15 June 2016

Security Checks
CodeSonar brings efficiency to security compliance

Cyber-Security Analyses

The accelerating M2M and IoT trends of connected systems are increasing security risks, and creating new development challenges by expanding the attack surfaces that cyber-criminals exploit.
As an embedded programmer today, you need to defend against highly advanced malicious attacks, such as command injections or format string attacks, by adopting a full-spectrum approach to securing your application. This requires that you test the source code of your application with static analysis, the execution of your application with dynamic analysis, and all third-party and open-source components and libraries with binary analysis.

Understand your Applications Interface Vulnerabilities with Visual Taint Analysis

CodeSonar implements an analysis that tracks potentially hazardous data flows in code. The results of analyzing this "tainted data" can be viewed as an overlay directly on the code or superimposed on a high-level graphical visualization of the architecture of the program. This allows engineers to see those notoriously hard-to-find tainted data pathways. By accelerating the speed and accuracy of pinpointing these flows, this technology helps find dangerous vulnerabilities that an attacker could exploit, including buffer over/underrun, command injection, SQL injection, and integer overflow of allocation size.
See tainted data analysis in action and learn more about tainted data: Watch the video here.

Find Security Vulnerabilities quickly with CodeSonar Security Checkers

CodeSonar´s advanced static analysis engine automatically detects over 100 types of security vulnerabilities in your code, allowing you to accurately and efficiently eliminate risks of security breaches.

CodeSonar´s warning classes also support several coding initiatives, in order to make compliance with industry standards efficient and effective during software development.

Common Weakness Enumeration (CWE)

The CWE is a list of software weaknesses and security vulnerabilities. This international list allows clear communication between different parties with interests in computer security, including researchers, tool designers, and users.

GrammaTech´s CodeSonar is certified as CWE-Compatible, recognizing that it supports the CWE to the highest level currently recognized by the organization.

See the CodeSonar warning classes that correspond with CWE identifiers.

"Build Security In" (BSI)

BSI is a software assurance initiative of the U.S. Department of Homeland Security. Among other things, they provide a set of C/C++ coding rules, with a focus on security.
GrammaTech´s CodeSonar provides checks that support most of BSI´s rules.

See the CodeSonar warning classes that correspond with BSI coding rules.

Benefits of GrammaTech's embedded software security analyses

Comprehensive Application Security

CodeSonar’s embedded security analysis technology combines cutting edge cyber-security checkers and advanced analyses for identifying security defects, Common Weakness Enumeration (CWE) instances, violations of US CERT guidelines, and tainted information flow.

Protection Against Code Injections

CodeSonar’s industry-leading tainted data analysis allows you to efficiently find and eliminate dangerous information flows in your code.

Defense Against Compromised Third-Party Components

As more embedded systems become a collection of networked components, the possibility of your program being compromised by a component you aren’t responsible for is growing at an alarming rate. CodeSonar provides a definitive, auditable, and objective security analysis of your software outside any broader system it may become part of.

More information about Grammatech