Three Interviews About Static Code Analyzers
Author: Aleksandr Timofeev 
Date: 26.09.2014 
Hello, dear readers! 
The author invites you to read three interviews with representatives of three large, modern and 
interesting projects to learn about their software development methodologies and about how they use 
static code analyzers in particular. The author hopes that you will find this article interesting. The 
following companies took part as interviewees: Acronis, AlternativaPlatform, Echelon Company. 
Sincerely yours, Aleksandr Timofeev 
Interviewees and article structure 
The author addressed three companies to take the interviews: 
— Acronis, developer of the Acronis Backup product designed for data backup and subsequent recovery 
— AlternativaPlatform, developer of the "Tanki Online" project, a multiplayer browser game 
— Echelon Company, developer of a series of products for code revision in the field of information 
security 
All the companies were asked the same questions save Echelon – the questions were changed a bit for 
this company to better reflect the specifics of their work. 
Interview with Acronis 
The interviewee is Kirill Korotaev, Acronis Backup product development vice-president 
• Give us please an overview of the primary and most large-scale product of your 
company/project (the main point of the product, the language its code is written in, the size of 
the team working on it, the usual pace of commits in lines of code or Kbytes per 24 
hours/week/month, for example; what VCS you use) 
The main point of the Acronis Backup product we develop is about creating backup copies of users' data 
on their computers, notebooks and servers so that they could use these copies to recover the data later. 
Recovery may be needed when the computer starts malfunctioning, for example; or when one needs an 
earlier version of some file or document, or a file was lost. 
99% of our entire project is written in C++. There are about 70 developers working on it. On average, we 
make 100 to 300 commits per week. We use SVN (Subversion).
• Who and how analyzes the project code? How is the testing cycle organized? Is the tester 
team large? How does the company respond to error messages – do you have any established 
protocol to handle such situations? 
We have architects and leaders who are well familiar with the code of those project parts they are 
responsible for; therefore, they carry out analysis of this code and know how to improve it. Every 
commit is passed through the code review system – that is, any change is first analyzed by programmers 
responsible for the corresponding code fragment. 
Presently, the number of our testers is comparable to the number of developers. We employ both 
automatic and manual tests. For example, we have build validation tests, i.e. a set of tests to verify 
every new build. Ideally, a new build should be compiled after every commit into the code and tested 
immediately. 
The process of addressing a revealed issue is the following. Any issue found by the testing department is 
registered in the Jira system (a more advanced paid counterpart of BugZilla). And all that is integrated 
with SVN – when, for example, a commit is made which addresses a particular issue, we add a reference 
to this commit to Jira. We may also learn about an issue from our users. They first contact our technical 
support service and if they reveal any bugs that should be analyzed, then, again, the information about 
them first gets to Jira, and we release bugfixes in the next few updates. 
• Do you use static code analysis tools? If yes, which then? Could you please give an example of 
the most remarkable and interesting issue found by analyzers? What results and statistics do 
you usually get when using analyzers? How often do you run checks and according to what 
scheme? How do you respond to an issue found by an analyzer? 
Among analyzers we used earlier or use currently are various tools – for example, both free open-source 
Cppcheck and PVS-Studio. Of course, code analyzers should be used in any project. But they all are very 
different, each of them being good at catching a certain type of bugs – that's why I'm totally for 
employing a wide variety of development means. 
We do find some interesting potential bugs every now and then. For example, one of the most difficult 
to find bugs is the one found by PVS-Studio when standard auto pointers from the STL library are used 
incorrectly. Or, here is another interesting error: when you multiply a sizeof from one structure or 
parameter by another sizeof, PVS-Studio reasonably notices that it is pretty strange, to put it mildly, to 
multiply one sizeof by another, for this operation logically implies getting a quadratic quantity result. 
Sometimes static analyzers can figure out when a pointer is not checked for null before being used. But 
these are more complex checks as it is not always obvious if a pointer can be null in a certain code 
fragment. It's quite a good practice to run static analyzers over the code once per day. We also have
bugs automatically recorded into that very Jira system, which is very useful for the product under
development.
• What is your opinion regarding future methodologies of large-scale software development? 
As separate questions, what do you expect and would like to get from static code analysis 
tools in future? 
Automated tools are and will go on developing. For example, there is not a single automated system 
nowadays that could pick tests relying on the modifications made to the code – that is, select only those 
tests that need to be run for some particular modification. 
As far as the future of static analyzers is concerned, I think they will gradually learn to handle more and
more issues. At the same time, they will be shifting towards more complex analysis and perhaps even 
become a guarantee of code's compliance with some protocol, for instance.
• A few words for your colleagues and readers? 
Write high-quality code, test it and don't forget to use a wide variety of methodologies – including static 
analyzers. 
Interview with AlternativaPlatform 
The interviewee is Aleksey Kviring, CTO of "Tanki Online" LLC 
• Give us please an overview of the primary and most large-scale product of your 
company/project (the main point of the product, the language its code is written in, the size of 
the team working on it, the usual pace of commits in lines of code or Kbytes per 24 
hours/week/month, for example; what VCS you use) 
Currently we have only one product like that, which is the Tanki Online game. The server part is written
in Java, the client part in AS3. We have about 20 programmers. We add approximately 5K lines of code 
per week. We use GIT as a VCS. 
• Who and how analyzes the project code? How is the testing cycle organized? Is the tester 
team large? How does the company respond to error messages – do you have any established 
protocol to handle such situations? 
We use an approach typical of GIT. All the code runs through obligatory Code Review. We also use 
continuous integration, and the build server regularly checks code and runs tests over it. 
Testing is done in a number of stages: first automatic testing, then manual testing by developers 
themselves (through playing the game), then by the tester team. If everything is alright, community 
testers join the testing process. And only after that, all the changes get into production. Our tester team 
is small – only three persons. But we intensively employ community testers: there are a few dozen
volunteers.
If some bug still gets into production somehow, it is fixed right after we detect it. Usually all such errors 
are fixed in a couple of days. 
• Do you use static code analysis tools? If yes, which then? Could you please give an example of 
the most remarkable and interesting issue found by analyzers? What results and statistics do 
you usually get when using analyzers? How often do you run checks and according to what 
scheme? How do you respond to an issue found by an analyzer? 
We don't use such tools at the company level. In the past, I launched a couple of static analyzers just for 
interest, but they found nothing serious (JetBrains IDEA checker).
I think static analysis is very useful for complex languages such as C and C++. But for simpler languages 
like Java, it's not that relevant. Java is not subject to memory-related issues as a class. Its syntax is plain 
and clear, no alternative interpretations are allowed, many issues are caught by the compiler at the 
compilation stage. Development environments provide convenient refactoring tools, which excludes 
accidental errors resulting from manual code modifications. 
There is one area I'd use static analysis in when working with Java. It has to do with checking a program 
for correct multithread execution. But there are simply no tools capable of that at present. Generally 
speaking, if a static analyzer is of good quality and can find real bugs, it will be useful for one's project.
• What is your opinion regarding future methodologies of large-scale software development? 
As separate questions, what do you expect and would like to get from static code analysis 
tools in future?
The future belongs to automated testing systems, continuous integration systems, and code analyzers.
What I expect from static analysis is the ability to analyze multithread applications and architectural 
solutions. 
• A few words for your colleagues and readers? 
Don't be afraid of incorporating new technologies into your development cycle. Learn from more 
experienced fellow programmers. Revise your old solutions. And then you certainly will succeed. 
Interview with Echelon 
The interviewee is Andrey Fadin (a.fadin@cnpo.ru), chief designer of Echelon Company 
• Give us please an overview of your company and its business related to software security. 
Echelon Company is both a developer of information security analysis means and an active user of these 
products within the framework of information protection means certification and commercial code 
audit projects. 
Means of information security analysis developed by our company include the following: 
• AK-VS2, a cloud environment for conducting certification testing of source code for compliance 
with the requirements of undocumented capabilities absence control (up to Level 1 inclusively); 
• AppChecker, a product conducting signature-based and heuristic analysis of program code 
aimed at detecting beetles, critical software vulnerabilities, and other issues related to program 
code's defects; 
• PIK, a means to fix and compare checksums of files, folders and physical digital media; 
• Skaner-VS, a toolkit and environment to conduct network and local security audit including 
security scanners, traffic analysis means, means of search of residual information on physical 
media and a few other components. 
The Echelon team managing code security analysis and penetration testing is an association of highly 
skilled IT and information security specialists established on the personnel, research, and engineering 
bases of Echelon Company and the leading technical university of Russia, Bauman Moscow State 
Technical University. 
We work with most of the popular programming languages such as PHP, Java, C#, C/C++, Perl, Python, 
JavaScript, including their most recent standards. 
Program code audit conducted by Echelon Company specialists allows us to solve the following tasks: 
• control of in-house and outsourced code's quality, detection of typical defects (coding or 
designing errors); 
• detection of intentionally planted beetles in code; 
• borrowed code control (analysis of software's external dependencies on open-source and other
external components).
Software that has successfully passed the audit can be certified according to information security 
requirements in Echelon's test laboratory. 
• Give us please an overview of your experts' work (what doesn't refer to classified 
information): Who and how analyzes project code? How is the testing cycle organized? What 
is the regular protocol when addressing an important issue found in code? 
The code audit team is formed from specialists of two basic types:
Specialists of the first type are Echelon test laboratory's experts experienced in establishing cooperation 
with developers of large-scale software projects (operating systems, firewalls) and also in team review 
of large amounts of code. 
Specialists of the second type are developers (personnel of Echelon's Research & Development
departments) who have high technical qualifications in various programming languages, their 
frameworks and typical libraries. Whenever possible, we try to cooperate with static analysis tools' 
developers themselves when conducting code audit, which allows them to appreciate the convenience 
of our analysis means directly from their own experience. Besides, since developers are better skilled in 
implementing new signatures for static analyzers, it does make sense to employ them for timely updates 
of defect base when required by the specifics of a software project under testing. 
Speaking generally, the process of software development and testing is made up of the following stages: 
1. Decomposing project code into components (when analyzing a third-party project) 
2. Building a threat model, analyzing these components and their interaction interfaces for severe 
information security issues. 
3. Running static and dynamic analysis tools taking into account the results of Stage 2. 
4. Selective code review based on the results of Stages 3 and 2. 
5. Preparing a report of potentially dangerous constructs we have detected and discussing the 
results with the project's developer team. 
Stages 3, 4 and 5 are usually repeated 3-4 times because, depending on the analysis results for each
potential construct, either the software project is revised to eliminate the defect (which is followed by 
repetition of stages starting with Stage 3) or the issue is found to be an expert's incorrect assumption or 
false positive by a static analyzer (which is followed by repetition of stages starting with Stage 4). 
• A few words about static analysis tools you use: What tools do you use? Could you give an 
example of the most remarkable and interesting error found by analyzers? What results and 
statistics do you usually get when using analyzers? How do you respond to an issue found by 
an analyzer? 
In their work, auditors use both our own solutions (AK-VS2, AppChecker) and open-source tools 
(CppCheck, PMD) as well as purchased third-party commercial tools (CppCat). 
The algorithm of addressing issues was described in section 2. As far as the statistics of using analyzers
are concerned, the ratio of false positives in large projects is usually above 50%, so we in any case have to
employ an expert to compose the final list of potentially dangerous constructs found in project code. 
However, since the expert does not review the entire code but only a few critical parts of it which on 
average make not more than 5% of the entire code size, we can save a considerable amount of time on 
code analysis. 
To avoid breaching any non-disclosure agreements, we unfortunately cannot tell you about errors found 
in particular products. But as our experience shows, most of the interesting errors are related to:
• use of hard-coded passwords (Use of Hard-coded Password, CWE-259) and other authentication 
data (Use of Hard-coded Credentials, CWE-798); 
• "easter eggs" and other hidden functionality (Hidden Functionality, CWE-912); 
• rather common errors related to race conditions and shared resources (Race Condition, CWE-362).
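A miniature signature checker, added here as an illustration and not code from the article or from any of the interviewed companies, that combines two of the patterns mentioned above: the sizeof-times-sizeof slip from the Acronis answer and the hard-coded credentials (CWE-259, CWE-798) from Echelon's list. The sample source lines, and names such as Record and readPasswordFromVault, are constructed placeholders.

```cpp
// Added example, not code from the article or from any of the companies interviewed.
// A miniature signature-based checker in the spirit of the tools the interviews
// mention. It carries two signatures: the "sizeof multiplied by sizeof" pattern
// from the Acronis answer and hard-coded credentials (CWE-259 / CWE-798) from
// Echelon's list. Real analyzers work on the parsed program rather than on raw
// text; a regex over lines is only an illustration, and the constructed sample
// deliberately includes the kind of false positive Echelon's answer warns about.
#include <cstddef>
#include <iostream>
#include <regex>
#include <string>
#include <vector>

struct Signature {
    const char* id;   // short rule name
    const char* cwe;  // CWE reference, empty where the article gives none
    std::regex pattern;
};

struct Finding {
    int line;         // 1-based line number in the scanned source
    std::string id;
    std::string cwe;
};

// The rule table. Patterns are kept deliberately simple.
const std::vector<Signature>& signatures() {
    static const std::vector<Signature> rules = {
        // sizeof(a) * sizeof(b): a byte count that is quadratic in size, almost always a slip.
        {"sizeof-product", "",
         std::regex(R"(sizeof\s*\([^()]*\)\s*\*\s*sizeof\s*\()")},
        // A string literal assigned to something named like a password or secret.
        {"hardcoded-credential", "CWE-259/CWE-798",
         std::regex(R"((password|passwd|pwd|secret|api_key|token)\w*\s*=\s*"[^"]+")",
                    std::regex::icase)},
    };
    return rules;
}

// Runs every signature over every line; one finding per (line, signature) hit.
std::vector<Finding> scan(const std::vector<std::string>& lines) {
    std::vector<Finding> out;
    for (std::size_t i = 0; i < lines.size(); ++i)
        for (const Signature& s : signatures())
            if (std::regex_search(lines[i], s.pattern))
                out.push_back({static_cast<int>(i) + 1, s.id, s.cwe});
    return out;
}

// Constructed sample input (placeholder names, not from any real project).
const std::vector<std::string> kSampleSource = {
    "const char* kDbPassword = \"hunter2\";",              // 1: true positive
    "memcpy(dst, src, sizeof(Record) * sizeof(Record));",  // 2: true positive
    "std::string password = readPasswordFromVault();",     // 3: clean
    "size_t count = sizeof(arr) / sizeof(arr[0]);",        // 4: clean
    "const char* kPasswordPrompt = \"Enter password: \";", // 5: false positive
};

int main() {
    // Lines 1, 2 and 5 are flagged; line 5 is the one an expert has to dismiss.
    for (const Finding& f : scan(kSampleSource))
        std::cout << "line " << f.line << ": " << f.id
                  << (f.cwe.empty() ? std::string() : " (" + f.cwe + ")") << '\n';
    return 0;
}
```

The false positive on line 5 is the point of the sample: with text-level signatures, the final list of dangerous constructs still needs the expert pass Echelon describes.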
• What is your opinion regarding future software development methodologies and, as separate 
questions, what do you expect and would like to get from static code analysis tools in future?
In our opinion, software verification will be getting more tightly connected with development processes, 
both within the framework of continuous integration systems and continuous delivery systems. 
Tight integration with these systems will in future allow developers to fully control software 
development and delivery; that is, static analyzers will serve as kind of an IPS within these processes, 
blocking code that failed to pass the quality gate at the level of commits and releases. From this viewpoint,
any CI/CD system is also an interesting source of events for SIEM systems. 
Rich prospects are also provided by the introduction of static analyzers into the model-driven 
development paradigm; tight integration with CASE-means will allow developers to reveal errors at the 
levels of syntax, software components and their interfaces, and even at the level of business 
requirements so that an analyst, for instance, could already at the system designing stage substantiate 
to customers why adding a certain access control role is necessary. 
• A few words for your colleagues and readers? 
Dear colleagues, during the last decade, emphasis in the field of enterprise information security was put 
on network security as well as endpoint security. 
However, when dealing with such tasks as detection of zero-day exploits, beetles and "implants" (code 
fragments and configurations planted into software for the purposes of state and industrial espionage), 
we appear to be facing the issue when classic network- and node-level information security means 
(intrusion detection systems, antivirus software) cannot efficiently handle such threats. 
To solve these issues, we need a comprehensive approach that on the one hand implies centralization of 
enterprise information security management (SIEM-systems), and on the other, makes use of software 
structural decomposition into components with control over their origin, as well as static analysis of 
their contents and materials for their production (including source texts). 
Conclusion 
The author thanks the press services and experts of the companies that took part in these interviews for 
prompt and detailed answers to the interview questions. The author is also thankful to the ООО 
"Program Verification Systems" company, developer of a contemporary static code analyzer PVS-Studio 
and sponsor of this article. Without their support, it might hardly have been published at all.

 
Ensuring code quality
Ensuring code qualityEnsuring code quality
Ensuring code quality
 
Different Methodologies For Testing Web Application Testing
Different Methodologies For Testing Web Application TestingDifferent Methodologies For Testing Web Application Testing
Different Methodologies For Testing Web Application Testing
 
PVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ codePVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ code
 
Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...
Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...
Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
 
Machine programming
Machine programmingMachine programming
Machine programming
 
Programming Fundamentals lecture 3
Programming Fundamentals lecture 3Programming Fundamentals lecture 3
Programming Fundamentals lecture 3
 
PVS-Studio and CppCat: An Interview with Andrey Karpov, the Project CTO and D...
PVS-Studio and CppCat: An Interview with Andrey Karpov, the Project CTO and D...PVS-Studio and CppCat: An Interview with Andrey Karpov, the Project CTO and D...
PVS-Studio and CppCat: An Interview with Andrey Karpov, the Project CTO and D...
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 

More from Andrey Karpov

60 антипаттернов для С++ программиста
60 антипаттернов для С++ программиста60 антипаттернов для С++ программиста
60 антипаттернов для С++ программиста
Andrey Karpov
 
60 terrible tips for a C++ developer
60 terrible tips for a C++ developer60 terrible tips for a C++ developer
60 terrible tips for a C++ developer
Andrey Karpov
 
Ошибки, которые сложно заметить на code review, но которые находятся статичес...
Ошибки, которые сложно заметить на code review, но которые находятся статичес...Ошибки, которые сложно заметить на code review, но которые находятся статичес...
Ошибки, которые сложно заметить на code review, но которые находятся статичес...
Andrey Karpov
 
PVS-Studio in 2021 - Error Examples
PVS-Studio in 2021 - Error ExamplesPVS-Studio in 2021 - Error Examples
PVS-Studio in 2021 - Error Examples
Andrey Karpov
 
PVS-Studio in 2021 - Feature Overview
PVS-Studio in 2021 - Feature OverviewPVS-Studio in 2021 - Feature Overview
PVS-Studio in 2021 - Feature Overview
Andrey Karpov
 
PVS-Studio в 2021 - Примеры ошибок
PVS-Studio в 2021 - Примеры ошибокPVS-Studio в 2021 - Примеры ошибок
PVS-Studio в 2021 - Примеры ошибок
Andrey Karpov
 
PVS-Studio в 2021
PVS-Studio в 2021PVS-Studio в 2021
PVS-Studio в 2021
Andrey Karpov
 
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
Andrey Karpov
 
Best Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' MistakesBest Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' Mistakes
Andrey Karpov
 
Does static analysis need machine learning?
Does static analysis need machine learning?Does static analysis need machine learning?
Does static analysis need machine learning?
Andrey Karpov
 
Typical errors in code on the example of C++, C#, and Java
Typical errors in code on the example of C++, C#, and JavaTypical errors in code on the example of C++, C#, and Java
Typical errors in code on the example of C++, C#, and Java
Andrey Karpov
 
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
Andrey Karpov
 
Game Engine Code Quality: Is Everything Really That Bad?
Game Engine Code Quality: Is Everything Really That Bad?Game Engine Code Quality: Is Everything Really That Bad?
Game Engine Code Quality: Is Everything Really That Bad?
Andrey Karpov
 
C++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical ReviewerC++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical Reviewer
Andrey Karpov
 
The Use of Static Code Analysis When Teaching or Developing Open-Source Software
The Use of Static Code Analysis When Teaching or Developing Open-Source SoftwareThe Use of Static Code Analysis When Teaching or Developing Open-Source Software
The Use of Static Code Analysis When Teaching or Developing Open-Source Software
Andrey Karpov
 
Static Code Analysis for Projects, Built on Unreal Engine
Static Code Analysis for Projects, Built on Unreal EngineStatic Code Analysis for Projects, Built on Unreal Engine
Static Code Analysis for Projects, Built on Unreal Engine
Andrey Karpov
 
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
Safety on the Max: How to Write Reliable C/C++ Code for Embedded SystemsSafety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
Andrey Karpov
 
The Great and Mighty C++
The Great and Mighty C++The Great and Mighty C++
The Great and Mighty C++
Andrey Karpov
 
Static code analysis: what? how? why?
Static code analysis: what? how? why?Static code analysis: what? how? why?
Static code analysis: what? how? why?
Andrey Karpov
 
Zero, one, two, Freddy's coming for you
Zero, one, two, Freddy's coming for youZero, one, two, Freddy's coming for you
Zero, one, two, Freddy's coming for you
Andrey Karpov
 

More from Andrey Karpov (20)

60 антипаттернов для С++ программиста
60 антипаттернов для С++ программиста60 антипаттернов для С++ программиста
60 антипаттернов для С++ программиста
 
60 terrible tips for a C++ developer
60 terrible tips for a C++ developer60 terrible tips for a C++ developer
60 terrible tips for a C++ developer
 
Ошибки, которые сложно заметить на code review, но которые находятся статичес...
Ошибки, которые сложно заметить на code review, но которые находятся статичес...Ошибки, которые сложно заметить на code review, но которые находятся статичес...
Ошибки, которые сложно заметить на code review, но которые находятся статичес...
 
PVS-Studio in 2021 - Error Examples
PVS-Studio in 2021 - Error ExamplesPVS-Studio in 2021 - Error Examples
PVS-Studio in 2021 - Error Examples
 
PVS-Studio in 2021 - Feature Overview
PVS-Studio in 2021 - Feature OverviewPVS-Studio in 2021 - Feature Overview
PVS-Studio in 2021 - Feature Overview
 
PVS-Studio в 2021 - Примеры ошибок
PVS-Studio в 2021 - Примеры ошибокPVS-Studio в 2021 - Примеры ошибок
PVS-Studio в 2021 - Примеры ошибок
 
PVS-Studio в 2021
PVS-Studio в 2021PVS-Studio в 2021
PVS-Studio в 2021
 
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
 
Best Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' MistakesBest Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' Mistakes
 
Does static analysis need machine learning?
Does static analysis need machine learning?Does static analysis need machine learning?
Does static analysis need machine learning?
 
Typical errors in code on the example of C++, C#, and Java
Typical errors in code on the example of C++, C#, and JavaTypical errors in code on the example of C++, C#, and Java
Typical errors in code on the example of C++, C#, and Java
 
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
 
Game Engine Code Quality: Is Everything Really That Bad?
Game Engine Code Quality: Is Everything Really That Bad?Game Engine Code Quality: Is Everything Really That Bad?
Game Engine Code Quality: Is Everything Really That Bad?
 
C++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical ReviewerC++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical Reviewer
 
The Use of Static Code Analysis When Teaching or Developing Open-Source Software
The Use of Static Code Analysis When Teaching or Developing Open-Source SoftwareThe Use of Static Code Analysis When Teaching or Developing Open-Source Software
The Use of Static Code Analysis When Teaching or Developing Open-Source Software
 
Static Code Analysis for Projects, Built on Unreal Engine
Static Code Analysis for Projects, Built on Unreal EngineStatic Code Analysis for Projects, Built on Unreal Engine
Static Code Analysis for Projects, Built on Unreal Engine
 
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
Safety on the Max: How to Write Reliable C/C++ Code for Embedded SystemsSafety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
 
The Great and Mighty C++
The Great and Mighty C++The Great and Mighty C++
The Great and Mighty C++
 
Static code analysis: what? how? why?
Static code analysis: what? how? why?Static code analysis: what? how? why?
Static code analysis: what? how? why?
 
Zero, one, two, Freddy's coming for you
Zero, one, two, Freddy's coming for youZero, one, two, Freddy's coming for you
Zero, one, two, Freddy's coming for you
 

Recently uploaded

Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
Gerardo Pardo-Castellote
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
Codeigniter VS Cakephp Which is Better for Web Development.pdf
Codeigniter VS Cakephp Which is Better for Web Development.pdfCodeigniter VS Cakephp Which is Better for Web Development.pdf
Codeigniter VS Cakephp Which is Better for Web Development.pdf
Semiosis Software Private Limited
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
Deuglo Infosystem Pvt Ltd
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
Ayan Halder
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
SOCRadar
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
Boni García
 
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
kalichargn70th171
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 

Recently uploaded (20)

Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Codeigniter VS Cakephp Which is Better for Web Development.pdf
Codeigniter VS Cakephp Which is Better for Web Development.pdfCodeigniter VS Cakephp Which is Better for Web Development.pdf
Codeigniter VS Cakephp Which is Better for Web Development.pdf
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 

Three Interviews About Static Code Analyzers

  • 1. Three Interviews About Static Code Analyzers Author: Aleksandr Timofeev Date: 26.09.2014 Hello, dear readers! The author invites you to read three interviews with representatives of three large, modern and interesting projects to learn about their software development methodologies and about how they use static code analyzers in particular. The author hopes that you will find this article interesting. The following companies took part as interviewees: Acronis, AlternativaPlatform, Echelon Company. Sincerely yours, Aleksandr Timofeev Interviewees and article structure The author addressed three companies to take the interviews: — Acronis, developer of the Acronis Backup product designed for data backup and subsequent recovery — AlternativaPlatform, developer of the "Tanki Online" project, a multiplayer browser game — Echelon Company, developer of a series of products for code revision in the field of information security All the companies were asked the same questions save Echelon – the questions were changed a bit for this company to better reflect the specifics of their work. Interview with Acronis The interviewee is Kirill Korotaev, Acronis Backup product development vice-president • Give us please an overview of the primary and most large-scale product of your company/project (the main point of the product, the language its code is written in, the size of the team working on it, the usual pace of commits in lines of code or Kbytes per 24 hours/week/month, for example; what VCS you use) The main point of the Acronis Backup product we develop is about creating backup copies of users' data on their computers, notebooks and servers so that they could use these copies to recover the data later. Recovery may be needed when the computer starts malfunctioning, for example; or when one needs an earlier version of some file or document, or a file was lost. 99% of our entire project is written in C++. There are about 70 developers working on it. 
On average, we make 100 to 300 commits per week. We use SVN (Subversion).

• Who and how analyzes the project code? How is the testing cycle organized? Is the tester team large? How does the company respond to error messages – do you have any established protocol to handle such situations?

We have architects and leaders who are well familiar with the code of those project parts they are responsible for; therefore, they carry out analysis of this code and know how to improve it. Every commit is passed through the code review system – that is, any change is first analyzed by the programmers responsible for the corresponding code fragment.

Presently, the number of our testers is comparable to the number of developers. We employ both automatic and manual tests. For example, we have build validation tests, i.e. a set of tests to verify every new build. Ideally, a new build should be compiled after every commit into the code and tested immediately.

The process of addressing a revealed issue is the following. Any issue found by the testing department is registered in the Jira system (a more advanced paid counterpart of BugZilla). And all that is integrated with SVN – when, for example, a commit is made which addresses a particular issue, we add a reference to this commit to Jira. We may also learn about an issue from our users. They first contact our technical support service, and if they reveal any bugs that should be analyzed, then, again, the information about them first gets to Jira, and we release bugfixes in the next few updates.

• Do you use static code analysis tools? If yes, which then? Could you please give an example of the most remarkable and interesting issue found by analyzers? What results and statistics do you usually get when using analyzers? How often do you run checks and according to what scheme? How do you respond to an issue found by an analyzer?

Among the analyzers we used earlier or use currently are various tools – for example, both the free open-source Cppcheck and PVS-Studio.

Of course, code analyzers should be used in any project. But they are all very different, each of them being good at catching a certain type of bugs – that's why I'm totally for employing a wide variety of development means. We do find some interesting potential bugs every now and then. For example, one of the most difficult-to-find bugs is the one found by PVS-Studio when standard auto pointers from the STL library are used incorrectly. Or here is another interesting error: when you multiply a sizeof of one structure or parameter by another sizeof, PVS-Studio reasonably notices that it is pretty strange, to put it mildly, to multiply one sizeof by another, for this operation logically implies getting a quadratic quantity as the result. Sometimes static analyzers can figure out when a pointer is not checked for null before being used. But these are more complex checks, as it is not always obvious whether a pointer can be null in a certain code fragment.

It's quite a good practice to run static analyzers over the code once per day. We also have bugs automatically recorded into that very Jira system, which is very useful for the product under development.

• What is your opinion regarding future methodologies of large-scale software development? As separate questions, what do you expect and would like to get from static code analysis tools in future?

Automated tools are developing and will go on developing. For example, there is not a single automated system nowadays that could pick tests relying on the modifications made to the code – that is, select only those tests that need to be run for some particular modification. As far as the future of static analyzers is concerned, I think they will gradually learn to handle more and more issues. At the same time, they will be shifting towards more complex analysis and perhaps even become a guarantee of code's compliance with some protocol, for instance.
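The three bug classes Kirill Korotaev describes above (one sizeof multiplied by another, STL auto pointers copied so that ownership silently moves, and a pointer used before a null check) fit in a few lines of C++. What follows is an added example written for this page; it is not Acronis code and not PVS-Studio output, and every name in it (Record, zeroed_bytes_buggy, OwningPtr, find_record and the rest) is hypothetical. OwningPtr stands in for the copy semantics of std::auto_ptr, which C++17 removed from the standard library, so the block builds with a current compiler.

```cpp
// Added example for this page, not Acronis or PVS-Studio code. All names are
// hypothetical. Each bug pattern is shown beside its corrected form.
#include <cstddef>
#include <string>

struct Record {
    int  id;
    char name[16];
};

// Constructed sample data used by the functions below.
const Record* sample_records() {
    static const Record recs[3] = {{1, "one"}, {2, "two"}, {3, "three"}};
    return recs;
}
std::size_t sample_count() { return 3; }

// --- Bug class 1: one sizeof multiplied by another -------------------------
// `records` is a pointer, so sizeof(records) is the pointer size (4 or 8), not
// the element count. The product ignores `count` entirely: a memset with this
// length over-runs a short array and under-clears a long one. This is the
// "sizeof times sizeof" pattern the analyzer flags.
std::size_t zeroed_bytes_buggy(const Record* records, std::size_t count) {
    (void)count;
    return sizeof(records[0]) * sizeof(records);
}

// Corrected: element count times element size.
std::size_t zeroed_bytes_fixed(const Record* records, std::size_t count) {
    return count * sizeof(records[0]);
}

// --- Bug class 2: auto pointer copied, ownership silently transferred ------
// OwningPtr reproduces std::auto_ptr's copy semantics (copying moves the
// object and nulls the source) so the example builds under C++17, where
// std::auto_ptr no longer exists.
template <typename T>
class OwningPtr {
public:
    explicit OwningPtr(T* p = nullptr) : p_(p) {}
    OwningPtr(OwningPtr& other) : p_(other.p_) { other.p_ = nullptr; }
    OwningPtr& operator=(OwningPtr& other) {
        if (this != &other) { delete p_; p_ = other.p_; other.p_ = nullptr; }
        return *this;
    }
    ~OwningPtr() { delete p_; }
    T* get() const { return p_; }
private:
    T* p_;
};

// Takes the pointer by value: the copy steals the Record and deletes it when
// the parameter goes out of scope, leaving the caller holding null.
static int id_by_value(OwningPtr<Record> r) { return r.get()->id; }

// Takes a const reference: no copy, so ownership stays with the caller.
static int id_by_ref(const OwningPtr<Record>& r) { return r.get()->id; }

// Returns whether the caller still owns its Record after the call.
bool owner_survives_by_value() {
    OwningPtr<Record> r(new Record{7, "seven"});
    id_by_value(r);             // r is silently emptied here
    return r.get() != nullptr;  // false: any later r.get()->... is a null dereference
}

bool owner_survives_by_ref() {
    OwningPtr<Record> r(new Record{7, "seven"});
    id_by_ref(r);
    return r.get() != nullptr;  // true
}

// --- Bug class 3: pointer used before a null check -------------------------
// find_record has a visible path that returns nullptr, which is what lets an
// analyzer flag an unchecked use such as `find_record(...)->name`.
const Record* find_record(const Record* records, std::size_t count, int id) {
    for (std::size_t i = 0; i < count; ++i)
        if (records[i].id == id) return &records[i];
    return nullptr;
}

// Checked form: an absent id yields an empty string instead of a crash.
std::string record_name(const Record* records, std::size_t count, int id) {
    const Record* r = find_record(records, count, id);
    return r ? std::string(r->name) : std::string();
}
```

The buggy sizeof product evaluates to sizeof(Record) * sizeof(const Record*) whatever the count is, which is why the analyzer can flag it without knowing the intent. owner_survives_by_value() returns false because the by-value parameter took the Record with it and deleted it on return; the same code with the by-reference signature keeps the caller's pointer intact. The null-check case is the hardest of the three for a tool, as the interviewee says: it is only flaggable because find_record's nullptr return is visible in the same translation unit.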
• A few words for your colleagues and readers?

Write high-quality code, test it and don't forget to use a wide variety of methodologies – including static analyzers.

Interview with AlternativaPlatform

The interviewee is Aleksey Kviring, CTO of "Tanki Online" LLC

• Give us please an overview of the primary and most large-scale product of your company/project (the main point of the product, the language its code is written in, the size of the team working on it, the usual pace of commits in lines of code or Kbytes per 24 hours/week/month, for example; what VCS you use)

Currently we have only one product like that, which is the Tanki Online game. The server part is written in Java, the client part in AS3. We have about 20 programmers. We add approximately 5K lines of code per week. We use Git as a VCS.

• Who and how analyzes the project code? How is the testing cycle organized? Is the tester team large? How does the company respond to error messages – do you have any established protocol to handle such situations?

We use an approach typical of Git. All the code runs through obligatory code review. We also use continuous integration, and the build server regularly checks the code and runs tests over it. Testing is done in a number of stages: first automatic testing, then manual testing by the developers themselves (through playing the game), then by the tester team. If everything is alright, community testers join the testing process. And only after that do all the changes get into production. Our tester team is small – only three persons. But we intensively employ community testers: there are a few dozen volunteers. If some bug still gets into production somehow, it is fixed right after we detect it. Usually all such errors are fixed in a couple of days.

• Do you use static code analysis tools? If yes, which then? Could you please give an example of the most remarkable and interesting issue found by analyzers? What results and statistics do you usually get when using analyzers? How often do you run checks and according to what scheme? How do you respond to an issue found by an analyzer?

We don't use such tools at the company level. In the past, I launched a couple of static analyzers just for interest, but they found nothing serious (the JetBrains IDEA checker). I think static analysis is very useful for complex languages such as C and C++. But for simpler languages like Java, it's not that relevant. Java is not subject to memory-related issues as a class. Its syntax is plain and clear, no alternative interpretations are allowed, and many issues are caught by the compiler at the compilation stage. Development environments provide convenient refactoring tools, which excludes accidental errors resulting from manual code modifications. There is one area I'd use static analysis in when working with Java. It has to do with checking a program for correct multithreaded execution. But there are simply no tools capable of that at present. Generally speaking, if a static analyzer is of good quality and can find real bugs, it will be useful for one's project.

• What is your opinion regarding future methodologies of large-scale software development? As separate questions, what do you expect and would like to get from static code analysis tools in future?
  • 4. Future belongs to automated testing systems, continuous integration systems, and code analyzers. What I expect from static analysis is the ability to analyze multithread applications and architectural solutions. • A few words for your colleagues and readers? Don't be afraid of incorporating new technologies into your development cycle. Learn from more experienced fellow programmers. Revise your old solutions. And then you certainly will succeed. Interview with Echelon The interviewee is Andrey Fadin (a.fadin@cnpo.ru), chief designer of Echelon Company • Give us please an overview of your company and its business related to software security. Echelon Company is both a developer of information security analysis means and an active user of these products within the framework of information protection means certification and commercial code audit projects. Means of information security analysis developed by our company include the following: • AK-VS2, a cloud environment for conducting certification testing of source code for compliance with the requirements of undocumented capabilities absence control (up to Level 1 inclusively); • AppChecker, a product conducting signature-based and heuristic analysis of program code aimed at detecting beetles, critical software vulnerabilities, and other issues related to program code's defects; • PIK, a means to fix and compare checksums of files, folders and physical digital media; • Skaner-VS, a toolkit and environment to conduct network and local security audit including security scanners, traffic analysis means, means of search of residual information on physical media and a few other components. The Echelon team managing code security analysis and penetration testing is an association of highly skilled IT and information security specialists established on the personnel, research, and engineering bases of Echelon Company and the leading technical university of Russia, Bauman Moscow State Technical University. 
We work with most of the popular programming languages such as PHP, Java, C#, C/C++, Perl, Python, JavaScript, including their most recent standards. Program code audit conducted by Echelon Company specialists allows us to solve the following tasks:

• control of in-house and outsourced code quality, detection of typical defects (coding or design errors);
• detection of intentionally planted beetles in code;
• borrowed code control (analysis of software's external dependencies on open-source and other external components).

Software that has successfully passed the audit can be certified according to information security requirements in Echelon's test laboratory.

• Give us please an overview of your experts' work (what doesn't refer to classified information): Who analyzes project code, and how? How is the testing cycle organized? What is the regular protocol when addressing an important issue found in code?

The code audit team is formed from specialists of two basic types:
Specialists of the first type are Echelon test laboratory experts experienced in establishing cooperation with developers of large-scale software projects (operating systems, firewalls) and also in team review of large amounts of code. Specialists of the second type are developers (personnel of Echelon's Research & Development departments) who have high technical qualifications in various programming languages, their frameworks and typical libraries.

Whenever possible, we try to cooperate with static analysis tools' developers themselves when conducting code audit, which allows them to appreciate the convenience of our analysis means directly from their own experience. Besides, since developers are better skilled in implementing new signatures for static analyzers, it does make sense to employ them for timely updates of the defect base when required by the specifics of a software project under testing.

Speaking generally, the process of software development and testing is made up of the following stages:

1. Decomposing project code into components (when analyzing a third-party project).
2. Building a threat model, analyzing these components and their interaction interfaces for severe information security issues.
3. Running static and dynamic analysis tools taking into account the results of Stage 2.
4. Selective code review based on the results of Stages 3 and 2.
5. Preparing a report of potentially dangerous constructs we have detected and discussing the results with the project's developer team.

Stages 3, 4 and 5 are usually repeated 3-4 times because, depending on the analysis results for each potential construct, either the software project is revised to eliminate the defect (which is followed by repetition of stages starting with Stage 3) or the issue is found to be an expert's incorrect assumption or a false positive by a static analyzer (which is followed by repetition of stages starting with Stage 4).
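To make Stage 3 and the "defect base" of signatures concrete, here is an added example that is not Echelon's code (it is neither AK-VS2 nor AppChecker): a minimal signature-based checker whose defect base is a small table of hypothetical regex signatures tagged with CWE identifiers, run over a constructed source fragment. Every match is reported as a potentially dangerous construct, and obvious placeholder literals are marked as likely false positives, which is the list an expert then triages in Stage 4.

```python
import re
from collections import namedtuple

# Defect base: (CWE id, description, signature regex). The patterns are
# hypothetical, written for this example; a real base holds many more entries
# and is extended by the tool developers when a project needs new signatures.
SIGNATURES = [
    ("CWE-259", "hard-coded password",
     re.compile(r'(?:pass(?:word|wd)?|pwd)\s*=\s*"(?P<val>[^"]*)"', re.I)),
    ("CWE-798", "hard-coded credential",
     re.compile(r'(?:api[_-]?key|secret|token)\s*=\s*"(?P<val>[^"]*)"', re.I)),
    ("CWE-912", "hidden functionality trigger",
     re.compile(r'if\s*\(.*\b(?:backdoor|easter|magic)\w*\b.*\)', re.I)),
]

# Literal values that are obviously placeholders are still reported, but marked
# as likely false positives so the expert triage can deprioritise them.
PLACEHOLDERS = {"", "changeme", "xxx", "todo", "<password>"}

Finding = namedtuple("Finding", "line_no cwe description text likely_false_positive")

def scan(source, signatures=SIGNATURES):
    """Stage 3: run every signature over every non-comment line of the source."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):  # comment lines carry no code
            continue
        for cwe, desc, rx in signatures:
            m = rx.search(line)
            if m:
                val = m.groupdict().get("val")  # only credential signatures capture a literal
                fp = val is not None and val.strip().lower() in PLACEHOLDERS
                findings.append(Finding(n, cwe, desc, stripped, fp))
    return findings

def review_queue(findings):
    """Stage 4 input: the constructs an expert reviews first."""
    return [f for f in findings if not f.likely_false_positive]

# Constructed sample source, not code from any real project.
SAMPLE = """\
# configuration loader (constructed sample)
db_password = "changeme"
api_key = "s3cr3t-k3y-0000"
if (user == "backdoor_admin") grant_all();
password = getenv("DB_PASSWORD")
"""
```

Calling scan(SAMPLE) returns three findings (lines 2, 3 and 4), of which review_queue keeps the two that are not placeholder literals; the line that reads the password from the environment is not flagged at all.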
• A few words about static analysis tools you use: What tools do you use? Could you give an example of the most remarkable and interesting error found by analyzers? What results and statistics do you usually get when using analyzers? How do you respond to an issue found by an analyzer?

In their work, auditors use both our own solutions (AK-VS2, AppChecker) and open-source tools (CppCheck, PMD) as well as purchased third-party commercial tools (CppCat). The algorithm of addressing issues was described in section 2. As far as the statistics of using analyzers are concerned, the ratio of false positives in large projects is usually above 50%, so we in any case have to employ an expert to compose the final list of potentially dangerous constructs found in project code. However, since the expert does not review the entire code but only a few critical parts of it, which on average make up not more than 5% of the entire code size, we can save a considerable amount of time on code analysis.

To avoid breaching any non-disclosure agreements, we unfortunately cannot tell you about errors found in particular products. But as our experience shows, most interesting errors are related to:

• use of hard-coded passwords (Use of Hard-coded Password, CWE-259) and other authentication data (Use of Hard-coded Credentials, CWE-798);
• "easter eggs" and other hidden functionality (Hidden Functionality, CWE-912);
• rather common errors related to race conditions and shared resources (Race Condition, CWE-362).

• What is your opinion regarding future software development methodologies and, as separate questions, what do you expect and would like to get from static code analysis tools in future?
In our opinion, software verification will be getting more tightly connected with development processes, both within the framework of continuous integration systems and continuous delivery systems. Tight integration with these systems will in future allow developers to fully control software development and delivery; that is, static analyzers will serve as a kind of IPS within these processes, blocking code that failed to pass the quality gate at the level of commits and releases. From this viewpoint, any CI/CD system is also an interesting source of events for SIEM systems.

Rich prospects are also provided by the introduction of static analyzers into the model-driven development paradigm; tight integration with CASE means will allow developers to reveal errors at the levels of syntax, software components and their interfaces, and even at the level of business requirements, so that an analyst, for instance, could already at the system design stage substantiate to customers why adding a certain access control role is necessary.

• A few words for your colleagues and readers?

Dear colleagues, during the last decade, emphasis in the field of enterprise information security was put on network security as well as endpoint security. However, when dealing with such tasks as detection of zero-day exploits, beetles and "implants" (code fragments and configurations planted into software for the purposes of state and industrial espionage), we appear to be facing the issue that classic network- and node-level information security means (intrusion detection systems, antivirus software) cannot efficiently handle such threats.
To solve these issues, we need a comprehensive approach that on the one hand implies centralization of enterprise information security management (SIEM systems), and on the other, makes use of software structural decomposition into components with control over their origin, as well as static analysis of their contents and materials for their production (including source texts).

Conclusion

The author thanks the press services and experts of the companies that took part in these interviews for prompt and detailed answers to the interview questions. The author is also thankful to the ООО "Program Verification Systems" company, developer of the contemporary static code analyzer PVS-Studio and sponsor of this article. Without their support, it might hardly have been published at all.