Static Application Security Testing
with CodeSonar

Cybersecurity Analyses

The accelerating M2M and IoT trends of connected systems are increasing security risks, and creating new development challenges by expanding the attack surfaces that cyber-criminals exploit.

As an embedded programmer today, you need to defend against highly advanced malicious attacks and cybercrime, such as command injections or format string attacks, by adopting a full-spectrum approach to securing your application. This requires that you test the source code of your application with static analysis, the execution of your application with dynamic analysis, and all third-party and open-source components and libraries with binary analysis.

Understand your Applications Interface Vulnerabilities with Visual Taint Analysis

Track down sources of tainted data using CodeSonar's code visualization system.

CodeSonar implements an analysis that tracks potentially hazardous data flows in code. The results of analyzing this "tainted data" can be viewed as an overlay directly on the code or superimposed on a high-level graphical visualization of the architecture of the program. This allows engineers to see those notoriously hard-to-find tainted data pathways.

By accelerating the speed and accuracy of pinpointing these flows, this technology helps find dangerous vulnerabilities that a cyber-criminal could exploit, including buffer over/underrun, command injection, SQL injection, and integer overflow of allocation size. To see tainted data analysis in action and learn more about tainted data, watch the video to the right.

Find Security Vulnerabilities quickly with CodeSonar Security Checkers

CodeSonar's advanced static analysis engine automatically detects over 100 types of security vulnerabilities in your code, allowing you to accurately and efficiently eliminate cybercrime risks of security breaches.

CodeSonar's warning classes also support several coding initiatives, including the CWE, in order to make compliance with industry standards efficient and effective during software development.

Common Weakness Enumeration (CWE)

GrammaTech's CodeSonar is certified as CWE-Compatible, recognizing that it supports the CWE to the highest level currently recognized by the organization.

The CWE is a list of software weaknesses and security vulnerabilities. This international list allows clear communication between different parties with interests in computer security, including researchers, tool designers, and users.

GrammaTech's CodeSonar provides checks that support most of BSI's rules. BSI is a software assurance initiative of the U.S. Department of Homeland Security. Among other things, they provide a set of C/C++ coding rules, with a focus on security.

Benefits of GrammaTech's embedded software security analyses

Comprehensive Application Security
CodeSonar’s embedded security analysis technology combines cutting edge cyber-security checkers and advanced analyses for identifying security defects, Common Weakness Enumeration (CWE) instances, violations of US CERT guidelines, and tainted information flow.

Protection Against Code Injections
CodeSonar’s industry-leading tainted data analysis allows you to efficiently find and eliminate dangerous information flows in your code.

Defense Against Compromised Third-Party Components
As more embedded systems become a collection of networked components, the possibility of your program being compromised by a component you aren’t responsible for is growing at an alarming rate. CodeSonar provides a definitive, auditable, and objective security analysis of your software outside any broader system it may become part of.

Reputation Defense
Improving the security of your software protects the reputation of your organization by securing customer data. The most sophisticated U.S. Government agencies rely on CodeSonar and other GrammaTech technologies to protect the data of citizens and the reputation of our government.