Perforce, profile picture
Uploaded byPerforce
PDF, PPTX208 views

5 Ways to Accelerate Standards Compliance with Static Code Analysis

The document discusses the importance of static code analysis (SCA) in improving developer output and software quality. It highlights the benefits of SCA, such as early defect detection, compliance with industry standards, and enhanced productivity, while also addressing common myths associated with it. Best practices for implementing SCA, including integration with continuous integration processes and usage for verifying legacy code, are outlined to maximize its effectiveness.

Embed presentation

Download as PDF, PPTX
Klocwork by Perforce © 2019 Perforce Software, Inc. 5 Ways to Improve Developer Output with Static Analysis ROD COPE | CHIEF TECHNOLOGY OFFICER , PERFORCE SOCTWARE
klocwork.com2 | Klocwork by Perforce © 2019 Perforce Software, Inc. What We’ll Cover 1 2 3 4 5 A brief History of Testing What is Static Code Analysis Why Static Code Analysis is Beneficial Beyond the Scope of Static Code Analysis Static Code Analysis Best Practices 6 Q&A
A Brief History of Testing
klocwork.com4 | Klocwork by Perforce © 2019 Perforce Software, Inc. History of Testing 1970s and 1980s 1990s 2000s 2010s • Debugging is the same as testing • All I need is unit testing • How did we survive without automated testing? • DevOps is awesome!
klocwork.com5 | Klocwork by Perforce © 2019 Perforce Software, Inc. Risks and Challenges Regardless of industry or product, all software developers share the same risks and challenges. These include: • Human errors • Software issues • Hardware issues • Shorter time to release • More complex software
What is Static Code Analysis
klocwork.com7 | Klocwork by Perforce © 2019 Perforce Software, Inc. Static Code Analysis Myths and Facts Static Code Analysis Myths Static code analysis is a glorified complier. Static code analysis for “junior” developers. Testing is for QA, not developers. Static Code Analysis Facts Unlike compilers, static code analysis find deep inter-procedural and inter-module issues across the entire codebase. Static code analysis helps all developers become more effective, with large sets of checkers, knowledge of entire code base (including legacy code), and rapid results. Fixing errors before check-in/build is easier, cheaper, and causes less rework.
klocwork.com8 | Klocwork by Perforce © 2019 Perforce Software, Inc. How Static Code Analysis Works Static Code analysis performs tests that developers don’t (or wont) write. D I F F E R E N T T Y P E S O F A N A L Y S I SR E Q U R I E S S O U R C E C O D E • Must be able to compile code. • No changes to existing build flow. • Analyzes each path of your code. • Inter-procedural. • Inter-file.
klocwork.com9 | Klocwork by Perforce © 2019 Perforce Software, Inc. Examples of How Static Code Analysis Works • Static code analysis is similar to a spell. For example: • “he went to the store.” (DEFECT: “he” should be capitalized) • “He went to the store.” (FIXED) • However, static code analysis is more sophisticated. For example: • “Sally purchased two baskets of fruit at the store. When she got home she put the three baskets of fruit on the counter.” (DEFECT: she only purchased two baskets of fruit) • “Sally purchased two baskets of fruit at the store. When she got home she put the two baskets of fruit on the counter.” (FIXED)
klocwork.com10 | Klocwork by Perforce © 2019 Perforce Software, Inc. How Static Code Analysis Can Help • Buffer Overflows: Security exploit or program crashes. • Null Pointer Dereferences: Your program crashes. • Memory Leaks: Processor runs out of memory and locks up. • Uninitialized Data Usage: Data injection. • Platform/OS Specifics: Privilege escalation. • Concurrency: Deadlock. • Coding: Ensuring that the code matches the guidelines. • Security: Ensuring that the code free of common vulnerabilities. • Safety: Ensuring that the code minimizes the risk. C O D E I S S U E S S T A N D A R D S C O M P L I A N C E
klocwork.com11 | Klocwork by Perforce © 2019 Perforce Software, Inc. Traditional Testing Versus Static Code Analysis • Tradition testing tools require reproduction of the exact runtime conditions that caused the issue to occur. • Requires tests specifically tailored to the code. • Time consuming process. • Not always accurate and reliable. • Static code analysis finds defects early, that aren’t easily identified by manual code reviews. • Comprehensive and reliable. • Identifies coding errors and vulnerabilities before they become and issue.
Why Static Code Analysis Helps
klocwork.com13 | Klocwork by Perforce © 2019 Perforce Software, Inc. Static Code Analysis Identifies Defects Early in the Process $139 $455 $977 $7,136 $14,103 Requirements Design Coding Testing MaintenanceTime Detected Specification Design Code Unit Test System Test UAT Release Lifecycle Stage Development Unit Tests QA Testing Production Time 1X 3X 5X 10X 100X Requirements Architecture Construction System Test Post Release CosttoFixCosttoFix CosttoFix
