
Source Code Analysis Laboratory (SCALe) Demo: Running Fortify

David Svoboda, CERT® Software Security Engineer demonstrates the Source Code Analysis Laboratory (SCALe): Running Fortify. We do research and development to create tools to support creation of secure code right from the start, and analytical tools to detect code vulnerabilities. We also work with the software development and security communities to research and develop secure coding standards for commonly used programming languages and for smartphone platforms (Android, iOS, Win8). http://www.sei.cmu.edu/legal/index.cfm
Text Comments (7)
Anupam Saha (4 months ago)
Can you tell me how it is different from Parasoft C/C++ test? We are currently using Parasoft and looking at Fortify for potential better outputs.
SCALe is a static analysis alert auditing framework; it is not a static code analyzer. SCALe takes as input the output of static analysis flaw-finding tools, and SCALe provides a GUI for analyzing alerts and making determinations (e.g., true or false) and can export the audit project to a database. Some versions of SCALe can use the output of Parasoft and Fortify, but not the current GitHub version. Organizations that are interested in using SCALe with Parasoft or Fortify (and some other proprietary static analysis tools) and that have their own license for those tools can contact CERT about possible sharing of compatible versions of SCALe.
jarheadlulu (1 year ago)
Hi, thanks for sharing the video. I am just wondering: during the scan, do we need to keep the internet connection or not? Is the scan done according to rules on an HP server, or are the rules stored locally somehow?
Andrew Earle (11 months ago)
No internet connection required. Everything occurs locally on a machine with the Fortify SCA application, its rules, and the target application.
SCALe's platform support depends not on SCALe itself, but on which static-analysis tools (including compilers) you choose to use to analyze your software. The tools that SCALe publicly supports are designed for general desktop development on Windows and Linux. However, SCALe is designed so that adding support for new static-analysis tools is easy. In fact, last year we added support for a commercial embedded-systems compiler for a client. The work took about half a day, and most of that time was spent mapping the compiler's diagnostic output to CERT Secure Coding rules*1. Furthermore, the client learned how to extend SCALe to support other compilers, or future versions of their compiler. *1 https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard
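As an added illustration of the workflow described in the replies above (this is not SCALe's own code), the Python sketch below parses constructed GCC-style diagnostics, maps each warning flag to a CERT C rule through an assumed lookup table, attaches an audit determination field to every alert, and exports the project to SQLite. The sample diagnostic lines and the flag-to-rule table are assumptions made for the example.

```python
import re
import sqlite3
from dataclasses import asdict, dataclass
# Constructed GCC-style diagnostics standing in for a tool's raw output.
RAW_OUTPUT = """\
src/parse.c:42:9: warning: 'buf' is used uninitialized [-Wuninitialized]
src/net.c:17:5: warning: format not a string literal [-Wformat-security]
src/util.c:88:3: note: in expansion of macro 'LOG'
src/main.c:10:1: warning: unused variable 'tmp' [-Wunused-variable]
"""

# Assumed flag -> CERT rule table; curating this from the CERT wiki is the
# mapping work the reply above describes as taking most of the half day.
FLAG_TO_CERT = {"-Wuninitialized": "EXP33-C", "-Wformat-security": "FIO30-C"}

DIAG_RE = re.compile(
    r"^(?P<path>[^:]+):(?P<line>\d+):\d+: warning: (?P<msg>.*?)"
    r"(?: \[(?P<flag>-W[\w-]+)\])?$"
)

@dataclass
class Alert:
    path: str
    line: int
    message: str
    flag: str
    cert_rule: str                    # "" when no CERT rule is mapped
    determination: str = "unaudited"  # auditor later sets "true" / "false"

def parse_alerts(text: str) -> list:
    """Parse raw diagnostics into alerts; 'note:' lines are skipped, unmapped warnings kept."""
    alerts = []
    for raw in text.splitlines():
        m = DIAG_RE.match(raw)
        if m:
            flag = m["flag"] or ""
            alerts.append(Alert(m["path"], int(m["line"]), m["msg"], flag,
                                FLAG_TO_CERT.get(flag, "")))
    return alerts

def export_project(alerts: list, db_path: str = ":memory:") -> int:
    """Export the audit project to SQLite; returns the number of rows stored."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS alerts (path, line, message, flag, cert_rule, determination)")
    con.executemany("INSERT INTO alerts VALUES "
                    "(:path, :line, :message, :flag, :cert_rule, :determination)",
                    [asdict(a) for a in alerts])
    con.commit()
    return con.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]
```

Unmapped warnings stay in the project with an empty rule so the auditor can still see and triage them, which mirrors the point that SCALe audits whatever the underlying tool emits rather than analyzing code itself.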
Dmitry Ponyatov (1 year ago)
Are any special options available for using SCALe for embedded development: cross-compiling to run on (1) low-memory devices starting from 4K+ RAM (AVR8, Cortex-M), and (2) embedded Linux (MIPS primarily, ARM/Cortex-A, x86)? Hard real-time constrained applications.
Dmitry Ponyatov (1 year ago)
Should check MISRA C/C++ and CERT safe code standards.
