Verifysoft in the News

Interview with Verifysoft Technology

Verifysoft supports software development companies with tools that ensure high quality in software development. Their testing and analysis tools uncover errors in computer programs and provide an overview of whether the software has been sufficiently tested.
Since the foundation in 2003, Verifysoft can look back on a steady growth. The tools are used by more than 700 companies on all continents to improve the quality of their software.
Read the full interview with Verifysoft-CEO Klaus Lambertz: Easy Engineering March 2023

SBOMs and Four Pillars for Managing Medical Device Software Security

Medical devices, which are more complex than ever, face new security challenges. Especially since they are connected to the outside world for remote access, and monitoring, or used in home care applications. These risks increase the stakes in terms of product safety liability for manufacturers as security vulnerabilities can impact human lives.
Unlike enterprise and government technology where cybersecurity has been a mainstay for years, product security is a relatively new discipline for medical device manufacturers. Meanwhile, the use of third-party software, including open-source components, and libraries, in connected devices further raises the ante, making software supply-chain security increasingly critical.
Read more: Connceted World, July 2022.

Using the CVSS to Secure the Software Supply Chain

It’s easy for security teams and software developers to be overwhelmed with the endless stream of software vulnerabilities reported across the hundreds of applications used by a typical large enterprise. But not all software vulnerabilities are created equal and need immediate attention.
Understanding which ones pose a clear and present security risk if they are not remediated is critical to securing the software supply chain. This is where vulnerability scoring can help prioritize mitigation planning and management.
Read more: Embedded Computing Design, June 30, 2022.

How SBOMs Reduce Software Procurement Risk and Improve Enterprise Security

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Mike Dager, the Chief Executive Officer of GrammaTech, shares some insights on the enterprise security benefits that software bill of materials (SBOMs) c an offer to supply chain professionals.
Supply chain professionals should be familiar with a bill of materials (BOM), which is used to build quality products and support the procurement, inventory management, and resolution of problems involved in creating those products. A BOM is also used to manage parts and maintenance supplies when buying products. However, software procurement is often more concerned with licensing terms, security requirements, pricing, maintenance, and support needs. ...
Read more: ERP Solutions Review, May 18, 2022 .

9 tips for better code coverage measurement

Measuring code coverage is increasingly important for embedded systems but requires some experience. This is because there are a few hurdles to overcome, especially with small targets. However, with the right approaches and suitable tools, measuring test coverage is possible without excessive effort. Nine practical tips help you get started.
Measuring test coverage, also known as code coverage, is becoming increasingly important for embedded systems. In many cases, these devices are critical to safety or business. Processes are based on IoT devices, patients rely on working pacemakers and intelligent insulin pumps, automotive and aviation is no longer conceivable without embedded software. This list could be continued almost endlessly.
Read the entire article here.

Measuring code coverage for embedded software

For a long time already, embedded software has been used for critical applications where safety is highly important. As embedded devices are often clients that are connected with other devices on the Internet of Things (IoT), security aspects need to be considered as well. This means that the quality of embedded devices is extremely important – both from a security point of view and from a functional safety point of view.
For safe and reliable embedded devices, testing is an indispensable part of quality assurance. It is not without reason that the standards for safety-critical software development set precise requirements for test methods and test coverage.
Read the entire article here.

How a DevSecOps approach improved security in iris recognition systems

A look at DevSecOps best practice and use of static application security testing (SAST) as part of the software development lifecycle at Iris ID, who provide iris recognition for state-of-the-art access control and sensitive biometric authentication applications. ...
We chose CodeSonar from GrammaTech because it met the above criteria as we implemented a DevSecOps approach. CodeSonar could both identify code issues and also provide explanations to developers so they could fix problems. This enables our global development teams to not only avoid making mistakes, but learn from past errors so they don’t crop up again.
Read the entire article here.

