Parasoft Copyright © 2016 1
September 30, 2016
Driving Risks out of Embedded Automotive Software
Your Presenters
Arthur Hicken is Chief Evangelist at Parasoft, where he has been involved in automating various software development and testing practices for over 20 years. He has worked on projects including cybersecurity, database development, the software development lifecycle, web publishing and monitoring, and integration with legacy systems. Follow him @codecurmudgeon
Alan Zeichick is Principal Analyst at Camden Associates, where he focuses on networking technologies, cloud computing, software development and telecom. In the software development industry, Alan is well known as the founding Editor-in-Chief of SD Times and of Software Test & Performance Magazine. A former mainframe jockey, Alan has been researching, writing, speaking and consulting on cutting-edge information technology for more than three decades. Follow him @zeichick
Agenda
Policy enforcement
Reducing defects during coding
Effective techniques for acceptance testing
Using metrics analytics to measure risk
Using SDLC analytics
Your Participation: GoToWebinar Housekeeping
• Open and hide your control panel
• Join audio:
  – Choose “Mic & Speakers” to use VoIP
  – Choose “Telephone” and dial using the information provided
• Submit questions and comments via the Questions panel
Note: Today’s presentation is being recorded and will be provided within 48 hours.
Much attention has been paid to hacking
Yet security is only one of the defects
▪ Many cars have more than 100 ECUs
▪ 10s of millions of lines of code
▪ Software everywhere
  – No visibility into embedded software from vendors
▪ More software than a fighter jet!
It’s a rolling data center
“A typical luxury sedan now contains about 100 megabytes of code that controls 50 to 70 computers inside the car, most of which communicate over a shared internal network.” - MIT Technology Review
There’s incredible complexity
Complexity breeds errors, bugs, recalls
• Software errors cost $350/car in 2005 (IEEE)
• Auto problems cost $,$$$,$$$,$$$
• NHTSA estimates $100 per vehicle
• $3 billion annually for recalls/fixes
• Many recent recalls > $1 billion
• Liability above and beyond repairs
• Software is an ever-growing percentage of the problem
• Consequences are serious
We’re not talking about Pokemon Go
▪ Software quality in automotive is life-safety critical
▪ Added complexity introduces new vulnerabilities and safety concerns
▪ Car makers can’t audit or review every line of code
▪ The threat of failure involves lives
▪ It’s clear: we can’t simply treat QA as in the past, or as primarily a hardware issue
One real-world measure is recalls
Software recalls are a growing problem
▪ With the proliferation of ECUs, the problem is exploding
  – From 2005-2012, 32 software recalls affected 3.6 million vehicles
  – From 2012-June 2015, 63 software recalls affected 6.4 million vehicles
  – From less than 5% of all recalls in 2011, software-related recalls rose to almost 15% in 2015
  – In 2011, only 3 software components were recalled; in 2015, the number rose to 20 components
Software-related recalls are everywhere
It’s getting worse, and will keep doing so
▪ Defects? Design flaws? Security vulnerabilities?
▪ Does the distinction matter?
  – August 2016: VW Car-Net shown to be capturing and uploading vehicle sensor data
  – July 2016: Several incidents with Tesla may be attributable to faulty software
  – June 2016: Apple patents iPhone Bluetooth method to unlock/start cars remotely
  – June 2016: Hackers demo remote takeover of Mitsubishi Outlander Plug-In Hybrid
There’s no one source for software flaws
Or even one weak link on the supply chain
And that doesn’t even include connectivity
Poll: Code quality driver
What is the biggest driver of automotive code quality?
• Adherence to industry standards like MISRA
• Peer review of all source code
• Quality contracts with supply chain
• A solid process for the SDLC
• Context-rich metrics and metadata analysis
Digging deep into policy, practices, metrics
• Policies cover the entire SDLC, not just coding and testing
• Policies should be defined by an architect or a group of architects
• Architects and managers define the practices required to meet those policies
• The organization needs to find tools to automate practices and policy enforcement
• Tools like Policy Center can help by syncing what we are doing, and what we are measuring, with external standards like ISO 26262 or MISRA
• Why? In order to set goals and measure results
Software verification in many stages
• Coding standards
• Unit testing
• Integration testing
• Functional testing
• Memory error detection
• Coverage analysis
• Regression testing
• Workflow automation
• Peer code review & document inspections
ISO 26262 Software Tools Map (clause numbers refer to ISO 26262-6, product development at the software level)

Clause   | Description                                       | Tool functionality
---------|---------------------------------------------------|--------------------------------------------
5.4.6    | Correctness of software design and implementation | Static analysis
8.4.4    | Design principles for software unit design and    | Static analysis
         | implementation                                    |
8.4.5    | Verification methods                              | Static analysis, flow analysis, peer review
9.4.1-2  | Unit test execution                               | Unit testing
9.4.3-4  | Unit test creation                                | Unit testing, coverage
9.4.5    | Test requirements                                 | Requirements management
10.4.2   | Integration tests                                 | Test execution, coverage
10.4.5   | Completeness of integration testing               | Coverage
10.4.7   | Requirements for integration test environment     | Stubs, virtualization/emulation
Where to start
1. Measure software test coverage
2. Improve test coverage
3. Static analysis is an essential tactic
4. Implement preventative coding standards
5. Use runtime memory detection in the test lab
6. Link requirements to code and tests and results
7. Get results data back from supply chain vendors
8. Analyze data collected during development
Poll: When to catch defects
When is the best time to catch a safety-critical software defect?
• During the design/architecture phase
• While writing the code
• When code is checked in to the repository
• During peer review
• During testing
Managing all that complexity
• Prevention of software flaws
  – Coding standards
    · MISRA – software coding standards
    · ISO 16949 – automotive quality
    · ISO 26262 – functional safety
    · ISO 33001 – process assessment for software development
  – Runtime error detection
• Integrated development testing results
  – Coding standards, unit testing, coverage, requirements, static analysis…
• Visibility & traceability
Value of coding standards
The MISRA Guidelines were written specifically for use in systems that contain a safety aspect. The guidelines address potentially unsafe C language features and provide programming rules to avoid those pitfalls.
Static analysis means prevention
• Relationship of automated analysis
  – Preventative static analysis
  – Flow analysis
  – Runtime error detection
• Uninitialized memory example
  – Runtime will find it IF the test suite is thorough
  – Flow analysis may find it, depending on complexity
  – Pattern to prevent: initialize variables upon declaration
• Much of MISRA is designed to prevent rather than detect
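The uninitialized-memory case above, as an added example in C (not code from the Parasoft deck): a batch validator whose status variable is assigned only inside a loop, beside the MISRA-style prevention of initialising at declaration. The frame layout, the XOR checksum scheme and all function and type names are assumptions made for illustration. The defective function is undefined for an empty batch; a test suite that only ever passes non-empty batches never exercises that path, so a runtime memory checker has nothing to report, which is the coverage dependency the slide points at. The rule being violated is MISRA C:2012 Rule 9.1 (an automatic object shall not be read before it has been set).

```c
/* Added example (not from the Parasoft deck): the slide's "uninitialized
 * memory" case in C, defective form beside the MISRA-style prevention.
 * Frame layout, checksum scheme and all names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAME_MAX_DATA 8U             /* classic CAN payload size (assumption) */

typedef struct {
    uint8_t len;                      /* number of valid bytes in data[] */
    uint8_t data[FRAME_MAX_DATA];
    uint8_t check;                    /* XOR of len and data[0..len-1] */
} frame_t;

typedef enum {
    DECODE_OK = 0,
    DECODE_BAD_LENGTH = 1,
    DECODE_BAD_CHECK = 2,
    DECODE_NO_DATA = 3                /* fail closed: an empty batch is not OK */
} decode_status_t;

static uint8_t frame_checksum(const frame_t *f)
{
    uint8_t x = f->len;
    for (uint8_t i = 0U; i < f->len && i < FRAME_MAX_DATA; i++) {
        x ^= f->data[i];
    }
    return x;
}

/* Build a well-formed frame from constructed bytes; -1 if len is too large. */
int make_frame(const uint8_t *bytes, uint8_t len, frame_t *out)
{
    if (len > FRAME_MAX_DATA) {
        return -1;
    }
    out->len = len;
    for (uint8_t i = 0U; i < FRAME_MAX_DATA; i++) {
        out->data[i] = (i < len) ? bytes[i] : 0U;
    }
    out->check = frame_checksum(out);
    return 0;
}

decode_status_t validate_one(const frame_t *f)
{
    if (f->len > FRAME_MAX_DATA) {
        return DECODE_BAD_LENGTH;
    }
    return (frame_checksum(f) == f->check) ? DECODE_OK : DECODE_BAD_CHECK;
}

/* DEFECTIVE: 'status' is assigned only inside the loop, so for n == 0 the
 * function returns an indeterminate value (undefined behaviour; MISRA
 * C:2012 Rule 9.1). A test suite whose cases all carry at least one frame
 * never reaches that path, so a runtime memory checker sees nothing, and
 * a flow analyser reports it only if it models the zero-iteration case. */
decode_status_t validate_batch_defective(const frame_t *frames, size_t n)
{
    decode_status_t status;
    for (size_t i = 0U; i < n; i++) {
        status = validate_one(&frames[i]);
        if (status != DECODE_OK) {
            break;
        }
    }
    return status;
}

/* PREVENTED: initialise at declaration with a fail-closed default. There
 * is no uninitialised read to detect because it cannot exist. */
decode_status_t validate_batch(const frame_t *frames, size_t n)
{
    decode_status_t status = DECODE_NO_DATA;
    for (size_t i = 0U; i < n; i++) {
        status = validate_one(&frames[i]);
        if (status != DECODE_OK) {
            break;
        }
    }
    return status;
}

int main(void)
{
    /* Constructed sample input: two good frames, then one with a flipped bit. */
    frame_t batch[3];
    const uint8_t a[] = {0x01U, 0x02U, 0x03U};
    const uint8_t b[] = {0xFFU};
    (void)make_frame(a, 3U, &batch[0]);
    (void)make_frame(b, 1U, &batch[1]);
    (void)make_frame(a, 3U, &batch[2]);
    batch[2].data[0] ^= 0x80U;
    printf("two good frames : %d\n", (int)validate_batch(batch, 2U));   /* 0 */
    printf("with corruption : %d\n", (int)validate_batch(batch, 3U));   /* 2 */
    printf("empty batch     : %d\n", (int)validate_batch(batch, 0U));   /* 3 */
    /* validate_batch_defective(batch, 0U) is deliberately not called:
     * its result is undefined, which is exactly the point. */
    return 0;
}
```

Build with warnings on: GCC's -Wmaybe-uninitialized only sees the defective loop with optimisation enabled and does not catch every loop shape, which is the "may find it, depending on complexity" caveat. Valgrind memcheck or MemorySanitizer flag the indeterminate value only on a run that actually passes n == 0 and then uses the result, which is the "IF the test suite is thorough" caveat. The initialised version needs neither, and its fail-closed default means an empty batch is rejected rather than silently accepted.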
Standards reduce supply chain risks
• Standards and static analysis, applied properly, prevent errors and reduce risk
• Integrated results provide control, measurement, traceability and accountability
• The cost of good software is less than the harm caused by a recall or other failure
What’s Needed to Control Risk
• A clear sense of ownership and responsibility for quality
• Policies that define quality, such as test coverage, conformance with standards, open source licenses
• Practices that enforce those policies, like automated static tests or code reviews
• Metrics that show compliance, like 90% code coverage in current tests, or a 28% failure rate
• A definition of “done”, like zero tasks/user stories incomplete, all unit test failures within 5%, etc.
• The definition of “done” will change at different times/phases
Validating Requirements
• Plan testing for defined requirements
  – Test scenario definitions to document use cases
  – Confirm requirement/test associations in the Requirement Test Matrix report
• Automated tests for requirement definitions
  – Code-level unit tests
  – Functional tests
• Associate tests with requirements using annotations
Non-Functional Requirements for Software
Acceptance Testing
• Verify that the software development policy is working
• Verify that requirements are met
• Check for possible failures / flaws
• Tests from the outside in
• Variety of real-world scenarios
• Include security “penetration” testing
Contractual Software Verification
Coding standards
Unit testing
Memory error detection
Coverage analysis
Regression testing
Peer code review & document inspections
The Problem
What Can You Measure?
• Code churn
• Field bugs
• Static analysis findings
• Test failures
• Coverage
• Performance
• Counts (lines, files, …)
• Bug arrival rates
Example: Code Metrics
• Do problems indicate simple coder error, or something more?
• Prioritize by understanding the impacts of policy violations
• Understand where complexity means poor design, or code whose performance is hard to validate or hard to cover with static/dynamic tests
• Identify areas with good (or bad) ROI for refactoring
  – After all, refactoring is not only costly (time and money) but also introduces new risk
Metrics with a Capital M
Some metrics have taken on a life of their own:
• Complexity
• Cohesion
• Coupling
• Maintainability
• KLOC
There are no silver bullets, no single metric that defines “good” vs. “bad” software.
Context comes from metadata
• Understand the meaning of the code, modules, tests
  – Functional vs. non-functional requirements
  – And externalities, such as licenses, budgets, industry standards, as well as audits
• For every task there is an assignment (ownership)
  – As well as budgets, priorities and risk assessments
  – There may be specific security rules
Checking Your Work
• Did you get the right numbers?
• Are they going in the right direction?
• Are you measuring enough?
• Are unexpected things happening?
• Are the measurements automatic?
  – Manual estimates are inconsistent
  – Multiple layers of manual collection yield compound rounding errors
Poll: What kind of testing?
Which testing is most valuable in software verification?
• Unit testing
• Functional testing
• Static code analysis
• Memory leak detection
• Penetration testing
Dashboards vs. Process Intelligence
2001 Ford Explorer (dashboard)
• Isolated data points
• No priority
• Binary warnings (Check Engine)
• All or nothing
2016 Chevy Volt (process intelligence)
• Multivariate analysis
• Customizable
• Engine efficiency
• Valuable data (range)
• Real-time feedback
Harnessing “Big” Data
• Aggregate data
• Correlate data
• Mine data
• Create:
  – Reports
  – Dashboards
  – Tasks
  – Alerts
• Continuous testing/delivery/release
Decisions Based on Metrics and Metadata
• What’s the priority and cost/benefit of fixing now vs. fixing later vs. letting it slide?
• Are there bigger problems with code complexity?
• What about integration with external systems (like TFS)?
• Architects and top managers configure parameters to determine how rules are enforced
  – After all, it’s only partly about functional requirements for the code; non-functional requirements are equally important, or perhaps even more so
  – Policies, and thus practices, must be configured to enforce both functional and non-functional requirements
Parasoft Support for Automotive
Policy definition management
Requirement definition and tracking
Static analysis
Unit test
Peer review
Runtime error detection
Coverage
Conclusions
Safety-critical automotive software issues are going to get worse
• Due to ever-increasing requirements, faster processors, and greater connectivity
This affects software from in-house teams and from the vast supply chain
• The right tests can help make informed decisions faster
Coding standards and practices can drive policies
• And lead to definitions of “done”
Code metrics can help manage risk…
• If they have the right metadata context
• And if integrated across SDLC practices and systems
The result: transparency, feedback, supervision — and managed quality
• Blog: http://alm.parasoft.com
• Web: http://www.parasoft.com/jsp/resources
• Facebook: https://www.facebook.com/parasoftcorporation
• Twitter: @Parasoft @CodeCurmudgeon @Zeichick
• LinkedIn: http://www.linkedin.com/company/parasoft
• Google+ Community: Static Analysis for Fun and Profit
• Webinar: RX for FDA Software Compliance, Aug 25th
• IoT APIs session, API World, San Jose, CA, Sep 13th
• Managing Auto Supply Chain Risk, Automotive Software Kongress, Germany, Sep 21-22

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

EuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through StandardsEuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through Standards
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
 
Accelerate Agile Development with Service Virtualization - Czech Test
Accelerate Agile Development with Service Virtualization - Czech TestAccelerate Agile Development with Service Virtualization - Czech Test
Accelerate Agile Development with Service Virtualization - Czech Test
 
Evolving from Automated to Continous Testing for Agile and DevOps
Evolving from Automated to Continous Testing for Agile and DevOpsEvolving from Automated to Continous Testing for Agile and DevOps
Evolving from Automated to Continous Testing for Agile and DevOps
 
FDA software compliance 2016
FDA software compliance 2016FDA software compliance 2016
FDA software compliance 2016
 
A "Firewall" for Bad Binaries
A "Firewall" for Bad BinariesA "Firewall" for Bad Binaries
A "Firewall" for Bad Binaries
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
 
A Secure DevOps Journey
A Secure DevOps JourneyA Secure DevOps Journey
A Secure DevOps Journey
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
 
DevOps 2017 Conf: evolving from automated to continuous
DevOps 2017 Conf: evolving from automated to continuousDevOps 2017 Conf: evolving from automated to continuous
DevOps 2017 Conf: evolving from automated to continuous
 
DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017DevSecOps-OWASP Indonesia Day 2017
DevSecOps-OWASP Indonesia Day 2017
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
 
Introduction to Parasoft C++TEST
Introduction to Parasoft C++TEST Introduction to Parasoft C++TEST
Introduction to Parasoft C++TEST
 
Findings Revealed: 2015 State of the Software Supply Chain
Findings Revealed: 2015 State of the Software Supply Chain Findings Revealed: 2015 State of the Software Supply Chain
Findings Revealed: 2015 State of the Software Supply Chain
 
An Essential Guide to Effective Test Automation Leveraging Open Source
An Essential Guide to Effective Test Automation Leveraging Open SourceAn Essential Guide to Effective Test Automation Leveraging Open Source
An Essential Guide to Effective Test Automation Leveraging Open Source
 
EXTENT-2016: The Future of Software Testing
EXTENT-2016:	 The Future of Software TestingEXTENT-2016:	 The Future of Software Testing
EXTENT-2016: The Future of Software Testing
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 

Andere mochten auch

Andere mochten auch (8)

How to decode json in php
How to decode json in phpHow to decode json in php
How to decode json in php
 
Temporary jobs for freshers
Temporary jobs for freshersTemporary jobs for freshers
Temporary jobs for freshers
 
Google chrome favorites location
Google chrome favorites locationGoogle chrome favorites location
Google chrome favorites location
 
How to donate eyes
How to donate eyesHow to donate eyes
How to donate eyes
 
What does ghostwriting mean
What does ghostwriting meanWhat does ghostwriting mean
What does ghostwriting mean
 
How to donate toys for tots
How to donate toys for totsHow to donate toys for tots
How to donate toys for tots
 
Software Safety and Security Through Standards
Software Safety and Security Through Standards Software Safety and Security Through Standards
Software Safety and Security Through Standards
 
A Comparison of Three Bug-Finding Techniques and Their Relative Effectiveness
A Comparison of Three Bug-Finding Techniques and Their Relative EffectivenessA Comparison of Three Bug-Finding Techniques and Their Relative Effectiveness
A Comparison of Three Bug-Finding Techniques and Their Relative Effectiveness
 

Ähnlich wie Driving Risks Out of Embedded Automotive Software

Ähnlich wie Driving Risks Out of Embedded Automotive Software (20)

[India Merge World Tour] Coverity
[India Merge World Tour] Coverity[India Merge World Tour] Coverity
[India Merge World Tour] Coverity
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
Unit Testing Software Market Size, Share.pdf
Unit Testing Software Market Size, Share.pdfUnit Testing Software Market Size, Share.pdf
Unit Testing Software Market Size, Share.pdf
 
Chapter 16
Chapter 16Chapter 16
Chapter 16
 
IoT Integrity: A Guide to Robust Endpoint Testing
IoT Integrity: A Guide to Robust Endpoint TestingIoT Integrity: A Guide to Robust Endpoint Testing
IoT Integrity: A Guide to Robust Endpoint Testing
 
Five ways to protect your software supply chain from hacks, quacks, and wrecks
Five ways to protect your software supply chain from hacks, quacks, and wrecksFive ways to protect your software supply chain from hacks, quacks, and wrecks
Five ways to protect your software supply chain from hacks, quacks, and wrecks
 
The Increasing Value and Complexity of Software Call for the Reevaluation of ...
The Increasing Value and Complexity of Software Call for the Reevaluation of ...The Increasing Value and Complexity of Software Call for the Reevaluation of ...
The Increasing Value and Complexity of Software Call for the Reevaluation of ...
 
IBM i Application Lifecycle Management with Remain Software
IBM i Application Lifecycle Management with Remain SoftwareIBM i Application Lifecycle Management with Remain Software
IBM i Application Lifecycle Management with Remain Software
 
Zero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically GuaranteedZero-bug Software, Mathematically Guaranteed
Zero-bug Software, Mathematically Guaranteed
 
The Significance of Regression Testing in Software Development.pdf
The Significance of Regression Testing in Software Development.pdfThe Significance of Regression Testing in Software Development.pdf
The Significance of Regression Testing in Software Development.pdf
 
Software Testing ppt
Software Testing pptSoftware Testing ppt
Software Testing ppt
 
Selecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuideSelecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuide
 
Procuring an Application Security Testing Partner
Procuring an Application Security Testing PartnerProcuring an Application Security Testing Partner
Procuring an Application Security Testing Partner
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
 
Next generation software testing trends
Next generation software testing trendsNext generation software testing trends
Next generation software testing trends
 
Software coding and testing
Software coding and testingSoftware coding and testing
Software coding and testing
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Scale
ScaleScale
Scale
 
Functional and Non-functional Test automation
Functional and Non-functional Test automationFunctional and Non-functional Test automation
Functional and Non-functional Test automation
 
Navigating Your Product's Growth with Embedded Analytics
Navigating Your Product's Growth with Embedded Analytics Navigating Your Product's Growth with Embedded Analytics
Navigating Your Product's Growth with Embedded Analytics
 

Mehr von Parasoft

Mehr von Parasoft (10)

Testing a Microservices Architecture
Testing a Microservices ArchitectureTesting a Microservices Architecture
Testing a Microservices Architecture
 
MedicAlert API Testing Case Study
MedicAlert API Testing Case StudyMedicAlert API Testing Case Study
MedicAlert API Testing Case Study
 
End-to-end Testing for IoT Integrity
End-to-end Testing for IoT IntegrityEnd-to-end Testing for IoT Integrity
End-to-end Testing for IoT Integrity
 
Leveraging Static Analysis to Secure Software
Leveraging Static Analysis to Secure SoftwareLeveraging Static Analysis to Secure Software
Leveraging Static Analysis to Secure Software
 
BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!BUSTED! How to Find Security Bugs Fast!
BUSTED! How to Find Security Bugs Fast!
 
Are Your Continuous Tests Too Fragile for Agile?
Are Your Continuous Tests Too Fragile for Agile?Are Your Continuous Tests Too Fragile for Agile?
Are Your Continuous Tests Too Fragile for Agile?
 
Software Development Metrics You Can Count On
Software Development Metrics You Can Count On Software Development Metrics You Can Count On
Software Development Metrics You Can Count On
 
Accelerating Mobile Testing
Accelerating Mobile TestingAccelerating Mobile Testing
Accelerating Mobile Testing
 
C/C++test Qualification Kit for DO-178B/C Compliance
C/C++test Qualification Kit for DO-178B/C ComplianceC/C++test Qualification Kit for DO-178B/C Compliance
C/C++test Qualification Kit for DO-178B/C Compliance
 
Extreme Automation Enables DirecTV to ”Shift Left” API Testing
Extreme Automation Enables DirecTV to ”Shift Left” API TestingExtreme Automation Enables DirecTV to ”Shift Left” API Testing
Extreme Automation Enables DirecTV to ”Shift Left” API Testing
 

Kürzlich hochgeladen

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 

Kürzlich hochgeladen (20)

VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 

Driving Risks Out of Embedded Automotive Software

  • 7. It's a rolling data center
    "A typical luxury sedan now contains about 100 megabytes of code that controls 50 to 70 computers inside the car, most of which communicate over a shared internal network." - MIT Technology Review
  • 8. There's incredible complexity
  • 9. Complexity breeds errors, bugs, recalls
    ▪ Software errors: $350/car in 2005 (IEEE)
    ▪ Auto problems cost $,$$$,$$$,$$$
    ▪ NHTSA estimates $100 per vehicle
    ▪ $3 billion annually for recalls/fixes
    ▪ Many recent recalls > $1 billion
    ▪ Liability above and beyond repairs
    ▪ Software is an ever-growing percentage
    ▪ Consequences are serious
  • 10. We're not talking about Pokemon Go
    ▪ Software quality in automotive is life-safety critical
    ▪ Added complexity introduces new vulnerabilities and safety concerns
    ▪ Car makers can't audit or review every line of code
    ▪ The threat of failure involves lives.
    ▪ It's clear: We can't simply treat QA as in the past — or as primarily a hardware issue
  • 11. One real-world measure is recalls
  • 12. Software recalls are a growing problem
    ▪ With the proliferation of ECUs, the problem is exploding
      - From 2005-2012, 32 software recalls affected 3.6 million vehicles
      - From 2012-June 2015, 63 software recalls affected 6.4 million vehicles
      - From less than 5% of all recalls in 2011, software-related recalls rose to almost 15% in 2015
      - In 2011, only 3 software components were recalled; in 2015, it rose to 20 components
  • 13. Software-related recalls are everywhere
  • 14. It's getting worse, and will keep doing so
    ▪ Defects? Design flaws? Security vulnerability?
    ▪ Does it matter?
      - August 2016: VW Car-Net shown to be capturing and uploading vehicle sensor data
      - July 2016: Several incidents with Tesla may be attributable to faulty software
      - June 2016: Apple patents iPhone Bluetooth method to unlock/start cars remotely
      - June 2016: Hackers demo remote takeover of Mitsubishi Outlander Plug-In Hybrid
  • 15. There's no one source for software flaws
  • 16. Or even one weak link in the supply chain
  • 17. And that doesn't even include connectivity
  • 19. Poll: Code quality driver
    ▪ What is the biggest driver of automotive code quality?
      - Adherence to industry standards like MISRA
      - Peer review of all source code
      - Quality contracts with supply chain
      - A solid process for the SDLC
      - Context-rich metrics and metadata analysis
  • 20. Digging deep into policy, practices, metrics
    ▪ Policies cover the entire SDLC, not just coding and testing
    ▪ Policies should be defined by an architect or a group of architects
    ▪ Architects and managers define the practices required to meet those policies
    ▪ The organization needs to find tools to automate practices and policy enforcement
    ▪ Tools like Policy Center can help by syncing what we are doing with what we are measuring against external standards, like ISO 26262 or MISRA
    ▪ Why? In order to set goals and measure results
  • 21. Software verification in many stages
    ▪ Coding standards
    ▪ Unit testing
    ▪ Integration testing
    ▪ Functional testing
    ▪ Memory error detection
    ▪ Coverage analysis
    ▪ Regression testing
    ▪ Workflow automation
    ▪ Peer code review & document inspections
  • 22. ISO 26262 Software Tools Map
    Number    Description                                                      Tool Functionality
    5.4.6     Correctness of software design and implementation               Static analysis
    8.4.4     Design principles for software unit design and implementation   Static analysis
    8.4.5     Verification methods                                             Static analysis, flow analysis, peer review
    9.4.1-2   Unit test execution                                              Unit testing
    9.4.3-4   Unit test creation                                               Unit testing, coverage
    9.4.5     Test requirements                                                Requirements management
    10.4.2    Integration tests                                                Test execution, coverage
    10.4.5    Completeness of integration testing                              Coverage
    10.4.7    Requirements for integration test environment                    Stubs, virtualization/emulation
  • 23. Where to start
    1. Measure software test coverage
    2. Improve test coverage
    3. Static analysis is an essential tactic
    4. Implement preventative coding standards
    5. Use runtime memory detection in the test lab
    6. Link requirements to code, tests and results
    7. Get results data back from supply chain vendors
    8. Analyze data collected during development
  • 24. Poll: When to catch defects
    ▪ When is the best time to catch a safety-critical software defect?
      - During the design/architecture phase
      - While writing the code
      - When code is checked in to the repository
      - During peer review
      - During testing
  • 26. Managing all that complexity
    ▪ Prevention of software flaws
    ▪ Coding standards
      - MISRA – software coding standards
      - ISO 16949 – Automotive Quality
      - ISO 26262 – Functional Safety
      - ISO 33001 – Process assessment for software development
    ▪ Runtime error detection
    ▪ Integrated development testing results
      - Coding standards, unit testing, coverage, requirements, static analysis…
    ▪ Visibility & Traceability
  • 27. Value of coding standards
    The MISRA Guidelines were written specifically for use in systems that contain a safety aspect. The guidelines address potentially unsafe C language features and provide programming rules to avoid those pitfalls.
  • 28. Static analysis means prevention
    ▪ Relationship of automated analysis
      - Preventative static analysis
      - Flow analysis
      - Runtime error detection
    ▪ Uninitialized memory example
      - Runtime will find it IF the test suite is thorough
      - Flow analysis may find it, depending on complexity
      - Pattern to prevent: Initialize variables upon declaration
    ▪ Much of MISRA is designed to prevent rather than detect
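The uninitialized-memory case from slide 28, as an added C example that is not part of the deck: a decoder whose local variable is set only on some paths, next to the preventive "initialize at declaration" pattern. The frame format, the delimiter byte and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example (not from the slides): locate a delimiter byte in a
 * frame payload and report its index. */
#define FRAME_DELIM   0xFF
#define POS_NOT_FOUND (-1)

/* Writes *pos only when the delimiter is present; otherwise leaves it untouched. */
static void find_delim(const uint8_t *frame, size_t len, size_t *pos)
{
    for (size_t i = 0; i < len; i++) {
        if (frame[i] == FRAME_DELIM) {
            *pos = i;
            return;
        }
    }
}

/* "Before": pos is read without ever being set when no delimiter exists
 * (reading an automatic object before it is set, MISRA C:2012 Rule 9.1).
 * A unit test that only feeds frames containing the delimiter passes, and
 * flow analysis must reason across the call to find_delim() to see the
 * unset path - the two detection gaps the slide describes. */
int delim_pos_unsafe(const uint8_t *frame, size_t len)
{
    size_t pos;
    find_delim(frame, len, &pos);
    return (int)pos;   /* indeterminate value on the not-found path */
}

/* "After": the preventive pattern the slide recommends. Initializing at
 * declaration makes every path return a defined value, whether or not any
 * test exercises the not-found case. */
int delim_pos_safe(const uint8_t *frame, size_t len)
{
    size_t pos = SIZE_MAX;
    find_delim(frame, len, &pos);
    return (pos == SIZE_MAX) ? POS_NOT_FOUND : (int)pos;
}

/* Constructed sample frames: one with the delimiter at index 2, one without. */
static const uint8_t FRAME_WITH_DELIM[] = { 0x10, 0x20, 0xFF, 0x30 };
static const uint8_t FRAME_NO_DELIM[]   = { 0x10, 0x20, 0x30, 0x40 };

int demo_found(void)   { return delim_pos_safe(FRAME_WITH_DELIM, sizeof FRAME_WITH_DELIM); } /* 2 */
int demo_missing(void) { return delim_pos_safe(FRAME_NO_DELIM, sizeof FRAME_NO_DELIM); }     /* -1 */
```

Only the hardened function is safe to exercise on the frame without a delimiter; the "before" version is correct exactly on the inputs a thin test suite tends to use.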
  • 29. Standards reduce supply chain risks
    ▪ Standards and static analysis, applied properly, prevent errors and reduce risk
    ▪ Integrated results provide control, measurement, traceability, accountability
    ▪ The cost of good software is less than the harm caused by a recall or other failure
  • 30. What's Needed to Control Risk
    ▪ A clear sense of ownership and responsibility for quality
    ▪ Policies that define quality, such as test coverage, conformance with standards, open source licenses
    ▪ Practices that enforce those policies – like automated static tests or code reviews
    ▪ Metrics that show compliance – like 90% code coverage in current tests, or 28% failure rate
    ▪ Definition of "done" – like zero tasks/user stories incomplete, all unit test failures within 5%, etc.
    ▪ Definition of "done" will change at different times/phases
  • 31. Validating Requirements
    ▪ Plan testing for defined Requirements
      - Test scenario definitions to document use cases
      - Confirm Requirement/Test associations in the Requirement Test Matrix report
    ▪ Automated tests for Requirement Definitions
      - Code-level unit tests
      - Functional tests
    ▪ Associate tests with Requirements using annotations
  • 32. Non-Functional Requirements for Software
  • 33. Acceptance Testing
    ▪ Verify that the software development policy is working
    ▪ Verify that requirements are met
    ▪ Check for possible failures / flaws
    ▪ Tests from the outside in
      - Variety of real-world scenarios
      - Include security "penetration" testing
  • 34. Contractual Software Verification
    ▪ Coding standards
    ▪ Unit testing
    ▪ Memory error detection
    ▪ Coverage analysis
    ▪ Regression testing
    ▪ Peer code review & document inspections
  • 35. The Problem
  • 36. What Can You Measure
    ▪ Code churn
    ▪ Field bugs
    ▪ Static analysis findings
    ▪ Test failures
    ▪ Coverage
    ▪ Performance
    ▪ Counts (lines, files, …)
    ▪ Bug arrival rates
  • 37. Example: Code Metrics
    ▪ Do problems indicate simple coder error, or something more?
    ▪ Prioritize by understanding the impacts of policy violations
    ▪ Understand where complexity means poor design, or performance that is hard to validate or to cover with static/dynamic tests
    ▪ Identify areas with good (or bad) ROI for refactoring
      - After all, refactoring is not only costly (time and money) but also introduces new risk
  • 38. Metrics with a Capital M
    Some metrics have taken on a life of their own:
    ▪ Complexity
    ▪ Cohesion
    ▪ Coupling
    ▪ Maintainability
    ▪ KLOC
    There are no silver bullets, no single metric that defines "good" vs. "bad" software
  • 39. Context comes from metadata
    ▪ Understand the meaning of the code, modules, tests
      - Functional vs. non-functional requirements
      - And externalities, such as licenses, budgets, industry standards, as well as audits
    ▪ For every task there is an assignment (ownership)
      - As well as budgets, priorities and risk assessments
      - There may be specific security rules.
  • 40. Checking Your Work
    ▪ Did you get the right numbers?
    ▪ Are they going in the right direction?
    ▪ Are you measuring enough?
    ▪ Are unexpected things happening?
    ▪ Are the measurements automatic?
      - Manual estimates are inconsistent
      - Multiple layers of manual collection yield compound rounding errors
  • 41. Poll: What kind of testing?
    ▪ Which testing is most valuable in software verification?
      - Unit testing
      - Functional testing
      - Static code analysis
      - Memory leak detection
      - Penetration testing
  • 42. Dashboards vs. Process Intelligence
    2001 Ford Explorer:
    ▪ Isolated data points
    ▪ No priority
    ▪ Binary warnings (Check Engine)
    ▪ Nothing / All
    2016 Chevy Volt:
    ▪ Multi-variate analysis
    ▪ Customizable
    ▪ Engine efficiency
    ▪ Valuable data (Range)
    ▪ Real-time feedback
  • 43. Harnessing "Big" Data
    ▪ Aggregate data
    ▪ Correlate data
    ▪ Mine data
    ▪ Create
      - Reports
      - Dashboards
      - Tasks
      - Alerts
    ▪ Continuous testing/delivery/release
  • 44. Decisions Based on Metrics and Metadata
    ▪ What's the priority and cost/benefit of fixing now vs. fixing later vs. letting it slide?
    ▪ Are there bigger problems with code complexity?
    ▪ What about integration with external systems (like TFS)?
    ▪ Architects and top managers configure parameters to determine how rules are enforced
    ▪ After all, it's only partly about functional requirements for the code; non-functional requirements are equally important – or perhaps even more so.
    ▪ Policies, and thus practices, must be configured to enforce both functional and non-functional requirements
  • 45. Parasoft Support for Automotive
    ▪ Policy definition management
    ▪ Requirement definition and tracking
    ▪ Static analysis
    ▪ Unit test
    ▪ Peer review
    ▪ Runtime error detection
    ▪ Coverage
  • 46. Conclusions
    ▪ Safety-critical automotive software issues are going to get worse
      - Due to ever-increasing requirements, faster processors, and greater connectivity
    ▪ This affects software from in-house and the vast supply chain
      - The right tests can help make informed decisions faster
    ▪ Coding standards and practices can drive policies
      - And lead to definitions of "done"
    ▪ Code metrics can help manage risk…
      - If they have the right metadata context
      - And if integrated across SDLC practices and systems
    ▪ The result: transparency, feedback, supervision — and managed quality
  • 47. Resources
    ▪ Blog: http://alm.parasoft.com
    ▪ Web: http://www.parasoft.com/jsp/resources
    ▪ Facebook: https://www.facebook.com/parasoftcorporation
    ▪ Twitter: @Parasoft @CodeCurmudgeon @Zeichick
    ▪ LinkedIn: http://www.linkedin.com/company/parasoft
    ▪ Google+ Community: Static Analysis for Fun and Profit
    Upcoming events:
    ▪ Webinar: RX for FDA Software Compliance – Aug 25th
    ▪ IoT APIs session – API World, San Jose, CA – Sep 13th
    ▪ Managing Auto Supply Chain Risk – Automotive Software Kongress, Germany – Sep 21-22