True Code Complete

True Code Complete includes the True Code Foundation and all available static and dynamic checks.


Foundation

True Code is a solution for software development units that want to create more secure code and get the best possible help from both human reviewers and automation. True Code Foundation includes several functionalities that form the basis for automating security assessments on your codebase:

  • A standalone version that can be used next to any IDE your development teams are using
  • A plugin for Eclipse
  • A command line version that can be used to integrate the automated security checks in the daily build process
  • Triage functionality to work jointly with the team on mitigation strategies
  • Code flow and dataflow options to assist developers working on the code
  • Categorize vulnerabilities and add additional fields to describe or group vulnerabilities as needed
  • Keep all vulnerabilities found in a database

Static analysis

The presence of logical vulnerabilities can cause dangerous problems: attackers can use these vulnerabilities to, for example, steal user data or IP. Riscure developed special logical checks for vulnerabilities that, based on years of experience, we know can form a serious threat to the security of your product. The included checks automate finding vulnerabilities like ToCToU, specific overflow vulnerabilities, loop alignment, struct initialization and more.

All checks can run automatically during development of your product from within your software development toolchain, or manually from the desktop of any developer. All checks can be configured so that they exactly fit your needs, and the results are saved in a freely accessible database.

True Code static checks can be guided to run on the most relevant parts of your codebase. True Code can automatically identify those parts and the code paths that lead to them. The checks then run only on those parts of your codebase, which prevents the occurrence of false positives.


Dynamic analysis

Dynamic analysis allows you to define test scenarios that cover a smaller or larger part of the codebase. While a defined test scenario runs, True Code executes various tests to detect security vulnerabilities.

With dynamic analysis, True Code helps you detect logical and fault injection vulnerabilities. The dynamic checks can be used next to the static checks to get a higher level of assurance.


Fault injection

Fault injection is a technique used more and more by attackers to break the security of your products. Though many might think that fault injection vulnerabilities only occur in hardware, software in fact offers an even bigger attack surface for these types of attacks. The True Code package flags fault injection vulnerabilities to your developers by executing the software on virtual hardware. In this process True Code injects faults in the virtual hardware and gives actionable feedback on the lines in the source code that are vulnerable.
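To make concrete what a fault injection check looks for in software, here is an added example (not True Code's own code or output) that emulates a single-bit glitch on an authentication status word and compares a boolean decision against a hardened one that uses wide, complementary constants and a repeated check. The constants `AUTH_OK`, `AUTH_FAIL` and the glitch model are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Status encodings (constructed for this example): the two constants differ in
 * all 16 low bits, so no single bit flip can turn FAIL into OK. */
#define AUTH_OK   0x3CA5u
#define AUTH_FAIL 0xC35Au

/* Weak pattern: a boolean decision. A fault that corrupts the status word
 * into any non-zero value is indistinguishable from a genuine pass. */
int grant_boolean(uint32_t status)
{
    return status != 0;
}

/* Hardened pattern: compare against a full-width constant and repeat the
 * comparison so that one skipped branch cannot grant access on its own.
 * The volatile copy stops the compiler from folding the two checks into one. */
int grant_hardened(uint32_t status)
{
    volatile uint32_t s = status;
    if (s != AUTH_OK)
        return 0;
    if (s != AUTH_OK)   /* redundant check, kept because s is volatile */
        return 0;
    return 1;
}

/* Emulated single-bit glitch on a value: flip bit 'bit' of 'value'.
 * This stands in for the virtual-hardware fault injection described above. */
static uint32_t glitch_bit(uint32_t value, unsigned bit)
{
    return value ^ (1u << bit);
}

/* Count how many of the 32 single-bit corruptions of a failing status word
 * the given decision function accepts as success. */
int accepted_single_bit_faults(int (*decide)(uint32_t), uint32_t fail_value)
{
    int accepted = 0;
    for (unsigned bit = 0; bit < 32; bit++) {
        if (decide(glitch_bit(fail_value, bit)))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Boolean style encodes failure as 0: every single-bit flip is accepted. */
    printf("boolean decision accepts %d of 32 single-bit faults\n",
           accepted_single_bit_faults(grant_boolean, 0u));
    /* Constant style: no single-bit flip of AUTH_FAIL equals AUTH_OK. */
    printf("hardened decision accepts %d of 32 single-bit faults\n",
           accepted_single_bit_faults(grant_hardened, AUTH_FAIL));
    return 0;
}
```

The boolean variant accepts all 32 corruptions, the hardened variant none; a tool that glitches the status register on virtual hardware would point at the `status != 0` line as the vulnerable one.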

Fuzzing

Fuzzing is a method often used by hackers to detect exploitable vulnerabilities in a product. With fuzzing, an attacker uses the available APIs and tries all kinds of inputs to trigger unexpected behaviour that can be exploited. True Code dynamic analysis allows you to define test scenarios on the public APIs, but also on any internal function or group of functions, to test the robustness of your code. Vulnerabilities are reported in an actionable way, while the development team is also kept up-to-date on the coverage of the defined scenarios.
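As an added illustration of a fuzzing scenario on an internal function (this is example code, not part of True Code), the block below fuzzes two versions of a tiny TLV record parser. Reads go through a bounds-recording view instead of raw memory, so an out-of-bounds read is reported as a violation rather than silently reading past the buffer, and a small coverage bitmap records which branches the scenario reached. The TLV format, the seed input, the coverage ids and the mutation strategy are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Test double for memory: every byte read goes through rd(), which records
 * an out-of-bounds access instead of reading past the buffer. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    int oob;        /* set when the code under test reads at or past 'len' */
    uint32_t cov;   /* branch coverage bitmap filled in by the parser */
} view_t;

static uint8_t rd(view_t *v, size_t i)
{
    if (i >= v->len) { v->oob = 1; return 0; }
    return v->buf[i];
}
#define COV(v, id) ((v)->cov |= (1u << (id)))

/* Constructed TLV format: repeated [type:1][len:1][value:len] records.
 * Both parsers return the record count, or -1 for malformed input. */

/* Version with a defect the fuzzer should find: the length byte is read
 * before checking that a full header fits in the buffer. */
int parse_tlv_weak(view_t *v)
{
    size_t i = 0; int records = 0;
    while (i < v->len) {
        COV(v, 0);
        uint8_t type = rd(v, i);
        uint8_t len  = rd(v, i + 1);                 /* i + 1 may equal len */
        if (i + 2 + len > v->len) { COV(v, 1); return -1; }
        if (type == 0)            { COV(v, 2); return -1; }  /* type 0 reserved */
        i += 2 + (size_t)len;
        records++;
    }
    COV(v, 3);
    return records;
}

/* Hardened version: header and value bounds are checked before any read. */
int parse_tlv_hardened(view_t *v)
{
    size_t i = 0; int records = 0;
    while (i < v->len) {
        COV(v, 0);
        if (v->len - i < 2) { COV(v, 4); return -1; }          /* truncated header */
        uint8_t type = rd(v, i);
        uint8_t len  = rd(v, i + 1);
        if (len > v->len - (i + 2)) { COV(v, 1); return -1; } /* truncated value */
        if (type == 0)              { COV(v, 2); return -1; }
        i += 2 + (size_t)len;
        records++;
    }
    COV(v, 3);
    return records;
}

typedef struct { int violations; uint32_t cov; long cases; } fuzz_report_t;

static void run_case(int (*parse)(view_t *), const uint8_t *b, size_t n, fuzz_report_t *r)
{
    view_t v = { b, n, 0, 0 };
    parse(&v);
    r->cases++;
    r->cov |= v.cov;
    if (v.oob) r->violations++;
}

/* Deterministic mutation fuzzing of one parser from a seed input: every
 * truncation length, every single-byte value at every position, and a fixed
 * number of xorshift32-driven multi-byte mutations (reproducible by design). */
fuzz_report_t fuzz_parser(int (*parse)(view_t *), const uint8_t *seed, size_t n, int random_rounds)
{
    fuzz_report_t r = { 0, 0, 0 };
    uint8_t buf[64];
    if (n == 0 || n > sizeof buf) return r;

    for (size_t cut = 0; cut <= n; cut++)
        run_case(parse, seed, cut, &r);

    for (size_t pos = 0; pos < n; pos++)
        for (int val = 0; val < 256; val++) {
            memcpy(buf, seed, n);
            buf[pos] = (uint8_t)val;
            run_case(parse, buf, n, &r);
        }

    uint32_t x = 0x9E3779B9u;
    for (int round = 0; round < random_rounds; round++) {
        memcpy(buf, seed, n);
        for (int k = 0; k < 3; k++) {
            x ^= x << 13; x ^= x >> 17; x ^= x << 5;
            buf[x % n] = (uint8_t)(x >> 24);
        }
        run_case(parse, buf, n, &r);
    }
    return r;
}

/* Constructed seed: two well-formed records, type 1 (2 bytes) and type 2 (1 byte). */
const uint8_t SAMPLE_INPUT[] = { 0x01, 0x02, 0xAA, 0xBB, 0x02, 0x01, 0xCC };
#define SAMPLE_LEN (sizeof SAMPLE_INPUT)

int main(void)
{
    fuzz_report_t w = fuzz_parser(parse_tlv_weak, SAMPLE_INPUT, SAMPLE_LEN, 200);
    fuzz_report_t h = fuzz_parser(parse_tlv_hardened, SAMPLE_INPUT, SAMPLE_LEN, 200);
    printf("weak:     %ld cases, %d OOB violations, coverage 0x%02x\n", w.cases, w.violations, w.cov);
    printf("hardened: %ld cases, %d OOB violations, coverage 0x%02x\n", h.cases, h.violations, h.cov);
    return 0;
}
```

The truncation pass alone is enough to expose the weak parser (a one-byte input makes it read the length byte past the end), while the hardened parser survives every case; the coverage bitmap is what a team would watch to judge whether a scenario actually exercises the error paths it is meant to.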