NowTECH: Empowering disabled people with quality code

Founded in 2014 and based in Budapest, Hungary, NOW Technologies is a close-knit, dedicated team of professionals working to help people with disabilities to live an independent life. NOW Technologies works closely with injured and disabled users and with medical and rehabilitation professionals to ensure that their products are safe, secure and sufficiently intuitive to minimize any necessary training.

3 Sections

HCC raises the bar on quality and reliability

As a developer of efficient and high-quality TCP/IP and file system software for the medical, transport, industrial and aerospace markets worldwide, it is essential for HCC Embedded to maintain a reputation for premium and reliable products. Following a vigorous and extensive competitive evaluation, HCC Embedded chose the LDRA tool suite to enhance the safety and security of their products by enforcing adherence to the MISRA standard.

4 Sections

Why worry about hacking?

In recent years, sophisticated and daring cyberattacks have grabbed the headlines and the attention of the public. Both Miller and Valasek’s famous attack on a Chrysler Jeep, as referenced in their 2015 paper “Remote Exploitation of an Unaltered Passenger Vehicle”, and a separate, sophisticated attack on the Ukraine power grid that same year involved highly motivated, organized, qualified and professional individuals with considerable resources at their disposal.

It would be easy to conclude that all hackers fit that description. But in fact, hacking is easy, requires very little technical skill, and is widely seen as an easy way to make money by the unscrupulous. Here’s why that should concern anyone developing a connected application or device.

5 Sections

Verification of Safety-Related Control System Software in Compliance with ISO 13849:2015

There is a confusing wealth of standards relating to machine control systems. This document helps clarify the role of ISO 13849-1 and explains its relationship with IEC/ISO 17305, IEC 62061 and IEC 61508.

6 Sections

Applying IEC 62443-4-1 to Industrial Automation Control Systems

IEC 62443-4:2018 specifies the requirements for the secure development of systems used in industrial control and automation, with part 1 describing the product development requirements. This document explains how verification and validation play an important role in the IEC 62443-4-1 process, and discusses the testing techniques required to comply with the standard’s recommendation for requirements-based testing.

4 Sections

Getting to grips with MISRA C:2012

MISRA C is a coding standard appropriate for the development of critical application code, including code for security- and safety-critical applications. LDRA has been influential in its creation and ongoing development, and has had strong representation on the MISRA C working group throughout its evolution. This introduction reflects that unique insight into the creation of the standard, and into the incremental changes resulting from a policy of continuous improvement.

5 Sections

Automate ISO/SAE DIS 21434 compliance – when the time is right

It is welcome news that the ISO/SAE 21434 automotive cybersecurity standard has reached the Draft International Standard (DIS) stage. LDRA is committed to fully supporting the standard with enhancements to the LDRA tool suite® for Automotive as dictated by formal release of the standard, but advises caution until then. Here's why.

The End of the Develop-First, Test-Later Approach to Software Development

The traditional approach to secure software development is mostly a reactive one – develop the software and then use penetration, fuzz and functional testing to expose any weaknesses. In isolation, however, that is not good enough to comply with a functional safety standard such as DO-178C (in the aerospace sector), IEC 62304 (medical devices) or ISO 26262 (automotive). These demand that security factors with a safety implication are considered from the outset, because a safety-critical system cannot be safe if it is not secure.

4 Sections

SAST - Static Analysis/Application Security Test

Static Analysis (or Application) Security Test tools - SAST tools for short - provide the earliest possible insight into the security of an embedded application by scanning the source code. SAST is available as soon as there is source code and by building it into the Secure Software Development LifeCycle (SSDLC), vulnerabilities can be detected even before the build stage is reached.

3 Sections

Requirements Traceability

Best practice suggests that bidirectional traceability between requirements, software design artefacts, source code and tests should be established. Such an approach not only ensures that all security requirements are fulfilled, but also that there is no surplus code offering aggressors “back door” access to critical code.

3 Sections

Pen testing and the Secure Software Development Lifecycle

Penetration (or pen) testing is an example of a black box DAST (Dynamic Application/Analysis Security Test). It involves software security experts trying to exploit application code either manually or automatically. Although a traditional approach to software security and one which provides no direct insight into the application source code, pen testing remains a key component of the Secure Software Development Lifecycle (SSDLC).

3 Sections

Securing the Industrial Internet of Things

The “Industrial Internet of Things” (IIoT) is a virtual connection of data from people, processes, and things. It promises a world of convenience, efficiency, and economic opportunity to all manufacturing industry. But history has taught us that where society makes changes for the benefit of the majority, we must always be wary of the “touch of human weakness” - opportunists amongst us who will seek to disrupt it or to take dishonest advantage of it. Learn how secure application code is a vital component of any secure IIoT application, including IIRA and RAMI 4.0 compliant applications.

