LDRA tool suite tailors security solution to new Homeland Security and MILS standards from requirements traceability through analysis and test
Embedded Systems Conference, Boston, MA – September 22, 2009. LDRA (Booth 414), a pioneer and global leader in automated software verification, source code analysis, and test tools covering the full development lifecycle, has tailored a new security-critical development and certification solution to ensure that the LDRA tool suite can meet today’s growing demand for security-critical software. LDRA has extended its implementation of the CERT C secure coding standard to also meet Multiple Independent Levels of Security (MILS) and new Homeland Security criteria for security-critical software development. Recognizing that static analysis does not expose all software security vulnerabilities, LDRA has integrated this solution into its entire tool suite from analysis through test and requirements traceability.
With the increased dependency on software systems in mission- and safety-critical systems as well as our daily infrastructure, the number of security breaches and attacks has increased. New security vulnerabilities are discovered daily and these cause problems with inadequately protected systems, resulting in security flaws. Studies indicate that a majority of these vulnerabilities can be traced back to a set of common programming errors.
The need to develop software that avoids these vulnerabilities is driving increased interest in secure coding practices in industries such as transportation, aerospace, defense, finance, and utilities. In addition, broader industry initiatives highlight the need to combine experience, knowledge and tools for building security into software at every phase of its development. The common goal is to find weaknesses in source code and operational systems, as well as to achieve better understanding and management of software weaknesses in architecture and design.
“With the increased connectivity of software systems, there has been an increase in the number of software security attacks,” noted Robert Seacord, Senior Vulnerability Analyst with Carnegie Mellon’s Software Engineering Institute that created The CERT C Secure Coding Standard. “Our society has become highly dependent on software applications in mission-, business-, and safety-critical systems. The CERT C Secure Coding Standard enumerates the common programming errors behind the majority of software security vulnerabilities so that these problems can be identified by software testing and analysis tools before they enter production code.”
“LDRA’s founder and Technical Director, along with senior members of the LDRA team, worked with the SEI CERT C team to provide technical expertise in developing the standard,” noted Ian Hennell, LDRA Operations Director. “Through our TBsecure product, we enforce these rules and recommendations to assist in eliminating insecure coding practices and undefined behaviours that lead to exploitable vulnerabilities. Application of the CERT C secure coding standard leads to higher quality systems that are robust and more resistant to attack.”
This release extends LDRA’s CERT C integration to adopt MILS and Homeland Security initiatives. The National Cyber Security Division (NCSD) of the US Department of Homeland Security has sponsored the Common Weakness Enumeration (CWE) dictionary and Build Security In (BSI). CWE, a dictionary that provides a unified and measurable set of software weaknesses, enables more effective discussion, description, selection and use of software security tools and services. BSI provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.
“We believe that software security is fundamentally a software engineering problem that must be addressed in a systematic way throughout the software development life cycle,” asserted Hennell. “With systems and software becoming increasingly complex, organizations need tools and methodologies to support them at all stages of software development. By providing a comprehensive set of tools for requirements traceability all the way through the development process to unit testing, LDRA’s tool suite takes developers much closer to their goal of achieving zero defect software development.”
With this release, LDRA brings together two primary types of security: that which can be enforced by static analysis, and involves adherence to specific coding rules and creating a firewall that protects a system from the outside world; and that which requires a security-critical development process and the partitioning of one security level from another within the same system. By combining both of these approaches, LDRA enables developers not only to identify errant and vulnerable code at the language level, but also to find algorithmically deviant code, such as a malformed HTTP request, which may be correctly coded but represents a security breach.
To provide secure software development processes, LDRA enhanced its Zero Defect Software Development methodology, which integrates and automates software processes from requirements traceability through code, quality, and design review to unit test and test verification, with the practices required by MILS/Common Criteria. With the integration of MILS/Common Criteria, the LDRA security-critical solution also incorporates:
• Structural Coverage Analysis and the determination of code structures which have not been exercised by the requirements-based test procedures.
• Control Coupling that provides a visual representation of the control coupling dependence of a given software component on those components that call it or are called by it, including calling frequency.
• Data Coupling that provides information in both the static and dynamic analysis domains, showing all instances of the data items accessed by a software component.
• Requirements Coverage (Traceability) which focuses on verification of whether code properly implements security requirements and the adequacy of those requirements.
• Testing and Structural Code Coverage Measurement that imposes strict structural coverage analysis objectives on the software according to the Common Criteria standard.
“We are committed to delivering software quality and security,” added Hennell. “This security solution demonstrates yet another best-in-class initiative by LDRA to help organizations design systems and software that are on time, on budget and meet their customers’ specified requirements.”
The LDRA tool suite is available for C, C++, Ada 83, Ada 95 and Assembly systems. It is a highly scalable solution that works with large-scale commercial and production systems and is excellent for both legacy code and new code development verification.
Attendees at the Embedded Systems Conference can view a demonstration of the security-critical software development techniques or security-based static analysis at the LDRA booth #414.
# # #
About the LDRA tool suite
The LDRA tool suite has been derived from many ground-breaking testing techniques developed by LDRA. The LDRA tool suite assists with the eight primary tasks: traceability verification, design, code and quality review, unit testing, target testing, test verification and test management. Focus on all of these key areas is required to achieve an organisation’s software development and maintenance goals. The LDRA tool suite can be used by an entire project team, including developers, QA managers, test engineers, project managers and maintenance/support engineers, to automate the software development lifecycle. Through the deployment of the LDRA tool suite, companies are able to deliver well constructed, documented and tested software and benefit from significant time, cost and operational savings. For more information on the LDRA tool suite, please visit: www.ldra.com.
About LDRA
For more than thirty years, LDRA has developed and driven the market for software used for the automation of code analysis and software testing of safety-critical applications. The LDRA tool suite is used in aerospace, space and defence technology as well as the nuclear energy and automotive industries. Through the use of the LDRA tool suite, companies ensure that their systems are built in accordance with prescribed standards and are durable and reliable in use. The LDRA tool suite is available for a variety of programming languages and supports a wide range of host and target platforms. LDRA is represented world-wide with its head office in the UK and subsidiaries in the USA as well as through an extensive distributor network.