81 posts categorized "Test Tools"

11/25/2014

Where's The Action On Security Concerns?

Recognition of Software Security Issues Is High; Mitigation Is Not

I read an interesting report from Spiceworks recently about mobile security actions by IT departments, or perhaps, more accurately, their lack of action. The report, which is free to download, shows that nearly all IT professionals are worried about security risks affecting mobile devices supported by their company. However, this level of concern vastly outweighs the level of action their organizations have actually taken to lessen security threats.

This central finding, while disappointing, does not come as a surprise. Year after year, we see a persistent gap between awareness of the importance of software security and the steps taken to mitigate these issues. To help inform our analysis of the software and systems development market, VDC conducts an extensive end-user survey of the global development community. In 2014, only 7.7% of embedded engineers surveyed considered security “not at all important” on their current project; just 2% of enterprise/IT developers felt the same way. Yet 22% of the respondents in embedded and 12% from enterprise report that their organization has taken no actions in response to security requirements on their current project.

[Figure: ATVT security]

Need to Close the Awareness – Action Gap

The potential financial and safety impacts of software vulnerabilities have been clearly demonstrated by several recent and very public cases. Incidents such as those exposing customer data from major retailers and software-related automotive recalls can dominate news cycles, damage brand equity and, more importantly, risk lives.

A growing reliance on software for embedded device functionality and for managing financial data has raised the importance of actively addressing security considerations during software design. Unfortunately, the velocity of software innovation is outpacing the application of safeguards, and challenges continue to mount. Code base volume and complexity continue to rise. Development teams are increasingly utilizing alternative code sources, including open-source software, to meet their time-to-market windows. The number of potential entry points for malicious activity is increasing exponentially as more connected devices are deployed as part of the Internet of Things (IoT).

Teams designing software for the IT or embedded markets should start testing for security vulnerabilities early in the development lifecycle, when resolution is least costly. We recommend static and binary analysis as effective tools for finding the most common security defects, such as buffer overflows, resource leaks, and other vulnerabilities. Use of these solutions should be incorporated as part of a comprehensive testing regime. Undoubtedly, the ramifications of software vulnerabilities are too severe to leave to manual processes or chance.

 

More insight and Recommendations

For further investigation and discussion about this and other important trends in the automated test and verification tool landscape, as well as other disruptive shifts in systems lifecycle management, please see our 2014 Software and System Lifecycle Management (SSLM) intelligence service.

09/18/2014

Tasktop unveils new Tricentis offering

Yesterday, at Tricentis Accelerate 2014, Tasktop previewed an upcoming release of Sync featuring increased integration of the Tricentis Tosca Testsuite across multiple software delivery disciplines and tools. Tasktop’s Sync platform provides authoring tools for tasks, data, workflow connectivity and integration between multiple Application Lifecycle Management solutions. Its new partner, Tricentis, is known for its software testing solutions to accelerate business innovation. The partnership between Tricentis and Tasktop represents an exciting advancement along the path of broader Agile and DevOps adoption within the software development industry.

The two companies first partnered in February 2014 to provide a combination of Tricentis Tosca Testsuite and Tasktop Sync. The new software offers a means of automated functional testing in Testsuite and a platform for collaborating across the multiple disciplines of software development with Sync. The evolution of software development has exposed a clear problem: integrating tools across the software design process. The partnership of Tasktop and Tricentis is an example of one way of addressing this issue. Their tools enable collaboration and testing across different components, removing a disconnect that has hampered software development in the past. We think this software integration can help developers using Agile or DevOps methods to continue to deliver thoroughly tested solutions for customers more rapidly, ultimately lowering the risk of business failure.

 

Upcoming VDC Research reports

In the next few weeks, the VDC M2M and Embedded Software team will publish several reports analyzing important trends impacting the software and system development tool landscape such as the growing need for improved tooling integration. These reports, listed below, also provide VDC’s granular market estimates and growth forecasts through 2016.

  • Automated Test and Verification Tools
  • Software and System Modeling Tools
  • Requirements Management/Definition and Source/Change/Configuration Management tools

To learn more about the research and products offered by VDC Research’s Embedded Software & Tools practice, click here.

 

By Joseph Botsch, Research Assistant and

André Girard, Senior Analyst

 

08/07/2014

IoT Lessons from the Russian CyberVor Hacking

Widely reported during the first week of August was the revelation that a group of Russian hackers known as CyberVor had amassed a database of 1.2 billion usernames and passwords, as well as more than 500 million email addresses. The New York Times originally broke the story, based on findings from the firm Hold Security. Unlike the Target retail data breach of late 2013 and the more recent eBay breach, CyberVor’s loot is not the result of one or two large breaches, but rather a large number of breaches of all sizes. Hold Security says that the data came from 420,000 websites, ranging from large household-name dotcoms down to small sites. Most of the sites were breached using SQL injection techniques through malware infecting the computers of unwitting legitimate users.

Breaches of major websites or retailers tend to be highly concentrated, narrowly focused efforts, whereas the database collected by CyberVor appears to be the result of casting a very wide (bot)net, trawling the world wide web for anything the group could catch.

What lessons can the CyberVor revelation teach us (or reinforce) about the Internet of Things?

Lesson #1: No IoT site (either physical or virtual) is too small to be attacked. Many users are tempted to think, “Why would anyone bother to hack my little IoT network?” The answer is, “Because they can.”

Lesson #2: Even data that has little or no value to hackers on its own may have value when aggregated. If you think your data is worthless to others, you’re probably wrong. Big data is composed of a whole lot of little data.

Lesson #3: Authorized users or devices are not necessarily safe just because they are authorized. Follow the principle of least privilege, in which users or devices only have access to the minimum amount of data and system resources necessary to perform their functions.

Lesson #4: Monitor your networks for atypical or unexpected movements of data. This is challenging in practice, because valid usage occasionally may not follow past patterns. Nevertheless, at a minimum the system should have a way to throw up a red flag if a user or device is attempting to copy large portions of a database.
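One way to raise the "red flag" Lesson #4 asks for, as an added example that is not part of the original post: a sliding-window check that alerts when a single principal reads more than a set fraction of a table within a few minutes. The audit-log format, table sizes and thresholds are constructed assumptions.

```python
"""Lesson #4 in practice: flag a principal whose rows read inside a short
window approach a large fraction of a table. Added example over constructed
audit-log lines; the log format, table sizes and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp, principal, table, rows returned.
AUDIT_LOG = """\
2014-08-05T09:00:01 app-web customers 40
2014-08-05T09:00:07 app-web customers 25
2014-08-05T09:01:12 analyst customers 500
2014-08-05T09:03:40 app-web orders 12
2014-08-05T09:04:02 svc-backup customers 60000
2014-08-05T09:04:03 svc-backup customers 60000
2014-08-05T09:04:05 svc-backup customers 60000
2014-08-05T10:30:00 analyst customers 800
"""

# Constructed table sizes; in practice these come from the database catalogue.
TABLE_ROWS = {"customers": 200_000, "orders": 1_500_000}
WINDOW = timedelta(minutes=5)
FRACTION = 0.5      # reading half of a table inside one window is a red flag


def parse(log_text):
    """Turn the raw log text into (datetime, principal, table, rows) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, principal, table, rows = line.split()
        records.append((datetime.fromisoformat(ts), principal, table, int(rows)))
    return records


def bulk_read_alerts(records, table_rows=TABLE_ROWS, window=WINDOW, fraction=FRACTION):
    """Per (principal, table), sum rows returned inside a sliding window and
    alert once the sum exceeds `fraction` of the table. Returns sorted alerts."""
    by_key = defaultdict(list)
    for ts, principal, table, rows in sorted(records):
        by_key[(principal, table)].append((ts, rows))
    alerts = set()
    for (principal, table), events in by_key.items():
        limit = fraction * table_rows[table]
        start, total = 0, 0
        for ts, rows in events:
            total += rows
            while events[start][0] < ts - window:   # evict events older than the window
                total -= events[start][1]
                start += 1
            if total > limit:
                alerts.add((principal, table))
    return sorted(alerts)


if __name__ == "__main__":
    for principal, table in bulk_read_alerts(parse(AUDIT_LOG)):
        print(f"ALERT: {principal} read most of {table} within {WINDOW}")
```

The constructed backup account trips the rule exactly as the post warns legitimate usage sometimes will; an allow-list of known bulk jobs is the usual place to absorb that.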

Lesson #5: Don’t neglect the basics. SQL injection attacks as well as buffer overflows and cross-site scripting are common and easily preventable. Most software code analysis tools can check for vulnerabilities to such attacks early in the development process.
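Lesson #5's "easily preventable" is literal for SQL injection. As an added example that is not part of the original post, the same lookup is written twice against a constructed in-memory SQLite table: once by splicing input into the query text, once with a bound parameter, so the difference is observable.

```python
"""Lesson #5 in practice: the same lookup written with string formatting
(injectable) and with a parameterized query (not injectable), run against a
constructed in-memory SQLite table. Added example; the schema is an assumption."""
import sqlite3


def make_db():
    """Build a throwaway users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately injectable: the input becomes part of the SQL text, so a
    quote character in it changes the structure of the query."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the input travels as a bound parameter, never as SQL text,
    so it can only ever be compared as a literal string."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return row counts for a normal username and for the textbook tautology."""
    conn = make_db()
    crafted = "nobody' OR '1'='1"    # closes the literal, appends an always-true clause
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "normal_safe": len(lookup_safe(conn, "alice")),
        "crafted_vulnerable": len(lookup_vulnerable(conn, crafted)),   # every row leaks
        "crafted_safe": len(lookup_safe(conn, crafted)),               # no such user
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

Static analyzers of the kind the post recommends flag the first form precisely because tainted input reaches an SQL string; the second form is what they expect to see.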

Lesson #6: Conduct independent penetration tests on your devices and networks. If you think that your own engineers already have covered every possible attack vector, you’re probably wrong. You need outside eyeballs incentivized to find flaws without concern about stepping on coworkers’ toes.

And lastly, Lesson #7: At the risk of stating the obvious, encrypt your data. Any database that is accessible either directly or indirectly from the Internet is worth encrypting. Passwords in particular are keys to the kingdom. Protect them with salted hashing and strong algorithms. There is never a valid reason to store passwords in plain text.

If the websites breached by CyberVor already had learned these lessons, the hack wouldn’t even have been newsworthy.

For more insights into IoT security issues, check out VDC’s research program on Security & the Internet of Things.

02/21/2014

Is this a run on static analysis?

The static analysis solutions market is one of the most dynamic segments VDC’s embedded software team currently tracks. While still a relatively young and evolving technology, static analysis has rapidly become a standard -- perhaps even necessary -- element of the software development lifecycle. Software is emerging as the primary agent for differentiation and resource investment for more companies as they try to speed the delivery of innovative new solutions. The development of increasingly complex software needed for these devices and systems is accelerating growth of code quality and security issues that static analysis is designed to address. In parallel, there is a growing awareness of the potentially catastrophic impact of software failure. As a result, we expect static analysis tools to generate revenue growth exceeding many other tooling segments.

“Strong forecasted growth and the presence of several profitable, small, and privately owned companies among market leaders make the segment (static analysis) ripe for mergers and acquisitions.” - VDC Research, Strategic Insights 2013, The Global Market for Automated Testing and Verification Tools

Earlier this week Synopsys, a prominent supplier of electronic design automation and semiconductor IP solutions, announced it reached an agreement to purchase Coverity for approximately $375M (US).

The news is compelling for several reasons. Code analysis offerings of Coverity represent a logical expansion of the existing Synopsys portfolio into an adjacent technology area. The acquisition of Coverity would provide Synopsys with the leading vendor share position in the static analysis tool market, a segment expanding at a compound annual growth rate greater than 15%. Furthermore, the combined sales teams and existing customer bases should provide excellent opportunities for both Coverity and Synopsys to increase sales into new realms, primarily the semiconductor and ISV markets, respectively.

The Coverity acquisition by Synopsys should not be viewed in isolation. There was another acquisition of a leading code analysis supplier in January, when Rogue Wave Software purchased Klocwork. We see the opportunity for many of the same synergistic benefits in the Klocwork/Rogue Wave integration as in the Synopsys/Coverity combination. It will be interesting to see if these recent acquisitions provide the necessary impetus for more potential suitors to buy one of the remaining independent static analysis tool suppliers.

12/10/2013

Secure Your Software Supply Chain

The rapid growth in software-driven content for embedded devices is not new - nor is the recognition that connectivity and the Internet of Things are fundamentally changing the ways that OEMs deliver value to end clients.

The ways in which OEMs are responding to these new content and feature creation requirements, however, are adding new layers of complexity to the SDLC and new vulnerabilities to their products. While many engineering organizations are scaling internal software development efforts and receiving an increasing percentage of their code bases from third-party sources, they are often not placing proportional investments into their security and quality assurance processes and tools.

Code Sources

 

While there is no silver bullet to eliminate code defects and vulnerabilities, the best practices to develop high-integrity software are no secret either. Solutions like static analysis tools and premium requirements and variant management tools can help OEMs limit the introduction of some defects and identify many others in advance of product deployment. In an industry where connectivity and security risks are increasing dramatically with each product generation, engineering organizations must recalibrate their risk assessment calculus and prioritize software defect and security vulnerability mitigation.

Tomorrow, Wednesday December 11th, I will be digging more into these trends and challenges facing our industry during a webcast at 2pm ET, sponsored by Klocwork.

 

Register here: http://bit.ly/1hZoaGs

 

 

10/22/2013

Outsourced Code Development Driving Automated Test Tool Market

The M2M embedded software team here at VDC Research just published a new report, 2013 Automated Test & Verification Tools (ATVT), volume 3 of our Software & System Lifecycle Management Tools intelligence service. The report looks into the most critical trends and market drivers impacting the rapidly evolving use of dynamic test and static analysis tools in the embedded and enterprise/IT markets.

We expect revenues for several product segments within ATVT to expand at a double digit growth rate over the next several years, fueled by a number of factors.

One of the primary challenges fueling ATVT use is that code bases are expanding in size and complexity as software comes to account for an ever greater percentage of system value. Companies face increasing pressure to deliver more advances through software, and to do so faster. These organizations are looking to several strategies, such as off-shoring, to accelerate the pace of development while remaining within budget. Outsourcing embedded systems development gives them access to skilled engineers at the considerably lower labor rates found in the international labor market.



The challenge of coordinating geographically distributed development teams is one of the factors that we continue to see as a major driver for increased use of formal lifecycle management tools. Our research shows project teams with geographically distributed team members are more likely to use automated test tools than those all sharing the same location. We expect it will become increasingly critical for vendors to ensure their test platforms provide the reliable, scalable performance required to execute and manage tests for large installations across distributed geographic locations. There is opportunity for ATVT suppliers to increase revenue and gain market share by providing solution suites with the functionality these customers demand. Many of these organizations will need broader solution suites that enable creation of software code governance, policy definition, testing against those policies, and enforcement of quality, security and efficiency metrics.

More insight

For further investigation and discussion about these trends and others, please see our recently published report, 2013 Automated Test and Verification Tools, volume 3 of our 2013 Software & System Lifecycle Management Tools Market Intelligence Service. This report analyzes the emerging trends for commercially available testing tools, including static analysis, dynamic, and model-based tools. It also covers the previously mentioned tool types used for general software quality testing and defect detection as well as those used for application security testing and vulnerability management.

Please contact us for more information.

09/16/2013

Controlling Complexity with Automated Testing

The increase in the volume and complexity of software code in recent years is indisputable. Software has now become the most critical component for end product differentiation. It is likewise intuitively understood that it is, therefore, the most critical path within the product development cycle. Unfortunately, the larger, more complex software projects of today inevitably result in higher volumes of defects within these code bases.

More and more organizations are recognizing the need to identify critical quality, safety and security issues early in the lifecycle, where they are the least expensive to fix. The use of automated test and verification tools (ATVT) is a key part of the remediation solution.

Test tool use

VDC’s research verifies that automated testing tool use increases the frequency of defect detection in current projects. More importantly, the findings confirm that engineers using testing tools are more likely to find vulnerabilities and defects earlier in the development cycle than nonusers of the tools.

Interested in learning more about the trends impacting software engineering today and best practices for quality software development?

 

Listen to our webcast with Coverity tomorrow, Tuesday, September 17th at 8:30 AM PT / 11:30 AM ET

Register here

06/26/2013

Controlling In-Vehicle Innovation with IVI Design

Automotive differentiation is no longer driven by gears and grease. Electronic systems now control most aspects of a vehicle’s operation and the software within those systems has risen to account for an increasing share of their functionality and differentiation. Today, software content growth in the automotive industry continues to outpace most other embedded device classes. In no automotive sector is this trend more acute than in IVI.


The culture of conservatism, rooted in automotive’s safety-critical requirements, that has traditionally characterized the domain must adapt. The recent financial crisis was an unparalleled catalyst for such change. Entire supply chains followed the OEMs into bankruptcy. The remaining engineering organizations, many of which lack the level of development resources they had prior to the financial crisis, are being forced to reevaluate their incumbent development processes and tools in an effort to keep pace with the unabated growth in consumer expectations. In many cases, OEMs must be prepared to adopt new software development solutions to adequately address the complexities of UI design and consumer device integration.

VDC will be conducting a live webcast with IBM and Jaguar Land Rover on June 27th to discuss this emerging trend. Attendees will learn:

  • How open source technologies will impact tomorrow's automotive ecosystem
  • Why OEMs need to revisit their supply-chain strategies to promote new levels of collaboration and innovation
  • What new development solutions should be considered to adapt

When: June 27th, 11:00am ET / 2:00pm PT

Register: http://bit.ly/136NjqJ

05/22/2013

Got Ugly Code? Test to See if Quality Runs Deep

In today’s celebrity culture, inner beauty isn’t always a valued trait. But when it comes to embedded software development, beauty is truly on the inside. High quality, well-designed and reliable products necessitate high-quality and highly secure embedded software. Development Testing is one of the most effective ways to achieve this.

Development Testing is a rapidly emerging category, including a set of processes and software, designed to easily find and fix quality and security problems early in the development cycle, as the code is being written. All this serves to dramatically improve time to market, reduce development costs and improve customer satisfaction.

Join us at an exclusive event hosted by Coverity on June 12th in Cambridge, England. ip.access will share some of their experiences implementing advanced testing practices and I will discuss what our research says about the latest trends and techniques in embedded software development and quality assurance.

When: Wednesday, June 12th

Time: 09.30 – 14.00 with presentations between 10.00 and 12.30, followed by lunch.

Location: Fitzwilliam College, Storey’s Way, Cambridge CB3 0DG

Register: Click here

03/19/2013

Expect Quick Response to MISRA C: 2012

Introducing MISRA C: 2012

Yesterday, the Motor Industry Software Reliability Association (MISRA) announced the availability of MISRA C: 2012, an important update to the software development standard for the C programming language. Beyond providing support for the C99 version of C, the improvements also aim to reduce the cost and complexity required to achieve compliance.

VDC’s View

MISRA adoption has spread far and wide since being introduced in the 1990s to provide guidelines for the development of embedded software in the European automotive industry. Since that time, the value proposition of a standard set of quality assurance coding rules has resonated far beyond safety-critical applications. The MISRA standards are now often used by developers as a collection of best practices for coding across a range of industries that may not be subject to specific certifications.

[Figure: MISRA C]

VDC’s ongoing review of the engineering community continues to show more and more projects are being developed to some level of compliance with MISRA guidelines. Findings from our most recent Software and System Development Survey were gathered earlier this month. The results show 30% of engineers’ current projects are either fully MISRA C compliant or adhere to a subset of these rules (partially compliant). Full or partial MISRA C++ compliance was cited for 27% of current projects.

Given the widespread adoption of these process guidelines across multiple regions and vertical markets, you can expect the automated test and verification solution provider community to respond rapidly to the MISRA C: 2012 update.

Some, in fact, have already responded. LDRA, one of the leading suppliers of automated test and verification tools, announced availability of compliance tools for MISRA C: 2012 on the same day as the standard’s release. Expect more suppliers to follow suit.

More insight

For further investigation and discussion about the impact of process standards in the embedded and enterprise development markets, please see our 2012 Software & Systems Lifecycle Management Tools Market Intelligence Service.

The M2M Embedded Software team at VDC is in the process of updating this research for 2013. The first volume of the 2013 service, Software & System Modeling Tools, will be available in the next couple of weeks. Included with the purchase of these reports are the findings from VDC’s Software and System Development survey, which canvasses software developers and serves as the source of the figures used above.