79 posts categorized "Test Tools"

08/07/2014

IoT Lessons from the Russian CyberVor Hacking

Widely reported during the first week of August was the revelation that a group of Russian hackers known as CyberVor had amassed a database of 1.2 billion usernames and passwords, as well as more than 500 million email addresses. The New York Times originally broke the story, based on findings from the firm Hold Security. Unlike the Target retail data breach of late 2013 and the more recent eBay breach, CyberVor’s loot is not the result of one or two large breaches, but rather a large number of breaches of all sizes. Hold Security says that the data came from 420,000 websites, ranging from large household-name dotcoms down to small sites. Most of the sites were breached using SQL injection techniques through malware infecting the computers of unwitting legitimate users.

Breaches of major websites or retailers tend to be highly concentrated, narrowly focused efforts, whereas the database collected by CyberVor appears to be the result of casting a very wide (bot)net, trawling the world wide web for anything the group could catch.

What lessons can the CyberVor revelation teach us (or reinforce) about the Internet of Things?

Lesson #1: No IoT site (either physical or virtual) is too small to be attacked. Many users are tempted to think, “Why would anyone bother to hack my little IoT network?” The answer is, “Because they can.”

Lesson #2: Even data that has little or no value to hackers on its own may have value when aggregated. If you think your data is worthless to others, you’re probably wrong. Big data is comprised of a whole lot of little data.

Lesson #3: Authorized users or devices are not necessarily safe just because they are authorized. Follow the principle of least privilege, in which users or devices only have access to the minimum amount of data and system resources necessary to perform their functions.

Lesson #4: Monitor your networks for atypical or unexpected movements of data. This is challenging in practice, because valid usage occasionally may not follow past patterns. Nevertheless, at a minimum the system should have a way to throw up a red flag if a user or device is attempting to copy large portions of a database.
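The red flag Lesson #4 asks for can be a small rule over the database audit trail. The following is an added example, not code from the VDC post: it assumes (constructed for this example) that the database layer writes one line per query as `<ISO timestamp> user=<id> table=<name> rows=<count>`, and that a rough per-user baseline of rows read per hour is known. A user is flagged when a single query exceeds an absolute cap or when the rows read inside a sliding window exceed a multiple of that baseline.

```python
"""Added example (not part of the VDC post): flag users or devices that copy
large portions of a database, as Lesson #4 recommends.

Assumed (constructed) audit line format:
    <ISO timestamp> user=<id> table=<name> rows=<count>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines; not real data.
SAMPLE_LOG = """\
2014-08-05T09:00:12 user=api-web table=customers rows=25
2014-08-05T09:00:40 user=api-web table=customers rows=30
2014-08-05T09:01:05 user=report-svc table=customers rows=500
2014-08-05T09:02:10 user=api-web table=customers rows=22
2014-08-05T09:03:44 user=batch-export table=customers rows=400000
2014-08-05T09:04:01 user=batch-export table=credentials rows=350000
2014-08-05T09:05:30 user=api-web table=customers rows=18
"""

# Constructed baselines: rows per hour each account normally reads.
BASELINE_ROWS_PER_HOUR = {
    "api-web": 5000,
    "report-svc": 50000,
    "batch-export": 20000,
}
DEFAULT_BASELINE = 1000  # assumed for accounts with no recorded baseline


def parse_line(line):
    """Split one audit line into (timestamp, user, table, rows)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["table"], int(fields["rows"])


def find_bulk_readers(log_text, window=timedelta(hours=1), multiplier=5, absolute_max=250000):
    """Return {user: largest_flagged_row_count} for users who either ran a single
    query over `absolute_max` rows or read more than `multiplier` times their
    hourly baseline inside the sliding `window`."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    flagged = {}
    recent = defaultdict(deque)  # per-user queue of (timestamp, rows) inside the window
    for ts, user, _table, rows in events:
        if rows > absolute_max:
            flagged[user] = max(flagged.get(user, 0), rows)
        q = recent[user]
        q.append((ts, rows))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        total = sum(r for _, r in q)
        limit = BASELINE_ROWS_PER_HOUR.get(user, DEFAULT_BASELINE) * multiplier
        if total > limit:
            flagged[user] = max(flagged.get(user, 0), total)
    return flagged


if __name__ == "__main__":
    for user, rows in find_bulk_readers(SAMPLE_LOG).items():
        print("ALERT: %s read %d rows" % (user, rows))
```

Both thresholds matter: the absolute cap catches a one-shot dump regardless of who runs it, and the baseline multiple catches an account that drains a table in many smaller queries. The baselines here are constructed; in practice they come from the account's own history, which is why the text warns that valid usage will sometimes trip the rule.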

Lesson #5: Don’t neglect the basics. SQL injection attacks as well as buffer overflows and cross-site scripting are common and easily preventable. Most software code analysis tools can check for vulnerabilities to such attacks early in the development process.
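To make Lesson #5 concrete, here is an added example (not code from the VDC post) of the SQL injection pattern it calls easily preventable: a lookup that builds its query by string concatenation next to the same lookup using placeholder binding, run against an in-memory SQLite table with constructed rows. The string-built form is exactly what the code analysis tools mentioned in the lesson flag.

```python
"""Added example (not from the VDC post): a string-built SQL query beside its
parameterized fix, on an in-memory SQLite database with constructed rows."""
import sqlite3


def make_db():
    """Create an in-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defect: the caller's input is spliced into the SQL text, so quotes and
    # operators in the input change the query instead of being matched as data.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Fix: bind the value through a placeholder. The driver sends it as data,
    # so the query shape can never change whatever the input contains.
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that is not a real username
    print("vulnerable:    ", lookup_vulnerable(db, probe))
    print("parameterized: ", lookup_parameterized(db, probe))
```

With the constructed probe input the string-built version returns every email in the table, while the parameterized version returns nothing, because no account is literally named that.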

Lesson #6: Conduct independent penetration tests on your devices and networks. If you think that your own engineers already have covered every possible attack vector, you’re probably wrong. You need outside eyeballs incentivized to find flaws without concern about stepping on coworkers’ toes.

And lastly, Lesson #7: At the risk of stating the obvious, encrypt your data. Any database that is accessible either directly or indirectly from the Internet is worth encrypting. Passwords in particular are keys to the kingdom. Encrypt them with salted hash techniques and strong algorithms. There is never a valid reason to store passwords in plain text.

If the websites breached by CyberVor already had learned these lessons, the hack wouldn’t even have been newsworthy.

For more insights into IoT security issues, check out VDC’s research program on Security & the Internet of Things.

02/21/2014

Is this a run on static analysis?

The static analysis solutions market is one of the most dynamic segments VDC’s embedded software team currently tracks. While still a relatively young and evolving technology, static analysis has rapidly become a standard -- perhaps even necessary -- element of the software development lifecycle. Software is emerging as the primary agent for differentiation and resource investment for more companies as they try to speed the delivery of innovative new solutions. The development of increasingly complex software needed for these devices and systems is accelerating growth of code quality and security issues that static analysis is designed to address. In parallel, there is a growing awareness of the potentially catastrophic impact of software failure. As a result, we expect static analysis tools to generate revenue growth exceeding many other tooling segments.

“Strong forecasted growth and the presence of several profitable, small, and privately owned companies among market leaders make the segment (static analysis) ripe for mergers and acquisitions.” - VDC Research, Strategic Insights 2013, The Global Market for Automated Testing and Verification Tools

Earlier this week Synopsys, a prominent supplier of electronic design automation and semiconductor IP solutions, announced it reached an agreement to purchase Coverity for approximately $375M (US).

The news is compelling for several reasons. Coverity’s code analysis offerings represent a logical expansion of the existing Synopsys portfolio into an adjacent technology area. The acquisition of Coverity would provide Synopsys with the leading vendor share position in the static analysis tool market, a segment expanding at a compound annual growth rate greater than 15%. Furthermore, the combined sales teams and existing customer bases should provide excellent opportunities for both Coverity and Synopsys to increase sales into new realms, primarily the semiconductor and ISV markets, respectively.

The Coverity acquisition by Synopsys should not be viewed in isolation. There was another acquisition of a leading code analysis supplier in January, when Rogue Wave Software purchased Klocwork. We see the opportunity for many of the same synergistic benefits in the Klocwork/Rogue Wave integration as in the Synopsys/Coverity combination. It will be interesting to see if these recent acquisitions provide the necessary impetus for more potential suitors to buy one of the remaining independent static analysis tool suppliers.

12/10/2013

Secure Your Software Supply Chain

The rapid growth in software-driven content for embedded devices is not new - nor is the recognition that connectivity and the Internet of Things are fundamentally changing the ways that OEMs deliver value to end clients.

The ways in which OEMs are responding to these new content and feature creation requirements, however, are adding new layers of complexity to the SDLC - and vulnerabilities - to their products. While many engineering organizations are scaling internal software development efforts and receiving an increasing percentage of their code bases from third-party sources, they are often not placing proportional investments into their security and quality assurance processes and tools.

Exhibit: Code Sources

While there is no silver bullet to eliminate code defects and vulnerabilities, the best practices to develop high-integrity software are no secret either. Solutions like static analysis tools and premium requirements and variant management tools can help OEMs limit the introduction of some defects and identify many others in advance of product deployment. In an industry where connectivity and security risks are increasing dramatically with each product generation, engineering organizations must recalibrate their risk assessment calculus and prioritize software defect and security vulnerability mitigation.

Tomorrow, Wednesday December 11th, I will be digging more into these trends and challenges facing our industry during a webcast at 2pm ET, sponsored by Klocwork.

Register here: http://bit.ly/1hZoaGs

10/22/2013

Outsourced Code Development Driving Automated Test Tool Market

The M2M embedded software team here at VDC Research just published a new report, 2013 Automated Test & Verification Tools (ATVT), volume 3 of our Software & System Lifecycle Management Tools intelligence service. The report looks into the most critical trends and market drivers impacting the rapidly evolving use of dynamic test and static analysis tools in the embedded and enterprise/IT markets.

We expect revenues for several product segments within ATVT to expand at a double digit growth rate over the next several years, fueled by a number of factors.

One of the primary challenges fueling ATVT use is that code bases are expanding in size and complexity as software comes to account for an ever greater percentage of system value. Companies face increasing pressure to deliver more advances through software, and to do so faster. These organizations are looking to several strategies, such as off-shoring, to accelerate the pace of development while remaining within budget. This outsourcing of embedded systems development enables the use of skilled engineers available at the considerably lower labor rates found in the international labor market.

The challenge of coordinating geographically distributed development teams is one of the factors that we continue to see as a major driver for increased use of formal lifecycle management tools. Our research shows project teams with geographically distributed team members are more likely to use automated test tools than those all sharing the same location. We expect it will become increasingly critical for vendors to ensure their test platforms provide the reliable, scalable performance required to execute and manage tests for large installations across distributed geographic locations. There is opportunity for ATVT suppliers to increase revenue and gain market share by providing solution suites with the functionality these customers demand. Many of these organizations will need broader solution suites that enable creation of software code governance, policy definition, testing against those policies, and enforcement of quality, security and efficiency metrics.

More insight

For further investigation and discussion about these trends and others, please see our recently published report, 2013 Automated Test and Verification Tools, volume 3 of our 2013 Software & System Lifecycle Management Tools Market Intelligence Service. This report analyzes the emerging trends for commercially available testing tools, including static analysis, dynamic, and model-based tools. It also covers the previously mentioned tool types used for general software quality testing and defect detection as well as those used for application security testing and vulnerability management.

Please contact us for more information.

09/16/2013

Controlling Complexity with Automated Testing

The increase in the volume and complexity of software code in recent years is indisputable. Software has now become the most critical component for end product differentiation. It is likewise intuitively understood that it is, therefore, the most critical path within the product development cycle. Unfortunately, the larger, more complex software projects of today inevitably result in higher volumes of defects within these code bases.

More and more organizations are recognizing the need to identify critical quality, safety and security issues early in the lifecycle, where they are the least expensive to fix. The use of automated test and verification tools (ATVT) is a key part of the remediation solution.

Exhibit: Test tool use

VDC’s research verifies that automated testing tool use increases the frequency of defect detection in current projects. More importantly, the findings confirm that engineers using testing tools are more likely to find vulnerabilities and defects earlier in the development cycle than nonusers of the tools.

Interested in learning more about the trends impacting software engineering today and best practices for quality software development?

Listen to our webcast with Coverity tomorrow, Tuesday, September 17th at 8:30 AM PT / 11:30 AM ET

Register here

06/26/2013

Controlling In-Vehicle Innovation with IVI Design

Automotive differentiation is no longer driven by gears and grease. Electronic systems now control most aspects of a vehicle’s operation and the software within those systems has risen to account for an increasing share of their functionality and differentiation. Today, software content growth in the automotive industry continues to outpace most other embedded device classes. In no automotive sector is this trend more acute than in IVI.


The culture of conservatism, rooted in automotive’s safety-critical requirements, that has traditionally characterized the domain must adapt. The recent financial crisis imposed an unparalleled catalyst for such change. Entire supply chains followed the OEM leads into bankruptcy. The remaining engineering organizations, many of which lacked the level of development resources they had prior to the financial crisis, are being forced to reevaluate their incumbent development processes and tools in an effort to keep pace with the unabated growth in consumer expectations. In many cases, OEMs must be prepared to adopt new software development solutions to adequately address the complexities of UI design and consumer device integration.

VDC will be conducting a live webcast with IBM and Jaguar Land Rover on June 27th to discuss this emerging trend. Attendees will learn:

  • How open source technologies will impact tomorrow's automotive ecosystem
  • Why OEMs need to revisit their supply-chain strategies to promote new levels of collaboration and innovation
  • What new development solutions should be considered to adapt

When: June 27th, 11:00am ET / 2:00pm PT

Register: http://bit.ly/136NjqJ

05/22/2013

Got Ugly Code? Test to See if Quality Runs Deep

In today’s celebrity culture, inner beauty isn’t always a valued trait. But when it comes to embedded software development, beauty is truly on the inside. High quality, well-designed and reliable products necessitate high-quality and highly secure embedded software. Development Testing is one of the most effective ways to achieve this.

Development Testing is a rapidly emerging category, including a set of processes and software, designed to easily find and fix quality and security problems early in the development cycle, as the code is being written. All this serves to dramatically improve time to market, reduce development costs and improve customer satisfaction.

Join us at an exclusive event hosted by Coverity on June 12th in Cambridge, England. ip.access will share some of their experiences implementing advanced testing practices and I will discuss what our research says about the latest trends and techniques in embedded software development and quality assurance.

When: Wednesday, June 12th

Time: 09.30 – 14.00 with presentations between 10.00 and 12.30, followed by lunch.

Location: Fitzwilliam College, Storey’s Way, Cambridge CB3 0DG

Register: Click here

03/19/2013

Expect Quick Response to MISRA C: 2012

Introducing MISRA C: 2012

Yesterday, the Motor Industry Software Reliability Association (MISRA) announced the availability of MISRA C: 2012, an important update to the software development standard for the C programming language. Beyond providing support for the C99 version of C, the improvements also aim to reduce the cost and complexity required to achieve compliance.

VDC’s View

MISRA adoption has spread far and wide since being introduced in the 1990s to provide guidelines for the development of embedded software in the European automotive industry. Since that time, the value proposition of a standard set of quality assurance coding rules has resonated far beyond safety-critical applications. The MISRA standards are now often used by developers as a collection of best practices for coding across a range of industries which may not be subject to specific certifications.

Exhibit: MISRA C compliance
VDC’s ongoing review of the engineering community continues to show more and more projects are being developed to some level of compliance with MISRA guidelines. Findings from our most recent Software and System Development Survey were gathered earlier this month. The results show 30% of engineers’ current projects are either fully MISRA C compliant or adhere to a subset of these rules (partially compliant). Full or partial MISRA C++ compliance was cited for 27% of current projects.

Given the widespread adoption of these process guidelines across multiple regions and vertical markets, you can expect the automated test and verification solution provider community to respond rapidly to the MISRA C: 2012 update.

Some, in fact, have already responded. LDRA, one of the leading suppliers of automated test and verification tools, announced availability of compliance tools for MISRA C: 2012 on the same day as the standard’s release. Expect more suppliers to follow suit.

More insight

For further investigation and discussion about the impact of process standards in the embedded and enterprise development markets, please see our 2012 Software & Systems Lifecycle Management Tools Market Intelligence Service.

The M2M Embedded Software team at VDC is in the process of updating this research for 2013. The first volume of the 2013 service, Software & System Modeling Tools, will be available in the next couple of weeks. Included with the purchase of these reports are the findings from VDC’s Software and System Development survey, which canvasses software developers and serves as the source of the figures used above.

03/18/2013

VDC to Present Embeddy Awards Live at Design West

Want to see the latest technologies and tricks for embedded engineering? Head to Design West next month in San Jose, CA!

Contact us ASAP to schedule a meeting

VDC will be attending the Design West/ESC conference from Tuesday April 23 through Thursday April 25.

At the show, we will be presenting our 9th annual Embeddy Awards. The winners will be announced live during Thursday's morning keynote session.

So how can your company win the Embeddy award?

To be considered,

First, fill out this on-line form: http://svy.mk/WU0abA

You must also schedule a meeting with VDC to discuss the announcement that you are making at the show. You can arrange a meeting time with VDC by doing one of the following:

For Software and Tools related meetings

Contact Jared Weiner, Analyst, M2M Embedded Software & Tools at:
jweiner@vdcresearch.com or 508.653.9000 x143.

For Hardware related meetings

Contact David Laing, Senior Analyst, M2M Embedded Hardware Platforms at:
dlaing@vdcresearch.com or 508.653.9000 x146.

Haven't decided if you're attending DESIGN West yet?

Please check out the DESIGN West website for more information on the conference program as well as information on all of the companies that will be exhibiting. You can also click here to register.

We look forward to seeing you at the show!

12/31/2012

Embedded Security: The Bark is Bigger than the Bite, Part 1

Security has been top of mind with most executives of leading embedded suppliers who we spoke to in the past year. This should come as little surprise given the growing awareness of the potential impact of security breaches. As today’s devices and systems grow more complex and connected, this threat is growing exponentially. Time and again, we hear of some hacker or industrious engineering student demonstrating, either maliciously or as an educational warning, that a linked network may only be as secure as its most vulnerable element.

In a recent conversation with one of the foremost automated test and verification tool suppliers, an executive warned that while they hear overwhelming interest in security concerns across all verticals, actual investment in addressing the issue is not close to matching this professed concern.

Our findings do indeed confirm that within the Industrial Automation and Control (IAC) and Energy/Power industry, a distressingly high percentage of current projects involve no action to limit potential security issues.

Exhibit: Security actions taken

Just over 42% of the engineers responding from IAC and energy/power market indicate no proactive actions have been taken to address security concerns on their current project. The fact that 40% state their current project has no specific security requirements should offer little relief. Our research indicates that many projects without specific security requirements certainly ought to have them. Lack of security prevention or mitigation does not mean no security threat exists. What should also be alarming is the percentage of respondents “very confident” their security requirements would be met on their current project was in the single digits!

This represents a large, potentially lucrative market opportunity for suppliers of security solutions. But it should be unsettling to everyone else with even a passing understanding of the potentially catastrophic impact of vulnerabilities in these markets. Heard of Stuxnet anyone?


In the next couple of weeks, the Embedded Software team here at VDC Research finishes publication of a series of vertical market reports. These studies examine embedded developers’ demand and requirements for commercial OSs and software development tools within key vertical markets.

Volume 1, covering embedded software technologies in the Automotive vertical is available now. Volume 2, available later this week, looks into the Industrial Automation and Control (IAC) and Energy / Power industries. Data in the exhibit above is based on findings from this volume.

FOR MORE INFORMATION:

For more information on security findings, including statistics from other verticals, please take a look at part two of this discussion, coming here soon.