8 Sections

Endpoints and IOT security

Search in any browser for “IoT security”, and the results will most likely reference security frameworks, IoT and OT monitoring, data protection, hardware devices, and middleware. But amidst all of this very useful technology it is easy to overlook the endpoints – the physical computing devices that perform a function or task as a part of an internet-connected product or service, such as wearable fitness devices, industrial control systems, automotive telematics units, and home heating thermostats. Secure endpoint software development is a key component of any defence in depth strategy.

2 Sections

Defence in depth

Defence in Depth describes an approach to security in which a series of defensive mechanisms are layered in order to protect valuable data and information, such that if one mechanism fails, another can be relied upon to thwart an attack. Learn more of the role of secure application code as part of a defence in depth strategy.

3 Sections

Embedded Systems and Security Maturity Models

Although there are growing numbers of standards offering guidance on security issues, few provide an adequate measure of the security measures themselves. Security Maturity Models enable communities to evaluate their current status and provide a framework for them to design a programme to improve their security posture, and are sufficiently adaptable to be applicable to both embedded and enterprise computing alike.

5 Sections

CERT Secure Coding Practices

Recognised as a trusted, authoritative organisation dedicated to improving the security and resilience of computer systems and networks, the CERT (Computer Emergency Readiness Team) Division of the Software Engineering Institute (SEI) has nominated a total of 12 key secure coding practices – a “top ten”, more recently supplemented by two “bonus practices”. Adherence to these practices is key to the successful implementation of the secure software development lifecycle (SSDLC).

7 Sections

Blaster Worm: A vulnerability case study

One of the most high-profile security threats in recent times was the Blaster worm, which was first seen on July 14, 2003, infected at least 100,000 Microsoft Windows systems, and cost millions in damage. According to some commentators, the W32.Blaster worm may have contributed to the cascading effect of the blackout in the US north-east that year.

This paper explains how SAST (Static Analysis/Application Security Test) tools can help you find such security vulnerabilities early in the secure software development lifecycle (SSDLC), minimizing opportunities for bad actors when the software is deployed.

5 Sections

SSDLC: A proactive approach to secure software development

Connected systems underpin the drive for technological development in many domains such as aerospace, defense, automotive, healthcare and industrial control. When networked together, intelligent electronic devices form smart systems that impact almost all aspects of our lives. Security is critical, and cannot be an afterthought. To be optimal it must be designed in.

4 Sections

DAST - Dynamic Analysis/Application Security Test

Dynamic Analysis (or Application) Security Test - DAST for short - is a key component of the secure software development lifecycle (SSDLC). It provides evidence of adherence to security requirements and a rigorous and thorough test of potential vulnerabilities. Unlike static analysis, it exercises part or all of the application, usually on the target device for which it was developed.

6 Sections

DENSO - Case Study

DENSO, a leading supplier of advanced automotive technology, systems and components for all the world’s major automakers, operates in 32 countries and regions with more than 112,000 associates. Through the deployment of the LDRA tool suite DENSO's Electronic Systems Business Group has been able to apply a uniform set of analysis techniques and standards for each software platform which has, in turn, provided significant cost and time savings for current and future projects.

4 Sections

Addressing your insecurities with CERT C

Secure coding standards make a vital contribution to any SAST regime, and represent a key component of any successful secure software development lifecycle (SSDLC). Learn how best to apply the CERT C Coding Standard, which consists of a set of guidelines designed to assist in the development of safe, reliable, and secure systems, and was developed by the renowned Computer Emergency Response Team (CERT) division of the Software Engineering Institute (SEI).

5 Sections

ISO 26262 Technical Overview

There is an ever-widening range of automotive electrical and/or electronic (E/E/PE) systems such as adaptive driver assistance systems, anti-lock braking systems, steering and airbags. Their increasing levels of integration and connectivity provide almost as many challenges as their proliferation, with non-critical systems such as entertainment systems sharing the same communications infrastructure as steering, braking and control systems. Read how the resulting need for exacting functional safety development processes is fulfilled by ISO 26262, from requirements specification, design, implementation, integration, verification, validation, and through to configuration.

4 Sections

An Introduction to Automated MISRA C:2012 Analysis and Review

MISRA C has always been designed to support the development of all critical applications. These include functionally safe applications in accordance with standards such as ISO 26262, IEC 61508 and DO-178C, and secure applications as part of a SAST regime. Although it has become much more user-friendly in recent years, enforcing it manually would be impossibly difficult and time-consuming. This video explains how automated code review is initiated, and how reported violations can be understood and corrected.

