“Talk is cheap, show me the code”: How many vulnerabilities do your lines of code have?
30 Aug 2020 Author: Wu Xing Ling Credit: CSDN - translated from Chinese
Programmers like to say, “Talk is cheap, show me the code”, but do you know how many vulnerabilities there are behind the code? According to the Code Encyclopedia (Second Edition), delivered software contains on average about 1-25 errors per 1,000 lines of code.
How to efficiently and accurately locate code vulnerabilities has become a headache for many developers and managers. The software company Xcalibyte was established in 2018. The launch of its flagship product, Xcalscan, a static code analysis tool, has received a good response, and Xcalibyte has just completed its A+ round of financing. The development momentum is strong. What is unique about Xcalibyte’s SAST solution, and what “big moves” and surprises will there be in the future?
CSDN interviewed Yuning Liang, the co-founder and CEO of Xcalibyte, to talk about software code quality.
A 20-year IT veteran, tirelessly pursuing software quality.
Before founding Xcalibyte, Yuning, an IT veteran of more than 20 years, worked in software development and management in many markets around the world. A few years ago, Yuning saw a gap in the static code analysis market in China: “The software development life cycle (SDLC) is mature with advanced tools in foreign countries, but the Chinese market is not yet mature, and nobody pays attention to checking the quality of the source code.” Given this situation, at the beginning of 2018, Yuning founded Xcalibyte, focusing on software analysis for delivering high-quality source code.
According to statistics, identifying and repairing code errors in the early stages of coding saves 15 times the cost of identifying and repairing them after the application has been deployed. Under the “shift left” testing philosophy, where testing starts in the early stages of the development life cycle, higher efficiency can be achieved. The vulnerability scanning tool Xcalscan can be integrated into the development process to scan source code for vulnerabilities before the program is compiled. Xcalscan looks for defects that can cause memory corruption, core dumps, buffer overflows, illegal operations and null pointer dereferences, to name a few.
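To make the defect classes named above concrete, here is an added example (not code from the article or from Xcalibyte) showing two of the source-level patterns a static analyzer reports before compilation, an unchecked copy into a fixed-size buffer and a dereference of a possibly-null pointer, each beside a hardened form. The function and struct names, and the 16-byte `NAME_LEN` limit, are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_LEN 16   /* assumed fixed buffer size for the example */

/* Pattern 1 (as a scanner would flag it): an unbounded copy into a fixed buffer.
 * Shown only as the reported pattern; it is never called here. */
static void store_name_unsafe(const char *src) {
    char buf[NAME_LEN];
    strcpy(buf, src);   /* no length check: overflows buf when strlen(src) >= NAME_LEN */
    (void)buf;
}

/* Hardened form: validate the pointer and bound the copy.
 * Returns the stored length, -1 for a null source, -2 for oversized input. */
int store_name_safe(const char *src) {
    char buf[NAME_LEN];
    if (src == NULL) return -1;
    size_t n = strlen(src);
    if (n >= NAME_LEN) return -2;          /* reject instead of overflowing */
    memcpy(buf, src, n + 1);               /* n + 1 copies the terminator */
    return (int)n;
}

/* Pattern 2: an optional field that may be NULL (assumed struct for the example). */
struct user {
    const char *display_name;              /* may legitimately be NULL */
};

/* Hardened form: a missing user or display name is treated as empty rather
 * than dereferenced. */
size_t display_name_len(const struct user *u) {
    if (u == NULL || u->display_name == NULL) return 0;
    return strlen(u->display_name);
}

int main(void) {
    struct user u = { "alice" };
    printf("store_name_safe(\"alice\") = %d\n", store_name_safe("alice"));
    printf("display_name_len = %zu\n", display_name_len(&u));
    (void)store_name_unsafe;               /* silence unused-function warning */
    return 0;
}
```

The hardened functions return an error code on bad input rather than silently truncating, so the caller can decide how to handle oversized or missing data; this is the behaviour a reviewer would expect to see once a scanner report on the unsafe pattern has been fixed.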
The entrepreneurial pitfalls of technical people.
Although Liang Yuning has been in the IT industry for 20 years, when talking about the challenges Yuning said frankly: “Because of my lack of entrepreneurial experience, it is difficult for me to start a business that achieves the six characters (天时 timing, 地利 place, 人和 people) of the right time, the right place and the right people.”
When he first started his business, Liang Yuning made a common mistake that technical people often make: paying too much attention to the core technology and ignoring product functionality and features. He suggested that technology entrepreneurs can learn from Steve Jobs’s thinking: first make a good product, and then discuss which technologies to use to solve customer problems, instead of considering the product direction from the technology.
Fortunately, the team quickly discovered and corrected this problem. The efforts paid off, and the team’s advances came one after another. First, the core technology algorithm achieved high results in the US NIST software quality benchmark, and then the A+ round of financing was successfully completed.
Yuning said that after this round of financing, the main focus for this year is to commercialize the technology, complete the next round of product planning, prototype DAST and IAST technologies, and strive to launch more new products to help developers in China improve the quality and efficiency of software development. The team is constantly enhancing the technical products whilst expanding the team to provide better services to more customers. He welcomes partners who are interested in working with Xcalibyte.
What about security in the code?
When developers use code analysis tools, they often ask whether the tools themselves will introduce security issues. In this regard, Yuning said that there have been code analysis tools and products internationally since his first job. Overseas, developers have higher salaries and are expected to pay close attention to quality and security rather than rushing products to market. When working at Huawei, he realized that Huawei had very high quality requirements which were challenging to meet, and he and his colleagues used foreign tools for static code analysis. At that time, few people used domestic products; after all, the barriers to making such products were high.
Xcalibyte’s founding team includes its Chief Architect, Shin-Ming Liu, and its CTO, Sun Chan, both of whom are compiler experts. This deep understanding and application of compiler technology is what truly differentiates Xcalscan from its competitors. Applying compiler technology to the core problems of source code analysis is a significant technological change in the China market.
Difficulties of code analysis tools
When running a code analysis tool on different systems in different industries, you will, of course, encounter big challenges. For example, in AIoT, due to its fragmented nature, each company builds its systems differently, and there is still room for improvement in the understanding of code security and quality.
In this regard, Xcalibyte has conducted in-depth cooperation with AIoT vendors, increased training exchanges, and guided their knowledge and understanding of IoT software and quality.
Nowadays, the complexity of building software applications is very high. For example, an Android application not only uses Java and C, but also system calls. Without a full-process analysis tool that implements cross-language or cross-module analysis, it is difficult to achieve high accuracy in defect detection, resulting in a lot of false positives: cases where it appears as though there are errors when in fact there are not.
In this regard, Xcalscan provides cross-language, cross-module, and cross-platform services, covering technologies from user mode to kernel mode. Xcalscan analyzes the system environment of the enterprise and “configures” a special compiler for their projects. In this way, code problems of different enterprise systems can be analyzed and reported on.
Liang Yuning is concerned about the development of China’s open source technology and has written some open source articles on CSDN. Currently, Xcalscan is oriented to businesses and local enterprise deployment. In the future, Yuning is planning to cooperate with open source partners such as GitHub and GitLab to help improve the quality of open source code. Talking about whether Xcalscan will be open source in the future, he said that it will be considered when the time is right.
What about the wave of low-code and no-code?
Speaking of the no-code/low-code wave, many developers have concerns. Does this have an impact on application development and code analysis tools?
Yuning said: “No-code/low-code has been popular for decades. This approach is like Lego, but many products are not made with Lego. Because some software businesses cannot be too modular or too automated, production requires the developer to complete the business logic code.”
As early as when Liang Yuning worked at Nokia, there were automated tools for business code. For simple and standard business, you could use flow charts drawn by Plato to complete applications with simple functions. But for businesses with very complex logic, it is impossible for developers not to write code, impossible to have no code writers, and impossible to have no code errors.
Yuning further said that low code may reduce the number of positions for writing software, but for core technologies, especially in the current situation, developers have more room for development. After all, technologies such as operating systems are complex and rely on core technologies. There are more than 1,000 libraries, so Chinese developers still have a lot to do with basic software.
Message to CSDN: Freedom, Openness & Pursuit
Going back 20 years, Yuning, whilst still in university, used to read the “Programmer” magazine by CSDN with his classmates. This year marks the 20th anniversary of the “Programmer” magazine. He believes that CSDN, like the creation of software and the art of programming, needs a certain free and non-profit environment in which to develop. “You have to sit on the bench for at least ten years on the core software technology before you have the opportunity to have a big return.” His final message to CSDN in ending the interview was “freedom, openness, pursuit” in developing new technologies.