2. "Software is Eating the World"
- Marc Andreessen
Software sectors shown: Health, Financial, Communications, SCM / Logistics, Enterprise, Mobile, Automotive
81% of business leaders believe technology is a fundamental element of their business model
Over 60 million tablets and 175 million smart phones will be in the workplace by the end of 2012
By 2016, open source software will be included in mission-critical applications within 99% of Global 2000 enterprises
3.
4. Development Testing …
… is transforming software development by:
Reducing operational costs
Accelerating development and time to market
Protecting brands from catastrophic failure
5. Why All the Risk?
Software Complexity and Speed have Outpaced Legacy Testing Methods
Chart: Development vs. Testing; software complexity and time to market rise faster than legacy testing methods (security testing, functional testing, performance testing, manual testing)
6. Fewer defects escape development
Lifecycle: Design → Development → Quality & Security Assurance → Product Release & Management
Development Testing sits in the Development stage
Transform software testing from reactive to proactive
7. Transformation Maturity Model
Level 1 - Automatic Defect Detection: no new defects introduced.
Level 2 - Identification of Residual Risk: ensure critical code is prioritized and tested.
Level 3 - Developer Workflow Optimization: feeding all components into the developer workflow.
Level 4 - Code Governance: establish source code acceptance criteria.
Complete Enterprise Code Assurance: all critical code and code impacted by change is tested.
Axes: Integration into SDLC (high); Development Testing Adoption (high)
8. How Coverity Static Analysis Works
Build: mimics the behavior of dozens of compilers; integrates with existing build systems.
Analyze: statically tests all execution paths; finds defects and inconsistent coding patterns.
Present & Manage: explains the location and root cause of defects; manage and share triage of defects across teams.
9. Meaningful, real results
High Quality Results: focus on finding real defects, not style violations or superficial issues.
Over 12 years of experience analyzing open source and commercial code.
Industry-leading low false positive/negative rate: false positive rates typically below 15%.
False positives waste time, hinder adoption, and reduce trust in the results.
Broadest Checker Library + Deepest Algorithms: optimal balance of breadth, depth, and scalability to large code bases.
10. Sample Project: PostgreSQL
Defects Fixed in 2012 per Category

Category                            | # Defects | Impact
------------------------------------|-----------|-------
Memory - corruptions                |        20 | High
Memory - illegal accesses           |        10 | High
Resource leaks                      |        43 | High
Uninitialized variables             |        10 | High
API usage errors                    |         1 | Medium
Control flow issues                 |         4 | Medium
Error handling issues               |        14 | Medium
Incorrect expression                |         3 | Medium
Insecure data handling              |        24 | Medium
Integer handling issues             |         8 | Medium
Null pointer dereferences           |        43 | Medium
Code maintainability issues         |        58 | Low
Security best practices violations  |        15 | Low
Grand Total                         |       253 |

• ~20 Developers
• Weekly Build
• 680k LOC
• False Positive Rate: 11.1%
• Defect Density: 0.273
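"Resource leaks" is the largest high-impact category in the table above. The following is an added example, not PostgreSQL's or Coverity's code: it shows the shape of the defect a path-sensitive checker reports (an allocation that is not released on an early-return error path) next to the fixed form. The counting allocation wrappers and the "key=value" record format are constructed for this example so the leak is observable without a tool.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counting wrappers, constructed for this example so a leak shows up as a
 * non-zero outstanding count. Real code would call malloc/free directly. */
static int live_allocs = 0;

static void *xmalloc(size_t n)
{
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}

static void xfree(void *p)
{
    if (p) { live_allocs--; free(p); }
}

/* Number of heap blocks still outstanding. */
int outstanding_allocations(void)
{
    return live_allocs;
}

/* Parse a "key=value" record (constructed format), copying the key into a
 * scratch buffer and returning the numeric value, or -1 on malformed input.
 * BUGGY: the early return on the "no '='" path never frees `key`. This is
 * the classic resource leak on an error path. */
int parse_record_leaky(const char *rec)
{
    char *key = xmalloc(strlen(rec) + 1);
    if (key == NULL) return -1;
    const char *eq = strchr(rec, '=');
    if (eq == NULL) return -1;                  /* <-- `key` leaks here */
    size_t klen = (size_t)(eq - rec);
    memcpy(key, rec, klen);
    key[klen] = '\0';
    int value = atoi(eq + 1);
    xfree(key);
    return value;
}

/* FIXED: a single exit after the allocation, so every path releases `key`. */
int parse_record_fixed(const char *rec)
{
    int value = -1;
    char *key = xmalloc(strlen(rec) + 1);
    if (key == NULL) return -1;
    const char *eq = strchr(rec, '=');
    if (eq != NULL) {
        size_t klen = (size_t)(eq - rec);
        memcpy(key, rec, klen);
        key[klen] = '\0';
        value = atoi(eq + 1);
    }
    xfree(key);
    return value;
}

int main(void)
{
    int v1 = parse_record_fixed("port=5432");
    int o1 = outstanding_allocations();
    int v2 = parse_record_fixed("max_connections");
    int o2 = outstanding_allocations();
    int v3 = parse_record_leaky("max_connections");
    int o3 = outstanding_allocations();
    printf("fixed  port=5432       -> %d, outstanding %d\n", v1, o1);
    printf("fixed  max_connections -> %d, outstanding %d\n", v2, o2);
    printf("leaky  max_connections -> %d, outstanding %d\n", v3, o3);
    return 0;
}
```

The well-formed record behaves identically in both versions; only the malformed input separates them, which is why this class of defect survives functional testing and is caught by analysis that walks the error paths.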
11. We Find Critical Defects
• Tomcat Webserver 5.5.17
• Among several hundred defects, we found a "reverse lock bug" that can lead to deadlock of the entire server
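A "reverse lock bug" is a lock-order inversion: one code path acquires lock A then lock B, another acquires B then A, and two threads on those paths can each hold the lock the other needs. The following is an added example, not Tomcat's or Coverity's code (Tomcat is Java; this is written in C), and it models the analysis rather than the runtime: each code path is reduced to its lock acquisition order, every (held, acquired) pair becomes an edge in a lock-order graph, and a cycle in that graph is a potential deadlock. The lock names and the three path sets are constructed; the third set goes beyond the two-lock case to show that the same cycle check catches an inversion spread across three paths.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8
#define MAX_PATH  8

/* Constructed lock identities for a server-like code base. */
enum { SESSION = 0, MANAGER = 1, LOGGER = 2, NUM_LOCKS = 3 };
static const char *lock_name[NUM_LOCKS] = { "session", "manager", "logger" };

/* The order in which one code path acquires locks (what a static checker
 * extracts from the source; conditional releases are ignored here). */
typedef struct { int n; int acquired[MAX_PATH]; } lock_path;

/* edge[a][b] != 0 : some path acquires b while already holding a. */
typedef struct { int edge[MAX_LOCKS][MAX_LOCKS]; } lock_graph;

static void add_path(lock_graph *g, const lock_path *p)
{
    for (int i = 0; i < p->n; i++)
        for (int j = i + 1; j < p->n; j++)
            g->edge[p->acquired[i]][p->acquired[j]] = 1;
}

/* DFS with three colours; a back edge to a grey node means a cycle. */
static int dfs(const lock_graph *g, int v, int *color)
{
    color[v] = 1;
    for (int w = 0; w < NUM_LOCKS; w++) {
        if (!g->edge[v][w]) continue;
        if (color[w] == 1) return 1;
        if (color[w] == 0 && dfs(g, w, color)) return 1;
    }
    color[v] = 2;
    return 0;
}

int has_lock_order_cycle(const lock_graph *g)
{
    int color[MAX_LOCKS] = {0};
    for (int v = 0; v < NUM_LOCKS; v++)
        if (color[v] == 0 && dfs(g, v, color)) return 1;
    return 0;
}

/* Analyze a set of paths; returns 1 if a reverse-lock defect exists. */
int check_paths(const lock_path *paths, int count)
{
    lock_graph g;
    memset(&g, 0, sizeof g);
    for (int i = 0; i < count; i++) add_path(&g, &paths[i]);
    return has_lock_order_cycle(&g);
}

/* Request handling: session -> manager -> logger.
 * Background expiry (buggy): manager -> session, the reverse order. */
int buggy_server_has_deadlock(void)
{
    lock_path paths[] = {
        { 3, { SESSION, MANAGER, LOGGER } },
        { 2, { MANAGER, SESSION } },
    };
    return check_paths(paths, 2);
}

/* Fixed expiry path acquires in the same canonical order as request handling. */
int fixed_server_has_deadlock(void)
{
    lock_path paths[] = {
        { 3, { SESSION, MANAGER, LOGGER } },
        { 2, { SESSION, MANAGER } },
    };
    return check_paths(paths, 2);
}

/* No single path inverts a pair, yet the three together form a cycle. */
int three_way_cycle_has_deadlock(void)
{
    lock_path paths[] = {
        { 2, { SESSION, MANAGER } },
        { 2, { MANAGER, LOGGER } },
        { 2, { LOGGER, SESSION } },
    };
    return check_paths(paths, 3);
}

int main(void)
{
    printf("locks:");
    for (int i = 0; i < NUM_LOCKS; i++) printf(" %s", lock_name[i]);
    printf("\nbuggy server (reverse order on expiry path): %s\n",
           buggy_server_has_deadlock() ? "potential deadlock" : "clean");
    printf("fixed server (canonical order everywhere):    %s\n",
           fixed_server_has_deadlock() ? "potential deadlock" : "clean");
    printf("three paths forming a 3-lock cycle:           %s\n",
           three_way_cycle_has_deadlock() ? "potential deadlock" : "clean");
    return 0;
}
```

The fix for this defect class is always the same: pick one global acquisition order and make every path follow it; the graph check is what lets a tool confirm that no path in the whole code base violates it, which a unit test exercising one path at a time cannot.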
12. Test Advisor
Improving Unit Testing Effectiveness and Efficiency
Focus testing time where it matters … don't waste time writing tests you don't need
Diagram: High Risk Code highlighted
13. Risk Mitigation Architecture
Inputs: Static Code Analysis; Code Ownership and Change History; Test Monitoring; Customized Test Policy
Test Policy Evaluation:
• Critical code analysis
• Change impact analysis
• Test execution analysis
Test Advice: actionable work items to address risk due to inadequate testing
14. Move Quality into the Inner Loop of Development
Inner loop: Code → Build → Test
Outer loop: Nightly Build, Continuous Integration
Finding and Fixing Quality Defects
15. Development Testing Workflow
Swimlanes: Developer, QA, Security
Developer: Code Check In; Nightly/Continuous Build; Static Analysis Results
QA: Regression Test
Security: Development Security Audit
• Built into development process
• Retesting minimized
• Immediately actionable by developers
• Reduces burden on auditing team
17. Ingredients for Success
Loop: Code → Build → Test; Nightly Build; Continuous Integration
• High-Fidelity Code Compilation
• High-Performance Analysis
• Low False Positive Rate
• Detecting Critical Defects
• Easy Defect Navigation and Comprehension
• Comprehensive Triage and Remediation Management
• Visibility and Governance
• Team Collaboration
18. Governance with Metrics
Accurate Data: automated high-fidelity analysis on a daily basis
Trusted Data: fast and educated triage of results to categorize and prioritize issues
Precise actions based on comprehensive data analysis
19. Policy Definition and Monitoring
Definition of organization-wide policies for code quality
Aggregated summary view of code by component, team, supplier
21. Transformation Maturity Model (recap of slide 7)
22. Coverity Development Testing Platform
Core: Coverity SAVE™ (Static Analysis Verification Engine)
Analysis Packs: Security Advisor; Test Advisor; Quality Advisor; Architecture Analysis; Dynamic Analysis; FindBugs™ Analysis; Analysis Integration Toolkit
Coverity Connect; Policy Manager
SDLC Integrations: Build/Continuous Integration; IDE; SCM; Defect Tracking; Code Coverage; Test Execution; Third Party Metrics; HP ALM
23. Coverity Summary
✓ Proven significant operational cost reductions
✓ Metric visibility of code estate onshore and offshore
✓ Proven history of finding crash-causing or unexpected-behavior-causing defects
✓ Process improvement of the Application Lifecycle Management