Checking for MISRA C:2004 and MISRA C++:2008 Compliance

MISRA coding standards have always been designed to support the development of all critical applications. These include functionally safe applications in accordance with standards such as ISO 26262, IEC 61508 and DO-178C, and secure applications as part of a SAST regime. Although they have become much more user-friendly in recent years, enforcing them manually would be impossibly difficult and time-consuming. This video explains how automated code review is initiated, and how reported violations can be understood and corrected.

Leveraging Automated Code Review with C++

The C++ language includes features that are prone to error - a problem for any functionally safe or secure system development. To counter that, "coding standards" or "language subsets" can be used in accordance with a functional safety standard (ISO 26262, IEC 61508, DO-178C...) or as part of a SAST regime to reduce the opportunity for mistakes by restricting the use of those features. Referencing the JSF ++ and MISRA C++:2008 subsets of the C++ language, this presentation gives a practical overview of how deviations from a standard can be identified and addressed using an automated code review process.

Automated Code Review with C

The C language includes features that are prone to error - a problem for any functionally safe or secure system development. To counter that, "coding standards" or "language subsets" can be used in accordance with a functional safety standard (ISO 26262, IEC 61508, DO-178C...) or as part of a SAST regime to reduce the opportunity for mistakes by restricting the use of those features. Referencing the MISRA C:2004 subset of the C language, this presentation gives a practical overview of how deviations can be identified and addressed using an automated code review process, how baselines can be used to monitor progress, and how a custom coding standard can be created.

IBM Rational DOORS: Automated Traceability Between Requirements, Source Code, and Tests

The IBM Rational DOORS ALM tool provides facilities for the careful management and monitoring of all aspects of software development and completing the phases of design, development, testing, deployment, and ongoing enhancements. However, ALM tools in general rely on manual intervention to collate information on code development, verification and validation. This overview presentation shows how the collation of that information can be automated, making for a more seamless and less error prone solution.

Siemens Polarion REQUIREMENTS: Automated Traceability Between Requirements, Source Code, and Tests

The Siemens Polarion REQUIREMENTS ALM tool provides facilities for the careful management and monitoring of all aspects of software development and completing the phases of design, development, testing, deployment, and ongoing enhancements. However, ALM tools in general rely on manual intervention to collate information on code development, verification and validation. This overview presentation shows how the collation of that information can be automated, making for a more seamless and less error prone solution.

Jama Connect: Automated Traceability Between Requirements, Source Code, and Tests

The Jama Connect ALM tool provides facilities for the careful management and monitoring of all aspects of software development and completing the phases of design, development, testing, deployment, and ongoing enhancements. However, ALM tools, in general, rely on manual intervention to collate information on code development, verification, and validation. This detailed presentation shows how the collation of that information can be automated, making for a more seamless and less error-prone solution.

Automated Dynamic Analysis and Unit Testing with the IAR Embedded Workbench

Functional safety standards (ISO 26262, IEC 61508, DO-178C etc.) often require that the test environment for software unit (low-level), integration and system testing reflects the target environment. Best practice in the development of secure applications for all DAST techniques would echo that recommendation, and in both cases the most thorough way of achieving it is to perform the tests on the target itself. This detailed presentation shows how an automated integrated environment provides an efficient and effective path to the achievement of that objective, where the development environment used with the target is the IAR Embedded Workbench.

Automated Dynamic Analysis and Unit Testing with TI Code Composer Studio V5

Functional safety standards (ISO 26262, IEC 61508, DO-178C etc.) often require that the test environment for software unit (low-level), integration and system testing reflects the target environment. Best practice in the development of secure applications for all DAST techniques would echo that recommendation, and in both cases the most thorough way of achieving it is to perform the tests on the target itself. This detailed presentation shows how an automated integrated environment provides an efficient and effective path to the achievement of that objective, where the development environment used with the target is the TI Code Composer Studio v5.

SAE J3061 and ISO 26262? They're Made for Each Other

SAE J3061 provides an engineering process to design and build cybersecurity into vehicle systems in a comprehensive and systematic way, to monitor for and respond to incidents in the field, and to address vulnerabilities in service and operation. This document describes how that process relates to the ISO 26262 functional safety standard in the context of automotive software systems.

13 Sections

Automated Static Analysis, Dynamic Analysis and Unit Testing with the Eclipse-Based TI Code Composer Studio V6

Functional safety standards (ISO 26262, IEC 61508, DO-178C etc.) often require that the test environment for software unit (low-level), integration and system testing reflects the target environment. Best practice in the development of secure applications for all DAST techniques would echo that recommendation, and in both cases the most thorough way of achieving it is to perform the tests on the target itself. This detailed presentation shows how an automated integrated environment provides an efficient and effective path to the achievement of that objective, where the development environment used with the target is the TI Code Composer Studio v6.

