| SOFTWARE SECURITY
Klocwork Insight is a source code analysis product that helps automate security vulnerability and quality risk analysis, remediation and measurement. It employs more than 200 different techniques for identifying software flaws for C, C++ and Java.
This kind of tool is increasingly important, as very few people are capable of analyzing and, most importantly, fixing software security flaws.
The installation is difficult for a user of any type, requiring several different modules and server components to be installed or loaded prior to use. Plan to spend time on training. The upside to the initial learning curve is scalability and flexibility for large, hybrid or segregated development environments.
Licensing can be centrally managed across multiple teams and updated in seconds via a quick change of the license file. MySQL is utilized as the backend database and can be configured at will, making it easy to schedule backups, modify the default schema, or integrate Insight into other products such as Microsoft SharePoint or BMC Remedy Service Desk. All aspects of the Web interface and server are configurable, as it runs atop Apache Tomcat.
Klocwork supports most development environments and can be installed on a range of *nix and Windows OSes.
Leveraging the Eclipse and Visual Studio native interfaces for developer integration was key to provide true engineering-level value. From the Eclipse interface, we could easily navigate through the source tree from the Windows Explorer-like folder system, and see the associated identified vulnerabilities and issues.
Double-clicking an issue, such as one we found for null pointer dereferencing, opens the associated file directly at the line in question. You can modify and save the code in the IDE as usual, or right-click the issue at the bottom to obtain sample "bad code" and documentation on the potential vulnerability.
Post-installation management is still immature, as DOS batch files are used to start and stop the Klocwork servers on local installations. It is also recommended that you manually stop all of the Klocwork components prior to rebooting your machine.
We were blown away by Klocwork's reporting capabilities. The Web-based reporting interface, Insight Review, allows users to navigate through findings and recommendations, and drill down into specific components.
You can select one of the current projects your teams set up during configuration--typically, each application, product or tool has a standalone project created in Insight.
Once you select a project, the interface changes into a robust report-creation engine, with the ability to flag and group issues by severity, status and state. These reports are dynamic and contain active links or hyperlinks that allow you to gain further detail on specifics issues. More than 300 issues were identified in one of the tests we ran, and creating the critical issues report took two minutes from start to finish. These issues were divided into logical code directories based upon the build structure.
All data views and graphical reports can be exported to PDF or CSV files, and detailed issue data broken down by file and line can be conveniently exported to XML.
Klocwork's enterprise reporting and analysis techniques will help companies with structured programming ties to C/C++ and Java.applications.
Testing methodology: We tested Klocwork on a Windows XP Professional SP2 workstation and on a fully patched Windows 2003 Server against several open source, C/C++ and Java applications utilizing the Eclipse IDE developer plug-in.