Agile Zone is brought to you in partnership with:

Mitch Pronschinske is the Lead Research Analyst at DZone. Researching and compiling content for DZone's research guides is his primary job. He likes to make his own ringtones, watches cartoons/anime, enjoys card and board games, and plays the accordion. Mitch is a DZone Zone Leader and has posted 2576 posts at DZone. You can read more from them at their website. View Full User Profile

Klocwork Beefs Up Security in Agile Source Analysis

03.25.2010
| 6712 views |
  • submit to reddit
The vulnerability analysis features in Klocwork's products were recently strengthened to align with industry and government best practices.  Klocwork is a static analysis suite for agile development projects in Java, C#, C and C++.  Their tools check for memory and resource leaks, buffer overflows, and security vulnerabilities.  Klocwork has added support for the Common Weakness Enumeration (CWE), the CERT Secure Coding Initiative, and the Software Assurance Metrics and Tool Evaluation (SAMATE) project.

Klocwork's Insight Pro features automated code refactoring and uses a "no-click usability model" that removes the step for requesting analysis, and ensures that static analysis is performed automatically, much like a spell checker in word processing.  Without conscious interaction, developers always have the most up-to-date analysis results available to them based on actions they’re taking anyway, such as saving a file, opening a file, transitioning between different files in a tabbed environment, etc.  Underlying Klocwork's tools is a static analysis engine that understands what your code will actually do when it’s executed, without requiring you to run it.  The engine is a database of code semantics that are interpreted via symbolic execution, and it is the crux of Klocwork's technology.

Common Weakness Enumeration (CWE)
This is a community-developed list of software weaknesses lead by MITRE.  The CWE helps define the and categorize the most common weaknesses in software security, including buffer overflows, format string vulnerabilities and un-validated user inputs.  Klocwork Insight now provides Phase II compliance with the CWE standard, meaning Klocwork analysis results can be reported using CWE identifiers.  Klocwork's documentation has also been updated to include CWE identifiers.  

CERT Secure Coding Standards
CERT is an initiative run by the Carnegie Mellon Software Engineering Institute.  It identifies common code-writing errors that result in security vulnerabilities.  The standards also establish secure coding standards for Java, C, and C++.  Klocwork's source code analysis tools now help developers check for rule violations according to this standard as well.  There is also CERT documentation included by Klocwork.

Software Assurance Metrics and Tool Evaluation (SAMATE)

SAMATE is an inter-agency project between the U.S. Department of Homeland Security and the National Institute of Standards and Technology (NIST).  This project has a set of metrics to measure the effectiveness of security and source code analysis tools like Klocwork's Insight.  Klocwork ran the SAMATE benchmarks against its product and Insight maintains a 90% pass rate.

Free trials
are available for Klocwork Insight or Insight Pro.