Klocwork Beefs Up Security in Agile Source Analysis
Klocwork's Insight Pro features automated code refactoring and uses a "no-click usability model" that removes the step of requesting analysis, ensuring that static analysis runs automatically, much like a spell checker in a word processor. Without any conscious interaction, developers always have the most up-to-date analysis results available to them based on actions they're taking anyway, such as saving a file, opening a file, or switching between files in a tabbed environment. Underlying Klocwork's tools is a static analysis engine that understands what your code will actually do when it's executed, without requiring you to run it. The engine is a database of code semantics that are interpreted via symbolic execution, and it is the crux of Klocwork's technology.
Common Weakness Enumeration (CWE)
This is a community-developed list of software weaknesses led by MITRE. The CWE helps define and categorize the most common weaknesses in software security, including buffer overflows, format string vulnerabilities and unvalidated user input. Klocwork Insight now provides Phase II compliance with the CWE standard, meaning Klocwork analysis results can be reported using CWE identifiers. Klocwork's documentation has also been updated to include CWE identifiers.
CERT Secure Coding Standards
CERT is an initiative run by the Carnegie Mellon Software Engineering Institute. It identifies common code-writing errors that result in security vulnerabilities, and it publishes secure coding standards for Java, C, and C++. Klocwork's source code analysis tools now also help developers check for rule violations according to these standards, and Klocwork's documentation now includes the CERT rules as well.
Software Assurance Metrics and Tool Evaluation (SAMATE)
SAMATE is an inter-agency project between the U.S. Department of Homeland Security and the National Institute of Standards and Technology (NIST). The project defines a set of metrics for measuring the effectiveness of security and source code analysis tools such as Klocwork's Insight. Klocwork ran the SAMATE benchmarks against its product, and Insight maintains a 90% pass rate.
Free trials are available for Klocwork Insight or Insight Pro.