Continuing to expand its footprint in the application security arena, Klocwork today released version 7.7 of its...
static code analysis product suite. Ease of use for the developer is the primary theme of this iterative release, according to Ian Gordon, vice president of product management for Klocwork Inc. in Burlington, Mass.
A key new feature aiming at usability is expanded stack traces for easier defect comprehension, with a mechanism called trace back.
"Our theme is to make it as easy as possible for developers to [address vulnerabilities] right in their IDE," Gordon said. "We got feedback from customers about how we display what we find. We have to convey that to developers in an easy-to-understand way."
With trace back, developers can see where in the source code the security flaw occurs, and this version simplifies the ability to do so, Gordon said. New stack traces are visible in the IDE and the Project Central Web interface.
Version 7.7 also expands IDE support to include Visual Studio .NET for C and C++ as well as IntelliJ IDEA for Java from JetBrains. According to Gordon, the demand for Visual Studio support was very high on their customers' list. "We've got a broad range of IDEs we support; it's the easiest way to find these [vulnerability] issues."
The fact that Klocwork addresses both C/C++ and Java is an advantage, according to Diana Kelley, vice president and service director at Burton Group based in Midvale, Utah. However, she said, "There's also .NET out there. It's on their roadmap, but it's something they're missing."
Unlike some of its competitors in the application security space, Klocwork's roots are in software quality. "They really have been strengthening their security side," Kelly said. However, she added, "When I get calls from customers, they tend to look at more security-specific tools -- they're not thinking Klocwork first."
Today, many organizations have two separate teams to address security and quality, and thus have two different types of users. But as these tools get more widely adopted into the lifecycle, the fact that Klocwork addresses both quality and security could be an advantage, Kelly said.
Beyond new features, the third key area of Klocwork 7.7 is support for the Software Assurance Metrics and Tools Evaluation (SAMATE) project, sponsored by the U.S. Department of Homeland Security (DHS) National Cybersecurity Divison and NIST. The SAMATE Reference Dataset has code snippets containing vulnerabilities/weaknesses in C/C++ and Java. Klocwork ran these test cases as part of the QA process for 7.7 and will continue to add SAMATE test cases to its automated testing each release.
"Our goal is to make sure we run as many as we can of those reference tests against our product and make it part of our ongoing QA cycle," Gordon said. "For this release, we had about a 90% pass rate, which we were happy with, and we will deal with the things we found that didn't pass."
Kelly praised Klocwork's support for SAMATE. The project "is trying to get together metrics around software security, to understand how to make more robust software. A lot of vendors will try and reinvent the wheel and have their own secret sauce. They think, 'If we're using SAMATE, my products won't be special enough.' So it's neat [Klocwork] is working with standards, especially SAMATE. It's a sticky problem."
Gordon said Klocwork does not worry about an effort like SAMATE commoditizing the static analysis space. "There's still a lot of work to do to cover landscape out there; it will make it easier to compare products."
In addition to SAMATE, Klocwork has also committed support for the DHS' Common Weakness Enumeration (CWE) effort, a catalog of known software weaknesses collated from academic and industry sources, and plans to be CWE compatible in an upcoming release.
Gordon said Klocwork is not part of the new Software Assurance Framework project being driven by the Object Management Group (OMG), which is intended to allow the sharing of security-related information and analysis among disparate tools. He said the company "will take look at it; we're definitely following OMG standards."
Version 7.7 of Klocwork is generally available this week.