Secure your investments

In an increasingly complex and demanding environment, the quality of the applications you develop, buy or use becomes critical.

If you are a software vendor, managing the final quality of your products is essential to preserve your current positions and to gain a decisive advantage in emerging markets.

As an end user, you face growing demands for productivity, total quality and process security. You must be 100% confident in the reliability of your software tools, so you have to formalize your software requirements and be able to check that they are met in ever more complex applications.

Our solutions help you determine, control and optimize the quality of software products.



Evaluation: Assess Web application vulnerability

Download the document

This audit assesses the components of a Web application against a set of control points and produces a report highlighting all vulnerabilities found.

Scope and procedure

The analysis is based on the components of a Web application:

  • URLs, discovered by an automated exploration of the site,
  • script parameters, whose combined values produce all the test cases,
  • JavaScript code, cookies and comments collected during site exploration,
  • inactive links and pages deliberately excluded from the analysis, which are also recorded so that component coverage is as complete as possible.

Because every sequence on each page is explored systematically, most accessible pages are processed: their content is analyzed and their parameters are tested.

NOTE: for pages that are only reachable through a particular procedure (e.g. add to cart, provide payment information, confirm the order), scripts for reaching these pages should be provided.

Modules and checkpoints

Tests performed on the Web application's components depend on the modules selected for the evaluation, each of which is composed of several checkpoints.

Among the available modules:

  • "Server structure intrusion" module
    These attacks reveal the directory structure, file names and file contents. They may disclose non-public parts of the site containing development files, trace or debug output.
  • "Database takeover" module
    These attacks exploit the queries exchanged between the web application and the database to introduce additional queries. Such commands are used to explore the contents of the database and retrieve the list of customers and their data, the history of their orders, or the contents of the business catalogue. Modification or deletion commands can also be introduced, with more destructive effects.
  • "Identity theft" module
    These attacks aim to obtain a user's personal data: to authenticate as a user without knowing the password, or to discover the password along with other personal information. Details of the user's operations during a session can also be obtained by such attacks.

Each control point (several thousand are tested across all available modules) assesses the vulnerability of the components to one precisely defined attack.
For example, a "Brute Force" attack is an attempt by a malicious user to access the application by sending a large number of possible passwords and/or usernames.

Since this technique requires many connection attempts, an application that does not limit the number of unsuccessful connection requests is vulnerable to it.

This checkpoint assesses whether the application has put such a protection mechanism in place.
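As an added example (not code from the page or from Kalimetrix), a minimal version of the protection this checkpoint looks for: a per-account cap on unsuccessful login attempts inside a time window, followed by a lockout. The thresholds, table size and function names are illustrative assumptions; the time is passed in as a parameter so the policy can be tested offline.

```c
#include <stdbool.h>
#include <string.h>
#include <time.h>
/* Added example (not from the page): a per-account cap on failed logins
 * inside a time window, then a lockout. Thresholds are assumptions. */
#define MAX_FAILURES    5    /* failures tolerated inside one window */
#define WINDOW_SECONDS  300  /* a failure older than this is forgotten */
#define LOCKOUT_SECONDS 900  /* account refused this long once the cap is hit */
#define MAX_ACCOUNTS    64
struct attempt_state {
    char   user[32];
    int    failures;      /* failures counted in the current window */
    time_t window_start;  /* time of the first failure in that window */
    time_t locked_until;  /* 0 when not locked */
};
static struct attempt_state table[MAX_ACCOUNTS];
static int table_len;

/* Find or create the per-account record; NULL when the table is full. */
static struct attempt_state *lookup(const char *user)
{
    for (int i = 0; i < table_len; i++)
        if (strcmp(table[i].user, user) == 0) return &table[i];
    if (table_len == MAX_ACCOUNTS) return NULL;
    struct attempt_state *s = &table[table_len++];
    memset(s, 0, sizeof *s);
    strncpy(s->user, user, sizeof s->user - 1);
    return s;
}

/* True when a password check may be attempted now; a full table fails closed. */
bool login_allowed(const char *user, time_t now)
{
    struct attempt_state *s = lookup(user);
    return s != NULL && now >= s->locked_until;
}

/* Record a password check result; returns true if the account is now locked. */
bool record_attempt(const char *user, bool success, time_t now)
{
    struct attempt_state *s = lookup(user);
    if (s == NULL) return true;
    if (success) { s->failures = 0; return false; }
    if (s->failures == 0 || now - s->window_start > WINDOW_SECONDS) {
        s->failures = 0;            /* start a fresh window */
        s->window_start = now;
    }
    if (++s->failures < MAX_FAILURES) return false;
    s->failures = 0;
    s->locked_until = now + LOCKOUT_SECONDS;
    return true;
}
```

A real deployment would also count attempts per source address and persist the table across processes; this block only shows the per-account limit the checkpoint tests for.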

Evaluation Report

The evaluation report is an HTML report providing:

  • a presentation of results in two ways: by performance level or by control point,
  • natural and quick navigation to the important elements.

Navigation by performance level introduces a rating system for every level of component, from the highest level (the application), for which an overall score is calculated, down to the lowest components, which share the same rating system.
This provides a single overall level for the application (in terms of vulnerability to attacks) and a quick, effective exploration of the factors responsible for good or bad overall performance.

Navigation by control point also locates good and bad elements, this time guiding the exploration by type of attack.
By selecting a module, then a specific checkpoint, the components vulnerable to a particular type of attack can be targeted.

For more information, send us an e-mail or fill in the information request.

Programming error detection

Download document

Objective

Search for possible programming errors in source files.

Justification

Some uses of a language's specific features can introduce bugs into the code (during development or maintenance). Locating them early avoids many potential defects and saves time during the validation and operation phases.

Languages

C, C++ …

Controls

Search for the following defects:

  • statements without effect
  • unreachable code
  • empty block in a test
  • "break" missing in a "switch" branch
  • "default" missing in a "switch"
  • use of the return value of a procedure
  • confusion between assignment and test
  • comparison of real numbers for equality or inequality
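Two of the constructions in this list, each shown as the defect a rule checker would flag beside its corrected form. This is an added example, not code from the page or from Logiscope RuleChecker; the function names and the tolerance factor are illustrative choices.

```c
#include <stdbool.h>
#include <float.h>

/* Added example, not from the page or from RuleChecker: two constructions
 * from the list above, each as the defect beside its corrected form. */

/* Defect: "break" missing in a "switch" branch, and no "default".
 * case 1 falls into case 2, so classify_missing_break(1) yields 20, not 10;
 * an unexpected code yields 0 and is never reported. */
int classify_missing_break(int code)
{
    int result = 0;
    switch (code) {
    case 1:
        result = 10;
        /* falls through - the missing break */
    case 2:
        result = 20;
        break;
    }
    return result;
}

/* Corrected: every branch ends, and the default branch reports the rest. */
int classify_fixed(int code)
{
    switch (code) {
    case 1:  return 10;
    case 2:  return 20;
    default: return -1;   /* unexpected code is visible to the caller */
    }
}

/* Defect: comparing real numbers for equality. 0.1 + 0.2 is not exactly
 * 0.3 in binary floating point, so this returns false for those inputs. */
bool sum_equals_exact(double a, double b, double expected)
{
    return a + b == expected;
}

/* Corrected: compare with a tolerance scaled to the operands' magnitude. */
static double dabs(double x) { return x < 0 ? -x : x; }

bool sum_equals_tolerant(double a, double b, double expected)
{
    double sum = a + b;
    double scale = dabs(sum) > dabs(expected) ? dabs(sum) : dabs(expected);
    return dabs(sum - expected) <= 4 * DBL_EPSILON * scale;
}
```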

Tool used

IBM Rational Logiscope RuleChecker

Material

Report identifying all dangerous construction uses in the code.

Tracking the improvement of programming practices

Download document

Objective

Implementation of a measurement repository to ensure that coding practices on the projects improve over time.

Justification

Only measurements can confirm that improvement procedures really affect the quality of the final product.
A repository that measures how well practices are followed, and compares this with the final quality obtained, makes improvement much more efficient.

Languages

C, C++, Ada, Java …

Service description

Phase 1: identification of the practices to be improved and of the corresponding measurements
Phase 2: identification of the measurements needed to evaluate the quality of developments (number of defects, for example)
Phase 3: integration of the repository into the development environment
Phase 4: assessment after 6 months of use

Tool

KEYS

Material

Integrated repository in the development environment

User's manual


Test coverage measurement

Download document

Objective

Verifying the coverage of software elements during execution of the associated tests.

Justification

Without coverage measurement, software non-regression tests only cover half of the code: many tests are redundant and many others are missing. Strict verification of coverage is a good way of improving test sets and their efficiency.

Languages

C, C++, Ada, Java ...

Service description

Phase 1: code instrumentation

Phase 2: test execution

Phase 3: test quality report

Tools

IBM Rational Logiscope TestChecker, R-TRT, LDRA Testbed, Pure Coverage

Material

Delivery of a report identifying all code portions not covered by tests, and redundant tests.


Kalimetrix IBM Business Partner

In June 2009, Kalimetrix became an ISV (Independent Software Vendor) approved by IBM to sell the Rational product line for software development.

Tax Credit for Research

Kalimetrix has just received government approval under the French research tax credit scheme. This enables French companies to benefit from tax reductions when they entrust Kalimetrix with research and development work.

Please note that this applies only to French-based companies.