The vulnerability analysis features in Klocwork's
products were recently strengthened to align with industry and government best practices. Klocwork is a static analysis suite
for agile development projects in Java, C#, C and C++. Their tools check for memory and resource leaks, buffer overflows, and security vulnerabilities. Klocwork has added support for the Common Weakness Enumeration (CWE), the CERT Secure Coding Initiative, and the Software Assurance Metrics and Tool Evaluation (SAMATE) project.
Klocwork's Insight Pro features automated code refactoring and uses a "no-click usability model" that removes the step for requesting analysis, and ensures that static analysis is performed automatically, much like a spell checker in word processing. Without conscious interaction, developers always have the most up-to-date analysis results available to them based on actions they’re taking anyway, such as saving a file, opening a file, transitioning between different files in a tabbed environment, etc. Underlying Klocwork's tools is a static analysis engine that understands what your code will actually do when it’s executed, without requiring you to run it. The engine is a database of code semantics that are interpreted via symbolic execution, and it is the crux of Klocwork's technology.
Common Weakness Enumeration (CWE)
This is a community-developed list of software weaknesses lead by MITRE
. The CWE helps define the and categorize the most common weaknesses in software security, including buffer overflows, format string vulnerabilities and un-validated user inputs. Klocwork Insight now provides Phase II compliance with the CWE standard, meaning Klocwork analysis results can be reported using CWE identifiers. Klocwork's documentation has also been updated to include CWE identifiers. CERT Secure Coding Standards
CERT is an initiative run by the Carnegie Mellon Software Engineering Institute. It identifies common code-writing errors that result in security vulnerabilities. The standards also establish secure coding standards for Java, C, and C++. Klocwork's source code analysis tools now help developers check for rule violations according to this standard as well. There is also CERT documentation included by Klocwork.
Software Assurance Metrics and Tool Evaluation (SAMATE)
SAMATE is an inter-agency project between the U.S. Department of Homeland Security and the National Institute of Standards and Technology (NIST). This project has a set of metrics to measure the effectiveness of security and source code analysis tools like Klocwork's Insight. Klocwork ran the SAMATE benchmarks against its product and Insight maintains a 90% pass rate.
are available for Klocwork Insight or Insight Pro.