"Codyze - a viable SAST tool for evaluators, not developers?"
Authors: Dr. Dietmar Rosenthal, Niko Hardt, Markus Wagner, Marcus Krechel
Affiliation: TÜV Informationstechnik GmbH (TÜViT), IT Security Evaluation and Validation, Am TÜV 1, 45307 Essen
Use of static application security testing (SAST) tools is indispensable for any developer. They may even be mandatory prerequisites to enter specific markets, ranging from automotive, biomedical engineering and eHealth, to mobile communication and the emerging 5G standard, to name a few. There, they are used to demonstrate adherence to coding standards such as MISRA C++ [1], and a general "clean" code quality as understood by e.g. the AUTOSAR guidelines [2].
For evaluators, however, structured source code review following e.g. [3] is still the predominant technique to assess the correct operation of security code. This is because SAST tools are aimed at developers, not evaluators. They rarely report strictly security-related findings, focusing on clean or safe code rather than secure code. Codyze [4], developed by the Fraunhofer AISEC Institute and the German Bundesamt für Sicherheit in der Informationstechnik (BSI), is potentially the first SAST tool to cover the specific needs of evaluators. It is designed to assess the correct and secure use of cryptographic algorithms, based on the German information security standard BSI TR-02102 [5], and to detect typical implementation pitfalls.
TÜViT has evaluated Codyze as piloting partner of Fraunhofer AISEC. In this talk, we briefly review the theory of operation of Codyze, and describe from an evaluator’s point of view its potential benefits and conceptual limitations in several case studies.
[1] MISRA Compliance:2020 - Achieving compliance with MISRA Coding Guidelines, February 2020, ISBN 978-1-906400-26-2
[2] Guidelines for the use of the C++14 language in critical and safety-related systems, AUTOSAR, 2017-03-31
[3] OWASP Code Review Guide, https://owasp.org/www-project-code-review-guide/
[4] Codyze: Static Code Analysis, https://www.codyze.io (project site managed by Fraunhofer)
[5] BSI TR-02102 Kryptographische Verfahren: Empfehlungen und Schlüssellängen, Technische Richtlinie des Bundesamts für Sicherheit in der Informationstechnik (BSI), Version 2022-01
Dietmar Rosenthal is currently technical lead source code analysis and consultant – evaluator IT security with TÜV Informationstechnik (TÜViT). He aided in the CC-certification of products ranging from eHealth terminals and -connectors to smart metering devices.
Before Dr. Rosenthal joined TÜViT in 2016, he developed imaging techniques for clinical gait analysis, and co-authored more than 20 full papers in neuro-rehabilitation and movement disorders.
With TÜViT, he specializes in security by design, as well as implementation analysis of cryptographic mechanisms.