Policy Management

Parasoft provides centralized management of organization-level and team-level policies for ensuring application security, reliability, performance, and maintainability as well as complying with FDA, DO-178, PCI, and other regulations. Policies are easily deployed and customized for specific projects without compromising the integrity of the corporate objectives. Policy management is centralized for simple access and policy application is automated for rapid scanning and reporting.

Organization/Team Policy Manager
Parasoft's policy manager provides a fast and easy way to ensure that policy enforcement is standardized both globally and locally. This can include a fixed set of organizational policies, as well as subsets of policies customized to suit the needs of specific projects and teams. Policy configurations for thousands of desktops can be implemented or updated once, then distributed to thousands of machines with a single click.

Rule Library
Each language-specific rule library (Java, C/C++, .NET, XML, etc.) provides configurable sets of hundreds of rules including specific (contextual) security rules. Parasoft's rule library is the most comprehensive in the industry, and is constantly being extended. To help developers understand and achieve the benefit that the rules deliver, we provide detailed documentation for each rule, including an explanation of the rule requirements and customizable enforcement parameters, the rationale behind the rule, a sample violation, and an explanation of how to bring code into compliance.

Rule Configuration/Parameterization
Since goals and technologies vary from project to project, Parasoft allows teams to customize the logic of library rules to suit the unique demands of specific projects and priorities. Rules are customized using GUI controls no coding or scripting is required. Moreover, rule names, descriptions, and severities can be matched to your organization's policies, establishing a fully-customized policy management and reporting interface.

Graphical Rule Wizard
In the event that certain internal policies cannot be matched to library rules, Parasoft's RuleWizard provides fast and easy ways to extend the rule set. Custom rules can be built graphically or generated automatically by providing code that demonstrates a sample rule violation. This flexible framework supports definition of even the most complex policy requirements.

Workflow Management

Parasoft defines, automates, and monitors a workflow that improves development productivity and forms the foundation for a sustainable quality process. As quality tasks are defined and automated, process control guidelines are established to measure process progress as well as software quality. With monitorable quality gates and thresholds throughout the SDLC, your organization and team can track progress and ultimately improve the software development process.

Quality Process Definition
Quality processes and tasks are defined in the system and the workflow associated with the process is automated. The organization's expectations around quality tasks are visible and monitored. This significantly reduces the resources required to establish and maintain the quality process, resulting in increased team productivity.

Quality Process Metrics
Process control guidelines are established to measure both process progress and software quality. By establishing quality gates at specific points in the SDLC and establishing quality thresholds, organizations and teams gain the ability to track progress and ultimately improve the software development process.

Workflow Optimization

Tasks to support quality policies must be optimized so they can become an integral part of the team's existing workflow. The lack of automation, repeatability, or consistency will degrade any quality initiative that the organization intends to deploy. Parasoft optimizes the workflow to ensure that the quality process is both sustainable and scalable. For example:

• Routing each reported issue directly to the responsible developer and customizable issue prioritization both ensure that your most critical issues are addressed in a timely manner.
• Centralized configuration management to ensure that test configurations are applied consistently and can be updated effortlessly as priorities and processes evolve.
• Monitoring manual processes that require human intelligence, then converting them into automated processes relieves the team from having to repeat many manual efforts.

Issue Prioritization
Results are reported as a prioritized task list to help the team focus their attention and resources on the issues expected to have the greatest impact on quality. To ensure that the most critical policy violations are identified immediately and promptly resolved, Parasoft allows organizations to customize issue severities to match their unique project needs and priorities.

Context Suppression
Context-sensitive suppressions allow teams to prevent rules from firing under specific circumstances where they do not apply. This reduces the level of noise, ensuring that every violation reported is a real problem that should be fixed. Suppressions can be defined in the code to ensure they are always visible when code is reviewed and modified.

Quick Fix
Parasoft Quick Fix automatically refactors code to conform with certain coding policies. This enables the development team to rapidly remediate many policy violations.

Regulatory Compliance

To help teams achieve and demonstrate regulatory compliance, we establish an in-line continuous quality process that ensures mandated practices are not only deployed across every stage of the SDLC, but also ingrained into the team's workflow.
Parasoft supports:

• PCI DSS
• OWASP
• CWE/SANS
• NIST SAMATE
• FDA
• Joint Strike Fighter
• Ellemtel
• MISRA
• Section 508, WAI and WCAG

After each test, a list of tasks required for compliance is generated and prioritized. The responsible developers are notified immediately, and their assigned tasks are distributed directly to their IDEs. Archived reports and trend graphs document validation efforts and quality improvements.

