EuroSPI 2016 - Software Safety and Security Through Standards

Date post: 14-Feb-2017
Upload: arthur-hicken
Copyright © 2016 Parasoft

15.09.2016

Software Safety and Security Through Standards

Arthur Hicken - Parasoft
Transcript


Your Presenter

Arthur Hicken is Chief Evangelist at Parasoft where he has been involved in automating various software development and testing practices for over 20 years.

He has worked on projects including cybersecurity, database development, the software development lifecycle, web publishing and monitoring, and integration with legacy systems, and he maintains the IoT Hall-of-Shame: http://bit.ly/iotshame

Follow him: @codecurmudgeon
Blog: http://codecurmudgeon.com
Web: http://parasoft.com


Agenda

Software is everywhere

Software CAN hurt you

Software should be engineering

Good software costs less than bad software

Standards drive improvement

Things are Everywhere

[Slide graphic: Industrial Automation, Smart Health, Smart Home, Smart City]

Already on the Market

Software is Eating the World

Or is it infecting the world?

The IoT Hall-of-shame

http://codecurmudgeon.com http://bit.ly/iotshame

One weak spot is all it takes

Impact of Faulty Software

[Slide figures: -5.70% / -1.9B]

Software Failures = Headlines 2015

[Slide figures: -$2.55 Bn / -4.06%]

The day of the announcement, companies lost an average (value shown in the slide graphic) of shareholder value.

Software failures make headline news, eroding customer confidence, shareholder value and brand equity.

Escalating Cost of Failure: Public

Quality does not cost more

HOW QUALITY AFFECTS SOFTWARE COSTS

[Chart: COST against TIME across Requirements, Design, Coding, Testing, Maintenance; two curves, Pathological and Healthy]

Poor quality is cheaper until the end of the coding phase. After that, high quality is cheaper.

Technical debt

Software Quality 2011: A Survey of the State of the Art in Software – Capers Jones

Why find bugs early?

Applied Software Measurement, Capers Jones, 1996; Building Security Into The Software Life Cycle, Marco M. Morana, 2006

[Chart marker: Early code audit]

Why find bugs early?

[Chart markers: Pentest, Late code audit]

Software Safety in a Nutshell

§ Software development is almost never engineering
§ Lack of repeatability
§ Lack of well-exercised best practices
§ Lack of reliance on building standards
§ Developer training unknown and inconsistent

Purpose of Coding Standards

§ “Proven programming practices leading to safe, reliable, testable, and maintainable code”

§ “Address potentially unsafe C language features, and provide programming rules to avoid those pitfalls”

§ “By providing “safer” alternatives to “unsafe” facilities, known problems … are avoided. In essence, programs are written in a “safer” subset of a superset.”

Standard Standards

MISRA
ISO 26262
DO-178B/C
SANS/CERT
OWASP Top 10
JSF
DISA STIG
CWE

SEI Research

Predicting Software Assurance Using Quality and Reliability Measures
• Security and reliability go hand-in-hand
• You can predict security based on defects
• Static analysis is integral to improvement
• Many (or most!) critical defects are coding mistakes

http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=428589

Software Security Defined

§ Software security is the idea of engineering software so that it continues to function correctly under malicious attack.

§ Although the notion of protecting software is an important one, it’s just plain easier to protect something that is defect-free than something riddled with vulnerabilities.

(Gary McGraw, Cigital)

https://buildsecurityin.us-cert.gov/resources/building-security-in/software-security

Why MISRA for things that aren’t cars?

§ Coding Standards
§ Well-defined
§ Updated
§ Flexible

§ Deviation Strategy
§ Auditable
§ Why not?

Other Standards

DIY
DO-178
IEC 62304
Effective C++
CWE

INADEQUATE DEFECT REMOVAL IS MAIN CAUSE OF POOR SOFTWARE QUALITY

• Individual programmers are only 35% efficient in finding bugs in their own software

• The sum of all normal test steps is often less than 75% effective (1 of 4 bugs remains)

• Design Reviews and Code Inspections, however, are often 65% effective; can top 85%

• Static analysis is often 65% effective; can top 85%

• Reviews and Inspections can lower costs and schedules by as much as 30%

EXAMPLES OF TYPICAL CODE DEFECTS

SOURCES: SANS INSTITUTE AND MITRE (www.SANS.org and www.CWE-MITRE.org)

§ Errors in SQL queries
§ Failure to validate inputs
§ Failure to validate outputs
§ Race conditions
§ Leaks from error messages
§ Unconstrained memory buffers
§ Loss of state data
§ Incorrect branches; hazardous paths
§ Careless initialization and shutdown
§ Errors in calculations and algorithms
§ Hardcoding of variable items
§ Reusing code without validation or context checking
§ Changing code without changing comments that explain code

Fix or Prevent

Preventative standards examples

Object-Oriented
• Avoid "public"/"protected"/package-private instance fields
• Do not override an instance "private" method
• Do not hide inherited fields
• …

Best Practices
• Avoid returning "handles" to internal data from const member functions
• Declare at least one constructor to prevent the compiler from doing so
• Declare reference parameters as const references whenever possible
• …

Unused Code
• Avoid unused local variables
• Avoid unused "private" fields
• …

Class Metrics
• Follow the limit for Cyclomatic Complexity (default < 30)
• Follow the limit for number of “<type>” fields (private, etc.)
• Follow the limit on class hierarchy depth
• …

Static analysis

§ Analysis of a computer program that is performed without executing the software

§ Key impact: prevent or reduce the risk of erroneous coding
§ Advantages:
§ comprehensive and unbiased
§ results are available well before the application runs

§ Typically includes:
§ Compiler warnings
§ Coding standards/policies
§ Flow analysis/path simulation
§ Metrics (e.g. complexity)

What is: Pattern-Based SA

§ What:
§ Identify specific patterns in the code

§ Why:
§ Find bugs
§ Ensure inclusion of required items
§ Security
§ Branding
§ Prevent Problems
§ Improve Developers

Pattern-Based Static Analysis

§ Quick scan to list possible problems
§ Fixing violations prevents certain classes of errors
§ Each source file is analyzed separately
§ Static analysis categories include:
§ Logical Errors
§ API Misuse
§ Typographical Errors
§ Security
§ Threads and Synchronization
§ Performance and Optimization

What is: Data Flow Analysis

§ What:
§ Simulate execution to find patterns

§ Why:
§ Find real bugs

Data Flow Analysis

§ Simulate hypothetical execution paths
§ Detect possible errors along those paths
§ Data flow analysis error categories include:
§ Exceptions
§ Optimization
§ Resource Leaks
§ API misuse
§ Security

Static analysis – what it can do

§ Identify defective code - runtime bugs
§ Flag defect-prone code (possible bugs and “gotchas”)
§ Suggest defensive programming practices
§ Monitor application-specific guidelines (e.g. portability)
§ Enable policy enforcement (security)
§ Flag unmaintainable / poorly readable / “dialect” code
§ Train developers to code better

Static Analysis Prevention

§ Relationship of automated analysis
§ Preventative static analysis
§ Flow analysis
§ Runtime error detection

§ Uninitialized memory example
§ Runtime will find it IF the test suite is thorough
§ Flow analysis may find it depending on complexity
§ Pattern to prevent: Initialize variables upon declaration

§ Much of MISRA is designed to prevent rather than detect
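As an added illustration of the pattern-based side of this slide (this is not the deck's code or a Parasoft tool): a small Python checker that implements the rule "initialize variables upon declaration" as a line-by-line pattern over a constructed C function, and rewrites the declarations it flags. Flow analysis would have to reason about the no-match path to catch the same bug; the pattern rule prevents it without any path reasoning.

```python
import re

# Constructed C function (not from the slides): `status` is assigned only on the
# path where a match is found, so the uninitialized read on the no-match path
# surfaces at runtime only if some test actually exercises that path.
SAMPLE_C = """\
int lookup(const int *table, int n, int key)
{
    int status;
    int i = 0;
    for (i = 0; i < n; i++) {
        if (table[i] == key) {
            status = i;
        }
    }
    return status;
}
"""

# Pattern-based rule: one line of one file at a time, no knowledge of control
# flow. It flags a scalar or array declaration of a basic C type that carries no
# initializer. A production checker would use the parser's symbol table instead.
DECL_RE = re.compile(
    r"^\s*(?:(?:const|unsigned|signed|static)\s+)*"
    r"(?:int|char|short|long|float|double|size_t)\b\s*(\**)\s*"
    r"([A-Za-z_]\w*)\s*(\[[^\]]*\])?\s*;"
)


def uninitialized_declarations(source):
    """Return (line_number, variable_name) for each declaration without an initializer."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = DECL_RE.match(line)
        if m:
            findings.append((lineno, m.group(2)))
    return findings


def apply_preventive_pattern(source):
    """Rewrite each flagged declaration so the variable is initialized where it is declared."""
    out = []
    for line in source.splitlines():
        m = DECL_RE.match(line)
        if m:
            init = " = {0}" if m.group(3) else " = 0"
            # m.end() is just past the ';', so splice the initializer in before it
            line = line[:m.end() - 1] + init + line[m.end() - 1:]
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `uninitialized_declarations(SAMPLE_C)` reports `status` on line 3, and the rewritten source passes the same rule cleanly.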

How to choose rules

§ Based on why you’re using static analysis
§ Study expected issues
§ Analyze bug-tracking system
§ Don’t just turn on rules because it’s a good idea
§ Pick few enough to use sustainably

Being Successful

§ Choose rules carefully
§ Implement progressively
§ Fewer to more rules
§ Extend date backward
§ Suppressions to manage noise

[Slide graphic: QUALITY; Code Review and Regression Testing]

Conclusion

Standards and static analysis applied properly prevent errors

Cost of a solid prevention methodology is less than the cost of dealing with bad software

Cost of good software is less than bad software

Cost of quality, safe, secure software is less than the cost of a recall

Security Resources

CWE – Common Weakness Enumeration
• http://cwe.mitre.org

CERT - Secure Coding Guidelines
• https://www.securecoding.cert.org

Build Security In – Collaborative security effort
• https://buildsecurityin.us-cert.gov

Parasoft
• http://www.parasoft.com

§ Email: [email protected]
§ Web:
§ http://www.parasoft.com/
§ http://codecurmudgeon.com

§ Facebook:
§ https://facebook.com/parasoftcorporation
§ https://facebook.com/codecurmudgeon

§ Twitter: @Parasoft @CodeCurmudgeon
§ LinkedIn: http://www.linkedin.com/company/parasoft
§ Google+ Community: Static Analysis for Fun and Profit
