Klocwork Brings Both Capabilities Into K7, Its Latest Static Code Analysis Release
By David Rubinstein
BURLINGTON, Mass. – June 15, 2005 – Saying that the line between software quality and security is blurring, Klocwork this week announced version 7 of its static code analysis tool that focuses on both defects and vulnerabilities. The tool will be generally available at the end of the month.
Klocwork’s K7 “is a complete defect management solution, from bugs to vulnerabilities to violations of metrics and architecture rules,” said Chris Fedorko, vice president of product management. “You have to deliver quality out of the box. The objective is to get to no patches,” he said, referring to what he called the all-too-common practice of delivering software and then following up with a string of bug fixes as defects are found.
In the area of security, K7 addresses both C/C++ and Java with feature enhancements, Fedorko said. In C/C++ code, critical issues such as access control, string manipulation, buffer overruns, warnings on use of dangerous functions and tainted data can be managed from the new tool, which sits atop a developer’s code editor, he said. In Java, the focus is on Web applications. Issues such as cross-site scripting and injection flaws, vulnerabilities in provisioned applets, servlets or EJBs, and unvalidated input can be dealt with, he added.
Fedorko said the vulnerabilities stored in the Klocwork repository have been aligned with the work of the Open Web Application Security Project. K7 can be customized, letting developers create specific checkers for adherence to coding practices, for example, or set custom metric boundaries, he said. The tool integrates with Rational Application Developer for WebSphere and Eclipse, he noted.
Other improvements over past versions include the ability to trace back more types of defects. In the visual Project Central interface, users can click on a defect to see the flow of the code and gain a better understanding of what went wrong and where it occurred. The tool also features enhanced reporting capabilities, including log-in and administrative control, and improved navigation, Fedorko said.
An improved accuracy rate from the code analysis also has been gained, he said. “Users want a low false-positive rate, but they also want to cast the net as far and broad as you can.”
Klocwork will sell K7 in four editions: Defect Discovery, emphasizing code quality; Security Vulnerabilities, focused on detecting holes and other flaws in the code; Defects & Security, which combines the two; and Development Edition, which adds the architectural controls, metrics analysis, reporting and customization, Fedorko said.
Klocwork® offers a portfolio of development productivity tools designed to ensure the security, reliability and maintainability of complex code bases. Using proven static analysis technology, Klocwork’s tools identify critical security vulnerabilities and reliability defects, optimize peer code review, and help developers create more maintainable code. Klocwork’s tools are an integral part of the development process for over 1000 customers in the consumer electronics, mobile devices, medical technologies, telecom, military and aerospace sectors.
Klocwork and the Klocwork logo are registered trademarks of Klocwork, Incorporated in the United States and other countries. All other names are trademarks or registered trademarks of their respective companies.