Parasoft's static analysis monitors whether code meets uniform expectations around security, reliability, performance, and maintainability—delivering real-time training based on corporate policy. By exposing structural errors and preventing entire classes of errors, this provides a foundation for producing solid code. Our static analysis includes static code analysis, data flow static analysis, and code metrics analysis. All are centrally managed and highly automated. Moreover, an automated framework is provided to ensure consistency across development languages, development teams, and third-party partners.

Parasoft's static code analysis monitors whether code follows industry-standard or customized rules for ensuring that code meets uniform expectations around security, reliability, performance, and maintainability. Over 15 years of research and development have gone into optimizing Parasoft's patented static code analysis engine and knowledge base. Our static code analysis solutions feature:

• A centralized, integrated system for automated monitoring of code compliance across heterogeneous environments (Java, C/C++, C#, VB.NET, JavaScript, etc.), core industry standards (WS-*, Section 508, FDA, PCI, MISRA, etc.), and organization-specific policies (security, branding, etc.).
• Rule sets that are the most comprehensive in the industry and are constantly being extended.
• Fast, easy ways to define and check custom static analysis rules that prevent application-specific errors from reoccurring and monitor adherence to organization-specific policies.
• Automated task assignment and customizable issue prioritization to ensure that the most critical issues are addressed in a timely manner.
• Extensive support for policy management, workflow management, and workflow optimization to facilitate code improvement without impeding project progress or team productivity.

[ back to top ]

Policy Enforcement

Parasoft's static code analysis can easily be configured to automatically monitor adherence to organization, team, and project policies for security, compliance, etc. The rule library includes hundreds of rules that deliver "out-of-the-box" monitoring of many common policy requirements. These static analysis rules can be customized as needed to match specific policy requirements, and the rule set can be rapidly extended to address even the most complex and unique requirements. Moreover, rule names, descriptions, and severities can be mapped to the organization's policies, establishing a fully-customized policy management and reporting interface.

Security

In addition to enforcing organizations' unique security policies, Parasoft's static code analysis automatically identifies common security vulnerabilities with the most comprehensive static analysis rule set in the industry-across the industry's most popular technologies and platforms, including Apache Axis, WebSphere, Hibernate, servlets, Struts, and EJB 3.

Our static code analysis solutions are configured to deliver an instant assessment of compliance with PCI DSS section 6 security guidelines. This enables teams to rapidly assess the level of compliance without spending time reading the PCI DSS specification and determining how the requirements translate to code. We also provide an automated assessment of your risks regarding the most critical application security vulnerabilities (as listed in the CWE/SANS Top 25 and OWASP Top 10).

• Input-based attacks
• Backdoor vulnerabilities
• Unsafe environment configuration
• Weak security controls
• Deadlocks and race conditions
• Erratic application behavior
• Unsafe error handling and logging
• Exposing sensitive data

Expert Best Practices

Industry leaders have built an extensive knowledge base of guidelines for preventing the most serious and common software defects. Parasoft's static code analysis provides expert code feedback in seconds by automatically applying the wisdom of gurus such as:

• Java: Joshua Bloch, Scott Ambler, and Sun Microsystems
• C/C++: Scott Meyers, Herb Sutter, Andrei Alexandrescu
• .NET: Microsoft experts

Identifying and fixing the reported violations improves code security, reliability, performance, and maintainability.

Technology Guidelines and Standards

To help developers understand and negotiate the unique pitfalls involved in working with certain technologies, Parasoft's static code analysis automatically monitors code compliance to technology-specific guidelines and standards. Parasoft's static code analysis provides out-of-the-box support for preventing mistakes related to common technologies/frameworks, such as:

• Java: Spring, Struts, Hibernate, JSP, EJB, J2ME, JDBC.
• C/C++: Standard Template Library, Trolltech Qt framework
• .NET: IL, C#, VB.NET, CLS

Moreover, our flexible static code analysis framework can easily be extended to support more specialized needs.

Regulatory Compliance Standards

To help teams achieve and demonstrate regulatory compliance, we establish an in-line continuous quality process that ensures mandated practices are not only deployed across every stage of the SDLC, but also ingrained into the team's workflow.

Our static code analysis enable teams to rapidly assess the level of compliance to various regulatory standards–without spending time reading the related specifications and determining how the requirements translate to code.

Parasoft provides built-in support for:

• PCI DSS
• OWASP
• CWE/SANS
• NIST SAMATE
• FDA
• Joint Strike Fighter
• Ellemtel
• MISRA
• Section 508, WAI and WCAG

Moreover, our flexible static code analysis framework can easily be extended to support more specialized needs.

