Best Practices of Static Code Analysis in the SDLC
Static Analysis helps developers prevent and eliminate defects—using thousands of rules tuned to find code patterns that lead to reliability, performance, and security problems. Over 15 years of research and development have gone into fine-tuning Parasoft's rule set.

For more information about Static Analysis please click on the link below.

http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547

Presentation Transcript

    • Best Practices of Static Analysis in the SDLC, Part 1 (November 2010)
    • Agenda
        1. House Keeping - Certification Overview
        2. Very Brief Parasoft Introduction
        3. Today's Agenda
      Parasoft Proprietary and Confidential
    • House Keeping - Certification
        - Two 45-minute live interactive sessions focused on Static Analysis using best practices for development, testing, and management
        - Session 1: Best Practices of Static Analysis, Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
        - Session 2: Best Practices of Static Analysis, Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
        - Materials published the day after the on-line session
        - Final exam (multiple choice) on-line
        - Certificate of completion from Parasoft Corporation
    • Important Note
        - This course is not designed to: teach how to do security; review (in depth) the reasons "why" we should have solid software; cover how to use any specific tools
        - This course is designed to: explain available SA techniques and what they're used for; help avoid common pitfalls; provide in-depth examples of selected best practices and teach you how to optimize them for the software development environment
    • About Parasoft
        - Founded in 1987
        - 27 patents for automated quality processes
        - Build quality into the process
        - Static Analysis tools since 1994
    • Parasoft Capabilities / Technologies
        - Quality Policy Management
        - Task Management
        - Code Analysis - Pattern Based
        - Code Analysis - Flow Based
        - Code Analysis - Metrics
        - Code Review
        - Unit Testing Framework
        - Memory Error Detection
        - Runtime Analysis
        - Message/Protocol Testing
        - Application Behavior Emulation
        - Functional Testing
        - Load Testing
    • Agenda for this session
        - Define static analysis
        - Define "false positives"
        - Static analysis for Security
        - Static analysis for defect prevention
        - Static analysis for process improvement
    • What IS Static Analysis? A variety of methods:
        - Peer Review / Manual Code Review / Code Inspection
        - Pattern-based code scanners
        - Flow-based code scanners
        - Metrics-based code scanners
        - Compiler / build output
    • What is: Peer Code Review
        - What: A human review process that provides checks and balances for finding and preventing human mistakes.
        - Why: Find defects early; find real functional problems; increase breadth of understanding; increase productivity
    • Peer Code Review
        - Review policies: coder / reviewer pairs; QA reviewer / test review; frequency; scope; pre-commit vs. post-commit review
        - Automation potential: a system to enforce the review policy; track un-reviewed changes; facilitate non-blocking communication
    • Methods of Code Review
        - Code Review "in a room": wastes time; developers are inhibited
        - Using an automated infrastructure: consistent
    • Determining Reviewers
        - Who reviews whom
        - How close are they in the code?
        - Increase code understanding
    • What is: Pattern-Based SA
        - What: Identify specific patterns in the code
        - Why: Find bugs; ensure inclusion of required items (security, branding); prevent problems; improve developers
    • Pattern-Based Static Analysis
        - Quick scan to list possible problems
        - Fixing violations prevents certain classes of errors
        - Each source file is analyzed separately
        - Static analysis categories include: Logical Errors; API Misuse; Typographical Errors; Security; Threads and Synchronization; Performance and Optimization
    • What is: Data Flow Analysis
        - What: Simulate execution to find patterns
        - Why: Find real bugs
    • Data Flow Analysis
        - Simulate hypothetical execution paths
        - Detect possible errors along those paths
        - Data flow analysis error categories include: Exceptions; Optimization; Resource Leaks; API misuse; Security
    • What is: Code Metrics
        - What: Measurement of code based on various statistics
        - Why: Understanding code; possible problems
    • Code Analysis Perceptions
        - "Static analysis is a pain"
        - The term "false positive" has varying definitions: "I don't like it"; "It was wrong"
    • Pattern-based false positives
        - True false positives are generally a rule deficiency
        - Context: does this rule apply here and now?
        - In-code suppressions to document the decision
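As an added illustration (not Parasoft's code or product), a minimal pattern-based checker in Python: it scans each file on its own against a small constructed rule set, and it honors an in-code suppression only when the suppression carries a reason, so the decision stays documented in the source. The rule ids, the `sa-suppress` comment syntax and the sample input are assumptions made for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    message: str

# Constructed rule set for this example, following the slide's categories.
RULES = [
    Rule("SEC-001", re.compile(r"\beval\s*\("), "eval() on data allows code injection"),
    Rule("SEC-002", re.compile(r"\bsubprocess\.\w+\(.*shell\s*=\s*True"), "shell=True builds a command line from data"),
    Rule("API-001", re.compile(r"\bexcept\s*:\s*$"), "bare except hides real failures"),
]

# Suppression syntax assumed here: a trailing '# sa-suppress: <RULE_ID> reason=<why>'.
# A suppression without a reason does not count, so every exception stays documented.
SUPPRESS = re.compile(r"#\s*sa-suppress:\s*(?P<id>[\w-]+)\s+reason=(?P<reason>\S.*)$")

def scan_file(text):
    """Scan one file on its own; return (violations, suppressed) as (line, rule_id, detail) tuples."""
    violations, suppressed = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        code, _, comment = line.partition("#")   # crude: a '#' inside a string literal also splits
        sup = SUPPRESS.search("#" + comment) if comment else None
        for rule in RULES:
            if not rule.pattern.search(code):
                continue
            if sup and sup.group("id") == rule.rule_id:
                suppressed.append((line_no, rule.rule_id, sup.group("reason").strip()))
            else:
                violations.append((line_no, rule.rule_id, rule.message))
    return violations, suppressed

# Constructed input: two findings stand, one is suppressed with a documented reason.
SAMPLE = """\
config = eval(user_text)
table = eval(TABLE_SRC)  # sa-suppress: SEC-001 reason=TABLE_SRC is a compiled-in literal
try:
    load()
except:
    pass
"""
```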
    • Flow Analysis False Positives
        - False positives are inevitable
        - Finds real bugs
        - Flow analysis is not comprehensive
    • Static Analysis for Security
        - Flow analysis finds low-hanging fruit
        - Flow won't guarantee security
        - SA prevents security problems
        - Input validation is key
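An added example (not Parasoft's code) of what "simulating hypothetical execution paths" means for an input-validation check: a small flow-based analysis over a Python function's AST that follows each branch with its own taint state and reports where unvalidated input reaches a sink, while a path that goes through a validator is left alone. The source, sink and validator names (`input`, `os.system`, `eval`, `validate_int`) and the sample function are assumptions made for this example.

```python
import ast
SOURCES = {"input"}            # constructed: calls that return untrusted data
SINKS = {"os.system", "eval"}  # constructed: calls that must not see raw input
SANITIZERS = {"validate_int"}  # constructed: validators that clear taint

def _name(call):
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f.value.id + "." + f.attr
    return f.id if isinstance(f, ast.Name) else ""

def _tainted(expr, tainted):
    # Does the value of expr derive from a source, given the names tainted so far?
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        n = _name(expr)
        return n not in SANITIZERS and (n in SOURCES or any(
            _tainted(c, tainted) for c in [expr.func, *expr.args]))
    return any(_tainted(c, tainted) for c in ast.iter_child_nodes(expr))

def _walk(stmts, tainted, findings):
    # Each branch is simulated with its own copy of the taint state.
    for s in stmts:
        if isinstance(s, ast.If):
            _walk(s.body, set(tainted), findings)
            _walk(s.orelse, set(tainted), findings)
            continue
        for call in (n for n in ast.walk(s) if isinstance(n, ast.Call)):
            if _name(call) in SINKS and any(_tainted(a, tainted) for a in call.args):
                findings.append((call.lineno, _name(call)))
        if isinstance(s, ast.Assign) and isinstance(s.targets[0], ast.Name):
            name = s.targets[0].id
            tainted = tainted | {name} if _tainted(s.value, tainted) else tainted - {name}

def find_taint_flows(source):
    # Sorted (line, sink) pairs where untrusted data reaches a sink on some path.
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, ast.FunctionDef):
            _walk(fn.body, set(), findings)
    return sorted(set(findings))

SAMPLE = '''def handler():
    raw = input()
    if raw.startswith("n="):
        count = validate_int(raw)
        os.system("head -n " + count)   # validated on this path: no finding
    else:
        os.system("echo " + raw)        # raw input reaches the sink: finding
'''
```

Loops, calls into other functions and the `if` condition itself are not modelled, which is the kind of gap the slide means by "flow analysis is not comprehensive".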
    • Static Analysis for Prevention
        - It's quicker to deal with false positives than with bugs
        - Flow analysis finds complicated problems
        - Runtime analysis should match flow analysis
        - Rules should be chosen based on real problems
    • SA for Process Improvement
        - Flow analysis won't find everything
        - Flow rules have corresponding pattern-based rules
        - Prevent the potential rather than chase paths
    • House Keeping - Certification
        - Two 45-minute live interactive sessions focused on Static Analysis using best practices for development, testing, and management
        - Session 1: Best Practices of Static Analysis, Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
        - Session 2: Best Practices of Static Analysis, Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST: process infrastructure; workflows; choosing the best configuration; and more
        - Materials published the day after the on-line session
        - Final exam (multiple choice) on-line
        - Certificate of completion from Parasoft Corporation
    • Q&A: Questions
    • Further Reading
        - Automated Defect Prevention (Huizinga & Kolawa): principles and processes to improve the software development process.
        - Effective C++ / More Effective C++ (Meyers): the definitive work on proper C++ design and programming.
        - Effective Java (Bloch): best-practice solutions for programming challenges.
        - Design Patterns (Gamma, Helm, Johnson, Vlissides): timeless and elegant solutions to common problems.