Tag Archives: Cloud

Get Started with Free Service Virtualization

Free service virtualization, sounds great! Whenever you hear free, should get nervous, I know that I do. After I wrote this title I looked at it and immediately hated it. But here’s the thing – at my day job at Parasoft we’ve just taken one of our really great products, Parasoft Virtualize, and made a free “community edition” version of it.

So who needs this and why should you care about it? Well software applications have gotten a lot more complex in the last decade. Time was you had a simple monolithic desktop application and that’s all you had to worry about. Some of them had a little connectivity, like to a database or maybe simple external dependencies, but mostly they stood on their own. Today’s “applications” look more like systems or even systems-of-systems. It’s not uncommon to have a relatively small core application but surrounded by a plethora of dependencies like databases, cloud APIs to provide data, shipping services, payment services and even connections to physical devices in the real world – the Internet of Things or IoT.

That’s where the “service virtualization” technology comes in. I know, I know, it’s a horrible name and it’s already caused you to think it’s something other than what it is. Nothing I can do about it, that name is in use by the analysts and I have no control over it. I think of it more like “communication emulation” in that it emulates the communication. Think of it this way, instead of APIs linked into an application as part of the compilation processed, we now have services that are accessed live dynamically – meaning we talk to them and they talk to us. Even in the IoT world of SmartHome or SmartFactory or SmartCity it’s all about pieces talking to each other. This gives as remote info, remote control, and even some degree of autonomous decision making – like the NEST thermostat. Initially I used the app to control the thermostat to my liking, now it just figures out what I was doing and mostly does it for me.

Testing these kinds of systems is a huge pain. You need a test lab that has one of everything you’re connecting to. If you’re updating some of them, then you need a lab with the old one AND the new one – like a new version of Oracle or MySQL. Setting up the lab costs time and money, and then I have to fight with other teams to use it. Service Virtualization let’s me make fake (virtual) versions of the things I depend on, and then use them to test instead of needing the real thing.

This not only makes it faster/easier/cheaper to test, but it frees IT to do other important things. Plus I can make these virtual things behave how I want them to – if I want them to flood the network, they will. If I want them to be fast or slow to respond, I can do that. If I want one of them to be a bad actor and pretend it’s been compromised, no problem. My testing will be more thorough in addition to easier.

Once you realize that service virtualization technology is for you, the next step is to choose a tool. Lot’s of people instantly go check open-source, because of course it “doesn’t cost anything”. I’ve done a pretty thorough check of all open-source SV tools and at the moment they’re only really useful if your whole world is centered in http/https. Even then there are lots of other features like using a UI to create, manage, and deploy the virtual assets. So now that Parasoft created a free version, why not see what commerical software offers you? You can download it here.

Try it, you’ll like it.

Does Cloud Change Static Analysis

Look, we all know that using static analysis tools can be a real pain. In the past I’ve talked about some of the reasons people struggle with the output of AppSec tools. Similarly people struggle with using static code analysis. I even did a poll about static analysis challenges at one point.

From the feedback I’ve gotten, it seems that some people think that doing static analysis via SaaS (IE the cloud) would address the problems I’ve discussed. There are real challenges in getting the most out of your static analysis, but the claim that somehow cloud will solve them is ridiculous marketing hype – why would it change at all? Why should developers even be able to tell the difference? It doesn’t address any of the core issues. There are benefits you can get from using cloud for your static analysis aka Static Analysis as as Service (SAaaS?) such as reduction of up-front costs, saved IT costs, and easy deployment. But the most common problems are the same whether you run the tool in-house or use a service.

The core problem I mentioned was really getting developers to buy-in. They need to believe in the results because they need to fix them. Once the developers start picking and choosing what to fix, you’ve lost. They’ll spend countless hours challenging results and explaining why they’re not important – the inappropriately labeled “false positive“. Changing the method or location of how you run static analysis may have ramifications on the overall process, but it will in no way affect how developers perceive the results.

Getting the static analysis tool running is one of the first steps in a successful rollout, but from there you’ve got to do several things to make sure that you’ll get the value you expect.