Each issue detected is prioritized, automatically correlated to the developer who introduced it, then distributed to his or her IDE with direct links to the problematic code. Eventually, developers start writing compliant code as a matter of habit. Moreover, through integration with the development infrastructure, results are correlated with requirements, bugs, and source code changes–converting data into actionable information.

Archived reports and trend graphs document validation efforts and quality improvements.

Application-Specific Errors

Parasoft provides fast and easy ways to define custom static code analysis rules that prevent the recurrence of application-specific defects after a single instance has been found. By ensuring that the team does not make the same mistake twice, this significantly improves team productivity and product quality.

Automated Correction and Refactoring

Parasoft Quick Fix automatically refactors code to correct violations of many static analysis rules. This enables the development team to make instant and effortless improvements to code security, reliability, performance, and maintainability.

Unused and Duplicate Code

Parasoft's static code analysis automatically detects and refactors both unused code and duplicate code. This results in a code base that is more maintainable and less error prone?enabling more rapid responses to changing requirements.

Broad Support for Heterogeneous Environments

In addition to analyzing Java files, Parasoft's static code analysis checks JSP, .properties files, and XML configuration files. This makes it easier to validate policy through static analysis for XML, .properties, JSP, and Java files in the same project with one product, one Test Configuration, and one analysis pass.

Thread Safety

Parasoft identifies code that will be dangerous to run in multi-threaded environments—helping teams prevent serious problems such as deadlocks, race conditions, missed notification, infinite loops, and data corruption. In many cases, the dangerous code can be repaired automatically.

This proactive preventative approach is significantly more reliable and cost-effective than hoping that runtime analysis alone happens to identify all of the threading problems, then trying to fix them late in the process.

Parasoft's data flow analysis provides automated detection of runtime errors without requiring the software to actually be executed. This enables early and effortless detection of critical runtime errors that might otherwise take weeks to find. We statically simulate application execution paths which may cross multiple units, components, and files to identify paths that could trigger runtime errors such as resource leaks, SQL injections, and other security vulnerabilities. To simply defect analysis, a complete analyzed path trace for each potential defect is reported in the IDE, and automatic cross-links to code help users quickly jump to any point in the highlighted analysis path.

This ability to expose these errors without executing code is especially valuable for teams with legacy code bases lacking robust test suites or embedded code, where runtime analysis and detection of such errors is not effective or possible.

Static Detection of Security Vulnerabilities

For security vulnerability detection, Parasoft's data flow analysis detects whether actual application execution paths could lead to injection vulnerabilities, XSS, buffer overflows, exposure of sensitive data, and other vulnerabilities.

We statically analyze source code and identify all possible paths where tainted data may be introduced by a malicious user and end up in a sensitive section of code (e.g. database) while bypassing all validation routines specified in the configured policy. In addition to drawing upon an extensive knowledge base of common attack patterns, we also enable organizations to map the data flow logic to their own security policy. The result is more realistic and accurate validation that is aligned with the team's security priorities.

Static Detection of Complex Runtime Errors

Parasoft data flow analysis enables you to find potentially crash-causing defects such as exceptions and resource leaks without having to create, execute, or maintain test cases. This provides a fast and easy way to identify reliability and performance problems without having to actually execute the application.

Validation of Unit Test Exceptions

Automated unit testing can deliver a long list of potential uncaught runtime exceptions each of which could indicate either a real problem with the code, or an unrealistic test case. Parasoft's data flow analysis can be applied to determine whether the exceptions reported from unit testing are "real bugs" that could actually be triggered by available application paths. This feedback enables teams to quickly zero in on those unit test exceptions that pose real risks to application reliability.

Legacy Code Audit

Parasoft's data flow analysis can be applied to a large code base for fast, effortless detection of complex runtime problems. This provides a practical way to identify critical problems in a large code base when testing resources are limited. Moreover, data flow helps you audit the effectiveness of your quality policies. If proper quality policies are in place, no problems should be reported by data flow analysis. An issue detected by data flow analysis indicates that the quality policy was not comprehensive enough or was not applied properly.

