What Lurks in Your SDK?!?
Teams building innovative new products do so on the shoulders of giants. Let me explain. When you build on top of the latest boards from NXP, ST Micro, Texas Instruments or others, you will be using their Software Development Kit (SDK) to base your code on. SDKs contain a lot of ...
Can AI Help Fix Security Vulnerabilities?
We get a lot of questions from our customers around the topic of artificial intelligence in combination with SAST (Static Application Security Testing). Everybody is looking for the next level of efficiency around DevSecOps. With CodeSonar the answer to this is a resounding yes; the reason for this is the elaborate ...
I Have An SBOM, Now What ?!?
A Software Bill of Materials (SBOM) lists the software components that are used in a piece of software. It typically also provides an overview of known vulnerabilities (N-day vulnerabilities) as well as the software licenses that cover the components used. All in all, this is often a significant amount of ...
Using SAST and MISRA Memory Safety Standards to Prevent the Next CrowdStrike Debacle
The Problem A common coding error in a CrowdStrike Falcon update caused critical system outages around the world starting on Friday, July 19th, 2024. The culprit? A Null Pointer Dereference (also known as CWE-476) in a piece of C++ code that ran with privileged access to the Windows operating system. X posters offered all ...
Navigating the EU Cyber Resiliency Act
Companies developing software-intensive products for the European Union market are scratching their heads as to what to do with the recently approved EU Cyber Resilience Act (CRA), developed to “ensure safer software and hardware.” In the works since 2020, the CRA does not come as a surprise, but companies are now scrambling to ...
MISRA validation on FreeRTOS
Parts of the FreeRTOS kernel are MISRA 2012 compliant (details are here). I am quite impressed with the work done to make a project originally written without MISRA in mind MISRA-compliant. They used Coverity static analysis (now part of Synopsys) to perform the MISRA testing at the time. But I wondered ...
Code Complexity
“What gets measured gets managed” is a frequently quoted statement in the business world, although there seems to be some confusion as to who coined the phrase. Regardless, that statement holds true in the business and software world. But some things are hard to measure, such as ‘team velocity’ (defined ...
Static Application Security Testing at Scale
Software security requires a holistic view across vast ecosystems of smaller systems, each with its own code set and associated vulnerabilities that need to be prevented or managed. Today’s embedded systems are not monolithic; they are systems of systems, including sensors, actuators, controllers, interfaces, network switches, the works. Consider the many ...
SBOMs and the Secure Software Development Framework
Introduction: The Significance of SSDF and SBOMs Most of the conversations I’m having these days tend to circle around NIST SP 800-218 or, more colloquially, the Secure Software Development Framework (SSDF). These conversations are in direct response to EO 14028 and particularly Section 4, Enhancing Software Supply Chain Security. I hadn’t ...