Engineering Services

LDRA Offers Security-Critical Software Development and Certification Support

LDRA Oct 06, 2009


LDRA tool suite tailors security solution to new Homeland Security and MILS standards from requirements traceability through analysis and test

Embedded Systems Conference, Boston, MA - September 22, 2009. LDRA (Booth 414), a pioneer and global leader in automated software verification, source code analysis, and test tools covering the full development lifecycle, has tailored a new security-critical development and certification solution to ensure that the LDRA tool suite can meet today's growing demand for security-critical software. LDRA has extended its implementation of the CERT C secure coding standard to also meet Multiple Independent Levels of Security (MILS) and new Homeland Security criteria for security-critical software development. Recognizing that static analysis does not expose all software security vulnerabilities, LDRA has integrated this solution into its entire tool suite from analysis through test and requirements traceability.

With the increased dependency on software systems in mission- and safety-critical systems as well as our daily infrastructure, the number of security breaches and attacks has increased. New security vulnerabilities are discovered daily and these cause problems with inadequately protected systems, resulting in security flaws. Studies indicate that a majority of these vulnerabilities can be traced back to a set of common programming errors.

Developing software that avoids these vulnerabilities is driving industries such as transportation, aerospace, defense, finance, and utilities, resulting in an increased interest in secure coding practices. As well, broader industry initiatives highlight the need to combine experience, knowledge and tools for building security into software at every phase of its development. The common goal is to find weaknesses in source code and operational systems, as well as to achieve better understanding and management of software weaknesses in architecture and design.

"With the increased connectivity of software systems, there has been an increase in the number of software security attacks," noted Robert Seacord, Senior Vulnerability Analyst with Carnegie Mellon's Software Engineering Institute that created The CERT C Secure Coding Standard. "Our society has become highly dependent on software applications in mission-, business-, and safety-critical systems. The CERT C Secure Coding Standard enumerates the common programming errors behind the majority of software security vulnerabilities so that these problems can be identified by software testing and analysis tools before they enter production code."

"LDRA's founder and Technical Director, along with senior members of the LDRA team, worked with the SEI CERT C team to provide technical expertise in developing the standard," noted Ian Hennell, LDRA Operations Director. "Through our TBsecure product, we enforce these rules and recommendations to assist in eliminating insecure coding practices and undefined behaviours that lead to exploitable vulnerabilities. Application of the CERT C secure coding standard leads to higher quality systems that are robust and more resistant to attack."

This release extends LDRA's CERT C integration to adopt MILS and Homeland Security initiatives. The National Cyber Security Division (NCSD) of the US Department of Homeland Security has sponsored the Common Weakness Enumeration (CWE) dictionary and Build Security In (BSI). CWE, a dictionary that provides a unified and measurable set of software weaknesses, enables more effective discussion, description, selection and use of software security tools and services. BSI provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development.

"We believe that software security is fundamentally a software engineering problem that must be addressed in a systematic way throughout the software development life cycle," asserted Hennell. "With systems and software becoming increasingly complex, organizations need tools and methodologies to support them at all stages of software development. By providing a comprehensive set of tools for requirements traceability all the way through the development process to unit testing, LDRA's tool suite takes developers much closer to their goal of achieving zero defect software development."

With this release, LDRA brings together two primary types of security-that which can be enforced by static analysis and involves adherence to specific coding rules and creating a firewall that protects a system from the outside world and that which requires a security critical development process and the partitioning of one security level from another within the same system. By combining both of these approaches, LDRA enables developers to not only identify errant and vulnerable code at the language level, but to also find algorithmically deviant code such as a malformed HTTP request which may be correctly coded, but represents a security breach.

To provide secure software development processes, LDRA enhanced its Zero Defect Software Development methodology which integrates and automates software processes from requirements traceability through code, quality, and design review to unit test and test verification with the practices required by MILS/Common Criteria. With the integration of MILS/Common Criteria, the LDRA security-critical solution also incorporates:

o Structural Coverage Analysis and the determination of code structures which have not been exercised by the requirements-based test procedures.

o Control Coupling that provides a visual representation of the control coupling dependence of a given software component on those components that call it or are called by it, including calling frequency.

o Data Coupling that provides information in both the static and dynamic analysis domains, showing all instances of the data items accessed by a software component.

o Requirements Coverage (Traceability) which focuses on verification of whether code properly implements security requirements and the adequacy of those requirements.

o Testing and Structural Code Coverage Measurement that imposes strict structural coverage analysis objectives on the software according to the Common Criteria standard.

"We are committed to delivering software quality and security," added Hennell. "This security solution demonstrates yet another best-in-class initiative by LDRA to help organizations design systems and software that are on time, on budget and meet their customers' specified requirements."

The LDRA tool suite is available for C, C++, Ada 83, Ada 95 and Assembly systems. It is a highly scalable solution that works with large-scale commercial and production systems and is excellent for both legacy code and new code development verification.

Attendees at Embedded Systems Conference can view a demonstration of the security-critical software development techniques or security based static analysis at the LDRA booth #414.

About the LDRA tool suite

The LDRA tool suite has been derived from many ground-breaking testing techniques developed by LDRA. The LDRA tool suite assists with the eight primary tasks: traceability verification, design, code and quality review, unit testing, target testing, test verification and test management. Focus on all of these key areas is required to achieve an organisation's software development and maintenance goals. The LDRA tool suite can be used by an entire project team, including developers, QA managers, test engineers, project managers and maintenance/support engineers, to automate the software development lifecycle. Through the deployment of the LDRA tool suite, companies are able to deliver well constructed, documented and tested software and benefit from significant time, cost and operational savings. For more information on the LDRA tool suite, please visit: www.ldra.com.

About LDRA

For more than thirty years, LDRA has developed and driven the market for software used for the automation of code analysis and software testing of safety-critical applications. The LDRA tool suite is used in aerospace, space and defence technology as well as the nuclear energy and automotive industries. Through the use of the LDRA tool suite, companies ensure that their systems are built in accordance with prescribed standards and are durable and reliable in use. The LDRA tool suite is available for a variety of programming languages and supports a wide range of host and target platforms. LDRA is represented world-wide with its head office in the UK and subsidiaries in the USA as well as through an extensive distributor network. For more information on the LDRA tool suite, please visit: www.ldra.com.

Please send reader enquiries to:

Mark James

LDRA Technology, Inc, Lake Amir Office Park,

1250 Bayhill Drive, Suite # 360, San Bruno, CA 94066

Email: mark.james@ldra.com

White Papers & Case Studies

View All White Papers & Case Studies

View All Resources

All Topics

Manufacturing Innovation

Industry Trends

Engineering & Design

Sales & Marketing

Supply Chain

Career & Workforce

Company News

New Products

Thomas Index

Daily Bite

Find Suppliers, Insights, Tools and More...

Become part of North America's largest and most active network of B2B buyers and industrial/commercial suppliers.

Select From Over 500,000
Industrial Suppliers

Find and evaluate OEMs, Custom Manufacturers, Service Companies and Distributors.

Receive Daily
Industry Updates

Stay up to date on industry news and trends, product announcements and the latest innovations.

Search Over
6 Million Products

Find materials, components, equipment, MRO supplies and more.

Download 2D & 3D
CAD Models

10+ million models from leading OEMs, compatible with all major CAD software systems.
Start Sourcing Suppliers Claim Your Company Profile ico-arrow-default-right
Cookie Policy
Close
Thomas uses cookies to ensure that we give you the best experience on our website. By using this site, you agree to our Privacy Statement and our Terms of Use.
Accept