Automated Code Review

Parasoft's automated code analysis checks code as it is written to prevent entire classes of errors and ensure that code meets uniform expectations around security, reliability, performance, and maintainability. This typically relieves developers from having to perform line-by-line inspections during peer code reviews, freeing them to focus on higher-level analyses that require human intelligence. With automated checking for compliance to the team's and organization's development policies, the team can begin code reviews by discussing interesting findings from the automated code analysis results, then move on to examining design, algorithmic, and implementation issues. This aspect of the peer code review is supported by Parasoft's code review capability, which automatically identifies updated code, matches the code with designated reviewers, and tracks the progress of each review item until closure. By automating critical workflow components, the team gains more time to focus on inspecting and improving the code.

Peer Code Review

Parasoft automates and manages the peer code review workflow. Our code review capability-which automates preparation, notification, and tracking of peer code reviews-addresses the known shortcomings of this very powerful inspection method. It automatically identifies updated code by scanning the source control system or the local file system, matches the code with designated reviewers, and tracks the progress of each review item until closure. This allows teams to establish a bulletproof review process where all new code gets reviewed and all identified issues are resolved.

Teams who prefer to review only the the most dangerous segments of their code (for example, the most security-sensitive or deadlock-prone areas of the code base) can easily set up such focused reviews using the flexible configuration options.

Workflow
For a code review process to be sustainable and successful, it’s essential that the workflow be as natural and unobtrusive as possible. That’s why Parasoft engineered an automated peer code review workflow where developers simply check in code as normal, then review packages are prepared automatically and distributed to the appropriate reviewer’s IDE. The only added work is the actual peer review—a creative process that cannot, and should not, be automated.

Parasoft provides built-in support for the following typical code review flows:

• Post-commit code review: This mode is based on automatic identification of code changes in a source repository via custom source control interfaces. Code review tasks are created based on a preconfigured mapping of changed code to reviewers.
• Pre-commit code review: Users can initiate a code review from the desktop by selecting a set of files to distribute for the review, or automatically identify all locally changed source code.

Contextual Analysis
Although automated code analysis can identify many issues related to security, reliability, performance, and maintainability, it cannot detect functional defects: instances where the code is not doing what it’s supposed to do. This high-level error detection can only be achieved when the human brain analyzes code in the context of its requirements and available test cases. Parasoft aggregates these artifacts, reducing the barrier to entry for this irreplaceable analysis.

Monitoring
For a code review process to stay on track, it needs to be measured and actively monitored. That’s why Parasoft automates the process and connects it to Parasoft's reporting system — providing objective answers to questions such as:

• Are reviews being performed?
• Are identified issues actually being resolved?
• How is the code review impacting team productivity and application quality?

API Penetration Testing

Parasoft SOA Quality Solution automatically generates tests to perform security penetration testing at the message layer. By testing the SOA with penetration attacks and analyzing the responses, security vulnerabilities can be discovered and fixed earlier in the software development cycle. The following penetration tests are currently supported: Parameter fuzzing, SQL injections, XPath injections, XML bombs, external entities, malformed XML, invalid XML, username harvesting, large XML.

SOA Security Policy Validation

Parasoft SOA Quality Solution includes security support for testing Web services with security layers. At the transport level, we support SSL (both server and client authentication), basic, Digest and Kerberos authentication. At the message level, we support WS-Security including X509, SAML, Username security tokens, XML Encryption and XML Digital Signature. The solution allows for security token validation as well as negative tests that ensure proper enforcement of message integrity and authentication.

Web Interface Penetration Testing

Parasoft SOA Quality Solution automatically generates tests to perform security penetration testing of Web interfaces. By simulating a hacker and "attacking" a Web site with malformed input data, we can uncover OWASP top ten issues such as SQL injection, cross site scripting, buffer overflow, command injection, unvalidated input, and more.

Additionally, we utilize a database of over 4,000 checks to find vulnerabilities related to outdated server applications, default installations, and so on. This helps secure and standardize HTML to enforce best practices related to login forms, comments, hidden fields, and other security-relevant HTML issues.

Data Flow

Parasoft's data flow analysis detects whether actual application execution paths could lead to injection vulnerabilities, XSS, exposure of sensitive data, and other vulnerabilities.

We statically analyze source code and identify all possible paths where tainted data may be introduced by a malicious user and end up in a sensitive section of code (e.g. database) while bypassing all validation routines specified in the configured policy. In addition to drawing upon an extensive knowledge base of common attack patterns, we also enable organizations to map the data flow logic to their own security policy. The result is more realistic and accurate validation that is aligned with the team's security priorities. [ back to top ]

Memory Error Detection

Parasoft's memory error detection automatically identifies a variety of difficult-to-track programming and memory-access errors, along with potential defects and inefficiencies in memory usage. Errors such as memory corruption, memory leaks, access outside of array bounds, invalid pointers, and the like often go undetected during normal testing, only to result in application crashes in the field. We help you find and eliminate such defects in your applications to ensure the integrity of their memory usage.

