Archive for 2011

  • Importance of MISRA

    on Jul 26, 11 • by Alen Zukich • with No Comments

    Recently I was at our European partner advisory board. This is a session where we all get together and talk about the current market, the upcoming release and anything else that helps our partners be more successful. The most valuable sessions for me are hearing from the partners about what works and what doesn’t. This ranges from commercial issues to technical issues with the product. One very clear message from all the partners was that our MISRA support was a huge plus. Here in North America we have seen small pockets of adoption, but in

  • Electronic imports contain security threats

    on Jul 19, 11 • by Alen Zukich • with No Comments

    I read an interesting post on electronic imports that could contain security threats.  I can only speak from the software perspective, but I can say that most customers I’ve dealt with usually integrate some sort of software security audit process with any 3rd-party integrator and from my experience that means adopting static analysis.  How many organizations are there that haven’t jumped on board with static analysis?  Probably more than I can count. It would be very interesting to hear of some of the Armed Services and Intelligence cyber threats that the government has not publicly

  • He crossed the line–testing to development

    on Jul 12, 11 • by Patti Murphy • with 1 Comment

    Michail the friendly vampire.

    Instead of fomenting dissent (that barely exists) in a brazen attempt to boost readership, I’m changing tactics to look at ways in which testing and development are complementary, beyond their common goal of releasing quality software products. What can I say? After my previous post, How developers drive testers nuts–let’s count the ways, I’m clearly getting less edgy. I approached our newest addition to the Klocwork development team, Michail Greshishchev. While he’s a new full-timer, Greshishchev is not a new face around here. The recent Carleton University engineering graduate did two co-op terms here–one in professional

  • New programs for software security

    on Jul 5, 11 • by Alen Zukich • with No Comments

    The U.S. Department of Homeland Security, in conjunction with the SANS Institute and Mitre, has been hard at work again. See the article. There are two new programs called the Common Weakness Risk Analysis Framework (CWRAF) and the Common Weakness Scoring System (CWSS). Using the two in conjunction will help users identify the most important weaknesses for their business. It will be interesting to see adoption in the upcoming weeks. In addition to CWRAF and CWSS, the 2011 CWE/SANS Top 25 list has been updated. There have been a number of position changes and a

  • The Evolution of Static Code Analysis – Part 3: The Present Day

    on Jun 8, 11 • by Todd Landry • with 1 Comment

    My first 2 posts looked at 2 different eras of Static Code Analysis, the Early Years and the Early 21st Century. The SCA solutions of those times were revolutionary, and helped software development teams a great deal. But they had their warts. In the final post in this series, I’m going to introduce you to present-day Static Code Analysis technology and how it is impacting developers.

    The Present Day

    I’m a huge fan of Reese’s Peanut Butter Cups. I love them. I keep active so I don’t feel guilty eating them. In a

  • To report, or not to report…

    on Jun 6, 11 • by Gwyn Fisher • with No Comments

    Creating a source code analysis (SCA) engine is a balancing act, a decision process of where you believe the most value can be found along the spectrum that is the signal-to-noise ratio of the detection process. At one end lies the realm of massive noise and hopefully complete coverage, whilst at the other is the quiet calm of the theoretically useful but ultimately useless realm of no noise, but ultimately no signal either. That may sound counter-intuitive. Shouldn’t a zero noise point on the spectrum be accompanied by an infinitely strong signal? Perhaps in the

  • Top 10 List: Well Traveled Path to Source Code Analysis Success

    on May 31, 11 • by Brendan Harrison • with 1 Comment

    The Code Integrity folks have developed a lot of best practices on deploying static analysis and have compiled many of them in a solid whitepaper. They include a Top 10 list of what they call “The Well Traveled Path to Success”. Below is their (somewhat paraphrased in spots) list.

    1. Determine who cares. Who has a vested interest in bugs actually getting fixed? How much do they care?
    2. Get an expert to tune the solution for your codebase. Static analysis tuning will maximize defect finding while minimizing false positives.
    3. If possible, pilot with

  • The Evolution of Source Code Analysis – Part 2: The Early 21st Century

    on May 26, 11 • by Todd Landry • with 3 Comments

    In my last post, I took us back in time to an era of bad fashion, questionable music, legendary television shows, and source code analysis tools that were made specifically for software developers. It was the 1970s. In this post, I fast forward to just after the turn of the century to discuss the next evolution of static analysis tools.

    The Early 21st Century

    Not long after we first viewed hairy-footed Hobbits on the silver screen, and the sham that was affectionately known as Y2K, a new generation of source code analysis tools emerged to

  • And the word of the day is… docragination

    on May 19, 11 • by Helen Abbott • with No Comments

    I came to the practice of procrastination late in life. I was always one of those annoying people who arrived for appointments early, handed in assignments early, went to bed early. Becoming a full-time working parent drove me to the dark side. Now I’m routinely late — late for exercise classes, late going to bed, late getting the kids to daycare. My forgetfulness factor has increased about 26-fold too. I’ve always been a list-maker, but now I have a few sayings that my husband is sick of: If it’s not in my calendar, it’s not

  • The Evolution of Static Code Analysis – Part 1: The Early Years

    on May 17, 11 • by Todd Landry • with 2 Comments

    Our marketing people here at Klocwork like to see me racking up frequent flyer miles and expending CO2 at roadshows, conferences and tradeshows. Whenever I’m out speaking, I always like to gauge audience familiarity with Static Code Analysis. I’m happy to say that SCA knowledge has definitely increased over the years, but it is still not up to levels enjoyed by unit testing or integration testing. What I plan to do over the next three weeks is to provide you with a history lesson on how Static Code Analysis has evolved over the past few
