Governments and companies alike rely on Thales Alenia Space, Europe’s largest satellite manufacturer, for satellite-based systems that are used for navigation, Earth observation, space exploration, and to help connect everyone everywhere.
“Thales has a corporate mandate that cybersecurity risk will be addressed at every level of application creation,” said Nicolas Leclercq, product security officer for software engineering at Thales Alenia Space. “Our focus is on ensuring that the code we develop in-house does not include defects that may lead to vulnerabilities and exploits by attackers. We base our coding rules on SEI CERT, an internationally recognized coding standard to improve the reliability and security of software from design through development.”
“As product security officer, my role encompasses helping our groups set the level of cybersecurity they want and to promote the right security tools to introduce into our continuous integration pipeline,” Leclercq added. “We have a corporate group focused on identifying the best tools we can use to meet internal and industrial standards. That group recommended Synopsys as having the right set of tools to implement our security practices.”
“Synopsys Coverity® static analysis security testing (SAST) helps Thales Alenia Space ensure that the software we develop in-house does not include coding defects. We use Coverity to help maintain code quality and to comply with industrial standards such as MISRA and the HIS Metriken set.”
A fast, accurate, and highly scalable static analysis testing solution, Coverity helps Thales Alenia Space development and security teams address security and quality defects early in the software development life cycle (SDLC). It also helps development and security teams track and manage risks and ensure compliance with security and coding standards.
“Coverity is primarily used in our automatic continuous integration pipeline,” said Leclercq. “The pipeline is fully automated to help developers focus on essential tasks. Currently, we serve more than 200 projects and are testing several million lines of code. Any code commit automatically triggers a Coverity analysis.”
“[The flexibility of] Coverity server deployment and licensing allows us to deploy many instances matching the diversity of our environments. Whether a software factory or restricted/confidential environments, Coverity is available to all Thales Alenia Space France employees and projects,” Leclercq said.
Introduced in June 2021, Black Duck® software composition analysis (SCA) is still relatively new at Thales Alenia Space. “Black Duck’s signature scanner’s ability to detect open source components in multiple ways is a unique and useful feature,” said Leclercq. “As with our Coverity deployment, any introduction of a new artifact or when dependencies are modified will trigger a Black Duck scan. We’re currently supporting approximately 100 projects with Black Duck, and expect to reach the same number of projects as our Coverity deployment by the end of 2022.”
“Coverity is a very powerful static analysis tool that can detect issues in almost all kinds of software builds,” Leclercq noted. “For example, cross-compilation—that is, where the build and host machines are not of the same architecture—is used extensively for Thales Space onboard satellite systems. Coverity is very efficient at helping us analyze low-level code such as onboard C code used in flight satellite software.”
“Using Coverity has helped enhance our mandate to ensure code quality and security, as well as to enforce our compliance with SEI-CERT coding standards for C, C++, and Java, and MISRA standards for C. Most importantly, Coverity allows our developers to work on their essential tasks rather than having to allot time to identifying code defects.”
“Being able to detect and manage open source vulnerabilities early in the SDLC helps lower remediation costs,” Leclercq continued. “In addition to vulnerability management, we’ve also found Black Duck very useful in determining the viability of open source projects—that is, ‘is the project we’re using being maintained and updated?’—as well as keeping track of licenses for IP compliance.”
Black Duck SCA has also provided Thales Alenia Space with the means to create and maintain a software Bill of Materials (SBOM) of the open source being used in its code. Visibility into code is an important need—nearly 100% of the aerospace industry’s codebases were found to contain open source, according to the annual “Open Source Security and Risk Analysis” report.
“We’ve also been very appreciative of the support we’ve received from Synopsys,” said Leclercq. “The ongoing support for Coverity over the past few years has been really good. Whenever we’ve had a problem, the Coverity support team has had a solution.”
“Black Duck SCA is still relatively new to us, and we received a lot of help from the Black Duck support team to address some deployment issues we ran into. I’m happy to say Black Duck is now working like clockwork.”
A business unit of the Thales Group, Thales Alenia Space delivers cost-effective solutions for telecommunications, navigation, Earth observation, environmental management, exploration, and science and orbital infrastructures. Thales Alenia Space has approximately 8,900 employees in 10 countries and posted consolidated revenues of approximately €2.15 billion in 2021.