Our highly detailed memory analysis capabilities are based on patented source instrumentation algorithms. Source code instrumentation enables us to detect more error types than other memory error detection technologies, and also provides complete information indicating the root causes of the errors found using a full database of program elements and memory structures.

Compile-Time Memory Error Detection

Parasoft can detect errors at compile-time as well as runtime. Compile-time errors detected include:

• Cast of pointer loses precision
• Mismatch in format specification
• Mismatch in argument type
• Code is not evaluated, has no effect, or is unreachable
• Undefined identifier
• Variable declared, but never used
• Returning pointer to local variable
• Function returns inconsistent value
• Unused variables

Runtime Memory Error Detection

During testing, we check all types of memory references, including those to static (global), stack, and shared memory—both in user’s code and in third party libraries. Errors detected include:

• Corrupted heap and stack memory
• Use of uninitialized variables and objects
• Array and string bounds errors on heap and stack
• Use of dangling, NULL, and uninitialized pointers
• All types of memory allocation and free errors or mismatches
• All types of memory leaks
• Type mismatches in global declarations, pointers, and function calls

Coverage Analysis

A multi-metric test coverage analyzer, including statement, branch, path, and MC/DC coverage, helps users gauge test suite efficacy and completeness, and demonstrate compliance with test and validation requirements such as DO-178B, FDA, etc. Coverage is reported in percentages as well as graphically displayed via source code that is annotated with line-by-line coverage details.

Moreover, data from unit, component, and manual testing can be combined for cumulative coverage reporting. This includes interactive visualization and analysis in the code browser, as well as automatic generation of comprehensive coverage reports.

Multiple Instrumentation Modes

There are three ways to use Parasoft solutions for memory analysis and error detection. The first and most detailed analysis is achieved with full source code instrumentation. This requires that application sources be compiled and linked with Parasoft, which generates its own instrumented files that are passed to the actual compiler.

The second option is linking with Parasoft, which provides a trade-off between the extent of error reporting and the actual time to build and run an instrumented application. In this mode, we can detect and report most of the error types, including leaks, bad memory references, standard API usage errors, and so on.

Additionally, Chaperon is exclusive to dynamically linked executables on Linux/x86. Chaperon does not require recompilation or re-linking, and checks all the data memory references a process makes, reporting reads of uninitialized memory, bounds errors, and memory leaks.

Error Detection in Threads

Parasoft instruments all threads, tracks all processes in the application, and quickly pinpoints algorithmic anomalies, bugs, and deficiencies. This allows developers of multithreaded applications to rapidly find and fix the bugs that would otherwise remain hidden in threads and cause the application to perform incorrectly, or to fail to perform at all.

Unit testing allows you to start testing verifying security functionality before the complete system is read. Using unit testing, you can verify that your input validation methods are correctly identifying and resisting attack patterns.

Parasoft delivers a complete framework to create, manage, and extract greater value from unit tests. We help you exercise and test an incomplete system enabling you to identify problems when they are least difficult, costly, and time-consuming to fix. This reduces the length and cost of downstream processes such as debugging. Moreover, since all tests are written at the unit level, the test suite can be run independent of the complete system. This allows you to isolate code behavior changes, reduces setup complexities, and makes it practical.

Test Creation

To facilitate standardized testing and quality processes, our patented technologies automatically generate extensible, reusable test cases. These test cases not only expose potential reliability problems, but also capture the code's current behavior to establish a baseline for regression testing. You can incrementally improve the test suite's intelligence and value by extending the generated test cases. Collectively, these test cases establish a safety net that alerts you when modifications impact application behavior.

Regression Baseline
If your team has a large code base with minimal tests or no tests, the fastest route to regression testing is to automatically generate a regression test suite that captures the code's current behavior and then run it daily to determine if code modifications break existing functionality. To help you achieve this, we scan the project code base, then automatically generate a baseline set of unit test cases that capture the code's current behavior. Then, we establish a continuous regression testing process which ensures that the impacts of code modifications are identified and addressed daily, and the test suite stays in synch with the evolving application. This provides a safety net that helps developers rapidly change code with confidence, which is especially critical for teams working on complex and constantly-evolving applications.

Exception Detection
By using corner case conditions, automatically-generated test cases check responses to unexpected inputs, exposing potential reliability problems.

