10.03.2016

AppChecker source text static analyzer now detects 100 types of software defects!

As it is known the quality of software code used in software programs affects security of modern information systems greatly.

Unfortunately, even the world's leading software developers regularly leave vulnerabilities in their products. The existence of defects and vulnerabilities in source code creates financial and reputational risks for the developing company, and can also lead to risks related to the integrity, availability and confidentiality of user data. A key way to improve source code quality and reduce the cost of the error correction is automatic code defects detection. by Echelon Union for science and development has designed AppChecker source texts static analyzer to resolve this task.

Currently, the software solution can detect 100 types of code defects, written in C/C++, Java, or PHP. AppChecker can be used by the software developers and experts in information security, responsible for control of code security, developed by an outsourcing company. In addition, the decision can be useful for testing laboratories, which conduct code analysis as a part of certification tests.

AppChecker uses several code analysis modules, including signature and heuristic analysis method and analysis of data streams. Signature approach can be called “pattern matching”. This approach lies in comparison of source code fragment with a certain sample from defects database. Pattern matching approach is used in analyzers for quite a long time, so its pros and cons are well-known in the industry. The advantages include easiness of implementation, easiness of patterns drawing and high-speed operation. The disadvantage of the approach is high rate of false triggering. Utilization of new approaches to the code analysis greatly addressing this shortcoming did not reduce the role of the search patterns, as it has an ideal ratio between speed and quality with regard to some defect types searching. In addition to pattern matching, AppChecker uses other analysis modules aimed in reducing a number of false triggering and increasing a number of detected defects, such as data flow analysis, which allows building data flow graphs based on of a call graph and a control flow graph that in turn allows tracking transmission of data in both local and global program blocks.

AppChecker supports CWE international defects classification. Its defects signatures database is continuously updated and formed according to different standards and recommendations for secure coding by OWASP, CERT, NIST, etc.

The solution has been implemented in accordance with “thin client” technology (using web interface) that allows auditing the code by several experts.

As already mentioned earlier, AppChecker allows analyzing code written in C/C++, Java, and PHP. An important advantage of the product is the fact that the flexible configuration of the analyzed projects takes into account the impact of such features of programming languages, such as precompilation directives in C/C++.

Obtain more information about the solution under e-mail request to sales@npo-echelon.ru. A demo version of the complex is available for testing.


Back to the list