2020: Looking Back on GrammaTech’s Year – Security Boulevard

2020 will surely go down in the history books as an exceptional year, to put it mildly. The COVID-19 pandemic had a huge impact on the world, and it certainly affected us and our customers. Even so, we still managed to have an outstanding year at GrammaTech, thanks to the strength of our team and the support of our customers. It was an outstanding year for corporate growth, for product development and releases, and for our research team.

Company Achievements in 2020

GrammaTech added more than 50 new global customers for CodeSonar and increased our distribution network and reach in Europe with the addition of a UK subsidiary to support pan-European customers and two new distributors in Spain. We were also a Platinum Award Winner for Best Application Security Testing in the 2020 ASTORS Homeland Security Awards and a finalist for Best DevSecOps Solution in the 2020 Computing Security Excellence Awards.

Products in 2020

Most notable for 2020 were the acquisition of JuliaSoft and the integration of its Julia Java and C# static analysis technology into CodeSonar and, of course, the release of CodeSentry.

CodeSentry, based on GrammaTech’s groundbreaking binary code analysis and machine learning technology, delivers deep analysis without the need for source code. Our new product accepts native binaries, zip files, or other archives, with or without debug information, and analyzes the deployed application outside the build environment. CodeSentry identifies the components present in native binaries through a variety of component matching algorithms to gather version number ranges, create an SBOM and provide links to CVEs and CVSS scores.

Back in July we acquired the intellectual property and assets of JuliaSoft S.r.l. to extend CodeSonar with automated code analysis for Java and C# code. This is an exciting development because of how well the Julia static analysis engine fits with CodeSonar and with both teams’ approach to quality, safety and security. As a long-time partner, JuliaSoft had already integrated its engine with CodeSonar, and we were familiar with their tools and how effective they are.

SWAP Detector, an open source static analysis tool recently released by GrammaTech, applies Big Data analysis techniques, which we call “Big Code” analysis, to the Fedora RPM open-source repository to baseline correct API usage. This allowed us to develop error-detection capabilities that exceed the scalability and accuracy of conventional approaches to program analysis.
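To illustrate the idea of baselining API usage from a corpus and flagging calls that deviate from it, here is a small added example; it is not SWAP Detector’s code nor the exact algorithm of the paper, just a name-based sketch of the approach. It builds, per API and parameter position, a baseline of the identifier tokens seen in trusted call sites, then flags a call whose arguments fit the baseline clearly better in a different order. The API name `copy_buf`, the call sites and the `margin` threshold are all constructed for this example.

```python
"""Toy name-based swapped-argument check: learn a per-position baseline
from a corpus of call sites, then flag calls that fit better reordered."""
from collections import Counter, defaultdict
from itertools import permutations
import re


def tokens(name):
    """Split an identifier into lowercase word tokens (snake_case and camelCase)."""
    parts = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name).lower().split("_")
    return {p for p in parts if p}


def build_baseline(call_sites):
    """Count, per API and parameter position, the name tokens seen in arguments.
    call_sites: iterable of (api_name, [arg_identifier, ...]) from a trusted corpus."""
    baseline = defaultdict(lambda: defaultdict(Counter))
    for api, args in call_sites:
        for pos, arg in enumerate(args):
            baseline[api][pos].update(tokens(arg))
    return baseline


def position_score(baseline, api, pos, arg):
    """Fraction of the baseline token mass at this position shared by the argument."""
    seen = baseline[api][pos]
    total = sum(seen.values())
    return sum(seen[t] for t in tokens(arg)) / total if total else 0.0


def check_call(baseline, api, args, margin=0.3):
    """Return (suspect, best_order): suspect is True when some permutation of the
    arguments scores higher than the order as written by more than `margin`."""
    def score(order):
        return sum(position_score(baseline, api, i, a) for i, a in enumerate(order))
    as_written = score(args)
    best_order, best = list(args), as_written
    for perm in permutations(args):
        s = score(perm)
        if s > best:  # strict: the order as written wins ties
            best_order, best = list(perm), s
    return best > as_written + margin, best_order


# Constructed corpus: trusted call sites of a hypothetical copy_buf(dest, src, len).
CORPUS = [("copy_buf", ["dst_buf", "src_buf", "buf_len"]),
          ("copy_buf", ["out", "in_data", "n"]),
          ("copy_buf", ["dest", "source", "length"]),
          ("copy_buf", ["dst", "src", "len"])]
BASELINE = build_baseline(CORPUS)

if __name__ == "__main__":
    print(check_call(BASELINE, "copy_buf", ["src", "dst", "len"]))  # (True, ['dst', 'src', 'len'])
```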

CodeSonar had two updates in 2020 with expanded support for MISRA-C, MISRA-C++, and AUTOSAR C++14 rules. CodeSonar is pre-qualified against standards such as IEC 61508, ISO 26262 and CENELEC EN 50128 and can be used to develop software that needs to adhere to the highest levels of safety. GrammaTech now provides a Tool Safety Manual that describes how to most effectively integrate static analysis into the software development process. Artefacts to support qualification for DO-178C/ED-12C and DO-326A/ED-202 using DO-330/ED-215 are also available.

CodeSonar updates included increased support for Android, NetBSD 8 and Visual Studio 2019, and an updated CWE 4.2 mapping. Library models have been updated or extended to support FreeRTOS, and IAR compiler model improvements and bug fixes have been made for compatibility with the latest versions of the IAR compilers.

New command line sub-commands improve the way additional CodeSonar functionality is invoked via the Python API. These improvements make it easier to integrate with CI/CD tools such as Jenkins, GitHub and GitLab, or other DevSecOps tools. The separately available Jenkins plug-in has also been updated with more capabilities for deciding when to pass or fail a build.

Research News in 2020

It was also a great year for our research team, which won the IEEE SCAM Distinguished Award for our Bug-Injector research. Our paper “Out of Sight, Out of Place: Detecting and Assessing Swapped Arguments”, on swapped arguments (part of which was released as open source in the SWAP Detector tool mentioned above), was accepted for the 2020 IEEE SCAM Conference.

GrammaTech also received funding from DHS to continue our research into SARIF, which included the release of an open source SARIF integration for GitHub. We also received a new award for research into safety and certification as part of DARPA’s Automated Rapid Certification of Software (ARCOS) program, and another in AI-augmented software development: GrammaTech received funding from DARPA for research into the use of artificial intelligence (AI) and machine learning (ML) techniques for automating the design, testing and implementation of software applications. The contributions made by GrammaTech will be made available as part of an open source project called Mnemosyne.

We are collaborating with the Joint Federated Assurance Center (JFAC) to provide CodeSonar for Source and Binaries to Department of Defense organizations, improving their software-assurance practices and helping them deliver more secure and resilient software systems. JFAC is a Department of Defense (DoD) organization established in 2014 that promotes software and hardware assurance in DoD programs.

Despite the challenges faced in 2020, we remain optimistic for the future and look forward to solving security, safety and quality problems for our customers. We look forward to another exciting year in 2021!

*** This is a Security Bloggers Network syndicated blog from Blog authored by Mark Hermeling. Read the original post at: https://blogs.grammatech.com/2020-grammatech-review