Security Resources Center

Real Threats – Real Solutions

Finding the most dangerous defects in your code is imperative. Learn how to develop more secure software, and the critical role the QA·C static analysis platform plays in that effort.


Overview

The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors rather than from a lack of security features. Insecure software is a real threat. We've bundled this resource center together so that you can learn more about the security implications of software defects, and understand how to leverage the tools you already have, such as our static analyzer, QA·C.

Memory errors in C and C++ programs are among the oldest classes of software vulnerabilities. To date, the research community has proposed and developed a number of different approaches to eradicate or mitigate memory errors and their exploitation, and static analysis has emerged as a critical component in eliminating such vulnerabilities before the code ships.
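As an added illustration of the memory-error class described above (this is example code written for this page, not PRQA's or QA·C's own code), the following C program shows the kind of defect a static analyser and the CERT C rules target: a length field read from an untrusted message and used, unchecked, to copy into a fixed-size stack buffer. The wire format (one length byte followed by that many name bytes) and the sample messages are constructed for the example; the hardened parser validates every length against the buffer and the message before any write.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* fixed buffer size for the parsed name, including the NUL */

/* Assumed wire format (constructed for this example, not from the page):
 * byte 0 = length N, bytes 1..N = the name. */

/* VULNERABLE: trusts the length byte and copies into a NAME_MAX-byte buffer.
 * Any length of NAME_MAX or more writes past the end of 'out' (a stack
 * buffer overflow, CWE-121, violating CERT C ARR38-C / STR31-C). This is
 * exactly the unchecked copy a static analyser reports. Never call it with
 * untrusted input; it is here only for comparison. */
void parse_name_unsafe(const uint8_t *msg, char out[NAME_MAX])
{
    size_t len = msg[0];
    memcpy(out, msg + 1, len);   /* no bound on len versus sizeof out */
    out[len] = '\0';             /* this write can also land out of bounds */
}

/* HARDENED: every length is checked against the buffer it bounds and against
 * the bytes actually received. Returns false and leaves 'out' untouched on a
 * malformed message, so the caller cannot accidentally use a partial name. */
bool parse_name_safe(const uint8_t *msg, size_t msg_len, char out[NAME_MAX])
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return false;                 /* need at least the length byte */
    size_t len = msg[0];
    if (len >= NAME_MAX)
        return false;                 /* leave room for the NUL terminator */
    if (len > msg_len - 1)
        return false;                 /* declared length exceeds the data we have */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return true;
}

int main(void)
{
    /* Constructed messages: a valid 5-byte name, and one whose length byte
     * claims 200 bytes that neither the buffer nor the message can hold. */
    const uint8_t ok_msg[]  = { 5, 'c', 'a', 'm', '0', '1' };
    const uint8_t bad_msg[] = { 200, 'A', 'A', 'A', 'A' };
    char name[NAME_MAX];

    if (parse_name_safe(ok_msg, sizeof ok_msg, name))
        printf("accepted name: %s\n", name);
    if (!parse_name_safe(bad_msg, sizeof bad_msg, name))
        printf("rejected message: length byte 200 exceeds buffer and message\n");
    /* parse_name_unsafe(bad_msg, name); would overflow 'name' on the stack. */
    return 0;
}
```

The two checks in the hardened version are independent: the first bounds the write by the destination buffer, the second bounds the read by the bytes actually received. Dropping either reintroduces a memory error, and both are the kind of missing comparison that a rule-based analyser can flag without running the code.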

Secure Coding Institute Research Report: Evaluating Software Security



An empirical study of how using static analysis to detect CERT-C secure coding violations in an open source software library improves security.

PRQA Software Security Solutions

We have the tools to be more secure

MISRA C Compliance Module

Automate compliance checks for MISRA, a model for best practices accepted worldwide by the automotive industry and by other industries creating safety-critical embedded systems.

MISRA C Compliance Data Sheet ►

CERT Compliance Module

Implement a disciplined, repeatable, and security-focused development process by incorporating application security measures into your design and coding processes.

CERT Compliance Data Sheet ►

CWE Enforcement Module

CWE provides a comprehensive repository of known weaknesses. CWE is made up of a series of views, such as the dictionary view and the development view.

CWE Enforcement Data Sheet ►

Get the Secure Code Plug-in

Extend QA·C To Meet New MISRA and Security Requirements with enforcement plug-in modules


State of Software Security - Facts

As many as 50 billion devices will connect to the Internet by 2020, bringing great fragmentation and an expanded threat surface.

This invites attacks against a device's infrastructure on multiple fronts, from client applications and cloud services to the firmware and application layer residing on host processors. We need to prevent the Internet of Things from becoming the Internet of Threats.

The History of Application Security (infographic)

Fewer than one in four IT professionals and executives have confidence in the security configuration of Internet of Things devices already present on enterprise networks, according to a survey of energy, retail, and financial services organizations in the U.K. and U.S.

HP Security Research 2015 found that 70% of the most commonly used IoT devices, such as smart thermostats and home security systems, contain serious security vulnerabilities.

Application vulnerabilities pose one of the most significant risks to the Internet of Things. Attacks that target security weaknesses in the firmware and applications running on embedded systems can provide instant, high-level access to IoT deployments.

“Smart door locks, padlocks, thermostats, refrigerators, wheelchairs and even solar panel arrays were among the internet-of-things devices that fell to hackers during the IoT Village held at the DEF CON security conference in August 2016.

A month after the conference ended, the results are in: 47 new vulnerabilities affecting 23 devices from 21 manufacturers were disclosed during the IoT security talks, workshops and onsite hacking contests.”

CSO, Sep 13, 2016

NetUSB flaw leaves 'millions' of routers, IoT devices vulnerable to hacking. The flaw can be exploited to conduct denial-of-service attacks or remote hijacking. Millions of routers and Internet-of-Things devices have been placed at risk of hijacking due to a stack buffer overflow security flaw.

ZDNet, May 20, 2015

Curated Articles on Security

HINT: They Don't Work In Your Organization: In general code security often gets overlooked and... (Learn more)

Are We On The Road To Ruin: Shortly after Wired's scoop about Jeep vulnerabilities and the conseque... (Learn more)

28 Clicks To Disaster: Researchers recently found source code security flaws that allow an attacker... (Learn more)

"What's past is prologue": Networks, personal computers and servers have long been und... (Learn more)

Software Security Short Videos

What is the connection between CERT & CWE?

Why do we need coding rules? What are the differences and similarities between CERT® & CWE?
This is an excerpt of the session "Prioritizing Security Vulnerabilities and Focused Testing", presented by Robert Martin at the seminar "Secure Coding Best Practices for Automotive" in Detroit, MI, October 2015.

MISRA-C Documents and Roadmap

Launch of Amendments and Addendum for Security for MISRA-C:2012 and Compliance Document at Device Developer Conference 2016

Conceptual differences between MISRA and CERT

Do you agree with Fergus Bolger, CTO at PRQA: "There is no point to have a large collection of rules, if you do not have a reasonable means to achieve compliance to it"?
This short video is part of the session "MISRA vs CERT®", which was originally presented at the seminar "Secure Coding Best Practices for Automotive" in Detroit, MI, October 2015.

How to prioritize software vulnerabilities

Software is like water: you use water in different ways!
This short video is an excerpt of the session "Prioritizing Security Vulnerabilities and Focused Testing", presented by Robert Martin at the seminar "Secure Coding Best Practices for Automotive", Detroit, MI, October 2015.

Software weaknesses vs. vulnerabilities. Common vulnerabilities scoring system

"Weaknesses are things that can be a problem in the right conditions. Those right conditions are what makes them vulnerabilities." (Robert Martin, CWE/CAPEC Program Manager)

CERT vs MISRA

In this brief session, Fulvio Baccaglini, Senior Software Developer at PRQA & member of the MISRA C Working Group, compares MISRA C:2012 and CERT® C.

CERT C Secure Coding Initiative

Could you spot the defect?
This presentation was delivered by Robert Seacord, the lead for CERT® Secure Coding Initiative, at the ISO 26262 Functional Safety Seminar in Detroit, MI, May 2015.

Software Security White Papers

White paper

Addressing Security Vulnerabilities at the Source

Learn about the need for application-level security in embedded systems software and connected device applications.

Download

White paper

Addressing Security Vulnerabilities in Embedded Applications

Using Best Practice Software Development Processes and Standards. Learn how to incorporate the CERT secure coding standard...

Download

White paper

Developing Secure Embedded Software

Quality Doesn't Equal Security. Embedded development presents the challenge of coding in a language that’s inherently insecure...

Download

White paper

How IoT is Making Security Imperative for All Embedded Software

To keep up with new demands posed by the Internet of Things (IoT), developers are under pressure to write and reuse more code than ever.

Download

Software Security Training

Need guidance on implementing coding Standards? What's best for your organization? Request more information about software security training.

MISRA C: from Safety Critical to High Integrity

This training aims to present the improved MISRA C:2012 and compare its approach to already established security standards for C, like CERT C.

Request more information about this training ►

Secure Coding Practices for Safety Critical Applications

This training provides information on the state-of-the-art coding standards, and focuses on the presentation of the CERT family with a particular attention to C and C++ languages.

Request more information about this training ►

Incorporating security in the application development lifecycle

This training discusses the most effective strategies for improving the overall security posture of the SDLC process using automated analysis aligned with CWE content.

Request more information about this training ►