AUTOSAR TOTAL SOLUTIONS
SYNOPSYS Coverity Static Application Security Testing (SAST)
Coverity Static Analysis finds critical defects and security weaknesses in code as it’s written
The automotive cybersecurity standards and regulations include R. 155 (Cyber Security and Cyber Security Management), “Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system”, and R. 156 (Software Update Processes and Management Systems), “Uniform provisions concerning the approval of vehicles with regards to software update and software update management system.”
Finally, ISO/SAE 21434 gives the means to achieve compliance. ISO/SAE 21434 outlines the process requirements around a Cyber Security Management System (CSMS) and describes how to identify application scenarios and assets, perform threat analysis and threat modeling, assess risk, and carry out test verification.
Cyber security is clearly receiving more and more attention. Many organizations have invested heavily in application security testing (AST) tooling. Most enterprises today use a variety of AST tools across the stages of the SDLC: static application security testing (SAST) and software composition analysis (SCA) are typically applied at the build/development stage, and dynamic application security testing (DAST) is applied during staging to uncover issues under simulated production conditions. Within each of these categories of AST tools, the detection capabilities and the types of applications and programming languages supported vary between vendors. Each tool searches for specific types of software flaws, exploitability, and issue sources, so any testing tool used in isolation will uncover only a limited scope of potential vulnerabilities.
SYNOPSYS Coverity Static Application Security Testing (SAST) helps developers build better code without slowing them down.
Coverity works with the Code Sight™ IDE plugin, enabling developers to find and fix security and quality defects as they write code.
Fast and accurate incremental analysis runs in the background to minimize disruption, giving developers real-time results, including CWE information, remediation guidance, and relevant security training, directly within the IDE.
Static Application Security Testing (SAST)
- Analyzes application source code for coding and design conditions that are indicative of security vulnerabilities.
- SAST solutions analyze an application from the “inside out” in a non-running state.
Static Analysis Strengths
- Early detection: can find defects before a working executable is ready
- No test cases needed: all paths are analyzed automatically
- Fast analysis of very large codebases
- Deterministic: analyzing the same codebase gives the same results