
Standardizing Safety & Security with Static Analysis

Today’s presenters

Christopher Rommel
VDC Research
crommel@vdcresearch.com
@chris_rommel

Walter Capitani
Rogue Wave Software
walter.capitani@roguewave.com
@walter_capitani

May 2018
What is Static Code Analysis?

Performs one or more processes
• Syntax Analysis
• Data Flow Analysis
• Symbolic Logic Analysis

Requires source code
• The most accurate tools must be able to compile the code
• No changes to your existing build flow

Different types of analysis
• Intra-procedural (simplest analysis)
• Inter-procedural
• Inter-file

© 2018 VDC Research Group, Inc. 3


What Kind of Defects are We Looking For?

• Find common issues in code

  Defect class: typical consequence
  Buffer overflows: Security exploit or program crashes
  Null pointer dereferences: Your program crashes
  Memory leaks: Processor runs out of memory and locks up
  Uninitialized data usage: Data injection
  Platform/OS specifics: Privilege escalation, etc.
  Concurrency: Deadlock
  Suspicious coding practices: Variable assignments, function calls

• Not easy to spot with the human eye
• Not generally found by code review
• Many are traditionally found with dynamic testing after a failure has occurred in testing or the field
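
Added example, not from the original slides: two of the defect classes listed above (null pointer dereference and uninitialized data usage), each next to its corrected form, in a shape that only an inter-procedural analysis can see because the caller looks correct when read alone. The sensor table and all function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample data; every name in this file is hypothetical. */
struct sensor { const char *name; int limit; };
static const struct sensor SENSORS[] = { { "temp", 85 }, { "rpm", 6000 } };

/* Returns NULL for an unknown name; in a real code base this would
 * typically live in a different file from its callers. */
const struct sensor *find_sensor(const char *name)
{
    for (size_t i = 0; i < sizeof SENSORS / sizeof SENSORS[0]; i++)
        if (strcmp(SENSORS[i].name, name) == 0)
            return &SENSORS[i];
    return NULL;
}

/* DEFECT (null pointer dereference): nothing here looks wrong alone;
 * only following the call into find_sensor() shows s can be NULL. */
int limit_unchecked(const char *name)
{
    const struct sensor *s = find_sensor(name);
    return s->limit;
}

/* Corrected: returns 0 and writes *out, or -1 leaving *out untouched. */
int limit_checked(const char *name, int *out)
{
    const struct sensor *s = find_sensor(name);
    if (s == NULL || out == NULL)
        return -1;
    *out = s->limit;
    return 0;
}

/* DEFECT (uninitialized data usage): the return value is ignored, so
 * for an unknown name `limit` is read without ever being written. */
int over_limit_unchecked(const char *name, int reading)
{
    int limit;
    limit_checked(name, &limit);
    return reading > limit;
}

/* Corrected: fail closed (report over limit) when the lookup fails. */
int over_limit_checked(const char *name, int reading)
{
    int limit;
    return limit_checked(name, &limit) != 0 || reading > limit;
}
```

Both defective functions behave correctly for every known sensor name, which is why tests built from valid inputs pass and the failure first shows up in the field.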



Software Sophistication Amplifies Schedule Issues

Chart: Project Schedule Adherence (Percent of Respondents)
  Ahead of schedule: 12.6%
  On schedule: 42.9%
  Behind schedule: 43.4%
  Don't know: 1.1%

• SW delivers more and more value to customers, fueling corporate differentiation and revenue growth
• Efficient and accurate SW dev is essential for meeting schedule & budget goals
• Unfortunately, project delays are nothing new in the embedded industry
• Over the past decade, delays hovered around 40%
• Delays cost ~115K per month – just in labor
• Faced with pressures to change and adapt growing more acute, eng orgs cannot afford to fall behind
• IoT biz model changes make costs from delays increasingly acute → more revenue now not available or collectable until long after deployment

Collaboration Crossing Engineering Boundaries

Chart: Distribution of Development Costs (Average of Respondents), Current Project vs. Three Years From Now
  Categories: Electrical; Mechanical; Software, Analytics, and Cloud/IoT; Other
  Data labels (Current Project / Three Years From Now): 2.0% / 2.1%; 56.0% / 61.2%; 18.1% / 15.7%; 24.0% / 21.0%

• Demand for IoT-related services and the advance of software-driven product innovation is reshaping OEMs
• The profile of Eng org skillset and investments is changing rapidly
• But continuing to scale SW dev spending is unsustainable
• Organizations must find new ways to improve the efficiency of their software engineering teams



IoT Shaping All Corners of Embedded Market

Chart: Deployment of IoT Capabilities and/or Applications into Organization's Products (Percent of Respondents)
  Categories: Currently deploying; Within the next 1 year; Within the next 3 years; Within the next 5 years; After at least 5 years; We do not currently intend to deploy; Don't know
  Data labels: 36.2%, 21.9%, 19.3%, 12.2%, 4.6%, 4.3%, 1.5%

New opportunities and a need to speed change
• IoT is enabling the creation of new device classes and end-user engagement models
• Established practices and value creation processes are rapidly evolving
• New focuses for differentiation are emerging
  • Connectivity
  • Ability to deliver new value added-services

Challenges are Driving Change Across Industries

Chart: Implementation/Investigation of Multi-Engineering Domain Integration (Percent of Respondents)

Automotive
• High level of sys-sys design reqs – encouraging extensive integration of engineering domains
• Fragmented component and manufacturing ecosystem challenges comprehensive change

Industrial
• Connectivity and smart factory initiatives are transforming sys reqs
• Complexity rapidly increasing from analytics, edge computing, and automation

Entrenched Processes Evolving

Chart: Static Analysis Testing Tool Use Rate (Percent of Respondents)
  Automotive: 37.2%
  Aerospace & Defense: 27.0%
  Medical: 32.7%
  Industrial Automation & Control: 28.4%

Chart: Full Compliance With a Formal Software Coding Standard (Percent of Respondents)
  Automotive: 39.4%
  Aerospace & Defense: 15.7%
  Medical: 18.8%
  Industrial Automation & Control: 22.6%

Automotive
• 2/3rds of current projects are either completely complying with MISRA C or selectively enforcing it

Medical
• Compliance environment maturing
• Static analysis and SAST tool use is strong, but many orgs are recent adopters – use rates were 28.2% and 5.1% in 2016

A&D
• Process standards often dictate SDLC and tools
• BUT full compliance with formal coding standards trails other safety-critical industries

Comparing Static Code Analysis Technologies


Coding Standards Improve Quality – and Schedule

Chart: Schedule Performance, by Coding Standard Compliance (Percent of Respondents)
  Panels: Fully Complying with a Formal Coding Standard; Not Complying to Any Formal Coding Standard
  Legend: Ahead of Schedule; On Schedule; Behind Schedule; Don't Know
  Data labels: 4.0%, 2.0%, 22.0%, 34.8%, 37.3%, 56.7%, 43.2%

• Coding Standards help ensure SW dev follows best practices
• Helps prevent common code vulnerabilities
• More than just improving quality, coding standards help get the code “done-right” sooner, improving schedule performance – helping control dev costs
• Significant improvement in schedule performance on projects when SW was produced in full compliance



Standards Compliance – What Matters to You?



Securing Your Bottom-line During Development

Chart: Implications of Security Vulnerabilities (Percent of Respondents)
  Data labels: 55.2%, 42.5%, 40.2%, 31.0%, 28.7%, 8.0%, 3.4%, 2.3%

Consequences of software exploits are multi-faceted
• Failure of any type, even “cockpit errors,” will always point back to SI/OEM at some point

New tools can help address many issues
• SW quality investment should scale with SW dev resources
• Diverse/integrated testing
• SW composition analysis

Eng Orgs must take proactive steps to improve system security and reduce financial risk
• Implement during dev
• Reduce number of vulnerabilities
• Reduce cost of remediation

Final Summary & Recommendations

1 Use Static Analysis Tools
2 Embrace Coding Standards
3 Begin Security Mitigation Planning Early
4 Integrate Across the Engineering Organization



Questions?

Christopher Rommel
VDC Research
crommel@vdcresearch.com
@chris_rommel

Walter Capitani
Rogue Wave Software
walter.capitani@roguewave.com
@walter_capitani

Ready to try Klocwork static code analysis?
roguewave.com/klocwork
