Tag: automated code review

CAST is pleased to announce the release of AIP 8.1, a continuation of the big step forward made in AIP 8.0. AIP 8.1 extends the functionality of Application Intelligence Platform to provide greater technology support, improved reporting and new code viewing capabilities in the Application Engineering Dashboard (AED).

 Java 8 Support

Java 8 is quickly being adopted by Java developers. CAST now fully supports Java 8 and can help you find flaws linked to the use of the very popular Java 8 lambda functions, among others.

Recently I had the pleasure of speaking at QAI QUEST 2016, which showcases the latest techniques for software quality measurement and testing. It was a content-rich program with more than three days of diving deep into issues like DevOps, Open Source, Security Mobile and more. But what struck me the most above all the event chatter is that even the brightest of companies are still having a difficult time identifying and fixing code quality errors.

We always hear about issues with systems, applications, or services caused by poor code quality or missed defects, but what happens when these problems become life threatening? Recently an article posted by npr discussed the early release of dangerous prisoners who are now being charged for murder. According to the article, Governor Jay Inslee of Washington State reported that more than 3,200 prisoners were released early due to a software defect.

The banking industry has definitely had its share of ups and downs when it comes to service reliability. In the past year, there have been a number of instances where customers have been unable to gain access to funds, receive deposits, and pay bills. As reported in an article by theguardian, HSBC experienced a system failure at the end of August, which left thousands of their customers in a bind over a major banking holiday.

With the advancements of both cloud and mobile technologies, security remains a hot topic for every company. The number of reported instances of security backdoors due to faulty code or hardware continues to stagger. A recent article by Wired has brought forth another one of these unfortunate issues for a big player: Juniper. This technology giant has been providing networking and firewall solutions to companies, corporations, and the government for a number of years.

As a leader in networking technology, the last thing you want to hear is that a tech powerhouse like Juniper has found an application security problem. Two security issues were identified after a code review session outside of the company’s normal evaluation cycle. Security continues to remain a primary concern as more companies, government agencies, and even individuals rely on technology providers to manage data or maintain smooth operations.

As reported in a recent article by InfoWorld, a high profile privacy driven smartphone provider located a security hole capable of exposing their devices to attacks. Blackphone is a specially designed smartphone developed by SGP Technologies, who operates as a subsidiary of Silent Circle. The phone uses VPN for Internet access and runs on a modified Android version titled “SilentOS”. A third-party component Silent Circle used as part of the device design was capable of exposing the secure smartphone to outside attacks.

What Was the Security Issue?

The vulnerability made it possible for an attacker to control the modem functions of the phone. Researchers brought this problem forth when they identified an open socket accessible on the phone during a reverse engineering exercise. Currently, Blackphone is one of the most secure phones on the market because it uses built-in encryption to deliver secure:

• Voice Calling
• Text Messaging
• Video Conferencing
• File Transfers

Software risks to the business, specifically Application Resiliency, headline a recent executive roundtable hosted by CAST and sponsored by IBM Italy, ZeroUno and the Boston Consulting Group.  European IT executives from the financial services industry assembled to debate the importance of mitigating software risks to their business.

Have you performed code analysis on your software recently? If not, you are in good company as many companies are failing to do the one thing that could improve their software security – making sure the software isn’t vulnerable to an attack to begin with.

Some among us may remember Earl Scheib who owned a chain of auto painting facilities; at least, that's what he called them. In actual fact, his shops were a national joke. In his TV commercials he would tell viewers, “I’ll paint any car for $99.95” and would promise one-day service. He did just that, but as the old saying goes, "You get what you pay for."

It’s not uncommon for organizations to hold onto their application software and IT systems longer than they should. This is particularly true for government agencies – Federal, state and local. When you combine an “if it ain’t broke, don’t fix it” mentality with budget cuts and comfort levels of staffers, there is little impetus for change.

Whenever a company chooses to outsource, there is a certain relinquishment of control. It is simply neither possible nor desirable to hold tightly to the reins of all aspects of an outsourced project. It stands to reason, therefore, that studies in the industry have revealed that many in IT management either are dissatisfied with their outsourcers or feel their outsourcers have “made up” work to pad their billings.

Outsourcing is not exactly a new idea. As far back as the 1950’s, companies that found they didn’t have the resources in-house to perform tasks began looking to other individuals and companies to fulfill their needs. It wasn’t until the late 80’s that outsourcing really began to take off as companies turned to “offshoring” of outsourced projects to countries such as China and India in order to take advantage of the savings in labor costs.

Whether it’s in sports, medicine, music or even a military operation, I’m a firm believer in the “best man for the job” concept. This is why Agile, or more specifically, Scrum development, sounds to me like a smart play for an organization.

Earlier this week, our own Jitendra Subramanyam joined industry luminary Capers Jones, Chief Scientist Emeritus of Software Productivity Research (SPR) to co-host a webinar on curbing application software outages like the ones seen in the financial sector over the past couple months. The webinar, titled “Stop High-Profile Outages by Quantifying Application Risks,” focused on the importance of static analysis of application software during the build and/or customization phases to identify potential issues than can them be fixed, preventing a future outage.

On the night of his ship’s maiden and lone voyage, the skipper of the Titanic saw the top of an iceberg, swerved  to avoid it, and in doing so piloted his ship’s hull directly into the monstrous portion of the iceberg that lied unseen beneath the surface of the ocean, tearing apart the “unsinkable” ship. Had he known what lied beneath the surface, his reaction likely would have been much different and could have yielded a very different, possibly positive result.

Industry data demonstrate that code reviews are highly effective.

Join me and Tony Timbol of David Consulting Group on Thursday, May 13 for a joint DCG-CAST Webinar.