Code Quality - Security
Session Topics:
• Understand a few terms, terminologies, known issues and process problems
• Software security development cycle, leveraging tools and building effective processes.
• Example projects (open source and commercial)
Santhosh Kumar Edukulla
Burger King Site Hacked
Twitter hacked by Iranian Army
espn site hacked with unicorns
Few Numbers, Known Issues
• More than 70% of “targeted” attacks are application related, and among these web vulnerabilities are increasingly prevalent.
• espn, sony, ebay, yahoo, twitter, facebook, dropbox, microsoft … even google is not spared
Few Examples
Few Code Samples:
• All the samples shown are functionally wrong, and beyond that they lead to security issues.
• All these issues can be caught during code reviews, static analysis, or other code check processes.
Core pillars of information security (CIA)
• Confidentiality – only allow access to data for which the user is permitted
• Integrity – ensure data is not tampered with or altered by unauthorized users
• Availability – ensure systems and data are available to authorized users when they need it
In a typical SDLC, “Security starts from the requirements phase itself and it never ends…”
Principles of Information Security
• Minimize attack surface area
• Establish secure defaults
• Principle of least privilege
• Principle of defense in depth
• Fail securely
• Don’t trust services
• Avoid security by obscurity
• Fix security issues correctly
• Keep security simple
OWASP Top Web Vulnerabilities
OWASP urges all companies to be aware of these concerns within their organization and start the process of ensuring that their web applications do not contain these flaws.
• A1 Injection
• A2 Broken Authentication and Session Management
• A3 Cross Site Scripting (XSS)
• A4 Insecure Direct Object References
• A5 Security Misconfiguration
• A6 Sensitive Data Exposure
• A7 Missing Function Level Access Control
• A8 Cross Site Request Forgery (CSRF)
• A9 Using Components with Known Vulnerabilities
• A10 Unvalidated Redirects and Forwards
Code Quality : Functional (Vs) Non Functional
Definition of Quality: Broad… but it should not be limited to the functional quality of a software product.
Code Quality ~ (“reliability, efficiency, scalability, security, maintainability, readability”)
Application Security Responsibility
Definition: Broad…
Code Quality ~ (“reliability, efficiency, scalability, security, maintainability, readability”)
In abstract..
“Secure” your transports (TCP/UDP)
“Secure” your application layers (HTTPS)
“Secure” your data (resources, configurations, physical, virtual, sockets, files, users etc.)
“Secure” your code.
“Secure” your interactions.
Lock Everything…
Defense In Depth (SD, client, Server)
Layers of Defense
Typical User Process Space
Stack Smashing..
Stack Code Escalation
Code Quality : Goals and Objectives
• One of the key goals for every dev team should be to pass fewer bugs on to QA.
• One of the key goals for every dev team should be to have fewer design bugs reach production, with more of them identified during reviews.
• The number of issues identified during design and code reviews should be quantified with metrics against the total bugs for a release: how many of them were caught in Dev (Vs) QA, etc.
• The sign-off criteria for a build or feature should comprise design sign-off, code review sign-off, zero static analysis bugs, zero profiling bugs detected by the agreed-upon tool, etc.
• In fact, each sprint’s definition of done should and must be enforced by quality parameters.
Few Gates
• Effective SCM, commit process, defining check-in criteria
• Reviews and Walkthroughs (Design and Code)
• Effective code analysis (SAST/DAST), profiling techniques.
• Effective quality CI pipeline
Example 1: Code Quality
Open Source Apache Project: Designing HW Independent Code
Replace with simple simulator proxy
Process Improvements
1. CI cycle improvements.
2. Categorized the integration tests into “Self-Service” (Vs) “Hardware” dependent.
3. “Two” LGTMs (+1s) for every commit request. No “-1”.
4. 100% unit test coverage.
5. “0” slow static analysis and “0” full Coverity bugs.
6. New integration tests should be added if it is a new feature commit.
7. Integration test coverage should not regress from the previous level.
8. All Self-Service tests should pass 100%.
9. No new OWASP/security bugs found with the Sonar/Coverity rules engine.
10. Style and license checks should pass 100%.
11. A new feature design document should have at least “2 LGTMs”.
Tools Used
• Jenkins
• Git (SCM)
• Gerrit
• ReviewBoard (Code Review)
• Coverity, FindBugs, PMD for static analysis
• Jira (for bug tracking)
• JaCoCo, SonarQube for coverage analysis.
• Nose, coverage for integration tests.
Review and Check-In Sign-Off
Passed
Review and Check-In Sign-Off
Failed
Static Analysis: Identifying issues
Sample coverage report with Issues
Sample coverage report
Git - CI process flow Diagram
Code Coverage
What it is not for:
• It does not signify a quality “completeness” criterion.
• 100% coverage does not signify high quality and no bugs.
• Tools can report 100% coverage, but that still does not mean the code is fully covered.
What it is for:
• Finding “Covered” and “Uncovered” areas.
• Priority Vs Non-Priority Areas
• Priority Tests Vs Non-Priority Tests
Coverage Types
• Statement Coverage
• Decision Coverage
• Condition Coverage
• Multiple Condition Coverage
• Condition/Decision Coverage
• Modified Condition/Decision Coverage
• Path Coverage
• Function Coverage
• Call Coverage
• Linear Code Sequence and Jump (LCSAJ) Coverage
• Data Flow Coverage
• Object Code Branch Coverage
• Loop Coverage
• Race Coverage
• Relational Operator Coverage
• Weak Mutation Coverage
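The point the two slides above make, that every line being executed is not the same as every outcome of every condition being tested, worked as an added example that is not from the slides: a small Python harness measures statement coverage by tracing line events and condition coverage by recording each atomic condition's outcomes, run over a constructed authorization check. The function `is_authorized`, the `cond` helper and the test inputs are all constructed for this example.

```python
import dis
import sys
from collections import defaultdict

# Constructed example (not from the slides): an authorization check whose
# decision is a compound condition. A thin test set reaches every statement
# yet never exercises the "is_owner" condition being True.
CONDITIONS = ("is_admin", "is_owner")
OUTCOMES = defaultdict(set)  # condition name -> {True, False} outcomes observed


def cond(name, value):
    """Record the outcome of one atomic condition, then pass it through."""
    value = bool(value)
    OUTCOMES[name].add(value)
    return value


def is_authorized(user, resource):
    if cond("is_admin", user["is_admin"]) or cond("is_owner", resource["owner"] == user["name"]):
        return True
    return False


def run_with_line_coverage(func, calls):
    """Run func(*args) for each args tuple; return (lines hit inside func, results)."""
    code = func.__code__
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code is code:
            if event == "line" and frame.f_lineno > code.co_firstlineno:
                hit.add(frame.f_lineno)
            return tracer      # keep tracing this frame
        return None            # ignore frames of other functions (cond, etc.)

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        results = [func(*args) for args in calls]
    finally:
        sys.settrace(previous)
    return hit, results


def coverage_report(func, calls, conditions):
    """Statement coverage via line tracing plus condition coverage via cond()."""
    OUTCOMES.clear()
    hit, _ = run_with_line_coverage(func, calls)
    code = func.__code__
    # Executable lines of the function body, from the bytecode line table.
    executable = {ln for _, ln in dis.findlinestarts(code)
                  if ln is not None and ln > code.co_firstlineno}
    # Each atomic condition must be seen both True and False.
    missing = [(name, outcome) for name in conditions
               for outcome in (True, False) if outcome not in OUTCOMES[name]]
    return {
        "statement": len(hit & executable) / len(executable),
        "condition": 1 - len(missing) / (2 * len(conditions)),
        "missing_outcomes": missing,
    }


# Constructed test inputs: (user, resource) argument tuples.
THIN_TESTS = [
    ({"name": "root", "is_admin": True}, {"owner": "alice"}),      # admin short-circuits
    ({"name": "mallory", "is_admin": False}, {"owner": "alice"}),  # neither, denied
]
FULL_TESTS = THIN_TESTS + [
    ({"name": "alice", "is_admin": False}, {"owner": "alice"}),    # owner path
]

if __name__ == "__main__":
    print("thin:", coverage_report(is_authorized, THIN_TESTS, CONDITIONS))
    print("full:", coverage_report(is_authorized, FULL_TESTS, CONDITIONS))
```

The thin set reports 100% statement coverage while the ownership condition was never observed True, which is exactly the gap a line-based tool hides.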
Code Coverage
Typically code coverage has two components, viz.,
• Collection Component:
− JaCoCo for Java
− gcov for C/C++
− SonarSource C++ Component
− BullsEye
− Rational Purify Plus
• Analysis Component:
− SonarQube
− lcov with gcov output
− BullsEye
− Rational Purify Plus
Check-in Criteria.
• We had an integration of Coverity with our SVN server. Every check-in is first analyzed by an automatic Coverity run, and any check-in in which the marked checkers found high-severity bugs was not allowed in: the commit fails.
• We had Valgrind running at scheduled intervals on the build, emailing the list of issues and creating bugs automatically. Any issue reported on new check-ins is reverted automatically.
• Zero Coverity and Code Collaborator defects for check-in was adopted; otherwise the commit is not allowed, and this is automated.
• A failing sanity run through AutoBVT on the staging build will not push the commits to production.
• Production push happens automatically only when the staging build passes.
• Peer review sign-off for every check-in; in case of no sign-off, the commit will not get committed.
Design and Code Reviews
Tools Used: Code Collaborator, Review Board, Gerrit, GitHub
• Reviews Vs Walkthroughs.
• What is important is enforcing the reviews!!
Profiling and Dynamic Analysis
Tools Used: Rational Purify Plus, Coverity, Valgrind, gprof, VTune, OProfile etc.
• Valgrind: an effective memory analysis and debugging tool. It is not effective for analysing statically allocated memory, but for anything with dynamic memory allocation it is very effective. Its platform support is limited and not as extensive as Rational Purify Plus, but it is free and a lot of community and user support is available.
• Rational Purify Plus: supports lots of platforms, a wealth of documentation, good support, does static analysis and dynamic analysis, and provides coverage information as well, but is a little pricey :)
• Gprof with krprof: easily usable with the gcc toolchain on the fly, with a limited tool set. A common complaint about these tools is their excessive rate of false alarms and that the warnings they issue do not correlate very well with real defects.
To Summarize..
1. Don’t trust your inputs, don’t trust your code: validate any inputs from any sources.
Validate all input sources, e.g.:
• Browser input, headers, request parameters.
• Cookies
• Property files
• External processes
• Data feeds
• Service responses
• Flat files
• Command line parameters
• Environment variables
2. Follow an effective commit and build CI process.
3. Effective reviews, tools, coverage, sign-off criteria, early fixes.
4. Follow secure coding guidelines; many of them are available on the OWASP site.
5. Follow a threat model for your projects.
6. Agree upon an effective assurance level and get to it.
Code quality, in effect software security
-- Thank you
-- Q && A:
If (we know)
{
    “We will answer”;
}
else
{
    “Will find out”;
}
Santhosh Kumar Edukulla
