© Coverity 2010
Coverity Analysis: Improving Quality in the Software Supply Chain
Peter Henriksen, Development Manager for Analysis, Coverity
October 1, 2010
Importance of SATE
ALL MATERIALS CONFIDENTIAL
- Helping the space mature
  - Important to have broad participation
  - Transparency
  - Pushing the envelope
- Coverity participation
  - Significant amount of work (~20 times more than 2009!)
  - C/C++ track: Chrome, Wireshark & Dovecot
  - Coverity tools freely available for SATE researchers
SATE 2010: Listening to the Community
- Improved classification: Security / Quality / Insignificant / False Positive
- Broader language coverage: C, C++ & Java
- Larger code bases: addition of Chrome, a large and widely used code base
- CVE-based test cases: a healthy challenge!
Coverity SATE Results: C/C++ Track
- SATE 2010 selection: 30-40 bugs
  - Improved SATE triage with the new Quality classification
  - General agreement on the triage results
- Number of bugs
  - Total (estimated true positives): ~2300
  - High & medium impact: ~1900
  - SATE selection: ~1%
- Triage is hard!
  - Quality of event messages is important
  - Impact assessment is essential
The Software Supply Chain
- The problem: the weakest link in the chain
  - Defects in shared libraries can impact millions of devices (computers, phones, etc.)
- How Coverity can help
  - Integrity Report with Integrity Rating
  - Software certification
- Upstream elimination of defects
  - Open source
  - 3rd party
  - Company-wide libraries
How to Use Your Software Integrity Rating
- Set software integrity standards for your projects, products and teams
- Audit your software supply chain
- Promote your commitment to software integrity
Next Steps for SATE
- Defect (& FP) catalog
  - Select one code base (per language)
  - Fix the version
  - Perform deep & thorough triage
  - Resulting contents: tools + manual + CVE + FP
- Minor recommendations
  - Improve the CVE triage
  - More time (add 4-6 weeks)
  - Make Ubuntu VMware VMs available for the C/C++ track