Functional (Tracer)
Parasoft's Tracer technology provides a fast and easy way to create the realistic test cases required for functional testing. Simply use the application's UI or Parasoft's SOA/Web solution to execute the use cases you want to verify. Tracer automatically designs unit test cases with real data that represents the paths taken through the application. No coding or scripting is required. If the functionality associated with your "traced" use cases later breaks, you will be alerted by the failure of the related test cases.

The generated unit tests directly correlate tests to source code, which improves error identification and diagnosis, and allows developers to run these test cases without having to depend on access to the production environment or set up a complex staging environment. This facilitates collaboration between QA and Development: QA can provide developers traced test sessions with code-level test results, and these tests help developers identify, understand, and resolve the problematic code.

Test Optimization

Parasoft provides a variety of technologies to help you extend your manually-defined and automatically-generated test cases, enabling you to increase their value with minimal effort.

Easy Extension
Parasoft automatically generates complete tests, including test drivers and test cases for individual methods/functions, in industry-standard xUnit formats. Developers can rapidly add additional tests (for verifying specific functionality and/or increasing coverage) by extending the automatically-generated tests. This allows developers to extend the test suite while writing a minimal amount of code.

Stub Creation and Management
Parasoft can automatically stub out calls to external resources or problematic methods/functions within the source code base. This relieves developers from having to write extensive stubs or mock objects from scratch. Using automatically-generated stub templates, you can define your own stubs for automatically-generated or user-defined test cases.

Object Repository
The Object Repository contains object inputs that can be used to increase coverage and make test cases more realistic and meaningful. It includes built-in objects, automatically-generated/"traced" objects, and user-defined objects. These objects can be used during automated test case generation or in user-defined test cases.

Test Case Parameterization
Test Case Parameterization automates the process of reusing a test with different sets of data. This allows teams to increase the amount of testing and coverage with very little effort.

Data-Driven Test Cases
Parasoft can use values from any of the following types of data sources for test case inputs as well as data validation:

• CSV files
• Databases
• Excel spreadsheets
• Tables created in (or copied into) the internal table editor.
• File

Test Case Editor
The Test Case Editor provides a way for users to specify test cases without writing or modifying code. It is especially helpful if users want a convenient way to run the same user-defined test case with different method inputs (for instance, to better test functionality or increase test coverage). This saves time, simplifies work, and extends the range of testing.

Extended Execution Environment

Extended Execution Environment
Parasoft's extended execution environment centralizes execution and enhances reporting for all of your automatically-generated and manually-written xUnit-format unit test cases.

Error Assignment and Distribution
To promote fast remediation, each test failure or exception detected is prioritized, assigned to the developer who introduced the problem, and distributed to his or her IDE with direct links to the problematic code.

Debugger Integration
Developers can step through test cases with a debugger to better examine the code's internal state during a given test. For example, they might want to debug test cases to learn more about why an unexpected outcome was reported, or to determine why a test case failed.

Coverage Analysis
Parasoft's centralized reporting of coverage metrics helps teams gauge test suite efficacy and completeness, as well as demonstrate compliance with test and validation requirements. In addition to line coverage, we report decision coverage to help developers test relevant and important paths through their code and find defects in the main use cases through their application. Coverage is reported in percentages as well as graphically displayed via source code that is annotated with line-by-line coverage details. Reporting options can be configured to alert users when a designated coverage goal is not achieved.

When teams integrate their server-side tests into the extended execution environment, we can also report server-side coverage analysis for these tests.

Customizable Severities
To ensure that the most critical policy violations are identified immediately and promptly resolved, Parasoft allows organizations to customize unit testing issue severities to match their unique project needs and priorities. Results are reported as a prioritized task list to help the team focus their attention and resources on the issues expected to have the greatest impact on quality.

Memory Leak Detection
Parasoft can check for memory leaks as unit test cases are executed in the extended execution environment. This allows early detection of memory issues that could impact application performance.

Exception Validation
Automated unit testing can deliver a long list of potential uncaught runtime exceptions each of which could indicate either a real problem with the code, or an unrealistic test case. Parasoft's data flow analysis can be applied to determine whether the exceptions reported from unit testing are "real bugs" that could actually be triggered by available application paths. This feedback enables teams to quickly zero in on those unit test exceptions that pose real risks to application reliability.

Design By Contract
If you use Design by Contract (DbC) to add specification information to your code, we not only leverage that information to create unit tests cases that are more realistic and meaningful, but also create functional test cases that verify the functionality described in your DbC contracts. Parasoft also provides automated runtime and system-level monitoring by using Design by Contract (DbC) to verify whether system parts interface correctly after integration. We can instrument and compile code that contains DbC comments, then automatically check whether the specified contracts are violated at runtime. This monitoring verifies that classes and components work correctly and are used correctly at the system level. You prevent system-level errors, improve software reliability, and reduce testing/debugging time.

