Modern safety critical avionics software requires rigorous security engineering that interleaves with the established safety practices in place. New cyber security standards are requiring security design from the very beginning of product lifecycle. To address these requirements, there are advantages to modern software development practices found in Agile, continuous integration and deployment and DevSecOps practices. Despite many airframe projects being constrained at the high level to a “V model” or waterfall approach, hybrid methods mixing V model and continuous process together are a good alternative.
Focusing on the “shift left” of security and safety verification and assessment reduces the effects of “big bang” integration that plagues the V model approach. Just as it is impossible to build-in safety into software, the same holds true for security. Security must be part of the product concept and built-in.
This paper takes a look at the role of static application security testing tools (SAST) and in particular GrammaTech CodeSonar and how it can be used in DevSecOps and continuous development pipelines to improve quality and security and ultimately, make teams more competitive in getting market leading solutions out the door quicker.