logo

GrammaTech CodeSonar in the News


Further press articles:
Testwell CTC++     Testwell CMT++/CMTJava     Imagix4D     GrammaTech CodeSonar     GrammaTech CodeSentry     Verifysoft/General     All Press Articles    

This are only some of all GrammaTech CodeSonar news in English language

More GrammaTech news are available in German


10 criteria for selecting a code coverage tool

How a DevSecOps approach improved security in iris recognition systems

A look at DevSecOps best practice and use of static application security testing (SAST) as part of the software development lifecycle at Iris ID, who provide iris recognition for state-of-the-art access control and sensitive biometric authentication applications. ...
We chose CodeSonar from GrammaTech because it met the above criteria as we implemented a DevSecOps approach. CodeSonar could both identify code issues and also provide explanations to developers so they could fix problems. This enables our global development teams to not only avoid making mistakes, but learn from past errors so they don’t crop up again.
Read the entire article here.
10 criteria for selecting a code coverage tool

Software quality demands both static code analysis and dynamic testing

Increased recall campaigns, delayed deliveries, difficulties in delivering the promised functions on time: software quality is not evident. The development of good software is only possible through consistent action, adherence to standards and the use of mature test and quality assurance tools. Bad software leads to monetary losses and deterioration of the corporate image. Embedded software is even more critical, as it is mostly used in safety-critical applications. Here, software errors can endanger human lives and must therefore be avoided at all costs. For this reason, standards like ISO 26262, IEC 61508 or DO178-C have strict requirements regarding the quality of development and testing of software.
Read the entire article here.
Top 5 'Need to Know' Coding Defects for DevSecOps

Top 5 'Need to Know' Coding Defects for DevSecOps

Integrating static analysis into the development cycle can prevent coding defects and deliver secure software faster. Security practitioners are accustomed to intervening at the end of the software development process to identify security vulnerabilities, many of which could have been prevented with earlier intervention. To address this problem, developers who are already under pressure to deliver increasingly complex software faster and less expensively are being recruited to implement security earlier in the development cycle under the "shift-left" movement. To understand the obstacles facing developers in meeting new security requirements, consider the five most common coding defects and how to address them.
Read the entire article here.
Real World Benchmark for Static Code Analysis Tools

Real World Benchmark for Static Code Analysis Tools

Software development and quality managers that are looking to measure the benefit of static analysis can now use BugInjector, a tool that can inject Common Weakness Enumeration (CWE) based bug patterns into existing code bases, thus delivering real-world benchmarks. This independent real-world benchmarks have been created by GrammaTech under contract for the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and are now available in the Software Assurance Marketplace (SWAMP) at no cost.
"There is an urgent need for benchmarks, such as those from GrammaTech, to allow software developers to evaluate static analysis tools in a comprehensive and real-world setting," says Barton Miller, Professor of Computer Sciences at the University of Wisconsin – Madison and Chief Scientist of SWAMP. "Also, developers of static analysis tools now have the ability to enhance their tools or benchmark new static analysis technologies with realistic test cases. Integrating these benchmarks into the SWAMP platform increases their effectiveness and availability."
Read the post here.
Data Race beep.c

Detecting the Beep Vulnerability with CodeSonar

Taint data does not only enter the system via familiar programs. A small gap like the current bug in the Linux-tool beep.c is enough. These security gaps are often not recorded by the testing-radar. However you can detect them.
The error in beep.c was deteced with the static analysis tool GrammaTech CodeSonar.
Read the whole article here.
Grammatech

Integration Between GrammaTech CodeSonar and Wind River Workbench

With this integration, software developers can annotate and resolve the software vulnerabilities that CodeSonar highlights without leaving the Wind River Workbench development environment, thereby significantly boosting productivity. Supporting the native Wind River VxWorks® real-time operating system as well as the POSIX API, CodeSonar provides advanced, whole program static analysis of application software and device drivers running in either kernel or user mode. For developers of complex Internet of Things (IoT) devices, CodeSonar delivers a must-have capability as it finds security and quality problems as well as problems specific to multi-core development such as deadlocks, livelocks, resource starvation, and race conditions. CodeSonar identifies bugs that can result in system crashes, unexpected behavior, and security breaches, reducing the risk of shipping costly, brand-damaging defects. It finds these bugs during the development phase, before software is tested, thereby saving cost and time.
Read full text here or watch the demo video.
Electronics Weekly

Can software development be more secure with static analysis?

