LDRA, provider of the most complete automated software verification, source code analysis and test tools covering the full development lifecycle, has enhanced the capabilities of the LDRA tool suite to assist in identifying security vulnerabilities and enforce security standards for development and deployment. LDRA’s adoption in this area demonstrates the company’s commitment to ensure their clients are able to comply fully with the latest security standards and certifications.
With the increased dependency on software systems in mission- and safety-critical systems, there has been an increase in the number of attacks. New security vulnerabilities are discovered daily and these cause problems with systems inadequately protected that result in security flaws. Studies indicate that a majority of these vulnerabilities can be traced back to a set of common programming errors.
The CERT C Secure Coding Standard provides rules and recommendations for secure coding in the C programming language. The goal of these rules and recommendations is to eliminate insecure coding practices and undefined behaviors that lead to exploitable vulnerabilities. The application of the secure coding standard leads to higher quality systems that are robust and more resistant to attack. Rules and recommendations included in this CERT C Programming Language Secure Coding Standard are designed to be operating system and platform independent. Once established, these standards can be used as a metric to evaluate source code using an automated process.
The LDRA tool suite has been extended to support a wide range of programming rules that enable increased application security using the following classification of security issues:
- Dynamic Memory Allocation (A) concerns: Dynamic memory management is a common source of programming flaws that can lead to security issues such as heap-buffer overflows, dangling pointers, and double-free issues. In particular, memory management encompasses allocating memory, reading and writing to memory, and deallocating memory.
- Vulnerabilities (V): These rules are intended to eliminate insecure coding practices aside from those associated with dynamic memory. Examples of insecure coding practices include array indices out of range and dereferencing a null pointer.
Without proper security technology vulnerability, malicious code attacks, fraudulent transactions, and theft-of-service opportunities will be on the rise. One proven way to help reduce these risks is with the use of software testing and analysis tools that identify these problems before they enter production code.
“At LDRA, we aim to assist in the development of zero-defect software development, and the CERT C standard plays a significant role in the development of higher quality systems that are more robust and more resistant to attack,” commented Ian Hennell, LDRA Operations Director. “Because of our commitment to best practice programming, we have supported CERT C through the involvement of Chris Tapp, one of our key field application engineers, in development of the standard. This participation continues our tradition of leadership in programming standards enforcement, also evident in our participation in the development of MISRA C:2004, MISRA C++:2008 and others.”
For more information on how LDRA can assist with your CERT C Secure Coding compliance, please visit www.ldra.com/certc.asp. For general information on CERT C, please visit: www.securecoding.cert.org.
About the LDRA tool suite
Many ground-breaking testing techniques have been derived from methodologies developed by LDRA. The LDRA tool suite assists with the eight primary tasks required to achieve an organization’s software development and maintenance goals. It can be utilized by an entire project team, ranging from developers, QA managers, test engineers, project managers and maintenance/support engineers, to automate the software development lifecycle. Through the deployment of the LDRA tool suite companies are able to deliver well constructed, documented and tested software and, in addition, benefit from significant time, cost and operational savings for their businesses.
For more than thirty years LDRA has developed and driven the market for software used for the automation of code analysis and software testing of safety critical applications. The LDRA tool suite is used in the aerospace, space and defense technology industries as well as the nuclear energy and automotive industries. Through the use of the LDRA tool suite companies ensure that their systems are built in accordance to prescribed standards and are durable and reliable in use. The LDRA tool suite is available for a multiplicity of programming languages and supports a wide range of host and target platforms. LDRA is represented world-wide with its head office in the UK and subsidiaries in the USA as well as through an extensive distributor network.