LDRA module improves security in IoT software

Steve Rogerson
October 14, 2015
 
UK software firm LDRA has introduced a module that addresses security concerns in the increasingly complex and growing IoT market. The TBsecure module within the company’s tool suite provides automated support for the Carnegie Mellon Software Engineering Institute Cert C secure coding standard.
 
With checks for more than 200 Cert C rules, it is claimed to help developers identify more software safety and security vulnerabilities than any other static analysis tool available today.
 
With a more than 40-year track record for delivering automated code testing and software safety analysis products, LDRA’s modular tool suite is used by IoT and other product developers who require early insight into potentially exploitable safety and security vulnerabilities in source code. The TBsecure module uses the most current Cert C secure coding rules to find software issues that could leave products and systems open to security attacks.
 
“As the number of IoT and other software-connected products in the world increases exponentially, so does the number of software security attacks,” said Ian Hennell, LDRA operations director. “Just recently, for instance, a hack of Fiat Chrysler automobiles resulted in a recall of 1.4 million vehicles. To prevent financial losses and potential loss of life, software developers must take an automated approach to code quality improvement, fault detection and other safety and security intelligence long before the product is manufactured and delivered to the marketplace.”
 
Particularly well suited for automotive, medical and industrial IoT applications, the checking of the tool suite is said to deliver an additional buffer over that of other code checkers on the market. Developers using the tool suite gain early insight into the types of coding anomalies that can expose complex products to security risks.
 
“The number and severity of attacks on mission-, business-, safety- and security-critical systems has risen disproportionately with our increased dependency on these systems,” said Robert Seacord, principal security consultant with the NCC Group. “Studies indicate that a majority of vulnerabilities in these systems can be traced back to a relatively small set of common programming errors. The Cert C coding standard enumerates these programming errors so that software testing and analysis tools, such as the LDRA tool suite, can be used to discover these problems before they are deployed in production systems.”
 
The module, which plugs into the tool suite, shows code quality, fault detection and avoidance measures through call graphs, flow graphs and code review reports. Using TBsecure, managers, team workers and developers can collectively monitor the implementation of safety and security metrics in their applications in an easy-to-read, intuitive format.
 
The Cert C secure coding standard provides software development rules and recommendations designed to eliminate insecure coding practices and undefined behaviours that can lead to exploitable vulnerabilities. The application of the secure coding standard leads to higher quality systems that are more robust and more resistant to attack. Operating system and platform independent, the standard supports popular coding languages including C, C++ and Java.
 
TBsecure supports a wide range of programming rules that can increase application security using the following classification of security issues:

  • Dynamic memory allocation: Dynamic memory management is a common source of programming flaws that can lead to heap-buffer overflows, dangling pointers, double-free issues and other security problems. In particular, dynamic memory management encompasses allocating memory, reading and writing to memory, and deallocating memory.
  • Vulnerabilities: These rules are intended to eliminate insecure coding practices aside from those associated with dynamic memory. Examples of insecure coding practices include array indices out of range and dereferencing a null pointer.
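
The defect classes in the two items above, shown as checked C code. This is an added example, not LDRA code or tool output; the samples_t type and the samples_* functions are hypothetical names constructed for illustration. The checks correspond to Cert C rules ARR30-C (out-of-bounds subscripts), EXP34-C (null pointer dereference) and MEM30-C (access to freed memory).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical sample buffer, constructed for this example. */
typedef struct { int *data; size_t len; } samples_t;

/* Allocate: an unchecked version would call malloc(n * sizeof(int)) and
 * write through the result, risking size wrap-around and a null dereference. */
int samples_init(samples_t *s, size_t n) {
    if (s == NULL) return -1;
    s->data = NULL; s->len = 0;
    if (n == 0 || n > SIZE_MAX / sizeof *s->data) return -1;
    s->data = calloc(n, sizeof *s->data);
    if (s->data == NULL) return -1;          /* allocation failure handled */
    s->len = n;
    return 0;
}

/* Write: an unchecked version would do s->data[i] = v for any i. */
int samples_set(samples_t *s, size_t i, int v) {
    if (s == NULL || s->data == NULL || i >= s->len) return -1;
    s->data[i] = v;
    return 0;
}

/* Read: same null and range checks before the access. */
int samples_get(const samples_t *s, size_t i, int *out) {
    if (s == NULL || s->data == NULL || out == NULL || i >= s->len) return -1;
    *out = s->data[i];
    return 0;
}

/* Release: clearing the pointer makes a repeat call a no-op, not a double free. */
void samples_free(samples_t *s) {
    if (s == NULL) return;
    free(s->data);
    s->data = NULL;
    s->len = 0;
}

int main(void) {
    samples_t s;
    if (samples_init(&s, 4) != 0) return 1;
    printf("in range %d, out of range %d\n", samples_set(&s, 3, 7), samples_set(&s, 4, 7));
    samples_free(&s);
    samples_free(&s);                        /* second release is harmless */
    printf("after free %d\n", samples_set(&s, 0, 1));
    return 0;
}
```
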

In addition to supporting Cert C, LDRA actively participates in the development of Misra C:2012, Misra C++:2008 and other industry standards.