The longer answer to the question "when should static analysis be applied?" is "a part of structured and secure development process". Static analysis is an important part of a modern software development tool suite which, when applied correctly and sufficiently early, can have significant impact on code quality, security and safety.
Perhaps the most relevant point is the role static analysis plays in a security-first software design, which is critical in today´s connected and complex operating environment..... Electronicsweekly.com, 05. April 2017
boards & solutions + ECE

Addressing IoT impact on software engineering

(By Bill Graham, GrammaTech)
Manufacturers need to carefully evaluate the cyber threats and the level of exposure of IoT devices. New levels of software integrity can only be achieved if teams can eliminate both accidental coding errors and intentional design-in vulnerabilities, through efficient analysis techniques suitable for the typical highly complex applications of today.
Powered by the forces of the cloud, connected endpoints, wireless technologies, and big data, the Internet of Things (IoT) evolution is forming a perfect storm for software engineering teams. This single, transformative force is bigger than anything in the history of tech industry, fueling an unparalleled consumer- oriented features race, expected to advance at an incredible rate over the next decade. ...
boards & solutions + ECE March 2017 (PDF)
EE Times Europe

Static code analysis tools gain ISO 26262, IEC 61508, EN 50128 certification

GrammaTech, Inc., has announced that CodeSonar, the company's static analysis product, has been certified for use in the development of safety-critical software according to several international standards: ISO 26262, IEC 61508, and EN 50128 for automotive systems, medical devices, and railway applications, respectively.
EE Times Europe, 4 July 2014
Professional Tester

CodeSonar Achieves ISO 26262, IEC 61508, and EN 50128 Certification

Innovative Visual Taint Analysis for Understanding Hazardous Data Flow in Code Improves Embedded Device Reliability and Security
Ithaca, NY — GrammaTech, Inc., a leading maker of tools that improve and accelerate software development, today announced that CodeSonar, the company's flagship static analysis product, has been certified by SGS TÜV Saar GmbH for use in the development of safety-critical software according to several international standards: ISO 26262, IEC 61508 and EN 50128. These three standards were designed to define the functional safety of electronics throughout their lifecycle within automotive systems, medical devices, and railway applications, respectively.
Professional Tester, 2 July 2014
Professional Tester

GrammaTech Unveils Visual Security Analysis for Embedded Software

Innovative Visual Taint Analysis for Understanding Hazardous Data Flow in Code Improves Embedded Device Reliability and Security
GrammaTech, Inc., a leading maker of tools that improve and accelerate embedded software development, today introduced the industry´s first visual taint analysis technology. Available in CodeSonar, GrammaTech´s flagship static analysis product, this innovation combines advanced tainted dataflow analyses with GrammaTech´s proprietary visualization engine, to clearly display notoriously hard-to-find tainted data pathways in embedded systems. ... Professional Tester, 25 February 2014
EE Times Europe

Embedded software security analysis gets visual

Brought by GrammaTech, visual taint analysis technology is available in the company's flagship static analysis product, CodeSonar, combining advanced tainted dataflow analyses with a proprietary visualization engine to clearly display notoriously hard-to-find tainted data pathways in embedded systems...
EE Times Europe, 4 March 2014
NASA Spinoff 2011

Tools Ensure Reliability of Critical Software

In November 2006, after attempting to make a routine maneuver, NASA´s Mars Global Surveyor (MGS) reported unexpected errors. The onboard software switched to backup resources, and a 2-day lapse in communication took place between the spacecraft and Earth. ...
After successfully adapting CodeSonar to check for the NASAderived rules, GrammaTech transitioned the changes into its commercial version of the product in 2008. ...
NASA Spinoff 2011
'Dr. Dobb´s March 2008

Detecting Bugs in Safety-Critical Code - Advanced Static Analysis

When software is used for safety-critical applications, bugs aren´t just expensive annoyances - they can kill. Faced with such dire consequences, developers of safety-critical systems go to great lengths to prevent bugs from making it into the field. These measures are undeniably effective at reducing risk. Although there have been some famous catastrophic failures over the years, if medical devices or flight-control systems failed as often as most software fails, the headlines would be much grimmer. ...
Dr. Dobb´s Journal March 2008
'Embedded Technology March 2008

Static vs. Dynamic Detection of Bugs in Safety-Critical Code

In the never-ending quest to produce high-quality software, traditional dynamic testing plays a fundamental role. The weakness of dynamic testing is that it is only as good as the test cases. To be effective, a great deal of effort must go into writing or generating good test cases, and doing so can be very expensive.
Recently, a new breed of static analysis tools has emerged that can find flaws without writing any test cases. ...
Embedded Technology March 2008