Medical Device, FDA & IEC62304

Klocwork’s static code analysis technology supports key validation requirements as they relate to the software coding phase outlined in the FDA’s General Principles of Software Validation.

Klocwork helps developers meet software coding standards such as those developed by the FDA. Klocwork provides the detection of critical bugs and security vulnerabilities, software metrics analysis, change verification, bug tracking, peer review of software code, and more that help ensure the development and delivery of high quality, compliant code.

When building safety-critical medical device software, implementing the workflow early for the rigorous detection of critical bugs and security vulnerabilities is a proven best practice for enhancing software reliability while reducing software validation costs. The FDA has issued guidance for proper validation of medical device software in its General Principles of Software Validation.

The guidance applies to any “…software used as components in medical devices, to software that is itself a medical device, and to software used in production of the device or in implementation of the device manufacturer’s quality system.”

The FDA guidance covers all aspects of software development – everything from requirements and design reviews to software maintenance and retirement. Klocwork addresses the validation requirements as they relate to the software construction or coding phase.

Klocwork is certified (pre-qualified) by TÜV SÜD for use in ISO 26262 projects. Klocwork’s analysis can be used to cover a range of guidelines specified in Section 6 of the standard, Product development at the software level. Klocwork’s client-server architecture simplifies and streamlines the process of managing compliance to coding standards, such as MISRA, which form a key feature of the ISO 26262 requirements from the static analysis aspect.

Klocwork includes built-in checkers to support all of the leading security standards: CWE, CERT, DISA STIG, CWE/SANS Top 25, OWASP, MISRA. Klocwork also allows organisations to quickly introduce their own customised security checkers to meet the ever-changing threat landscape.

Klocwork is being used successfully in safety-critical and high-integrity embedded systems where system faults are simply not acceptable and, in many cases, compliance with industry standards is required (IEC 61508, ISO 26262, EN 51208, IEC 62304, DO-178B/C, MISRA, etc.).

Trapping security vulnerabilities

Defensive coding through automation

With a threat model in hand, developers can begin to drill down and identify the specific security vulnerabilities that could expose their embedded software to risk. Programmers, however, aren’t security experts and can miss common security gaps, logic errors, and concurrency violations that expose code to external threats.

Automated static code analysis (SCA) tools can assist embedded software developers by helping to eliminate security vulnerabilities early in the development cycle. While automotive software development teams are familiar with traditional SCA tools, those tools are limited to finding programmatic bugs only. Modern tools can detect security vulnerabilities and defects as the developer is writing code. This helps developers build security into their code and reduce risk as early as possible, without burdening the project with a lengthy defect-testing phase.

Static analysis tools can identify hundreds — if not thousands — of security vulnerabilities, including critical vulnerabilities such as buffer overflows, uninitialized data, use of dangling pointers, injection flaws, and the use of known insecure APIs and libraries.
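As an added illustration of two of the defect classes listed above (insecure APIs and the buffer overflow they lead to), not code from Klocwork or from the original page: a small device-label formatter in the shape a static analyzer would flag, beside its hardened form. The function names, the `ID_MAX` limit and the sample identifiers are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define ID_MAX 16   /* constructed limit: identifiers are at most 15 chars plus NUL */

/* BEFORE: the shape of code a static analyzer flags. Two classes named on
 * the page appear here: an insecure API (strcpy/sprintf take no bound) and
 * the stack buffer overflow that follows when dev_id is 16+ characters.
 * Kept for illustration only; nothing below calls it. */
int format_label_unsafe(const char *dev_id, char *out) {
    char buf[ID_MAX];
    strcpy(buf, dev_id);              /* unbounded copy into a 16-byte buffer */
    sprintf(out, "DEV-%s", buf);      /* caller's buffer size is never checked */
    return 0;
}

/* AFTER: the hardened form a checker or reviewer would ask for. Every copy
 * is bounded, NULL is rejected, and an over-long identifier or a too-small
 * output buffer fails closed instead of being silently truncated.
 * Returns 0 on success, -1 on bad input or insufficient output space. */
int format_label_safe(const char *dev_id, char *out, size_t out_len) {
    char buf[ID_MAX];
    if (dev_id == NULL || out == NULL || out_len == 0) return -1;
    /* memchr never reads past ID_MAX bytes, unlike strlen on untrusted input */
    const char *end = memchr(dev_id, '\0', ID_MAX);
    if (end == NULL) return -1;           /* 16+ chars: would not fit with NUL */
    size_t n = (size_t)(end - dev_id);
    memcpy(buf, dev_id, n);
    buf[n] = '\0';
    int written = snprintf(out, out_len, "DEV-%s", buf);
    if (written < 0 || (size_t)written >= out_len) {
        out[0] = '\0';                    /* truncated: hand back nothing partial */
        return -1;
    }
    return 0;
}

int main(void) {
    char out[32];
    if (format_label_safe("PUMP-0042", out, sizeof out) == 0)
        printf("%s\n", out);              /* DEV-PUMP-0042 */
    if (format_label_safe("this-identifier-is-too-long", out, sizeof out) != 0)
        printf("rejected: identifier too long\n");
    char small[8];
    if (format_label_safe("PUMP-0042", small, sizeof small) != 0)
        printf("rejected: output buffer too small\n");
    return 0;
}
```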

