SWAP Detector: Preventing API Errors from Swapped Arguments

Third-party application programming interfaces (APIs), libraries, and frameworks are a fact for modern software developers. They are usually complex, rapidly evolving, and sometimes poorly documented. According to industry estimates, open-source components can ...
Detecting Iterator Invalidation with CodeQL

by Kevin Higgs, Montgomery Blair High School

Iterator invalidation is a common and subtle class of C++ bugs that often leads to exploitable vulnerabilities. During my Trail of Bits internship this summer, ...
What the Building In Security Maturity Model (BSIMM) Says About the Role of SAST and SCA

The BSIMM is an annual study of the real-world software security initiatives (“SSIs” in the report) across the software industry, drawing on data and experience from 130 organizations. Rather than ...
Latest Version of CodeSonar Improves on C++ Analysis, MISRA Support; Introduces Subcommands for DevSecOps and More

The latest version of GrammaTech CodeSonar, Version 5.4, continues our commitment to being the go-to provider for static application security testing (SAST) and the static analysis tool of choice for improving software ...
Security Code Review of a Banking Trojan — Cerberus

Over a year ago, I started hearing about this new Banking Trojan called Cerberus. The author of this malware reportedly used to ridicule security researchers on ...
On the Road to DevSecOps: Security and Privacy Controls per NIST SP 800-53

This past March, the National Institute of Standards and Technology (NIST) released the NIST Special Publication 800-53, Revision 5, which was their final public draft revision. According to the abstract, “This publication ...
Memory Management is the Leading Cause of Security Vulnerabilities in Google Chrome

Google recently studied the root cause of high-severity security vulnerabilities detected in their Chrome browser project (specifically the open-source Chromium project on which Chrome and other browsers are based) ...
Latest Version of CodeSonar Improves on Functional Safety, MISRA Support, C++ Parsing and Visualization

The latest version of GrammaTech CodeSonar, Version 5.3, continues our commitment to being the go-to provider for static application security testing (SAST) and the static analysis tool of choice for improving software ...
DevSecOps in Safety Critical Avionics Software and the Role of Static Analysis

DO-178C, Software Considerations in Airborne Systems and Equipment Certification, is a standard published by RTCA, Inc. and developed jointly with EUROCAE, the European Organization for Civil Aviation Equipment. Alongside DO-178C is DO-326A ...