Adopting CodeSonar for Static Code Analysis
Sypris Solutions is a diversified provider of technology-based outsourced services and specialty products. Sypris performs a wide range of manufacturing and technical services, typically under sole-source contracts with major corporations and government agencies in the markets for aerospace and defense electronics and truck components.
Sypris Uses CodeSonar to Streamline Certification of High-Security Devices
Because many embedded systems were originally designed to operate in isolation, they lack the security features that would prevent intrusion across a network, and they are now becoming targets of cyber attacks. To address this, government agencies, including the National Security Agency (NSA), are developing strict secure-coding and certification requirements, and they expect companies like Sypris Electronics to adhere to these stringent standards.
For nearly 50 years, Sypris has provided lifecycle Information Assurance solutions, from design through deployment, for the United States Government, International Ministries of Defense, and the top aerospace and defense primes in the world. The Sypris Electronics Information Security Solutions (ISS) division of the company focuses on encryption and electronic key management solutions and devices, cyber security solutions, silicon-based identity authentication, and trusted manufacturing services.
Software developers at Sypris Electronics work in close partnership with their customers and end-users to ensure that the software they develop meets these strict secure-coding requirements. In fact, engineers within the government go so far as to painstakingly inspect thousands of lines of code by eye, looking for logic that an attacker could exploit. Fortunately, review is not limited to manual techniques: automated tools that perform advanced static analysis on source code to uncover risky programming practices are in common use.
Adopting CodeSonar for Static Code Analysis
“One of the biggest motivators for us to adopt static code analysis tools was to avoid our customers finding problems before we did,” stated a member of Sypris’ engineering team. “It makes a certification process more streamlined and timely.”
After evaluating a number of products, the Sypris engineering team chose CodeSonar from GrammaTech. A key factor in the choice was CodeSonar’s extensibility: it could be configured or customized to enforce the specific, and sometimes unusual, coding policies that the certifying agencies require. Sypris also noted that CodeSonar already included most of the required checks, so the remaining customization was quick to implement. Government agencies look for structural flaws in the code that could enable unauthorized access, including classic problems such as buffer overflows and underflows as well as less common requirements.
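As an added illustration of the kind of defect these reviews and tools are meant to catch (this is example code written for this page, not Sypris or GrammaTech code; the message field, its 16-byte size and the sample values are constructed), the following C shows a classic buffer overflow and a buffer underflow next to bounds-checked versions of the same routines. Note that the unsafe versions behave correctly on benign input, so ordinary functional tests pass against them; the defects only surface on hostile input, which is exactly why a static analyzer that tracks the unchecked length into the `memcpy` and the `buf[len - 1]` subscript earns its place in a certification workflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size text field parsed out of an untrusted message. */
#define FIELD_LEN 16

/* VULNERABLE: trusts the length that came off the wire. When len exceeds the
 * destination, memcpy writes past the end of dst (buffer overflow); even when
 * len == FIELD_LEN the terminating NUL lands one byte past the end. */
void copy_field_unsafe(char *dst, const uint8_t *src, size_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* HARDENED: rejects fields that do not fit (leaving room for the NUL) and
 * reports failure so the caller can drop the message instead of truncating. */
int copy_field_checked(char *dst, size_t dst_len, const uint8_t *src, size_t len)
{
    if (dst == NULL || src == NULL || len >= dst_len)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* VULNERABLE: strips trailing spaces by walking backwards. If the field is
 * empty or all spaces, the loop reads buf[-1] and len wraps (buffer underflow). */
size_t trim_trailing_unsafe(char *buf, size_t len)
{
    while (buf[len - 1] == ' ')
        len--;
    buf[len] = '\0';
    return len;
}

/* HARDENED: the length test precedes the subscript, so the index can never
 * drop below the start of the buffer. */
size_t trim_trailing_checked(char *buf, size_t len)
{
    while (len > 0 && buf[len - 1] == ' ')
        len--;
    buf[len] = '\0';
    return len;
}

/* Runs constructed inputs through both versions. The unsafe routines are only
 * given benign input here (hostile input would be undefined behaviour).
 * Returns the number of failed checks, so 0 means everything passed. */
int self_check(void)
{
    int failures = 0;
    char field[FIELD_LEN];
    uint8_t oversized[2 * FIELD_LEN];
    const uint8_t good[] = "KEYSLOT-07   ";   /* constructed: 10 chars + 3 spaces */

    memset(oversized, 'A', sizeof oversized);

    /* Benign input: the unsafe code looks fine, which is how it ships. */
    copy_field_unsafe(field, good, 13);
    failures += trim_trailing_unsafe(field, 13) != 10;

    /* A field that fits is copied, NUL-terminated and trimmed safely. */
    failures += copy_field_checked(field, sizeof field, good, 13) != 0;
    failures += strcmp(field, "KEYSLOT-07   ") != 0;
    failures += trim_trailing_checked(field, 13) != 10;
    failures += strcmp(field, "KEYSLOT-07") != 0;

    /* Oversized lengths, including exactly FIELD_LEN, are rejected. */
    failures += copy_field_checked(field, sizeof field, oversized, sizeof oversized) != -1;
    failures += copy_field_checked(field, sizeof field, oversized, FIELD_LEN) != -1;

    /* All-spaces and empty inputs: these underflow the unsafe version. */
    field[0] = ' '; field[1] = ' '; field[2] = '\0';
    failures += trim_trailing_checked(field, 2) != 0;
    failures += trim_trailing_checked(field, 0) != 0;

    return failures;
}

int main(void)
{
    int failed = self_check();
    printf("%s (%d failed checks)\n", failed == 0 ? "OK" : "FAIL", failed);
    return failed == 0 ? 0 : 1;
}
```

The hardened routines take the destination size as a parameter and return a status rather than relying on the caller to have sized things correctly; that is the shape an analyzer-driven fix usually ends up in, because it turns an unchecked data flow into one the tool can see is bounded.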
Sypris has been using CodeSonar in the development of some of its ruggedized, government-certified equipment. Members of the Sypris development team commented that one of the features they most appreciated about CodeSonar was the user interface. CodeSonar allows the Sypris team to navigate through source code, visualize relationships between different elements of the codebase, and quickly sort through problems found.
“GrammaTech’s CodeSonar does an excellent job of showing you the path of how you got into the problem,” said a member of the Sypris team. “When researching a problem, you really never have to leave CodeSonar; you can trust that it will show you all the relevant information. If you are going to work with the requirements of these software security policies, this is a must-have tool. It allows software development teams to streamline the certification process by allowing developers to find software errors early in the process. This avoids stalls in certification, reduces overall engineering effort, and saves on development costs.”