Quality/Security Assurance
Each build of M-Star CFD is taken through a series of steps to safeguard your use of our solution.
Digital Signatures
Each build of the software is immediately signed with our digital code signing certificate, which is issued by a root certificate authority. When you install the software on Windows, the operating system recognizes M-Star Simulations, LLC, as the publisher, which confirms that the file content has not been altered since it was signed. To verify the digital signature of the MSI file, you can double-click it and confirm that M-Star Simulations, LLC, is shown as the publisher. Alternatively, right-click the file, open the Digital Signatures panel, and verify that M-Star Simulations signed the file. The signature is time-stamped so that it remains verifiable after the signing certificate itself expires.
Additionally, the file hashes of all downloadable packages provided by M-Star are published on the download page. The file hashes (MD5, SHA1, SHA256) can be used to verify that a downloaded file is intact and matches the published build. The hashes are generated at build time and are stored separately from the download artifacts.
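The two checks described above (publisher signature and published hash) can be scripted instead of done by hand in Explorer. The following PowerShell function is an added example, not M-Star's own tooling; it uses the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets, and the path and SHA-256 value in the usage line are placeholders to be replaced with the real installer path and the hash shown on the download page.

```powershell
# Added example (not M-Star's own tooling): verify the Authenticode signature
# and the published SHA-256 hash of a downloaded M-Star CFD installer.
# $ExpectedSha256 is a placeholder; copy the real value from the download page.
function Test-MStarInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $ExpectedPublisher = 'M-Star Simulations, LLC'
    )

    $result = [ordered]@{
        Path        = $Path
        SignatureOk = $false
        TimestampOk = $false
        HashOk      = $false
    }

    # 1. Authenticode: the certificate chain must validate (Status 'Valid'),
    #    the signing certificate must be issued to the expected publisher, and
    #    a timestamp countersignature must be present so the signature stays
    #    verifiable after the signing certificate expires.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $result.SignatureOk = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedPublisher*")
    $result.TimestampOk = ($null -ne $sig.TimeStamperCertificate)

    # 2. Integrity: compare the SHA-256 of the local file with the value
    #    published alongside the download. Get-FileHash returns upper-case hex.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashOk = ($actual -eq $ExpectedSha256.ToUpperInvariant())

    [pscustomobject]$result
}

# Usage (placeholder path and hash; take the real hash from the download page):
# Test-MStarInstaller -Path 'C:\Downloads\MStarCFD.msi' -ExpectedSha256 '<SHA256 FROM DOWNLOAD PAGE>'
```

All three properties should be True before the installer is run. Of the three hashes the download page lists, compare the SHA-256 value: MD5 and SHA-1 are still useful to detect an incomplete download, but they are no longer collision-resistant, so they should not be the only check.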
Static Application Security Testing (SAST)
SAST is a process that scans source code and reports security issues. All code developed by M-Star goes through the SAST scan each time it is compiled. The build process then determines whether any High or Critical vulnerabilities exist in code developed by M-Star. If any are detected, the build fails and operations are alerted to the problem.
Software Composition Analysis (SCA)
SCA is a process that scans a project and identifies its third-party dependencies. This produces a "bill of materials" (BOM) for the project that lists all open source components and their versions. The BOM is then checked against a large database of known vulnerabilities, drawn both from the National Vulnerability Database and from other large proprietary databases provided by our SCA software. The build process then determines whether any High or Critical vulnerabilities exist in the project's dependencies. If any are detected, the build fails and operations are alerted to the problem. This provides a monitoring system against supply chain attacks, since M-Star is alerted to any issues with upstream dependencies.
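The SAST and SCA sections above describe the same gating rule: the build fails as soon as a scan reports a High or Critical finding. The script below is an added example of such a gate, not M-Star's build system; the JSON report shape, the finding identifiers and the component names are all constructed for illustration, since real SAST and SCA tools each emit their own schema.

```powershell
# Added example (not M-Star's build system): fail a CI stage when a scan report
# contains any High or Critical finding. The report format is a constructed,
# generic one; adapt the property names to the schema of the real scanner.
function Get-BlockingFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Findings,
        [string[]] $BlockingSeverities = @('High', 'Critical')
    )
    # -contains compares case-insensitively, so 'critical' and 'CRITICAL' also block.
    $Findings | Where-Object { $BlockingSeverities -contains $_.severity }
}

function Invoke-SecurityGate {
    param(
        [Parameter(Mandatory)] [string] $ReportJson,
        [string] $Stage = 'scan'
    )
    $report   = $ReportJson | ConvertFrom-Json
    $blocking = @(Get-BlockingFindings -Findings $report.findings)

    if ($blocking.Count -gt 0) {
        foreach ($f in $blocking) {
            Write-Warning ("[{0}] {1} {2} in {3}: {4}" -f $Stage, $f.severity, $f.id, $f.component, $f.title)
        }
        # A non-zero return code (used as the process exit code below) fails the
        # CI job; the warnings above are the detail operations gets alerted with.
        Write-Error "$Stage gate failed: $($blocking.Count) High/Critical finding(s)" -ErrorAction Continue
        return 1
    }
    Write-Host "$Stage gate passed: no High/Critical findings"
    return 0
}

# Constructed sample SCA report. The ids and component names are placeholders,
# not real advisories or real dependencies.
$sampleReport = @'
{
  "findings": [
    { "id": "PLACEHOLDER-0001", "severity": "Medium",
      "component": "example-lib 1.2.0", "title": "constructed medium finding" },
    { "id": "PLACEHOLDER-0002", "severity": "Critical",
      "component": "other-lib 0.9.1",   "title": "constructed critical finding" }
  ]
}
'@

# In a pipeline the report would come from the scanner's output file instead.
$exitCode = Invoke-SecurityGate -ReportJson $sampleReport -Stage 'SCA'
exit $exitCode
```

With the constructed report the stage exits with code 1 because of the Critical finding; with only the Medium finding it exits 0. The same function serves the SAST stage by passing that scanner's report and `-Stage 'SAST'`.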
Quality Assurance Testing (QA)
General QA testing is done on each build of the software to identify and remediate any defects. These are full system tests that create example cases and execute them. Each case must run successfully. Some cases will also verify output data values to ensure solver behavior is correct. If any issues are detected in this QA testing, M-Star operations are notified and corrective action is taken.