1. What are the challenges of detecting software vulnerabilities in SDLC?
Detecting software vulnerabilities in the SDLC is challenging because vulnerabilities are usually introduced during the construction stage but only become apparent as security failures in the operational stage. This makes them hard to detect early, leading to higher repair costs, damage to company reputation, privacy violations, and issues that can no longer be repaired. Techniques to detect vulnerabilities are therefore needed before product release, and dedicated tools like Veracode and SonarCode can help reduce false alerts and focus testing effort on the files most likely to be vulnerable. In the case of the UMI application, automated testing is crucial to detect vulnerable code efficiently.
2. What are the eight characteristics of ISO 25010 for software quality?
ISO/IEC 25010 defines eight characteristics for measuring software quality: functional suitability, performance efficiency, compatibility, usability, reliability, security, maintainability, and portability. Functional suitability measures whether the system provides the functions required of it under specified conditions. Performance efficiency measures the performance achieved relative to the resources used under specified conditions. Compatibility assesses how well a system exchanges information and executes its functions while sharing an environment with other systems. Usability measures how effectively and efficiently users can achieve their goals with the system. Reliability evaluates the system's ability to execute its functions under specified conditions for a specified period. Security measures the system's ability to protect information and data according to authorization levels. Maintainability represents the effectiveness and efficiency with which the system can be modified to improve it or adapt it to a changing environment. Portability measures how effectively and efficiently the system can be transferred from one environment to another.
3. What coding rules does SonarCloud verify for software development languages?
SonarCloud verifies coding rules for most common development languages to check code compliance. These rules are designed to maintain code quality and adherence to best practices. The platform also calculates various metrics, such as the number of lines of code, code complexity, and adherence to coding standards. If the analyzed source code violates a rule, or if a metric falls outside a predefined threshold, SonarCloud raises an 'issue'. This helps developers identify and fix potential problems early in the development process, leading to more reliable and maintainable software. Additionally, SonarCloud classifies rules into five severity levels, namely Blocker, Critical, Major, Minor, and Info, giving developers a clear understanding of the impact each issue has on the application's functionality and security.
4. How does SonarCloud Pipeline detect insecure code?
The SonarCloud pipeline detects insecure code by using the SonarCloud REST API to retrieve the source code that the platform has flagged as vulnerable. The process involves three main phases: crawling the application's source code, manipulating the code by adding the vulnerable lines as comments, and storing the results locally. The pipeline then classifies the code according to the ISO 25010 standard, focusing on reliability, maintainability, security, and the other characteristics. This method allows researchers to analyze and understand the vulnerabilities present in the code, contributing to the development of more secure software.
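An added example (not the paper's pipeline code) showing the three ingredients of such a pipeline: a request to SonarCloud's issues-search API, the classification of returned issues by ISO 25010 characteristic and severity, and the "vulnerable lines as comments" annotation step. The mapping of issue types onto ISO 25010 characteristics, the project key, the token, and the sample response are all assumptions constructed for this example.

```python
import json
from collections import Counter
from urllib.parse import urlencode
from urllib.request import Request

# Assumed mapping of SonarCloud issue types onto the ISO/IEC 25010
# characteristics the pipeline classifies by (reliability, maintainability, security).
ISO25010_BY_TYPE = {"BUG": "reliability", "CODE_SMELL": "maintainability",
                    "VULNERABILITY": "security", "SECURITY_HOTSPOT": "security"}

# Constructed sample in the shape of a SonarCloud /api/issues/search response
# (rule keys, components and messages are made up for this example).
SAMPLE_RESPONSE = json.dumps({
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 3},
    "issues": [
        {"key": "AX1", "rule": "java:S2076", "severity": "BLOCKER", "type": "VULNERABILITY",
         "component": "demo:src/App.java", "line": 3, "message": "Sanitize the command."},
        {"key": "AX2", "rule": "java:S2259", "severity": "MAJOR", "type": "BUG",
         "component": "demo:src/App.java", "line": 2, "message": "Possible null dereference."},
        {"key": "AX3", "rule": "java:S1135", "severity": "INFO", "type": "CODE_SMELL",
         "component": "demo:src/Util.java", "line": 1, "message": "Complete the TODO."}]})

def build_request(project_key, token):
    """Build the API request for one project's VULNERABILITY issues.
    The token is a SonarCloud user token sent as a Bearer header."""
    query = urlencode({"componentKeys": project_key, "types": "VULNERABILITY", "ps": 500})
    return Request("https://sonarcloud.io/api/issues/search?" + query,
                   headers={"Authorization": "Bearer " + token})

def classify(response_text):
    """Count issues per (ISO 25010 characteristic, SonarCloud severity) pair."""
    counts = Counter()
    for issue in json.loads(response_text)["issues"]:
        counts[(ISO25010_BY_TYPE.get(issue["type"], "other"), issue["severity"])] += 1
    return counts

def annotate(source_lines, response_text, component):
    """Append a comment to each flagged line of one file: the pipeline's
    'vulnerable lines as comments' step, done here as trailing comments."""
    flagged = {}
    for issue in json.loads(response_text)["issues"]:
        if issue["component"] == component and issue.get("line"):
            flagged.setdefault(issue["line"], []).append(issue)
    return [text + "".join(f"  // SONAR {i['severity']} {i['rule']}: {i['message']}"
                           for i in flagged.get(n, []))
            for n, text in enumerate(source_lines, start=1)]
```

To run against a real project, pass the `Request` from `build_request` to `urllib.request.urlopen` and feed the response body to `classify` and `annotate`; SonarCloud pages results, so follow `paging.total` for large projects.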