1. Real World Static Analysis Boot Camp, Part 1 (2014)
Parasoft Copyright © 2014

2. GoToWebinar Housekeeping: Your Participation
Open and hide your control panel
Join audio:
• Choose “Mic & Speakers” to use VoIP
• Choose “Telephone” and dial using the information provided
Submit questions and comments via the Questions panel
Note: Today’s presentation is being recorded and will be provided within a week.

3. Why static analysis
Prevent Problems
Target Problems
Learning

4. Types of Static Analysis
Defects
Pattern Based
Flow Analysis
Metrics

5. What’s it for?
Review, Static, Value, Bugs, Prevent, Standards, Behavior, Mentor

6. Selecting a tool
§ Types of analysis
§ Languages covered
§ IDE integration
§ Number of rules / standards covered
§ Active development
§ Supported workflows
§ Reporting

7. Pattern-Based Static Analysis
What:
• Identify specific patterns in the code
Why:
• Find dangerous practices
• Prevent defects
• Ensure inclusion of required items
• Security
• Branding

8. Data Flow Analysis
What:
• Simulate execution to find patterns
• Analyze paths
• Analyze data usage
Why:
• Find real bugs
• Find security vulnerabilities
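The two analysis types on slides 7 and 8, as an added example that is not part of the deck: a pattern rule that matches one AST node shape next to a toy flow rule that simulates both branches of an `if` and joins the result. The rule names, the sample source and the None-tracking logic are assumptions made here, not any vendor's implementation.

```python
"""Pattern-based vs. flow-based rules on Python source, as a toy.

Added example, not code from the Parasoft deck: pattern_rule() matches the
shape of a single AST node, while flow_rule() simulates execution along each
branch to find a value that may be None when it is dereferenced. Rule names,
the sample source and the None-tracking logic are all constructed here.
"""
import ast

# Pattern-based rule: flag direct calls to these names wherever they appear.
DANGEROUS_CALLS = {"eval", "exec"}


def pattern_rule(source: str) -> list[tuple[int, str]]:
    """Return (line, message) for every direct call to a name in DANGEROUS_CALLS.

    The rule never asks how control got here; the node shape alone decides.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DANGEROUS_CALLS):
            findings.append((node.lineno, f"call to {node.func.id}()"))
    return findings


def _check_derefs(node: ast.AST, maybe_none: set, findings: list) -> None:
    """Record `x.attr` / `x[i]` where x may currently be None."""
    for sub in ast.walk(node):
        if isinstance(sub, (ast.Attribute, ast.Subscript)):
            base = sub.value
            if isinstance(base, ast.Name) and base.id in maybe_none:
                findings.append((sub.lineno, f"{base.id} may be None"))


def _simulate(stmts: list, maybe_none: set, findings: list) -> set:
    """Walk a statement list; return the names that may be None at its end."""
    state = set(maybe_none)
    for stmt in stmts:
        if isinstance(stmt, ast.If):
            _check_derefs(stmt.test, state, findings)
            # Simulate each branch from the same entry state, then join:
            # a name may be None afterwards if it may be None on either path.
            then_state = _simulate(stmt.body, state, findings)
            else_state = _simulate(stmt.orelse, state, findings)
            state = then_state | else_state
            continue
        _check_derefs(stmt, state, findings)
        if isinstance(stmt, ast.Assign):
            is_none = isinstance(stmt.value, ast.Constant) and stmt.value.value is None
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    (state.add if is_none else state.discard)(target.id)
    return state


def flow_rule(source: str) -> list[tuple[int, str]]:
    """Run the None-dereference simulation over every top-level function."""
    findings: list = []
    for fn in ast.parse(source).body:
        if isinstance(fn, ast.FunctionDef):
            _simulate(fn.body, set(), findings)
    return findings


# Constructed sample: one path leaves `user` as None; eval() is plain misuse.
SAMPLE = '''
def handler(request, cache):
    user = None
    if request.authenticated:
        user = cache.lookup(request.token)
    return user.name

def render(template):
    return eval(template)
'''

if __name__ == "__main__":
    print("pattern-based:", pattern_rule(SAMPLE))   # [(9, 'call to eval()')]
    print("flow-based:   ", flow_rule(SAMPLE))      # [(6, 'user may be None')]
```

The pattern rule fires on `eval()` without knowing anything about the surrounding paths, while the flow rule only reports `user.name` because the else path of the `if` never reassigns `user`.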
9. Results within IDE
1 Results delivered as uniform view within IDE
2 Directly access line of code to fix
3 Check-in

10. Workflow Integration
§ Has to work with your development UI
§ Same configuration for desktop and server
§ Minimize negative impact
§ Minimize time to find / fix violations

11. Reporting
Historical trends
Drill-down for detail
Critical info
• Developer
• Project
• Severity
• Category
“Without the right information, you’re just another person with an opinion.” - Tracy O’Rourke, CEO of Allen-Bradley

12. Sample Report

13. Selecting a rule configuration

14. Being Successful
Choose rules carefully
Implement progressively
• Fewer to more rules
• Extend date backward
Suppressions to manage noise

15. Choosing rules
§ Things happening in the field
§ Things you worry will happen
§ Things happening in the news
§ Standards you must comply with

16. Don’t Get Run Over
Same set of rules for everyone
Small set of rules
Fewer rules that are followed are better than more that are not
If you wouldn’t fix it, don’t check for it

17. Configuration Options
Configuration affects adoption
Rules for new code vs legacy code
Cut-off dates
The right rules
Avoid “we want to comply with this later”

18. Refining the Rules
Check the rules on real code
Reduce rules if there are too many violations
Rules that have too many violations may not be good candidates
Suppress files that have too many violations
Spot-check rules with developers
Run on second code base
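Slides 14, 17 and 18 describe one procedure (start with few rules and a cut-off date, suppress files that drown in violations, prune rules that fire too often, then extend the date backward). This added example, not Parasoft's code, applies that procedure to a constructed violation report; the rule ids, paths, dates and thresholds are all invented for illustration.

```python
"""Refining a rule configuration from a violation report (added example).

Not Parasoft code: refine() applies the deck's advice to a constructed
report: count only code changed after a cut-off date, suppress files that
drown in violations, then drop rules that fire more often than the team
will fix. Rule ids, paths, dates and thresholds are all invented here.
"""
from collections import Counter
from datetime import date
from typing import NamedTuple


class Violation(NamedTuple):
    rule: str
    path: str
    line: int
    changed: date  # when the offending line was last modified (from blame)


def _v(rule: str, path: str, line: int, iso: str) -> Violation:
    return Violation(rule, path, line, date.fromisoformat(iso))


# Constructed sample report: two security rules, two style rules, legacy
# files untouched since 2008/2009 and one generated file full of long lines.
VIOLATIONS = [
    _v("SEC.INJECT",   "web/login.py",        42, "2014-09-10"),
    _v("SEC.INJECT",   "web/search.py",       17, "2014-09-12"),
    _v("SEC.CRYPTO",   "lib/hash.py",         30, "2014-08-21"),
    _v("SEC.CRYPTO",   "lib/legacy_hash.py",   8, "2009-03-02"),
    _v("STYLE.NAMING", "web/login.py",         5, "2014-09-10"),
    _v("STYLE.NAMING", "web/login.py",        19, "2014-09-10"),
    _v("STYLE.NAMING", "web/search.py",        4, "2014-09-12"),
    _v("STYLE.NAMING", "lib/hash.py",          2, "2014-08-21"),
    _v("STYLE.NAMING", "lib/legacy_util.py",   3, "2008-01-15"),
    _v("STYLE.NAMING", "lib/legacy_util.py",   9, "2008-01-15"),
    _v("STYLE.NAMING", "lib/legacy_util.py",  14, "2008-01-15"),
    _v("STYLE.LENGTH", "gen/api_pb2.py",      10, "2014-09-01"),
    _v("STYLE.LENGTH", "gen/api_pb2.py",      11, "2014-09-01"),
    _v("STYLE.LENGTH", "gen/api_pb2.py",      12, "2014-09-01"),
    _v("STYLE.LENGTH", "gen/api_pb2.py",      13, "2014-09-01"),
    _v("STYLE.LENGTH", "web/search.py",       60, "2014-09-12"),
]


def refine(violations, cutoff: date, max_per_file: int = 3, max_per_rule: int = 3) -> dict:
    """Cut-off date first, then file suppressions, then rule pruning."""
    # 1. Legacy code: a violation on a line last touched before the cut-off
    #    is out of scope for now; moving `cutoff` backwards later widens it.
    recent = [v for v in violations if v.changed >= cutoff]
    # 2. Files with more hits than anyone will clean up get a file-level
    #    suppression; done before rule pruning so that one generated file
    #    cannot decide which rules survive.
    per_file = Counter(v.path for v in recent)
    suppressed = sorted(p for p, n in per_file.items() if n > max_per_file)
    scoped = [v for v in recent if v.path not in suppressed]
    # 3. A rule that still fires more than max_per_rule times is a poor first
    #    candidate: fewer rules that are followed beat more that are not.
    per_rule = Counter(v.rule for v in scoped)
    dropped = sorted(r for r, n in per_rule.items() if n > max_per_rule)
    remaining = [v for v in scoped if v.rule not in dropped]
    return {
        "legacy_excluded": len(violations) - len(recent),
        "suppressed_files": suppressed,
        "dropped_rules": dropped,
        "remaining": remaining,
    }


if __name__ == "__main__":
    result = refine(VIOLATIONS, date(2014, 1, 1))
    for key in ("legacy_excluded", "suppressed_files", "dropped_rules"):
        print(f"{key}: {result[key]}")
    for v in result["remaining"]:
        print(f"  {v.path}:{v.line} {v.rule}")
```

With the 2014 cut-off the two security rules survive while the generated file is suppressed and the naming rule is set aside; re-running with an earlier cut-off pulls the legacy files back into scope without changing the procedure.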
19. Workflow

20. Tackling Static Analysis Output
§ Avoid the old-fashioned “automated build and email” model
§ Avoid a complicated manual assignment/triage process
§ Avoid having results outside of the development IDE

21. Implementation of Static Analysis
1 Choose rulesets and workflow
2 Scan code
3 Cross-reference with source
4 Deliver results

22. Everything is a Task
§ Everything a developer does is a task
§ Quality tasks
§ Coding tasks
§ Code review tasks
§ Testing tasks
§ … tasks
§ Tasks in the UI are easier than email

23. Fixing Violations
§ Multiple methods:
§ Suppress
§ Quick-fix
§ Change the code
§ Code review
§ Check the docs for info

24. NOISE

25. What is Noise?
Incorrect messages
Unhelpful messages
Irrelevant messages
Anything I don't need to hear
Anything I don't want to hear

26. Common negative misconceptions
It’s a pain
I don’t like it
It’s wrong

27. It’s Too Much
Static Analysis is about process
It’s incremental
Starting with too many rules
Avoid biting off more than you can chew
Avoid any rule you won’t stop the build for

28. Tips and Traps

29. False positive misconceptions
False positives are the big problem
Manual review & prioritization is the way
Suppressions should be outside the code

30. Expectations
§ Why do static analysis?
§ Because it’s the right thing?
§ Increase quality?
§ Decrease costs?
§ Reduce development time?
§ Flow analysis is enough
§ When will it pay off?
§ How can I tell it’s paying off?

31. The Right Approach
§ Running SA on all your code (Don’t)
§ It’s all about the reports (Or is it?)

32. Static Analysis for Prevention
It’s quicker to deal with false positives than bugs
Flow analysis finds complicated problems
Runtime analysis should match flow analysis
Rules should be chosen based on real problems

33. SA for Process Improvement
Flow analysis won’t find everything
Flow rules have corresponding pattern-based rules
Prevent the potential rather than chase paths

34. Policy IS Important
§ What teams need to do SA?
§ What projects require SA?
§ What rules are required?
§ What amount of compliance?
§ When can you suppress?
§ How to handle legacy code?
§ Do you ship with SA violations?
§ Which ones?

35. Q&A
§ Web: http://www.parasoft.com/jsp/resources
§ Blog: http://alm.parasoft.com
§ Social
§ Facebook: https://www.facebook.com/parasoftcorporation
§ Twitter: @Parasoft @MustRead4Dev @CodeCurmudgeon
§ LinkedIn: http://www.linkedin.com/company/parasoft
§ Google+: +Parasoft +ArthurHickenCodeCurmudgeon
§ Google+ Community: Static Analysis for Fun and Profit

36. Coming up
Oct 9th – Static Analysis Boot Camp Part 2
Oct 15-16th – StarWest
Oct 17th – Static Analysis for DevOps
Oct 24-25th – Southland Tech Conf
Oct 29-30th – Cloud Expo Asia