Software quality demands both static code analysis and dynamic testing

Increased recall campaigns, delayed deliveries, difficulties in delivering the promised functions on time: software quality is not evident. The development of good software is only possible through consistent action, adherence to standards and the use of mature test and quality assurance tools. Bad software leads to monetary losses and deterioration of the corporate image. Embedded software is even more critical, as it is mostly used in safety-critical applications. Here, software errors can endanger human lives and must therefore be avoided at all costs. For this reason, standards like ISO 26262, IEC 61508 or DO178-C have strict requirements regarding the quality of development and testing of software.
Read the entire article here.

10 Criteria for selecting a Code Coverage Tool

Particularly in safety-critical software development, industry standards prescribe precise requirements for code coverage, so that products cannot be certified here without proof of sufficient test coverage. But also in other development projects, companies increasingly attach great importance to software quality and measure code coverage.
Various code coverage analyzers are available on the market for measuring code coverage. They differ significantly in terms of handling and quality.
Read the entire article here.

Top 5 'Need to Know' Coding Defects for DevSecOps

Integrating static analysis into the development cycle can prevent coding defects and deliver secure software faster. Security practitioners are accustomed to intervening at the end of the software development process to identify security vulnerabilities, many of which could have been prevented with earlier intervention. To address this problem, developers who are already under pressure to deliver increasingly complex software faster and less expensively are being recruited to implement security earlier in the development cycle under the "shift-left" movement. To understand the obstacles facing developers in meeting new security requirements, consider the five most common coding defects and how to address them.
Read the entire article here.

Code Coverage on Embedded Devices

Software for embedded devices requires broad testing before the concerning products reach market maturity. Especially when it comes to safety critical environments, proof of testing is required by various certifications and safety standards such as IEC 61508.
However, in most cases code coverage faces the constraints of limited storage capacity of the targets and CPU performance. Thus, it is vital to choose the right approach in order to facilitate monitoring code coverage analysis on embedded systems.
Read the entire article here.

Real World Benchmark for Static Code Analysis Tools

Software development and quality managers that are looking to measure the benefit of static analysis can now use BugInjector, a tool that can inject Common Weakness Enumeration (CWE) based bug patterns into existing code bases, thus delivering real-world benchmarks. This independent real-world benchmarks have been created by GrammaTech under contract for the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and are now available in the Software Assurance Marketplace (SWAMP) at no cost.
"There is an urgent need for benchmarks, such as those from GrammaTech, to allow software developers to evaluate static analysis tools in a comprehensive and real-world setting," says Barton Miller, Professor of Computer Sciences at the University of Wisconsin – Madison and Chief Scientist of SWAMP. "Also, developers of static analysis tools now have the ability to enhance their tools or benchmark new static analysis technologies with realistic test cases. Integrating these benchmarks into the SWAMP platform increases their effectiveness and availability."
Read the post here.

GrammaTech Announces Integration of JuliaSoft into CodeSonar

Software teams that build safety and security critical systems using Java, C#, or Android can now benefit from high recall, high precision, advanced static analysis. GrammaTech today announces support for these platforms thanks to the integration of the advanced static analysis engine Julia from JuliaSoft into GrammaTech CodeSonar.
Today's software projects are utilizing more and more languages. An IOT device may use C/C++ for the safety critical programmable logic control, while it uses Java to provide a flexible user interface. A medical device may use C inside a pacemaker or an infusion pump, but use C# or Android to provide a familiar user interface to end-users on top of mobile devices. Integrating Julia into CodeSonar provides high recall, high precision, advanced static analysis of multiple languages into a single user interface complete with team collaboration and visualization tools, making it easy for software development teams to deliver better software faster all the while reducing cyber security risk.
Read the entire article here.

Insights Success: Verifysoft Technology is one of the 10 Best Performing Software Testing Solution Providers

Insight Success focuses distinctively on emerging as well as leading fastest growing companies, their confrontational style of doing businesses and the way of delivering effective and collaborative solutions to strengthen market share. Verifysoft Technology has now been elected among the 10 best performing software solution providers by Insights Success. Since its founding in 2003, Verifysoft has established a presence in over 40 countries and recorded growth of more than 40% last year. The company believes software testing is an essential service and its importance will only increase in the future. Verifysoft has established itself as a leader in providing software testing solutions which are efficient and reliable. Its CTC++ test system is extremely reliable even in the most adverse and challenging circumstances. The management team at Verifysoft believes they have a good product on their hands, and they give client satisfaction top priority.
Read the entire article here.

