Boston Scientific

CodeSecure Streamlines Static Analysis of Medical Device Software.


Download PDF

Boston Scientific, one of the world’s largest medical device companies, manufactures over 13,000 products worldwide. Among these offerings are safety-critical medical devices, including implantable cardiac rhythm management products.

City street at night with long exposure light trails from traffic, against a backdrop of illuminated office buildings.

“It doesn’t just free up engineers’ time, it also means we can analyze our entire code base more often to ensure that our standards are continuously upheld, and to receive more frequent feedback on our code quality.”

A man in a gray sweater smiles against a backdrop of colorful autumn leaves.

Gerald Rigdon

Boston Scientific Software Engineering Fellow

Boston Scientific and CodeSecure Streamline Analysis of Medical Device Software

Recognizing the importance of static analysis as a complement to dynamic analysis and traditional software testing techniques, Boston Scientific included static analysis in their product development lifecycle; however, many of their static analyses were performed manually. Manual analysis is labor-intensive, but it was their only option because commercially available analysis tools that they had looked at didn’t offer the complex analysis functionalities needed. They required analyses to cover specific product design constraints alongside more general software quality checks.

Automating Static Analysis 

Eager to automate more of their static analysis activities, Boston Scientific‘s engineers explored various options. They weren’t satisfied with the prospect of adopting an “off-the-shelf” tool and using its general-purpose analyses while waiting for the state-of-the-art in domain-specific analysis to evolve. Investigations with one analysis tool seemed to suggest that certain enhancements could be made, but its vendor was not interested in making those changes. 

A solution came when they commissioned CodeSecure to develop a customized analysis suite. “Instead of waiting for the future to come, we recommend active participation in making it happen,” explains Boston Scientific Software Engineering Fellow Gerald Rigdon. “We partnered with CodeSecure because they combine a focus on innovation in static analysis with the expertise needed to turn innovation into a workable reality.”

Customizing the Analyses 

Boston Scientific elected to automate the analyses that were most manually intensive, and whose reliability and repeatability were most important. One of the highest priority analyses for automation was their Shared Data Analysis (SDA), a meticulous examination of global data usage within the devices’ preemptive, multi-threaded operating environment. 

A number of other static checks were also automated, including stack usage analysis and recursion identification. CodeSecure delivered the customized analyses, together with supporting reporting mechanisms, as extensions to CodeSonar.

The automated analysis now runs in mere hours, compared to the person-weeks it took previously. “The automated analysis provides a huge amount of leverage in a cost-effective way,” notes Rigdon. “It doesn’t just free up engineers’ time, it also means we can analyze our entire code base more often to ensure that our standards are continuously upheld, and to receive more frequent feedback on our code quality.”

Book a Demo

We’re ready to help you integrate SAST and BCA security into your DevSecOps flow. Get a personally guided tour of our solution offerings to ensure you are receiving the right solution for your development team. 

book now