Java Environments and Platforms

Java Environments and Platforms
Most development teams have a set of functional JUnit tests that they run frequently for a basic level of regression testing, but few have a regression test suite that is comprehensive enough to expose the many different types of problems that code modifications could introduce into today's Java EE applications. Since problems may originate within or across many different technologies and layers, effective regression testing requires a large scope and range of complex tests. Functional JUnit tests are the logical starting point, but are not sufficient for detecting the many different problems that can be introduced whenever a Java EE application is modified to add new functionality or even to perform routine refactoring. That's why Parasoft actively supports a wide variety of Java frameworks.

JUnit
We automatically generate a large number of JUnit test cases that try to exercise all of the different paths through the code, then save the actual test case outcomes. These test cases essentially take an x-ray of the code's current state, capturing a snapshot of how it was operating at the time of the test case generation. By using corner case conditions, these automatically generated test cases also check responses to unexpected inputs, exposing potential reliability problems.

Spring
Parasoft's Spring framework unit test generation facilitates the testing of classes written for Spring. We automatically generate test code using Spring's own testing framework to help you test more of a Spring application than just its Java files. These tests will be able to detect more problems than plain JUnit tests could (e.g., bean Java classes and Spring application context xml references getting out of sync). We can also automatically generate tests for server-side (in-container) testing.

Struts
Parasoft's Struts framework unit test generation facilitates the testing of classes written for Struts. We automatically generate MockStrutsTestCase for classes that implement the org.apache.struts.action.Action class. This allows you to test not only the implementation of your Action objects, but also your mappings, form beans, and forwards declarations. We can also automatically generate tests for server-side (in-container) testing.

Cactus
To facilitate in-container testing, we generate Cactus tests for Java EE classes and execute those tests in the container to simulate a realistic runtime environment. These extensible tests can pass real container objects (such as sessions, requests and responses) as inputs and validate server state at the end of the test (such as the redirect page).

During development, the tests can be executed on a local application server on the developer desktop. This allows early, development-level exposure of defects that might otherwise go unnoticed until QA, deployment, or production time, when it is more difficult and time-consuming to find and fix such problems. Later in the development lifecycle, these same tests can be run on the application server to verify that the code functions correctly in the staging and production environments.

Eclipse Plug-in Tests
Teams developing Eclipse plugins can use Parasoft's framework to execute their Eclipse plugin tests within their Eclipse plugin testing workbench. We can execute these tests within a new Eclipse process, then report coverage and results in the normal manner.

Easy Mock and ATG Dynamo
Parasoft Tracer provides special support for teams working with the ATG Dynamo framework for online retail applications. Mock objects are automatically generated using the open-source Easy Mock library.

Parasoft's code metrics analysis calculates a customizable set of industry-standard metrics, as well as identifies specific pieces of code that exceed industry-standard or customized metrics thresholds. This helps organizations identify brittle or overly-complex code that could impede agility or reuse.

Calculation

Parasoft's metrics calculation capability provides organizations visibility into code complexity and the potential impacts of an anticipated code change. This enables them to make more informed decisions as to how to modify, refactor, and test it. Metrics calculations provided include Cyclomatic Complexity, Inheritance Depth, Nested Block Depth, and more.

Limit-Based Analysis

Parasoft enables organizations to customize the boundaries and thresholds for available metrics so that team members are alerted when metrics are outside of the prescribed range. Leveraging this automation, the team is freed to focus on analyzing and improving the problematic code-tasks that truly require human intelligence.

Parasoft's robust reporting capabilities not only promote rapid defect resolution, but also support an auditable quality process by providing complete visibility into the team's efforts.

Reports

After each test/analysis run, Parasoft can automatically generate and e-mail role-based reports to managers, team leads, and developers. Reports are available in HTML, PDF, and custom format, and can be easily configured via GUI controls or an options file. Reports can include the high level of detail required for a truly auditable process; for example:

• Pass/fail summary of code analysis and test results
• Expanded test output with pass/fail status of individual tests
• A list of analyzed files
• A list of policies checked
• A code coverage summary
• Full code listings with color-coding of all code coverage results
• Trend graphs for key metrics

Task Distribution

If any developer action is required (fix static analysis violations, address test failures, respond to code review suggestions, etc.), a task is generated, prioritized, and assigned to the developer who wrote the related code. The task is then distributed to the assigned developer's IDE with full data, cross-links to the related code, and a description explaining how to approach the assigned task. An e-mail notification alerts the developer to the assigned tasks.