Detecting the Beep Vulnerability with CodeSonar

Taint data does not only enter the system via familiar programs. A small gap like the current bug in the Linux-tool beep.c is enough. These security gaps are often not recorded by the testing-radar. However you can detect them.
The error in beep.c was deteced with the static analysis tool GrammaTech CodeSonar.
Read the whole article here.

Integration Between GrammaTech CodeSonar and Wind River Workbench

With this integration, software developers can annotate and resolve the software vulnerabilities that CodeSonar highlights without leaving the Wind River Workbench development environment, thereby significantly boosting productivity. Supporting the native Wind River VxWorks® real-time operating system as well as the POSIX API, CodeSonar provides advanced, whole program static analysis of application software and device drivers running in either kernel or user mode. For developers of complex Internet of Things (IoT) devices, CodeSonar delivers a must-have capability as it finds security and quality problems as well as problems specific to multi-core development such as deadlocks, livelocks, resource starvation, and race conditions. CodeSonar identifies bugs that can result in system crashes, unexpected behavior, and security breaches, reducing the risk of shipping costly, brand-damaging defects. It finds these bugs during the development phase, before software is tested, thereby saving cost and time.
Read full text here or watch the demo video.

Testwell CTC++ Code Coverage Analyzer: Customer Testimonial from medical industry

... ISD chose Testwell CTC++ Code Coverage Analyzer, a product of Verifysoft to support them in the verification. Being a typical bare metal embedded system without a file system, counters are needed to store information and later download from the target to source. One of the biggest challenges is the limited memory in the systems of ISD. Testwell CTC++ requires a very small footprint for its instrumentation and the Host target add-on makes integrations to any system very easy. ... There are no restrictions with compilers, IDEs or debug tools. ... Embedded-Computing.com, 12 May 2017

Can software development be more secure with static analysis?

The longer answer to the question "when should static analysis be applied?" is "a part of structured and secure development process". Static analysis is an important part of a modern software development tool suite which, when applied correctly and sufficiently early, can have significant impact on code quality, security and safety.
Perhaps the most relevant point is the role static analysis plays in a security-first software design, which is critical in today´s connected and complex operating environment..... Electronicsweekly.com, 05 April 2017

Addressing IoT impact on software engineering

(By Bill Graham, GrammaTech)
Manufacturers need to carefully evaluate the cyber threats and the level of exposure of IoT devices. New levels of software integrity can only be achieved if teams can eliminate both accidental coding errors and intentional design-in vulnerabilities, through efficient analysis techniques suitable for the typical highly complex applications of today.
Powered by the forces of the cloud, connected endpoints, wireless technologies, and big data, the Internet of Things (IoT) evolution is forming a perfect storm for software engineering teams. This single, transformative force is bigger than anything in the history of tech industry, fueling an unparalleled consumer- oriented features race, expected to advance at an incredible rate over the next decade. ...
boards & solutions + ECE March 2017 (PDF)

Free Imagix 4D plug-in for Testwell CTC++ Customers

Imagix 4D is a tool to understand, document and improve complex, third party or legacy source code in C, C++ and Java. Imagix 4D automates the analysis of control flow and dependencies. It detects problems in data usage and task interactions. The integration with Testwell CTC++ Code Coverage Analyzer enables Imagix 4D to aid in review of the test coverage data. This speeds up the development of test cases and the analysis of performance bottlenecks. Free Imagix 4D plug-in is now available for all Testwell CTC++ customers...
Professional Tester, 22 December 2016

Guaranteeing proper software behavior is a challenge: New Testwell CTC++ customer testimonial

“Our reputation is built on products which work properly” says Kees Valkhof, Lely’s Configuration Manager, who has given us an insight into the software testing demands for agricultural solutions and explained why they are using Testwell CTC++ for measuring code coverage...
Professional Tester, October 2016