Static Analysis Policy

It begins with having a clear static analysis policy. The policy should include when static analysis must be run and when it can be skipped. It also needs to cover when suppressions are acceptable, how severity level affects fix now vs fix later, what rules you must run, and how to handle legacy code. Legacy is one of the big problems – do you fix everything in your code regardless of age? Can you just fix it when you happen to be editing one of the old files? Should you only run static on the code you actually change in old files? These are real issues that will occur when you deploy and if you don’t decide what is proper, each developer will do their own thing.

Training

Developers need to be trained to use static analysis. Usually people remember to train on the mechanics of the tool, but not the further training that ensures success. Developers need to know when/how to suppress – does it go into the code or into an external system? They need to know how to find out more information about the problem. They need to understand what the severity levels mean and how it will affect their decisions.

It’s important as well that they understand the ramifications of a particular error. I’ve repeatedly had the experience of a team claiming a static analysis error was invalid when it was actually a real serious problem that they didn’t understand. Heartbleed is a classic example of this behavior. Finally your training needs to shift the mindset of the users from “static finds bugs” to “static finds bad code”. This distinction is crucial to get the most value. The “bugfinder” rules in static analysis are the proverbial tip of the iceberg. They’re only a small part of the full value. The bigger value is the rich set of coding standards that represent hundreds of man years in crafting best practices that help you harden your code and avoid problems in the first place.

Persistent Static Analysis Suppressions

Suppression handling can make or break your project. The symptom of this is developers saying things like “I keep fixing the same things.” What they mean isn’t that they’re fixing them, but they keep seeing the same violation and tagging it as invalid or acceptable every time the tool runs or versions change. They understandably view this as a stupid tool.

There are two schools of thought on suppressions. One is that they belong in an external system, whether it’s the static analysis tool itself, a file in source control, or a spreadsheet. The other idea is that they belong in the code. There are advantages to both, but I prefer the “suppressions in code” method. The benefits of this are that you never end up with issues that cause old suppressions to come back, because they’re tightly coupled to the code. A secondary benefit is that suppressions will end up in source control, you’ll know who did them, when they’re done, and if they left a comment you’ll even know why. This is really important if you operate in a compliance environment like FDA, Aircraft/DO-178B/C, or Automotive ISO 26262.

Good documentation

I’ve alluded to the idea that the docs need to explain why a particular static analysis rule is important. I’ve got several things I look for in good tool documentation.

  • Example bad code
  • Example fixed code
  • Impact – what will happen if you don’t fix this violation
  • Possible security relevance
  • Resources to learn more
  • integration to IDE – right-click on a violation to see the docs

Summary

Getting your static analysis rollout right is crucial to your success. There are many options from on-premise to cloud-based and you should carefully weight the benefits of each approach. But don’t expect the cloud to solve all the challenges you’ll face. There is no substitute for a well-planned tool deployment.

Resources

Gartner AADI Conference

gartner aadi 2015

I’ll be attending the Gartner Application Architecture, Development & Integration Summit in Las Vegas next week Dec 2nd and 3rd. I’ll be in the Parasoft booth.

This is a great opportunity to learn how to best leverage coming opportunities in mobile, cloud, and internet-of-things (IoT). Lots of useful info and a chance to meet with some interesting vendors as well as the analysts from Gartner. Here’s a preview of the full agenda. Plus who doesn’t like hanging out in Vegas for a couple of days?

If you’re going to be there drop by the booth or shoot me a message and we can meet.

Cloud Security Article in CrossTalk

Pack Horse and Cowboy
Pack Horse

Crosstalk has just published an article I wrote on cloud security in the September/October 2013 issue. The article is titled “Cloud Shifts the Burden of Security to Development“.

The abstract reads: The move to the cloud brings a number of new security challenges, but the application remains your last line of defense. Engineers are extremely well poised to perform tasks critical for securing the application—provided that certain key obstacles are overcome.

The paper explores three ways to help development bear the burden of security that the cloud places on them:

  • Use penetration testing results to help engineers determine how to effectively “harden” the most vulnerable parts of the application.
  • Apply the emerging practice of “service virtualization” to provide engineers the test environment access needed to exercise realistic security scenarios from the development environment.
  • Implement policy-driven development to help engineers understand and satisfy management’s security expectations.

It’s an in-depth article with some practical suggestions for improving your code security in the cloud. If you’re not familiar with Crosstalk, it’s “The Journal of Defense Software Engineering” and is full of interesting articles but carries no advertising. Give it a try.