Software Testing Blog

Coverity and “Heartbleed”


A lot of people have been asking whether and how static analysis can help you avoid problems like the so-called Heartbleed vulnerability in your own code. The answer, unsurprisingly, is that it depends. Finding potential defects through static analysis is a great idea. In fact, a lot of tools try to do exactly that with…


Why does C# use UTF-16 for strings?


Today on ATBG, a language design question from reader Filipe, who asks: Why does C# use UTF-16 as the default encoding for strings instead of the more compact UTF-8 or the fixed-width UTF-32? Good question. First off I need to make sure that all readers understand what these different string formats are. Start by reading…


A customer focused event with a difference

On March the 20th, we hosted our first UK Customer Theatre and where better to host this than in Theatre-land itself, Leicester Square. The day saw customers come from far and wide to network and to hear the latest and greatest regarding our latest release from the Coverity development team. It started with an introduction from…


Testing What Matters Most


Last summer, Johnny Willemsen, CTO for Remedy IT, delivered a webinar for SD Times to share how the ACE open source project began to implement Coverity as part of their automated testing. ACE, an open source framework that implements many core patterns for concurrent communication software, is part of the ACE+TAO+CIAO+DAnCE open source middleware suite….


Real and Fake Infinite Loops: Coverity's Embedded Support


In product design, small details often reveal great wisdom. Recently, during a trial at a customer site, the author ran into an infinite loop that looked simple but produced a surprising result; on closer study there turned out to be much more to it. The sample code is as follows: A very simple infinite loop, yet when it is checked with Coverity, the default command cov-analyze --all reports no defect at all. Why? In fact, Coverity can detect this problem directly, but to better support embedded systems the option is turned off by default; the user only needs to add one option to turn it on and detect the issue. Let us look at the root of the matter: infinite loops are common code in embedded systems. Some embedded background processes must keep running (from start-up until shutdown) while waiting for a particular signal, and to implement this developers have no choice but to use an infinite loop, the most typical form being while(1). If Coverity reported all of these infinite loops as defects, users of embedded systems would face a huge pile of issues, and most importantly: every one of them would be a false positive! As everyone knows, false positives are one of the biggest headaches in the static analysis industry. The average labor cost of an embedded developer is roughly 1.5 to 2 times that of an ordinary developer, and likewise the cost of resolving a false positive is 1.5 to 2 times that for an ordinary developer, so lowering the false-positive rate is the top priority of a static analysis product. Coverity, as the leader in development testing, naturally does its utmost to achieve this; what sets Coverity apart is that it lowers the false-positive rate more from the user's point of view, as this example shows.…


I’ll Never Look at Security and Agile The Same Way Again

A couple of weeks ago, I attended the Keep Austin Agile event in—unsurprisingly—Austin, Texas. And while I had several compelling conversations with local practitioners about the Austin software culture and the progression of Agile environments in the workplace, there was one recurring theme that came up: the difficulty of tying security into an Agile process….


NYSE shares best practices for using Coverity across Development & QA teams


On March 5th we hosted a networking event at Del Frisco’s in New York, where we featured one of our customers, Dikshitulu (Tulu) Pulupula, Vice President of Quality Assurance at NYSE Euronext, Inc., a wholly-owned subsidiary of IntercontinentalExchange (NYSE: ICE). NYSE Euronext operates global financial markets across commodities, FX, equities, bonds and interest rates,…


Reordering optimizations


In my previous article on ATBG I said that without a lock, the read of a field can be moved arbitrarily far backwards in time on a thread, and that this can cause unexpected behaviour in a program. It is perhaps not clear why this can be a problem; it seems like a read shouldn’t…


What Does OWASP Top 10 Coverage Mean to You…and Do You Have It?


Coverity’s Security Research Lab and R&D teams have both been working hard over the past several months improving our security analysis for Java applications. One of the important new checkers that was recently released is for Cross-site Request Forgery. With this comes another important milestone: “full” coverage for the OWASP Top 10. I think it’s…


Killer bugs are easy to overlook

I had a great time at RSA Conference last month. Thanks to everybody that came by the Coverity booth to chat! While there, I heard a lot of noise about Apple’s recently disclosed security vulnerability. I won’t bore you with the technical details of the vulnerability; if you’re interested, you probably already understand the problem….