Dashboards

Interactive Web-based dashboards with drill-down capability allow teams to track project status and trends based on results from Parasoft technologies as well as key process metrics (e.g., from source control, bug tracking, build, and requirements management systems). It correlates data from these sources to provide comprehensive and objective insight into application quality, team productivity, and project risk factors.

PCI DSS

Parasoft supports PCI DSS section 6 compliance by:

• Providing out-of-the-box checking for the security issues referenced in PCI DSS section 6: The solution is configured to deliver an instant assessment of compliance with PCI DSS section 6 security guidelines. This enables teams to rapidly assess the level of compliance–without spending time reading the PCI DSS specification and determining how the requirements translate to code.
• Establishing an automated process that integrates security throughout the SDLC: Audits are necessary, but true success in application security requires an in-line process to prevent security vulnerabilities and ensure that the application adheres to the organization's security policy. Our automated infrastructure makes security policy application, management, and monitoring an unobtrusive part of the team's existing workflow–from the start of the SDLC. Problems are reported as they emerge, so they can be resolved when it is fastest, easiest, and least costly to do so.
• Facilitating issue remediation, not just issue detection: Each issue detected is prioritized, automatically correlated to the developer who introduced it, then distributed to his or her IDE with direct links to the problematic code. Eventually, developers start writing more secure code as a matter of habit. Moreover, through integration with the development infrastructure, results are correlated with requirements, bugs, and source code changes–converting data into actionable information.
• Delivering extensive reporting for documentation and process improvement: Our centralized reporting system provides real-time visibility into overall security status and processes, documents improvements, and helps you determine what additional actions are needed to safeguard security.

Read our white paper "Achieving PCI DSS 6 Compliance with Parasoft Quality Solutions" for specific details about how Parasoft supports PCI DSS.

OWASP

Parasoft provides out-of-the box checking for code that is vulnerable to the OWASP Top 10 most critical web application security flaws.

Context-sensitive suppressions allow teams to prevent rules from firing under specific circumstances where they do not apply. This reduces the level of noise, ensuring that every violation reported is a real problem that should be fixed. Suppressions can be defined in the code to ensure they are always visible when code is reviewed and modified.

To promote fast remediation, each source code weakness detected is prioritized, assigned to the developer who wrote the related code, and distributed to his or her IDE. These results provide a textual description of the precise weakness location, as well as direct links to the problematic code and a rule description. Every rule description includes an explanation of the rule rationale and benefits, a sample violation, an explanation of how to correct the violation, and a demonstration of how to correct the sample violation. In addition, results are available in XML, PDF, HTML and custom format reports.

NIST SAMATE

Parasoft provides automated identification of SAMATE Annex A source code weaknesses in high-complexity C, C++, and Java code–as well as additional programming languages (.NET languages, JavaScript, XML, etc.).

Context-sensitive suppressions allow teams to prevent rules from firing under specific circumstances where they do not apply. This reduces the level of noise, ensuring that every violation reported is a real problem that should be fixed. Suppressions can be defined in the code to ensure they are always visible when code is reviewed and modified.

To promote fast remediation, each source code weakness detected is prioritized, assigned to the developer who wrote the related code, and distributed to his or her IDE. These results provide a textual description of the precise weakness location, as well as direct links to the problematic code and a rule description. Every rule description includes an explanation of the rule rationale and benefits, a sample violation, an explanation of how to correct the violation, and a demonstration of how to correct the sample violation. In addition, results are available in XML, PDF, HTML and custom format reports.

CWE/SANS

Parasoft provides out-of-the box checking for code that is vulnerable to the CWE/SANS Top 25 Most Dangerous Programming Errors.

Context-sensitive suppressions allow teams to prevent rules from firing under specific circumstances where they do not apply. This reduces the level of noise, ensuring that every violation reported is a real problem that should be fixed. Suppressions can be defined in the code to ensure they are always visible when code is reviewed and modified.

To promote fast remediation, each source code weakness detected is prioritized, assigned to the developer who wrote the related code, and distributed to his or her IDE. These results provide a textual description of the precise weakness location, as well as direct links to the problematic code and a rule description. Every rule description includes an explanation of the rule rationale and benefits, a sample violation, an explanation of how to correct the violation, and a demonstration of how to correct the sample violation. In addition, results are available in XML, PDF, HTML and custom format reports.

• Parasoft Application Security Solution