
To increase the reliability and security of banking software, use PVS-Studio

PVS-Studio + Finance

Organizations that develop software for the financial sector are gradually beginning to appear among our clients. We have many articles on various subjects, but we have somehow unfairly neglected finance. We will try to fix that and eventually write a series of articles, and I will begin with a little story.
An introductory paragraph for those who are not familiar with PVS-Studio. The PVS-Studio static code analyzer is designed to detect errors and potential vulnerabilities in the code of programs written in C#, C, and C++, as well as C++ dialects such as C++/CLI and C++/CX (WinRT). It runs on Windows and Linux. At the moment, PVS-Studio is one of the most powerful tools in the class of static analyzers and can detect a large number of defect types. We invite you to look at the list of warnings, as well as examples of how the analyzer is used.

PVS-Studio lets you find many errors immediately after they appear. The sooner an error is detected, the cheaper it is to fix. Here, for example, is how the cost of a security defect grows according to NIST:

NIST

The PVS-Studio analyzer is in high demand wherever a mistake can lead to large losses of time or money. One such area of software development is the financial sector: for example, exchange and banking software. We see a gradual increase in interest from development teams serving financial companies, and they have begun to join the list of our clients from the financial sector. However, we of course need to pay more attention to this area, and this article is the first step.

And now the short story I promised. The analyzer has a diagnostic, V3040, that detects the situation where one integer value is divided by another integer value and the result is stored in a variable of type float or double. Of course, such code is not always erroneous, but it is clearly suspicious and needs to be checked.

Some may think that such a mistake is contrived and that the V3040 warning will often be a false positive. They may be right or wrong: it all depends on the type of application and on what the program actually calculates.

One person told me that the team he works on found a very unpleasant error in their software using this diagnostic. I cannot say where this person works, since the story was told to me on condition of anonymity (no, it was not a bank).

The module in which the error was found calculated flexible prices for various order options and conditions. In other words, it calculated the price that a sales manager should quote to a potential client. An error crept into the calculation of a certain coefficient: integer division was used where it should not have been:

```
double K;
....
if (foo)
  K = 200 / 95;
else
  ....
```

I must say that I made this code up and do not know what the real code looked like. The point is that instead of a coefficient of 2.1, a coefficient of 2 was produced. As a result, managers quoted clients a price a little lower than intended. The price was calculated wrongly only under a certain combination of conditions, so nobody noticed the error; everyone trusted the numbers the program produced.
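The truncation described above, carried through to a quoted price, as an added example that is not code from the article or from the affected system. It is written in C, where integer division behaves the same way as in the snippet; the function names, the default coefficient of 1.0 and the order values are assumptions made up for illustration.

```c
#include <stdio.h>

/* Constructed example: names and values are illustrative only. */

/* Buggy: both operands are int, so 200 / 95 is evaluated as integer
   division (result 2) before the value is converted to double. */
static double coeff_buggy(int special_terms) {
    double k = 1.0;               /* assumed default coefficient */
    if (special_terms)
        k = 200 / 95;
    return k;
}

/* Fixed: one floating-point operand forces floating-point division. */
static double coeff_fixed(int special_terms) {
    double k = 1.0;
    if (special_terms)
        k = 200.0 / 95;
    return k;
}

/* Prices are kept in integer cents and rounded once, at the end.
   Valid for the non-negative amounts used here. */
static long quote_cents(long base_cents, double k) {
    return (long)((double)base_cents * k + 0.5);
}

/* Total under-quoting, in cents, over a batch of orders. Orders that do
   not take the rare branch contribute nothing, which is why the defect
   stays invisible in most quotes. */
long shortfall_cents(const long *base, const int *special, int n) {
    long total = 0;
    for (int i = 0; i < n; i++)
        total += quote_cents(base[i], coeff_fixed(special[i]))
               - quote_cents(base[i], coeff_buggy(special[i]));
    return total;
}

int main(void) {
    const long base[]   = {100000, 250000, 80000, 120000}; /* constructed */
    const int special[] = {0, 0, 1, 0}; /* only one order hits the branch */
    printf("buggy k = %.4f, fixed k = %.4f\n", coeff_buggy(1), coeff_fixed(1));
    printf("shortfall over batch: %ld cents\n",
           shortfall_cents(base, special, 4));
    return 0;
}
```

A unit test that exercises only the default branch passes with either version, so the test data has to include an order that takes the rare branch.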

Since, as I said, this coefficient was calculated incorrectly only in rare cases, the error did not cause any significant harm to the company's revenue. However, the mistake was so embarrassing for the developers that they decided to hide its discovery from their supervisor and simply fixed the code quietly.

Let us leave aside the question of whether the programmers behaved correctly. It is much more interesting that a very simple integer division error can lead to consequences that people are afraid to report to management.

Oops


As you can see, even simple mistakes can cause a loss of time, money, and reputation. In more critical software, errors can be very expensive indeed. Those who develop software for the financial sector use an integrated approach to ensure reliability. The PVS-Studio static analyzer can be an excellent addition to a set of code quality control measures.

I suggest that anyone who cares about code quality download and try the PVS-Studio analyzer right away. It will find errors for you, and you will be amazed that the program worked at all :). Better that the analyzer finds the errors than your customers, and certainly better than hackers.

PVS-Studio reports can also be presented very nicely to management by integrating the analyzer with SonarQube.

SonarQube


Several introductory videos about PVS-Studio (in English):

  1. PVS-Studio static code analyzer for C, C++ and C# (2017).
  2. PVS-Studio plugin for SonarQube.
  3. PVS-Studio for Linux. This video shows how to install PVS-Studio for Linux and check Far Manager for bugs.
  4. Adopting PVS-Studio in a large project. Part N1, Part N2.



If you want to share this article with an English-speaking audience, then please use the link to the translation: Andrey Karpov. Use PVS-Studio to Increase Software for Security

Have you read the article and have a question?
Readers often ask the same questions about our articles. We have collected the answers here: Answers to questions from readers of articles about PVS-Studio, version 2015. Please review the list.

Source: https://habr.com/ru/post/336898/