Code Coverage and Static Analysis with Independence in the MathWorks Simulink Environment

Model based development offers many advantages to developers of functionally safe and secure software. There are some caveats however, as highlighted (for example) by ISO 26262:2018 which suggests that "In comparison to a traditional development process where lifecycle data are separated, a stronger coalescence of the phases ... may occur. The potential benefits of this approach ... are appealing, but this approach may also introduce issues causing systematic faults". This overview presentation describes an approach to testing that is integrated with the modelling tool but at the same time is independent from it, helping to offset the concerns with regards to systemic failure.

Leveraging Static and Dynamic Analysis to Improve Confidence in Software Of Unknown Pedigree (SOUP)

Not everyone has the luxury of working with code developed in accordance with clearly defined requirements, coding standards, a well-controlled development process, and a coherent test regime. Legacy code, for example, is often a proven and valuable asset but has often not been developed in accordance with current best practice. This video explains how automated test tools can help to get a better understanding of legacy code, for it to then be used as a basis for further development.

Improving Confidence in Software Of Unknown Pedigree (SOUP)

Not everyone has the luxury of working with code developed in accordance with clearly defined requirements, coding standards, a well-controlled development process, and a coherent test regime. Legacy code, for example, is often a proven and valuable asset but has often not been developed in accordance with current best practice. This video explains how automated test tools can help to get a better understanding of legacy code, for it to then be used as a basis for further development.

4 Sections

Automated Dynamic Analysis and Unit Testing with QNX Momentics

Functional safety standards (ISO 26262, IEC 61508, DO-178C etc.) often require that the test environment for software unit (low-level), integration and system testing reflects the target environment. Best practice in the development of secure applications for all DAST techniques would echo that recommendation, and in both cases the most thorough way of achieving it is to perform the tests on the target itself. This detailed presentation shows how an automated integrated environment provides an efficient and effective path to the achievement of that objective, where the Eclipse-based QNX Momentics development environment is used with the target.

Leveraging Automated Tools to Satisfy the Demands of AUTOSAR, MISRA and ISO 26262

Since December 2017, two reference architectures have been available from the AUTOSAR organisation. The Classic Platform is AUTOSAR’s established solution for embedded systems with hard real-time and safety constraints, first published in 2005, while the Adaptive Platform is their more recent solution for high-performance computing ECUs to build safety-related systems for use cases such as highly automated and autonomous driving. This technical briefing provides an overview of how an integrated suite of tools can ease the path to compliance not only with the AUTOSAR architectures themselves, but also with ISO 26262 and MISRA C (Classic Platform) or ISO 26262 and AUTOSAR C++ (Adaptive Platform).

13 Sections

ISO 26262 a Pain in the ASIL?

There is an ever-widening range of automotive electrical and/or electronic (E/E/PE) systems such as adaptive driver assistance systems, anti-lock braking systems, steering and airbags. ISO 26262 “Road vehicles – Functional safety” was published in response to this explosion in automotive E/E/PE system complexity, and the associated risks to public safety. This document presents an overview of the role of static analysis, dynamic analysis and requirements traceability in the context of the standard.

9 Sections

The Importance of Test Component Reuse in Testing Safety Compliant Systems

There has been significant recent growth in electronic complexity and the amount of embedded software in products, and in many of them there is the potential for software flaws to potentially be life-threatening. The reuse of test components represents one methodology that can help to ensure efficient and complete testing while also saving time and cost. This discussion explains how both National Instruments and the LDRA tool suite can be used to implement test component reuse and how this can benefit development of products for safety critical systems.

4 Sections

Automated Static Analysis, Dynamic Analysis and Unit Testing in the Eclipse Environment

Functional safety standards (ISO 26262, IEC 61508, DO-178C etc.) often require that the test environment for software unit (low-level), integration and system testing reflects the target environment. Best practice in the development of secure applications for all DAST techniques would echo that recommendation, and in both cases the most thorough way of achieving it is to perform the tests on the target itself. This detailed presentation shows how an automated integrated environment provides an efficient and effective path to the achievement of that objective, where an Eclipse-based development environment is used with the target.

Satisfying the Demands of AUTOSAR, MISRA and ISO 26262

This document focuses on how an integrated and comprehensive set of tools such as the LDRA tool suite® can help ease the development path of AUTOSAR applications for the Classic and Adaptive Platforms.

7 Sections

Pen