How to achieve security, reliability, and productivity in less time
© 2017 Rogue Wave Software, Inc. All Rights Reserved.
Confronting the mission-critical software testing challenge
Episode 1: How to achieve security, reliability, and productivity in less time
Rod Cope, CTO
Presenter
Rod Cope, CTO, Rogue Wave Software
[email protected]
@RodCope
Agenda
1. A brief history of testing
2. Code security
3. Software reliability
4. Pulling it together
5. Q&A
What is mission-critical?
A brief history of testing
The evolution of testing
• 1970s – 80s: Debugging == testing
• 1990s: All I need is unit testing
• 2000s: How did we survive without automated testing?
• 2010s: DevOps is awesome!
Challenges with different methods

Debugging/printfs
  Advantages: immediate; minimal set up
  Disadvantages: limited view of system; limited tests; doesn't scale across code/team size

Unit testing
  Advantages: close to code; a form of documentation
  Disadvantages: limited view of system; limited tests; cumbersome for a single developer to set up

Basic automated testing
  Advantages: consistency and repeatability; speed; frees developer time
  Disadvantages: can be slow to run; can be slow to update

DevOps/CI testing
  Advantages: consistency and repeatability; scalable & fast; frees developer time
  Disadvantages: initial set-up costs; only effective for larger teams
All have sources of risk:
• Human error
• Software issues
• Hardware issues
And challenges:
• Demands for shorter release times
• Increasing feature complexity
• Requirements for standards compliance
• Increasing open source use
Poll #1: What is the primary method you use to test code?
• Code reviews
• Unit tests
• Manual tests at build time
• Automated tests at build time
• Automated testing using CI tools
Code security
Changing security landscape
• More complex software running inside systems
• Multiple sources of software being integrated
• Software has to run for many years
Result: code is harder to secure, and this requires a very significant security, safety, & functional verification process.
Some research
2015 Survey of Automakers and Suppliers (Ponemon Institute / Rogue Wave Software / Security Innovation)
• Is security a priority for your company? Responses were split almost evenly between yes and no (49% / 51%; chart).
• Why are companies not putting more emphasis on security in their applications? Each of the top three answers was given by roughly a quarter of respondents (22% – 24%; chart): "Security is not considered important", "Security takes too much time", "I feel pressured to complete development".
Example: memory buffer problems
One of the top flaws in the 2015 National Vulnerability Database.
CWE-119: Software can read or write to locations outside of the boundaries of the memory buffer.
• Not checking size of input on copy
• Bug allowing writing to arbitrary locations
• Out-of-bounds read
• Pointers outside expected range
• Untrusted pointer dereference
• Uninitialized pointers
• Expired pointer references
• Access of memory beyond buffer end
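The first bullet, an unchecked size on copy, is the most common shape of CWE-119, and it usually produces both of the next two bullets at once: the copy writes past the destination and reads past the input. The C program below is an added example, not code from the slides or from Rogue Wave. It parses a length-prefixed record into a fixed-size name buffer, first in the unchecked form and then with the two bounds checks that close the out-of-bounds write and the out-of-bounds read. The wire format, the buffer size NAME_MAX and the sample records are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* capacity of the destination buffer (assumed) */

/* Assumed wire format for this example: one length byte followed by that
 * many bytes of name. A hostile sender controls the length byte. */

/* CWE-119 pattern: trusts the length byte.
 *  - declared > NAME_MAX - 1   : memcpy and the NUL write run past 'name'
 *                                (out-of-bounds write)
 *  - declared > bytes received : memcpy reads past the end of 'msg'
 *                                (out-of-bounds read)
 * Kept only to show the shape of the bug; never use it on untrusted input. */
static void parse_name_unchecked(const uint8_t *msg, char name[NAME_MAX])
{
    size_t declared = msg[0];
    memcpy(name, msg + 1, declared);   /* no bound on 'declared' */
    name[declared] = '\0';             /* may write past the buffer end */
}

/* Hardened version: the length is validated against what was actually
 * received and against the destination capacity before anything is copied.
 * Returns 1 on success, 0 if the record is rejected (name is left untouched). */
static int parse_name_checked(const uint8_t *msg, size_t msg_len,
                              char name[NAME_MAX])
{
    if (msg == NULL || msg_len < 1)
        return 0;                      /* no length byte to read */
    size_t declared = msg[0];
    if (declared > msg_len - 1)
        return 0;                      /* would read beyond the input */
    if (declared > NAME_MAX - 1)
        return 0;                      /* no room for the bytes plus NUL */
    memcpy(name, msg + 1, declared);
    name[declared] = '\0';
    return 1;
}

/* Wrapper for checking results: 1 if the checked parser accepts the record
 * and produces exactly 'expected'. */
static int checked_accepts(const uint8_t *msg, size_t msg_len,
                           const char *expected)
{
    char name[NAME_MAX] = {0};
    return parse_name_checked(msg, msg_len, name) == 1
        && strcmp(name, expected) == 0;
}

/* Constructed sample records. */
static const uint8_t REC_GOOD[]   = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t REC_EDGE[]   = { 15, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h',
                                      'i', 'j', 'k', 'l', 'm', 'n', 'o' }; /* exactly fits */
static const uint8_t REC_SHORT[]  = { 200, 'x', 'y' };  /* claims 200 bytes, sends 2 */
static const uint8_t REC_LONG[32] = { 31, 'A' };        /* 31 bytes present, too long for NAME_MAX */

int main(void)
{
    char name[NAME_MAX];

    parse_name_unchecked(REC_GOOD, name);   /* safe only because 5 < NAME_MAX */
    printf("unchecked, benign input : \"%s\"\n", name);

    printf("checked, benign input   : %d\n", parse_name_checked(REC_GOOD, sizeof REC_GOOD, name));
    printf("checked, exact fit      : %d\n", parse_name_checked(REC_EDGE, sizeof REC_EDGE, name));
    printf("checked, lying length   : %d\n", parse_name_checked(REC_SHORT, sizeof REC_SHORT, name));
    printf("checked, oversize name  : %d\n", parse_name_checked(REC_LONG, sizeof REC_LONG, name));
    return 0;
}
```

The order of the checks matters: the received-length test must come first, because the capacity test alone would still let a short message with a large length byte read beyond the input. Both checks are expressed as size_t comparisons with no subtraction on the untrusted value, so they cannot wrap.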
Real vulnerability: GNU libc
CVE-2015-1472
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
• Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated buffer.
• Theoretically, any Linux machine connected to the internet and running an affected glibc version is at risk. In practice the bug has to be reachable: a network-facing program must pass attacker-controlled input to the affected scanf routine.
GNU libc example: fail
(Code shown on the slide; not reproduced in the transcript.)
GNU libc example: fix
(Code shown on the slide; not reproduced in the transcript.)
Top four best security practices
• Clean design
• Methodical process
• Good tools
• Careful analysis
Flaw categories highlighted on the slide alongside these practices: numeric errors, code injection, improper input validation, memory buffer problems, cryptographic issues, resource management errors, improper access control.
Poll #2: How much time do developers in your company spend on security (as a percentage of work time)?
• 0%
• 1 – 25%
• 26 – 50%
• 51 – 75%
• 76 – 100%
Software reliability
Why is reliability important?
May 2015
• A Boeing 787 Dreamliner software bug could cause "total loss of electrical power" after 248 days of continuous operation
December 2015
• A software error in the system that calculates prison sentences caused more than 3,200 US prisoners to be released early, by 49 days on average
January 6, 2016
• A Nest 'smart' thermostat software update caused complete battery drain, shutting off heat in January
• Matt Rogers, Nest co-founder & VP Eng: "the bug took a few weeks to show up"
• 2.5 million smart thermostats in the U.S. alone
Key industry standards
The argument for standards compliance:
• Re-use the expert research of others
• Complements existing testing approaches
• Recognizable by customers
• May already be a requirement
Significantly reduces the cost of producing reliable software.
MISRA C example

    a |= 256;
    b |= 128;
    c |= 064;

Sets bit 8 of variable a (256 decimal = 100000000 binary)
Sets bit 7 of variable b (128 decimal = 10000000 binary)
Is bit 6 of c set? (64 decimal = 1000000 binary)
• No, because in C any integer constant that begins with 0 is interpreted as octal: 064 is 6*8 + 4 = 52 decimal (110100 binary), which sets bits 2, 4 and 5 instead of bit 6.
• So c is set to the wrong value!
Rule 7.1: Octal constants (other than zero) and octal escape sequences shall not be used.
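The following C program is an added example, not code from the slides or from Rogue Wave. It evaluates the three assignments from a zeroed variable so the effect of each literal is visible on its own, shows a Rule 7.1-compliant rewrite, and includes a small text-level check for octal literals of the kind a static analyser flags. The checker is a simplification written for this example: it works on one line of source text rather than on tokens, and it does not handle comments, string literals or octal escape sequences.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The slide's three statements, each applied to a zeroed variable so the
 * effect of the literal alone is visible. 064 has a leading zero, so C reads
 * it as octal: 6*8 + 4 = 52 decimal = 110100 binary. */
static unsigned int slide_a(void) { unsigned int a = 0; a |= 256; return a; }
static unsigned int slide_b(void) { unsigned int b = 0; b |= 128; return b; }
static unsigned int slide_c_buggy(void) { unsigned int c = 0; c |= 064; return c; }

/* Rule 7.1-compliant rewrite: name the bit with a shift (1u << 6 == 64);
 * decimal 64 or hexadecimal 0x40 would also be compliant. */
static unsigned int slide_c_fixed(void) { unsigned int c = 0; c |= 1u << 6; return c; }

/* Is bit n (0-indexed) set in v? */
static int bit_set(unsigned int v, unsigned int n) { return (v >> n) & 1u; }

/* Minimal Rule 7.1 check over one line of C source text: counts integer
 * literals written as '0' followed by octal digits. It skips a bare 0,
 * hex (0x..), floats (0.5, 064.5), digits inside identifiers (foo01) and
 * accepts u/U/l/L suffixes. It does not understand comments, string
 * literals or octal escape sequences; a real analyser works on tokens.
 * Simplified helper written for this example. */
static int count_octal_literals(const char *line)
{
    int count = 0;
    size_t n = strlen(line);
    for (size_t i = 0; i < n; i++) {
        if (line[i] != '0')
            continue;
        /* the '0' must start a token, not sit inside one */
        if (i > 0 && (isalnum((unsigned char)line[i - 1]) ||
                      line[i - 1] == '_' || line[i - 1] == '.'))
            continue;
        size_t j = i + 1;
        if (j >= n || line[j] < '0' || line[j] > '7')
            continue;                  /* plain 0, 0x.., 0.5 or 08: not octal */
        while (j < n && line[j] >= '0' && line[j] <= '7')
            j++;                       /* octal digits */
        while (j < n && strchr("uUlL", line[j]) != NULL)
            j++;                       /* integer suffix */
        /* identifier characters or '.' right after mean it was not a plain octal int */
        if (j < n && (isalnum((unsigned char)line[j]) ||
                      line[j] == '_' || line[j] == '.')) {
            i = j;
            continue;
        }
        count++;
        i = j;
    }
    return count;
}

int main(void)
{
    printf("a = %u (bit 8 %s)\n", slide_a(), bit_set(slide_a(), 8) ? "set" : "clear");
    printf("b = %u (bit 7 %s)\n", slide_b(), bit_set(slide_b(), 7) ? "set" : "clear");
    printf("c = %u with 064 (bit 6 %s)\n", slide_c_buggy(),
           bit_set(slide_c_buggy(), 6) ? "set" : "clear");
    printf("c = %u with 1u << 6 (bit 6 %s)\n", slide_c_fixed(),
           bit_set(slide_c_fixed(), 6) ? "set" : "clear");
    printf("octal literals on the slide's line: %d\n",
           count_octal_literals("a |= 256;b |= 128; c |= 064;"));
    return 0;
}
```

The point of the rule is that the compiler accepts 064 silently; only a review or a static check that knows the leading-zero convention will find it, which is why MISRA bans the form rather than relying on readers to notice it.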
Pulling it together
Why Agile?
(Chart: Agile adoption increasing.)
Lessons learned
• People over processes
• Collaborate to build trust and foster change
• Set expectations clearly
• Test and measure
• Share successes
• Enable with tools
• Pick the right artifacts
• Choose what to keep/throw away
Automate testing
Continuous testing:
• Check for security issues
• Measure conformance to standards
• Examples of CI systems: TeamCity, Jenkins
• Example of test tool: static code analysis
(Slide diagram: Dev 1, Dev 2 and Dev 3 each check in, and every check-in is tested. "No!" sends the change back to adjust and track, with review and feedback in the next iteration; "Yes!" accepts it and the build is released to market.)
Keys to successful CI
To work in a true CI environment, test tools must be designed to be:
• Automated: supporting the most important CI build management systems
• Fast(er): to reduce feedback time, only changed code should be tested (including regression)
• Scalable: by requiring minimal resources & deploying across multiple agents
• Relevant: by reporting only the information that is required for the given context (example: only the diffs since the last build / build X)
Summary
1. Security: clean design, methodical process, careful analysis, good tools
   • Identify and prevent vulnerabilities before release
2. Reliability: adopt proven standards
   • MISRA, OWASP, ISO 26262
3. Automate with tools that are fast, scalable, and relevant
   • Jenkins, static code analysis
Q & A
Follow up
Free white paper: Fitting static code analysis into continuous integration
www.roguewave.com/resources/white-papers/static-code-analysis-into-continuous-integration
Missed this webinar? Watch it on-demand: How to achieve security, reliability, and productivity in less time.
Stay tuned: Confronting the mission-critical software testing challenge
Feb. 8: Static analysis works for mission-critical systems, why not yours? Compare different techniques for testing by analysis and dive into static code analysis, including the types of problems found, barriers to adoption, and fitting it into various developer environments.
Feb. 22: What if you could eliminate the hidden costs of development? Combat different types of development inefficiency by examining error-prone tasks, waiting for resources, "bug fix crowdsourcing," and more to learn what the industry is doing about them and what you can do to get ahead.