LDRA tool suite support identifies Security Vulnerabilities and meets the CERT C standard

LDRA has enhanced the capabilities of the LDRA tool suite to assist in identifying security vulnerabilities and enforce security standards for development and deployment. LDRA’s adoption in this area demonstrates the company’s commitment to ensure their clients are able to comply fully with the latest security standards and certifications.

With the increased dependency on software systems in mission- and safety-critical systems, there has been an increase in the number of attacks. New security vulnerabilities are discovered daily and these cause problems with systems inadequately protected that result in security flaws. Studies indicate that a majority of these vulnerabilities can be traced back to a set of common programming errors.
The CERT C Secure Coding Standard provides rules and recommendations for secure coding in the C programming language. The goal of these rules and recommendations is to eliminate insecure coding practices and undefined behaviors that lead to exploitable vulnerabilities. The application of the secure coding standard leads to higher quality systems that are robust and more resistant to attack. Rules and recommendations included in this CERT C Programming Language Secure Coding Standard are designed to be operating system and platform independent. Once established, these standards can be used as a metric to evaluate source code using an automated process.
The LDRA tool suite has been extended to support a wide range of programming rules that enable increased application security using the following classification of security issues:

• Dynamic Memory Allocation (A) concerns: Dynamic memory management is a common source of programming flaws that can lead to security issues such as heap-buffer overflows, dangling pointers, and double-free issues. In particular, memory management encompasses allocating memory, reading and writing to memory, and deallocating memory.

• Vulnerabilities (V): These rules are intended to eliminate insecure coding practices aside from those associated with dynamic memory. Examples of insecure coding practices include array indices out of range and dereferencing a null pointer.

Without proper security technology vulnerability, malicious code attacks, fraudulent transactions, and theft-of-service opportunities will be on the rise. One proven way to help reduce these risks is with the use of software testing and analysis tools that identify these problems before they enter production code.

“At LDRA, we aim to assist in the development of zero-defect software development, and the CERT C standard plays a significant role in the development of higher quality systems that are more robust and more resistant to attack,” commented Ian Hennell, LDRA Operations Director. “Because of our commitment to best practice programming, we have supported CERT C through the involvement of Chris Tapp, one of our key field application engineers, in development of the standard. This participation continues our tradition of leadership in programming standards enforcement, also evident in our participation in the development of MISRA C:2004, MISRA C++:2008 and others.”