There is a general awareness that software complexity has been growing immensely over time. Starting a few decades ago with special-purpose tasks, such as calculating equations to send a man to the moon, we are now at a stage where our world and much of our lives depend intrinsically on software. Not only do systems such as autonomous cars contain huge software stacks, but they also depend on a plethora of programming languages, frameworks, and communication protocols. While in the past a single developer could keep a system in his or her head, this is rarely the case today. Moreover, it is no longer sufficient to be an expert in one programming language. Efficient development often requires someone to master many languages and frameworks.
This increased complexity has heightened the danger of making unintentional mistakes, wrongly applying a programming idiom from one language to another, or simply not being aware of some of the subtleties in a particular programming environment. These mistakes can lead to serious bugs, security vulnerabilities in code, and eventually catastrophic failures.
Software standards are aimed at providing some guidance for safe and secure programming, with the objective of preventing the most common mistakes developers make. To an extent, software standards teach developers how to avoid shooting themselves in the foot as they race to complete their projects.
There are different types of standards for different purposes. Besides simple syntactic guides that make code look more uniform, there are quality and security standards that take deep engineering expertise and practical observations and condense them into best practice rules and proactive guidance. Examples can be found in the automotive space, where MISRA standards have long been used to increase robustness and portability and prevent deep software flaws. Similarly, CERT has condensed security knowledge into language guides for the C/C++ and Java programming languages to enable the delivery of more secure and robust software. Other examples include guidance to avoid the most serious security pitfalls, as published in the OWASP Top 10 and the SANS/CWE Top 25 lists. No matter the individual focus, each standard aims to help software development organizations deliver better, higher quality, and more secure software.
The challenge with all these standards is that getting used to best practices takes some time. Realistically, no developer has the time or inclination to read through these standards and have them open on their desks while coding.
Fortunately, these days there are automated software solutions, such as Coverity static analysis, that look over your shoulder to automatically identify standards violations and guide you to becoming a more proficient and secure coder. Static analysis serves as your code-reviewing colleague, assisting you along the way.
Moreover, these automated solutions can be integrated both into the back end of the continuous development and integration process to ensure code quality, and directly into the front-end IDEs to prevent bugs from slipping into your code in the first place.
Synopsys has invested heavily in helping developers and development organizations bring high-integrity software to market faster. Coverity static analysis supports a wide variety of standards and coding guidelines tailored to your needs and industry. Whether it’s MISRA C/C++, CERT C, OWASP Top 10, SANS/CWE Top 25, or general CWE classifications, we have you covered. Not only that, but Synopsys provides industry-leading scalability and precision that set you up for a compliant and secure future.
Dr. Ralf Huuck is a director and senior architect with Synopsys’ Software Integrity Group. He focuses on driving next-generation technology for practical and actionable software security and compliance tools. Prior to joining Synopsys, Ralf served as CEO of the security tool company Goanna Software and as a Principal Researcher with the R&D lab NICTA. He is also an Adjunct Associate Professor with UNSW, Australia.