The comprehension of legacy codes is difficult to understand. ... Consequently, the need for a comprehensive reengineering/reverse engineering tool arises. We found the usage of Imagix 4D to be good as it generates the maximum pictorial representations in the form of flow charts, flow graphs, class diagrams, metrics and, to a partial extent, dynamic visualizations. ...
Imagix 4D is a good tool in terms of variety of language supportability, graphical user interface, maximum diagram generation, and provide choices for visualize information by using filtering techniques.
Rashmi Yadav, Ravindra Patel, and Abhay Kothari: Critical evaluation of reverse engineering tool Imagix 4D! (Link to Springerplus, published online 2016)

Beijing Siener Electronics Tech. Development Ltd. Becomes Distributor for Testwell-Tools in China

Verifysoft, vendor of the leading Code Coverage Analyzer Testwell CTC++ and the software testing and analysis tools Testwell CTA++, CMT++, and CMTJava announced the appointment of Beijing Siener Electronics Tech. Development Ltd. as its distributor in China.
Beijing Siener, a privately held company with headquarters in Beijing/China with offices in Shanghai/China, represents already companies like HighTec EDV-Systeme GmbH, pls Development Tools, and GLIWA GmbH in the fast growing Chineese market.
Professional Tester, February 2016

Verifysoft Becomes Distributor of the Source Code Checking and Architecture Analysis Tool Imagix 4D

Imagix Corporaton has choosen Verifysoft Technology as European distributor for its Source Code Checking and Architecture Analysis Tool Imagix 4D. Verifysoft will handle sales and support for Imagix in Germany, Austria, Switzerland, Liechtenstein, France, Netherlands, Belgium, Luxemburg, Poland, Czech Republic, Slovakia, Hungary, Slovenia, Spain and Portugal....
Professional Tester, 27 January 2016

Verifysoft announces new version 8.0 of Testwell CTC++ Code Coverage Analyzer

Verifysoft Technology announces the release of version 8.0 of its flagship tool Testwell CTC++ Code Coverage Analyzer.
New major features of Testwell CTC++ 8.0 include improved the overall architecture of the HTML form coverage report, introduced "line coverage" in the HTML report, introduced "annotations", improved reporting of header files, improved merging of coverage data of independently tested code files...
Professional Tester, 31 December 2015

Static code analysis tools gain ISO 26262, IEC 61508, EN 50128 certification

GrammaTech, Inc., has announced that CodeSonar, the company's static analysis product, has been certified for use in the development of safety-critical software according to several international standards: ISO 26262, IEC 61508, and EN 50128 for automotive systems, medical devices, and railway applications, respectively.
EE Times Europe, 4 July 2014

CodeSonar Achieves ISO 26262, IEC 61508, and EN 50128 Certification

Innovative Visual Taint Analysis for Understanding Hazardous Data Flow in Code Improves Embedded Device Reliability and Security
Ithaca, NY — GrammaTech, Inc., a leading maker of tools that improve and accelerate software development, today announced that CodeSonar, the company's flagship static analysis product, has been certified by SGS TÜV Saar GmbH for use in the development of safety-critical software according to several international standards: ISO 26262, IEC 61508 and EN 50128. These three standards were designed to define the functional safety of electronics throughout their lifecycle within automotive systems, medical devices, and railway applications, respectively.
Professional Tester, 2 July 2014

GrammaTech Unveils Visual Security Analysis for Embedded Software

Innovative Visual Taint Analysis for Understanding Hazardous Data Flow in Code Improves Embedded Device Reliability and Security
GrammaTech, Inc., a leading maker of tools that improve and accelerate embedded software development, today introduced the industry´s first visual taint analysis technology. Available in CodeSonar, GrammaTech´s flagship static analysis product, this innovation combines advanced tainted dataflow analyses with GrammaTech´s proprietary visualization engine, to clearly display notoriously hard-to-find tainted data pathways in embedded systems. ... Professional Tester, 25 February 2014

