, auditors, CISOs, and the organizations that hope to build a secure development lifecycle (SDLC). Historically, static code analysis needed a complete, buildable project to run against, which made the build server, in line with the rest of the build process, the logical place to run it. The "buildable" requirement also pushed the scan toward the end of the development process, making security fixes to code more expensive and greatly reducing the benefit.

There is evidence that compilation-based code analysis tools hurt risk mitigation efforts. As Gartner analyst Neil MacDonald observed, "we've talked with a number of clients that purchased a [static analysis] tool which later becomes expensive 'shelfware' or where the project was halted after delivering mixed results."1 Mr. MacDonald correctly singles out poor security process as an obstacle, but there are serious technical factors that contribute to the "shelfware" problem. A key, overlooked bottleneck is the compiler-based approach itself: getting the code into a state where it can be compiled and linked is not an easy task.

How does the need for compilation hurt the stakeholders who rely on code analysis?

• Developers: With compiler-based approaches, vulnerability scanning is limited to unit testing or later, weeks after the code is written. This forces iterative coding turnarounds that are inefficient and do little to build a culture of application security.
• Auditors: Forced to rely on testing tools that depend on compilation, auditors lose the flexibility to spot-check suspect code early in the development process. Duplicating the developer's environment and integrating the code further reduce the auditor's efficiency. These difficulties can leave vulnerabilities unrevealed in the test environment, or simply missed because of the inefficiency of the process itself.
• CISOs: CISOs, who bear responsibility for mitigating risk in the enterprise, often face developer resistance when introducing security code analyzers and are frequently unable to obtain timely risk assessments from auditors.

1 http://blogs.gartner.com/neil_macdonald/2009/03/07/application-security-a-tool-cannot-solve-whatfundamentally-is-a-process-problem/
Checkmarx's Virtual Compiler™ eliminates these problems by removing the dependency on compilation and linking. It transforms code, whether freshly written or from an old legacy application, into a form that preserves its structure and application-flow properties. Testing no longer depends on having every module complete, on duplicating the development environment, or on building a final test harness. Instead, scanning can take place early and often, as the code is developed. Once a scan completes, all code and flow properties are stored in a database that can be interrogated for vulnerabilities. Because virtual compilation is independent of compiler and operating system, applications can be inspected without lengthy setup and configuration.

How does the Virtual Compiler benefit the key stakeholders in the software development process?

• Developers: The Virtual Compiler lets developers test code anywhere, anytime, without worrying about compiler or operating system compatibility. They can test uncompiled and unlinked code, their own modules, or any other subset of the application in a true developer-desktop deployment that reinforces good security awareness and practice as the code is written.
• Auditors: Auditors can test code earlier in the SDLC, and can easily conduct spot checks without having to duplicate development environments.
• CISOs: CISOs can monitor and reinforce secure coding practices as the code is written, giving them a better understanding of potential exposure to vulnerabilities earlier in the SDLC.

Finally, and most importantly, the Virtual Compiler is not only accepted but welcomed by developers, auditors and CISOs. That removes a common obstacle to building an efficient and effective SDLC and ensures that applications get tested thoroughly and effectively, saving time and cost.
The Need

To scan compiled code, the code first has to compile successfully, with no syntax errors or linkage problems. In complex applications, reaching a full build often takes a long effort and coordination between multiple stakeholders, so such holistic builds tend to happen late in the project, as system testing looms.

The problems do not end once the code compiles. Binaries produced by compiler A on operating system B differ from those produced by compiler X for operating system Y. To support this large number of combinations, a code analyzer must adapt to every permutation of compiler and operating system. The problem is worse with modern, agile and iterative techniques that require testing to be done inline: these techniques assume that whatever is checked into the build system is solid, secure and plays well with the rest of the build, which presupposes that every developer and tester on the project is already using static security analysis.

To avoid the dependencies, problems and complexity of the many compiler and operating system combinations, and to enable scanning of incomplete code that could not otherwise be compiled, Checkmarx eliminated the need for compilation and invented the Virtual Compiler.

The Virtual Compiler: What is it?

The Virtual Compiler reads any source code and transforms it into a common language form that can then be scanned thoroughly for vulnerabilities. It accepts uncompiled code or any subset of a project and "virtually compiles" it by compensating for syntax errors and stubbing the missing parts that linking would normally resolve. It is based on the published standards that define the exact syntax and behavior of each language.

Because it works from the source itself, it bypasses formal compilation and linking, which makes it compiler- and platform-agnostic and avoids compatibility issues. Working at the source level also makes it easy to correlate findings back to the code for remediation and to add new languages and dialects, giving a truly language-agnostic platform.

The Virtual Compiler takes the idea behind the Java Virtual Machine a step further. Where Java makes the language independent of the operating environment, the Virtual Compiler is independent of the language itself: it treats all languages and dialects alike and brings them to a common form. The commonality that the JVM achieves at the binary level is achieved here at the source level. Significantly, the sources do not all have to be alike, or even complete: the Virtual Compiler forgives the developer's compile and linkage errors. Furthermore, the code is enhanced to bypass the pitfalls presented by standard compilers, which improves analysis accuracy.

Scanning incomplete code early does not find every problem that could show up later, but it has been proven to find a significant portion of them, and it has the advantage of being usable in the early stages of the development cycle, where fixing a defect is cheapest.
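As an added illustration, not Checkmarx's code and not its real internal representation, the following Python sketches the ideas described above and the steps listed under "How does it work?": a tolerant front end that isolates a line that will not parse (syntax compensation), stands in a stub for a callee that is never defined (linkage resolution), builds a common control-flow form, and an exhaustive scanner that walks every entry-to-exit path while tracking tainted data. The toy language, the sample program, and the source, sink and known-library sets are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in a toy line-oriented language (assumed for this example, not
# Checkmarx's real input). Line 3 has a syntax error and sanitize() is never defined.
SAMPLE = """\
name = source()
if flag:
    title = = broken(name)
    html = sanitize(name)
else:
    html = concat(name)
end
render(html)
"""
SOURCES = {"source"}   # assumed taint sources (user-controlled input)
SINKS = {"render"}     # assumed dangerous sinks
KNOWN = {"concat"}     # assumed library call whose output is tainted if any input is
ASSIGN = re.compile(r"^(\w+)\s*=\s*(\w+)\((.*)\)$")
CALL = re.compile(r"^(\w+)\((.*)\)$")


@dataclass
class Node:
    kind: str              # entry, exit, branch, join, assign, call
    line: int = 0
    target: str = ""
    callee: str = ""
    args: list = field(default_factory=list)
    succ: list = field(default_factory=list)   # successor node indices


def virtual_compile(src):
    """Tolerant front end: a control-flow graph from source that need not parse or link."""
    nodes, compensated, stubbed = [], [], set()
    frames, open_ends = [], []   # open if-blocks [branch_id, then_tails]; dangling nodes
    def link(kind, **kw):        # append a node and wire every dangling predecessor to it
        nonlocal open_ends
        nid = len(nodes)
        nodes.append(Node(kind, **kw))
        for p in open_ends:
            nodes[p].succ.append(nid)
        open_ends = [nid]
        return nodes[nid]
    link("entry")
    for lineno, raw in enumerate(src.splitlines(), 1):
        text = raw.strip()
        if text.startswith("if ") and text.endswith(":"):
            link("branch", line=lineno)
            frames.append([open_ends[0], None])
        elif text == "else:":
            frames[-1][1] = open_ends          # where the then-branch ended
            open_ends = [frames[-1][0]]        # the else-branch also starts at the branch
        elif text == "end":
            bid, then_tails = frames.pop()
            open_ends = open_ends + (then_tails if then_tails is not None else [bid])
            link("join", line=lineno)
        elif (m := ASSIGN.match(text)) or (m := CALL.match(text)):
            g = m.groups()                     # (target, callee, args) or (callee, args)
            n = link("assign" if len(g) == 3 else "call", line=lineno, callee=g[-2],
                     target=g[0] if len(g) == 3 else "",
                     args=[a.strip() for a in g[-1].split(",") if a.strip()])
            if n.callee not in SOURCES | SINKS | KNOWN:
                stubbed.add(n.callee)          # linkage resolver: no definition, stub it
        elif text:
            compensated.append(lineno)         # syntax compensator: isolate line, carry on
    link("exit")
    return nodes, compensated, stubbed


def exhaustive_scan(nodes):
    """Exhaustive flow scanner: walk every entry-to-exit path of the (acyclic) graph and
    track taint per path instead of merging states at joins. Stubs propagate taint."""
    paths, findings = [], []
    def walk(nid, path, tainted):
        n = nodes[nid]
        path = path + [n.line] if n.line else path
        tainted = set(tainted)
        if n.kind == "assign":
            if n.callee in SOURCES or any(a in tainted for a in n.args):
                tainted.add(n.target)          # source, known propagator, or stub
            else:
                tainted.discard(n.target)
        elif n.kind == "call" and n.callee in SINKS:
            for a in n.args:
                if a in tainted:
                    findings.append({"sink": n.callee, "line": n.line, "arg": a, "path": path})
        if not n.succ:
            paths.append(path)
        for s in n.succ:
            walk(s, path, tainted)
    walk(0, [], set())
    return paths, findings


def analyze(src):
    """Whole pipeline: returns (isolated lines, stubbed callees, paths, findings)."""
    nodes, compensated, stubbed = virtual_compile(src)
    return (compensated, stubbed) + exhaustive_scan(nodes)
```

Running analyze(SAMPLE) isolates line 3, stubs sanitize(), and reports render(html) at line 8 on both paths (lines 1, 2, 4, 7, 8 and 1, 2, 6, 7, 8) even though the program never parsed or linked. The then-path finding shows the price of a stub: with no body to inspect, the stub cannot know whether sanitize() really cleanses its input, so it propagates taint conservatively and an incomplete project can report flows that the finished code would not. Giving the linkage resolver a model of such functions, or the definition once it exists, is what brings that noise down.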
How does it work?

The Virtual Compiler takes any source code and transforms it into a unified form that can then be scanned for vulnerabilities.

[Diagram: the Virtual Compiler pipeline; not reproduced in this transcript]

The Virtual Compiler works in the following steps:

1. Language Adaptor – analyzes the source code against the published standards used by all the compilers on the market.
2. Syntax Compensator – identifies syntax errors and isolates the nearby unresolved portion of the program, while allowing the complete portions to proceed.
3. Linkage Resolver – identifies missing and unresolved references and "stubs" them, so that detection can continue throughout the resolved flow.
4. Code Enhancer – compilation is proprietary and optimized for runtime, which creates pitfalls during resolution; the code enhancer avoids them by:
   o adding missing control-flow elements;
   o distinguishing between ambiguous data elements;
   o avoiding misrepresentations created by compiler optimization;
   o resolving run-time virtual function calls.
5. Common Language Form – the language is virtualized into a common form containing structure and data-flow properties.
6. Exhaustive Flow Scanner – scan complexity and accuracy are correlated with the depth of the application's graphs. Checkmarx's patent-pending algorithm, implemented by the Exhaustive Flow Scanner (EFS), scans every path within a flow graph for flaws, avoiding the shortcuts taken by other code analyzers. As a result, the EFS approach has the added benefit of pinpoint accuracy.

The Checkmarx code analyzer is the only product today with virtually zero false positives. Where other products can feel like shock therapy, with long configuration and high false-positive rates, Checkmarx users see faster adoption and low usage overhead.

Once the scan of the source is complete, all code and flow properties are stored in a database that can be interrogated with an open query language. Out-of-the-box queries, combined with customization for corporate standards and business logic, ensure detection across the full vulnerability spectrum.

The impact of Virtual Compilation

The key risks with compiler-based approaches are, first, that builds may fail often, so key security vulnerabilities go unreported, and second, that static analysis will not be deployed on the desktop early in development. The Virtual Compiler gives a proper solution to every stakeholder who affects security during the development process.

• Developers: The ability to scan unbuilt code pushes static analysis even further back into the development life cycle, where it is most useful. The biggest impact of virtual compilation is desktop usability by developers and auditors.
The promise of code analysis was the reduction of errors at the cheapest phase of development. In addition, thanks to code enhancement and Exhaustive Flow Scanning, the user gets far more accurate results.
• Auditors: Virtual compilation means auditors are ready to inspect any code base at any time. Auditors should be able to move quickly into code-level reviews and then step back to review high-level trends. Freed from compiler-based approaches, auditors are not hampered by compiler or platform compatibility: all they need is the source. Faster audits mean more code reviewed in less time. Finally, auditors rarely have access to the code for a complete project, which is no obstacle with virtual compilation.
• CISOs: Static analyzers raise major concerns about developer adoption and productivity. The Virtual Compiler means code analysis will be used more broadly, giving CISOs a faster and more accurate view of their "risk factory" and enabling them to put effective controls in place to contain it.

Conclusion: the Virtual Compiler delivers a solid ROI with a significantly reduced TCO

Virtual compilation provides the best way for organizations to introduce secure development while systematically eliminating software risk. It streamlines the workflow of the key stakeholders in the software development process, increasing their effectiveness at finding problems and reducing the need for costly professional services. The Virtual Compiler enables developers and auditors to scan code anywhere, anytime. For CISOs, it means that securing the enterprise's applications is finally practical and achievable.

Checkmarx Virtual Compiler delivers:

• Strong ROI: The Virtual Compiler enables problems to be discovered earlier in the SDLC, with better accuracy than solutions deployed later during formal testing, reducing the cost to find and fix defects.
• Low TCO that facilitates quick, frequent code scanning: The Virtual Compiler is platform-independent, enabling quick setup in any environment: all you need is source code. It does not matter whether the developer uses Linux, Windows, an Apple operating system or Solaris. The complexity and system overhead of compiling and building applications are avoided. The faster and more convenient the testing methodology, the more likely it is to be used often and thoroughly, ensuring that your code is solid and secure.

Contact Us

For more information about Checkmarx or any of our products, please contact us or visit our Web site at www.checkmarx.com. For immediate information, contact our staff at:
• +1.917.470.9501
• info@checkmarx.com