White Papers

Modern medical devices are gaining complexity, and as connectivity to the internet, cloud, and outside world increases, so does the security challenge. Further, medical devices for home use are increasing exponentially, so devices must withstand a non-clinical environment while communicating on insecure home networks. And with medical devices, security risks are also safety risks, which increases development costs and liability. To address…

Using CodeSecure CodeSentry and CodeSonar. download pdf 1 Purpose and Scope In order to develop secure code free of vulnerabilities, suppliers are increasingly following a secure development lifecycle to achieve these goals. The IEC 62443-4-1 standard (Security for industrial automation and control systems –Part 4-1: Secure product development lifecycle requirements) defines specific requirements for using…

download pdf BACKGROUND Considerable effort in the development of medical devices is focused on safety and reducing patient risk. Even so, with the recently increased connectivity of devices, security researchers have found security lacking in medical devices, with one recent example finding over 1400 security vulnerabilities in a commonly-used infusion pump. As a reaction to…

download pdf INTRODUCTION Multicore processors have opened the door to new levels of performance in embedded applications. To unlock multicore’s full performance potential, advanced programming techniques such as concurrency and parallel computing are necessary. Applications must be designed so that individual portions of a program can be run in parallel on the various processor cores.…

download pdf INTRODUCTION Static analysis tools have been around for decades and have helped many customers improve the quality of their code by finding programming problems. There have been tremendous developments in the capabilities of static analysis tools, becoming more sophisticated compared to older commercial and open source offerings. The latest generation of advanced static…

Powered by the forces of the cloud, connected endpoints, wireless technologies, and big data, the Internet of Things (IoT) evolution is forming a “perfect storm” for software engineering teams. This single, transformative force is bigger than anything in the history of tech industry, fueling an unparalleled consumer-oriented features race, expected to advance at an incredible…

Static application security testing (SAST) solutions are needed to ensure software code quality, security and critical safety and enforce the standard, but not all tools are created equal. Sophisticated SAST solutions that provide support for the complex development process and perform more than simple syntax checking are desired to reduce risk, costs, and time to…

download pdf INTRODUCTION Powered by the forces of the cloud, connected endpoints, wireless technologies, and big data, the Internet of Things (IoT) and Machine-to-Machine (M2M) evolutions are forming a “perfect storm” for software engineering teams. Vendors are racing to claim a piece of the predicted 19 trillion dollar IoT market¹, made up of more than 50 billion…

download pdf INTRODUCTION Software development teams are continually pushed to deliver more complex software systems, including cyber-physical systems, in a shorter time with fewer resources. At the same time, the cost of failure is increasing as software is often integrated into larger, more complex business chains such as in the case of IoT edge-to-cloud chains,…

download pdf INTRODUCTION The FDA, recognizing the need for more robust security in medical devices, issued its guidance on managing cybersecurity in 2014. The growth of wireless, networked, and Internet-connected devices means that medical devices are more at risk than ever before. In addition, medical devices deal with patient safety and privacy unlike other classes…

INTRODUCTION Today’s automobiles run on an astonishing and increasing amount of networked software, much of which powers safety-critical systems. Virtually every aspect of a car is controlled by software, including the throttle, transmission, brakes, speedometer, climate, lights, navigation, and entertainment. With well over 100 million lines of code running on 60 or more interconnected embedded…

download pdf STATIC ANALYSIS, RAILWAY SAFETY-CRITICAL Transportation systems (railway systems in particular) are a growing market that increasingly relies on software for command, communication, and control. Due to the impact of errors and accidents in this environment, software is developed to strict standards, including EN 50128. This standard is very specific on the use of…

download pdf INTRODUCTION Attacks against embedded systems are growing in frequency as malicious hackers become more sophisticated in their methods. These vulnerabilities are being exploited by hostile users to gain access to a system so they may subvert its use. These exploits are typically triggered when a hostile user sends data over an input channel.…

download pdf INTRODUCTION The security threat posed by insiders is often underestimated. According to an IBM study, 32% of attackers are insiders and 24% are “inadvertent actors” (e.g. people making mistakes that lead to a system breach or incorrect behavior.) One such class of insider attack is malicious code added during development that allows for…

download pdf The term “forensics” refers to the method of using science to discover evidence of criminal activity. Extending this to software broadens the use case to consider all the purposes of software investigation techniques. Software is ubiquitous and is a part of all mission-critical systems. As such, software failures have tremendous real-world effects. In…

download pdf INTRODUCTION Advanced static-analysis tools are popular because they have proven effective at finding serious programming defects. In contrast to traditional dynamic testing, the code is never executed so there is no need for test cases. This means that static analysis can be applied very early in the development process. When programmers use static…

download pdf BACKGROUND Safety-critical software has hit the “affordability” wall due to increasing complexity and growing reliance on software to perform mission-critical functions (Redman et. al. 2010). Software developer productivity on safety-critical systems hasn’t really changed from 5 lines of code (LOC) a day and roughly 1000 LOC per year (O. Benediktsson 2000). However, with…

download pdf BACKGROUND Over the last few years, third-party code has moved from a minor factor in software development to a dominant force in the industry. It is now used throughout software development in all applications, from highly sensitive government and military applications to security-intensive consumer commerce and communications. According to the latest report from…

download pdf INTRODUCTION This paper reviews a number of the growing complexities that embedded software development teams are facing, including the proliferation of third-party code, increased pressures to develop secure code, and the challenges of multi-threaded applications. It highlights how static analysis tools such as GrammaTech’s CodeSonar can detect defects caused by these complexities, early…

download pdf INTRODUCTION Although decades of advances in miniaturization have yielded enormous performance gains for single processors, it now appears that this era is coming to a close. The industry has placed a big bet on future single-chip performance gains coming from increasing core counts. This will only be a winning wager if the software…

download pdf INTRODUCTION The adoption of any new tool into an existing Software Development Process with an established code base is always a challenge. Static analysis tools are no different but there are steps to take to make the transition easier and smooth the introduction of these tools into an existing workflow. In addition, the…

download pdf INTRODUCTION Flip a switch and a room is filled with light. Turn on the tap and clean drinking water flows. We are absolutely dependent on these marvels of modern infrastructure, and we take them completely for granted. It is only when the system breaks down that we are reminded of this reality. As…

download pdf INTRODUCTION DO-178C, Software Considerations in Airborne Systems and Equipment Certification, is a standard published by RTCA, Inc and developed jointly with EUROCAE, the European Organization forCivil Aviation Equipment. Alongside DO-178C is D-326A (U.S.) and ED-202A (Europe) titled “Airworthiness Security Process Specification” and is the only Acceptable Means of Compliance (AMC) by FAA &…

download pdf Authored By: Jim Routh, Esteemed cybersecurity expert and former CISO and CSO at MassMutual, Aetna and CVSHealth Vince Arneja, Chief Product Officer at GrammaTech Executive Summary The Apache Log4j vulnerability exposed a massive software supply chain weakness in thousands of software applications. The prevalent use of open source components in software is creating…