
We all like to pretend “text” is just one thing, but these days developers must contend with many forms of “text”. While American English can usually get by with good old ASCII, much of the world uses UTF-16 or UTF-8, and plenty of systems use legacy encodings such as ISO-8859. Why does this matter? Because data written in one encoding can be unreadable if you don’t decode it the same way. The Muse platform itself ran into this problem: our first bug was triggered by a branch named with a single UTF-8 character (💩).



This tricky little bug is a NULL DEREFERENCE (CWE-476), and here’s one Musebot caught in the wild. These bugs are simple in concept but hard to find in practice, as they often require reasoning about code across different functions, files, or even packages.

Null dereferences are both a reliability problem, because they can cause an application to crash, and a security risk, because an attacker could trigger the crash to cause outages, bypass security logic, or otherwise take advantage of it. That’s why returning null values is so dangerous. But don’t worry: Musebot can find null dereferences in your code and report them in code review.




A dead store is when a value is written but never read or used by the rest of the program. Many developers think of dead stores as style issues, or at most a matter of good hygiene. In fact, they can waste memory, and they can also reveal error codes that aren’t being checked when they should be.

The Dead Store issue below shows a return value being captured but not checked. This particular return value represents an error code and so an error condition is not being handled.


By Stephen Magill, CEO MuseDev


Over the past two decades, agile practices have transformed software development by bringing automation, integration, and consistency to a previously disjointed set of tools and processes. Through Continuous Integration and Continuous Delivery pipelines, this modernization has dramatically improved the efficiency and effectiveness of development. These agile practices, tools, and culture today are collectively referred to as DevOps, and organizations of all shapes and sizes are adopting DevOps at a breakneck pace.

But one area of software development has lagged behind — Static Analysis. It has remained stubbornly stuck in waterfall practices where security teams run…

MuseDev
