Application Security Testing Techniques

Recommended Application Security Testing (AST) Techniques

Thursday, July 23, 2020

There are some very interesting takeaways from Gartner’s recent report “How to Deploy and Perform Application Security Testing” (published March 20, 2020, Gartner subscription required). Primarily, “application security testing (AST) is a critical practice within the software development life cycle (SDLC) and covers multiple techniques, from early development stages through to, and including, production.” Clearly, …


GrammaTech Bug-Injector Research Receives IEEE SCAM 2019 Distinguished Paper

Friday, March 27, 2020

During the International Working Conference on Source Code Analysis & Manipulation (SCAM), a GrammaTech research publication was awarded the Institute of Electrical and Electronics Engineers (IEEE) Computer Society TCSE (Technical Council on Software Engineering) Distinguished Paper Award. The paper, “Automated Customized Bug-Benchmark Generation,” describes Bug-Injector, a system that automatically creates benchmarks for customized evaluation of static analysis tools. This work …


Make the most of the C/C++ static analysis tools

Thursday, March 19, 2020

Static code analysis is the process of detecting flaws in software's source code. Static analysis tools are useful for detecting common coding mistakes; here are some benefits of using them: Make the source code more readable and maintainable. Prevent unexpected behavior at execution time. Optimize execution. Make the code more secure. Many C/C++ static analysis …


Explore a flexible C/C++ SonarQube plugin based on CppDepend.

Thursday, February 27, 2020

Both CppDepend and SonarQube are static analyzers that offer a rule-based system to detect problems in C/C++ code. However, the CppDepend default rule set has very little overlap with the SonarQube rules. Basically, the SonarQube rules are good at analyzing what happens inside a method (the code flow), while the CppDepend code model, on which the …


How Sound Static Analysis Complements Heuristic Analysis

Wednesday, September 18, 2019

Not all static analysis tools work the same way; there is in fact a spectrum of tools that use a variety of techniques, ranging from relatively simple syntactic analysis through very sophisticated abstract-interpretation-like algorithms that reason about potential executions. Each approach has its strengths and weaknesses, and tools like GrammaTech CodeSonar often use a combination …


Tainted Data and Format String Attack Strike Again

Monday, September 09, 2019

A recent code execution vulnerability (we also call this a code injection vulnerability) was discovered in Palo Alto Networks' GlobalProtect SSL VPN, a product that handles SSL handshakes, and in particular in certain versions of PAN-OS, the software running on these products. The vulnerability was discovered by security researchers Orange Tsai and Meh Chang and documented on their blog. …