Software certification: Qualification kit for Testwell CTC++

Verifysoft Technology presents a qualification kit for the Code Coverage Analyzer Testwell CTC++, covering the safety standards DO-178C, EN 50128, IEC 61508, and ISO 26262. The qualification kit simplifies the certification of embedded software, which has been analysed with Testwell CTC++. This Code Coverage Analyzer shows all coverage levels up to MC/DC Coverage and Modified Condition Coverage. Testwell CTC++ works with all compilers and all - even the smallest - embedded targets and microcontrollers.
The Official Daily 2014, 25 February 2014

Embedded software security analysis gets visual

Brought by GrammaTech, visual taint analysis technology is available in the company's flagship static analysis product, CodeSonar, combining advanced tainted dataflow analyses with a proprietary visualization engine to clearly display notoriously hard-to-find tainted data pathways in embedded systems...
EE Times Europe, 4 March 2014

Testwell CTC++: Code Coverage Analysis for safety-critical Embedded Systems

Software for embedded systems is often used in safety-critical systems. In this area malfunctions could lead to accidents or damages of high magnitude and even to loss of lives. Therefore, safety standards such as the DO178-C (aviation), the ISO 26262 (automotive) or the EN 50128 (railway) demand harsh proof of code coverage. In dependency to the criticality, a suitable level of code coveage has to be applied.
DSP Valley Newsletter 5/2013 (November 2013)

Tools Ensure Reliability of Critical Software

In November 2006, after attempting to make a routine maneuver, NASA´s Mars Global Surveyor (MGS) reported unexpected errors. The onboard software switched to backup resources, and a 2-day lapse in communication took place between the spacecraft and Earth. ...
After successfully adapting CodeSonar to check for the NASAderived rules, GrammaTech transitioned the changes into its commercial version of the product in 2008. ...
NASA Spinoff 2011

How good are your software tests?

Testwell CTC++ Code Coverage Analyzer will show you
Test coverage is used to evaluate the completeness of software tests. There are many standards which require test coverage measurements. ISO 26262 Road Vehicules Functional Safety requires according to the Safety Integrity Level statement coverage, branch coverage or MC/DC (Modified Condition/Decision Coverage). The aeronautics standard DO178-B requires test coverage up to MC/DC coverage. Coverage analysis is also widely used in healthcare industry and companies which are aware of higher software quality. ...

DSP Valley Newsletter 1/2012

Siemens Corporate Technology publishes paper on Conformiq Designer and one other MBT tool

Siemens Corporate Technology has published a paper about "Model-based testing in industry: a case study with two MBT tools".
Conformiq is rated reliable and easy to use. Download (ACM Portal)

Detecting Bugs in Safety-Critical Code - Advanced Static Analysis

When software is used for safety-critical applications, bugs aren´t just expensive annoyances - they can kill. Faced with such dire consequences, developers of safety-critical systems go to great lengths to prevent bugs from making it into the field. These measures are undeniably effective at reducing risk. Although there have been some famous catastrophic failures over the years, if medical devices or flight-control systems failed as often as most software fails, the headlines would be much grimmer. ...
Dr. Dobb´s Journal March 2008

Static vs. Dynamic Detection of Bugs in Safety-Critical Code

In the never-ending quest to produce high-quality software, traditional dynamic testing plays a fundamental role. The weakness of dynamic testing is that it is only as good as the test cases. To be effective, a great deal of effort must go into writing or generating good test cases, and doing so can be very expensive.
Recently, a new breed of static analysis tools has emerged that can find flaws without writing any test cases. ...
Embedded Technology March 2008

Tool automatically generates software tests

Verifysoft Technology will exhibit a number of new products at Embedded World.
Conformiq Test Generator replaces the time consuming process of writing test scripts with the building of a test model.
... The test generator analyses this model and generates automatically a large number of relevant tests that cover all combinations and aspects of the model. ...
Embedded Systems EUROPE January/February 2006

Verifysoft: automatic software testing tool

Conformiq Test Generator replaces the time-consuming process of writing test scripts with the building of a test model. This releases the burden of writing manual test cases and script programming from the test engineers.
Embedded Control Europe (February 2006)