Best Practices of Static Code Analysis in the SDLC
Static Analysis helps developers prevent and eliminate defects—using thousands of rules tuned to find code patterns that lead to reliability, performance, and security problems. Over 15 years of research and development have gone into fine-tuning Parasoft's rule set.

For more information about Static Analysis please click on the link below.

http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547

Published in: Technology
1. Best Practices of Static Analysis in the SDLC
  Part 1
  November 2010

2. Agenda
  1. Housekeeping - Certification Overview
  2. Very Brief Parasoft Introduction
  3. Today's Agenda
  Parasoft Proprietary and Confidential

3. Housekeeping - Certification
  • Two 45-minute live interactive sessions focused on Static Analysis using best practices for development, testing, and management
  • Session 1: Best Practices of Static Analysis, Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
  • Session 2: Best Practices of Static Analysis, Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
  • Materials published the day after each on-line session
  • Final exam (multiple choice) on-line
  • Certificate of completion from Parasoft Corporation

4. Important Note
  • This course is not designed to:
      • Teach how to do security
      • Review (in depth) the reasons “why” we should have solid software
      • Cover how to use any specific tools
  • This course is designed to:
      • Explain available SA techniques and what they're used for
      • Help avoid common pitfalls
      • Provide in-depth examples of selected best practices and teach you how to optimize them for the software development environment

5. About Parasoft
  • Founded in 1987
  • 27 patents for automated quality processes
  • Build quality into the process
  • Static analysis tools since 1994

6. Parasoft Capabilities
  Technologies:
  • Quality Policy Management
  • Task Management
  • Code Analysis - Pattern Based
  • Code Analysis - Flow Based
  • Code Analysis - Metrics
  • Code Review
  • Unit Testing Framework
  • Memory Error Detection
  • Runtime Analysis
  • Message/Protocol Testing
  • Application Behavior Emulation
  • Functional Testing
  • Load Testing

7. Agenda for this session
  • Define static analysis
  • Define “false positives”
  • Static analysis for security
  • Static analysis for defect prevention
  • Static analysis for process improvement

8. What IS Static Analysis?
  • A variety of methods:
      • Peer review / manual code review / code inspection
      • Pattern-based code scanners
      • Flow-based code scanners
      • Metrics-based code scanners
      • Compiler / build output

9. What is: Peer Code Review
  • What: A human review process that provides checks and balances for finding and preventing human mistakes.
  • Why:
      • Find defects early
      • Find real functional problems
      • Increase breadth of understanding
      • Increase productivity

10. Peer Code Review
  • Review policies
      • Coder / reviewer pairs
      • QA reviewer / test review
      • Frequency
      • Scope
      • Pre-commit vs. post-commit review
  • Automation potential
      • A system to enforce the review policy
      • Track un-reviewed changes
      • Facilitate non-blocking communication

11. Methods of Code Review
  • Code review “in a room”
      • Wastes time
      • Developers are inhibited
  • Using an automated infrastructure
      • Consistent

12. Determining Reviewers
  • Who reviews whom
      • How close are they in the code?
      • Increase code understanding

13. What is: Pattern-Based SA
  • What: Identify specific patterns in the code
  • Why:
      • Find bugs
      • Ensure inclusion of required items
          • Security
          • Branding
      • Prevent problems
      • Improve developers

14. Pattern-Based Static Analysis
  • Quick scan to list possible problems
  • Fixing violations prevents certain classes of errors
  • Each source file is analyzed separately
  • Static analysis categories include:
      • Logical Errors
      • API Misuse
      • Typographical Errors
      • Security
      • Threads and Synchronization
      • Performance and Optimization
15. What is: Data Flow Analysis
  • What: Simulate execution to find patterns
  • Why: Find real bugs

16. Data Flow Analysis
  • Simulate hypothetical execution paths
  • Detect possible errors along those paths
  • Data flow analysis error categories include:
      • Exceptions
      • Optimization
      • Resource Leaks
      • API Misuse
      • Security

17. What is: Code Metrics
  • What: Measurement of code based on various statistics
  • Why:
      • Understanding code
      • Possible problems

18. Code Analysis Perceptions
  • “Static analysis is a pain”
  • “False positive” has varying definitions:
      • “I don't like it”
      • “It was wrong”

19. Pattern-based false positives
  • True false positives are generally a rule deficiency
  • Context: does this apply here and now?
  • In-code suppressions to document the decision
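As an added example (not from the deck and not Parasoft's tooling), the following Python script implements one pattern-based rule of the kind slides 13 and 14 describe, analyzing a single file by syntax alone, and shows the in-code suppression slide 19 calls for so that a reviewer's decision about context is recorded next to the code. The rule id PB-OPEN-NOWITH, the `# sa-suppress:` comment syntax and the sample source are all invented here.

```python
import ast
import re

# Hypothetical rule id, invented for this example.
RULE_ID = "PB-OPEN-NOWITH"
# In-code suppression marker, also invented: "# sa-suppress: RULE reason".
SUPPRESS_RE = re.compile(r"#\s*sa-suppress:\s*(\S+)\s*(.*)")


def run_pattern_rule(source):
    """Flag open() calls not managed by 'with'. Syntax only, one file,
    no notion of execution paths: exactly a pattern-based scan."""
    tree = ast.parse(source)
    lines = source.splitlines()
    # open() used as the context expression of a 'with' is considered safe.
    managed = {item.context_expr
               for node in ast.walk(tree) if isinstance(node, ast.With)
               for item in node.items}
    findings = []
    for node in ast.walk(tree):
        is_open = (isinstance(node, ast.Call)
                   and isinstance(node.func, ast.Name) and node.func.id == "open")
        if not is_open or node in managed:
            continue
        finding = {"rule": RULE_ID, "line": node.lineno, "suppressed": None}
        m = SUPPRESS_RE.search(lines[node.lineno - 1])
        if m and m.group(1) == RULE_ID:
            # A suppression records *why* the reviewer accepted this instance.
            finding["suppressed"] = m.group(2).strip() or "(no reason given)"
        findings.append(finding)
    return sorted(findings, key=lambda f: f["line"])


def active_findings(source):
    """Findings that still need action after documented suppressions."""
    return [f for f in run_pattern_rule(source) if f["suppressed"] is None]


# Constructed input: one clean use, one real violation, one accepted one.
SAMPLE = '''\
def read_config(path):
    with open(path) as fh:
        return fh.read()

def leaky(path):
    fh = open(path)
    return fh.read()

def long_lived(path):
    return open(path)  # sa-suppress: PB-OPEN-NOWITH caller owns and closes the handle
'''
```

Running `run_pattern_rule(SAMPLE)` reports lines 6 and 10; only line 6 remains in `active_findings(SAMPLE)`, because line 10 carries a documented suppression.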
20. Flow Analysis False Positives
  • False positives are inevitable
  • Finds real bugs
  • Flow analysis is not comprehensive

21. Static Analysis for Security
  • Flow analysis finds low-hanging fruit
  • Flow won't guarantee security
  • SA prevents security problems
  • Input validation is key

22. Static Analysis for Prevention
  • It's quicker to deal with false positives than bugs
  • Flow analysis finds complicated problems
  • Runtime analysis should match flow analysis
  • Rules should be chosen based on real problems

23. SA for Process Improvement
  • Flow analysis won't find everything
  • Flow rules have corresponding pattern-based rules
  • Prevent the potential rather than chase paths
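An added example, not from the deck, of what slides 16 and 20 describe: a toy flow analysis in Python that simulates every hypothetical execution path of a small program, finds a real null dereference on one path, and also reports an infeasible path, which is the kind of false positive slide 20 calls inevitable. The three-statement intermediate form and the sample programs are invented for this example.

```python
# Toy flow analysis over an invented IR (not a real tool's format):
#   ("assign", var, "null" | "obj")            set a pointer
#   ("branch", cond, then_block, else_block)   fork on an opaque flag
#   ("deref", var)                             use the pointer
# A branch forks the path unless the same flag was already decided on
# this path. Correlations that the real program guarantees but the
# analysis cannot see are what produce false positives.

def run_flow_analysis(program):
    findings = []

    def run(stmts, state, decided, path):
        # state: pointer -> "null"/"obj"; decided: flag -> bool; path: trace
        for i, (op, *args) in enumerate(stmts):
            if op == "assign":
                state[args[0]] = args[1]
            elif op == "deref":
                if state.get(args[0]) == "null":
                    findings.append({"var": args[0], "path": tuple(path)})
            elif op == "branch":
                cond, then_blk, else_blk = args
                rest = stmts[i + 1:]
                outcomes = [decided[cond]] if cond in decided else [True, False]
                for taken in outcomes:
                    blk = then_blk if taken else else_blk
                    # Each fork continues with its own copy of the state.
                    run(blk + rest, dict(state), {**decided, cond: taken},
                        path + [(cond, taken)])
                return  # the forks have finished the rest of this block

    run(list(program), {}, {}, [])
    return findings


# Constructed sample 1: a real bug. p stays null when `ready` is false
# and is dereferenced unconditionally afterwards.
REAL_BUG = [("assign", "p", "null"),
            ("branch", "ready", [("assign", "p", "obj")], []),
            ("deref", "p")]

# Constructed sample 2: the use is guarded by the same flag, so no path
# dereferences null and nothing is reported.
GUARDED = [("assign", "p", "null"),
           ("branch", "ready", [("assign", "p", "obj")], []),
           ("branch", "ready", [("deref", "p")], [])]

# Constructed sample 3: a false positive. The real program guarantees that
# cfg_valid implies cfg_loaded; the analysis cannot see that link, so it
# reports the infeasible path cfg_loaded=False, cfg_valid=True.
CORRELATED = [("assign", "p", "null"),
              ("branch", "cfg_loaded", [("assign", "p", "obj")], []),
              ("branch", "cfg_valid", [("deref", "p")], [])]
```

The reported path for sample 3 is exactly the information a reviewer needs to decide whether the finding is real or whether an in-code suppression documenting the invariant is the right response.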
24. Housekeeping - Certification
  • Two 45-minute live interactive sessions focused on Static Analysis using best practices for development, testing, and management
  • Session 1: Best Practices of Static Analysis, Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
  • Session 2: Best Practices of Static Analysis, Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
      • Process infrastructure
      • Workflows
      • Choosing the best configuration
      • And more
  • Materials published the day after each on-line session
  • Final exam (multiple choice) on-line
  • Certificate of completion from Parasoft Corporation

25. Q&A
  • Questions

26. Further Reading
  • Automated Defect Prevention (Huizinga & Kolawa): principles and processes to improve the software development process.
  • Effective C++ / More Effective C++ (Meyers): the definitive work on proper C++ design and programming.
  • Effective Java (Bloch): best-practice solutions for programming challenges.
  • Design Patterns (Gamma, Helm, Johnson, Vlissides): timeless and elegant solutions to common problems.