klocwork.com14 | Klocwork by Perforce © 2019 Perforce Software, Inc. Static Code Analysis Improved Productivity • Increases development productivity. • No test cases, stubs, or complex set up. • Runs your code “as is”. • Example productivity benefits: • Lawrence Livermore: $200K savings on 360K LOC project. • Harris: $60K in six months on 10-person pilot project. • LMCO: 1 critical defect per developer per year gives ROI. • ACCESS Co. : 20% bug reduction (C/C++, IoT). • OpenSpan: Achieved CWE Top 25 compliance.
klocwork.com15 | Klocwork by Perforce © 2019 Perforce Software, Inc. Static Code Analysis Ensures Quality and Safety Boeing The Boeing 787 Dreamliner had a software bug which caused “total loss of electrical power” after 248 days. Department of Corrections A software error that calculates prison sentences caused more then 3,200 U.S. prisoners to be released roughly 49 days early.
klocwork.com16 | Klocwork by Perforce © 2019 Perforce Software, Inc. Static Code Analysis Identifies Bugs • NEST “smart” thermostat software update caused complete battery drain, shutting off heat during January. • Matt Rogers, NEST co-founder said, “the bug took a few weeks to show up.” • The bug affected 2.5 million smart thermostats in U.S. alone.
Beyond the Scope of Static Code Analysis
klocwork.com18 | Klocwork by Perforce © 2019 Perforce Software, Inc. Where Static Code Analysis Can’t Help • Verify runtime behavior. • Static tools are what they say — “static”. • Code is not executed. • Verify code matches design. • Does not verify that behavior is as expected. • Can detect issues that leads us to discover design flaws, such as unreachable code. • Prove whether or not a system will work. • Static code analysis results are not accepted as final word for safety-critical systems. However, they do point us in the right direction.
klocwork.com19 | Klocwork by Perforce © 2019 Perforce Software, Inc. • May report defects that aren’t a problem. • These are known as false positives. • False positives are not something to be afraid of. • Is this a problem? • Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo. (POTENTIAL DEFECT: repeat words) • This is actually grammatically correct: Bison from Buffalo, New York, who are intimidated by other bison in Buffalo, NY also happen to intimidate other bison in Buffalo, NY. Limitations of Static Code Analysis
Static Code Analysis Best Practices
klocwork.com21 | Klocwork by Perforce © 2019 Perforce Software, Inc. #1. Use SCA to Check the Security of Your Code SURVEY: Out of 1700 developers, 80% of them incorrectly answered key questions surrounding the protection of sensitive data. Organizations can have difficulty preventing attacks because of: Lack of time. Lack of focus. Lack of proper tools. Most breaches result from input trust issues, such as: Cross-site scripting. SQL injection. Unvalidated input.
klocwork.com22 | Klocwork by Perforce © 2019 Perforce Software, Inc. SCA Found Heartbleed S C A R E P O R T
klocwork.com23 | Klocwork by Perforce © 2019 Perforce Software, Inc. #2. Use SCA to Enforce Industry and Coding Standards • Significantly reduces the cost of compliance. • Complements existing testing approaches. • Enables automated and repeatable analysis. • Enforces key industry standards. Including: • DISA STIG • CWE • MISRA • CERT • SAMATE • OWASP • DO-178B • FDA validation • And more
klocwork.com24 | Klocwork by Perforce © 2019 Perforce Software, Inc. #3. Integrate SCA and CI Into Your Development Process • Continuous Integration: • Continuous merging and testing of developer changes into the mainline code. • Test thosechanges to verify they work with other changes. • Test new code as it is completed to catch issues early. • Benefits of CI: • Improves quality and productivity: • 90% increase in LOC output per programmer when performing daily builds. • 36% reduction in defect rate with integration/regression testing at each check-in. • Increases the benefits of an Agile software development methodology.
klocwork.com25 | Klocwork by Perforce © 2019 Perforce Software, Inc. SCA and CI
klocwork.com26 | Klocwork by Perforce © 2019 Perforce Software, Inc. Keys to Successful CI To work in a true CI environment, SCA tools must be designed to be: A U T O M A T E D S C A L A B L E E F F I C I E N T R E L E V A N T Support the most important CI build management systems. Require minimal resources and deploy across multiple agents. To reduce feedback time, only analyse the affected code. Report on only the information that is required for the given context.
klocwork.com27 | Klocwork by Perforce © 2019 Perforce Software, Inc. #4. Use SCA to Validate Legacy/OSS Integrate Test Open Source COTS Contractors Legacy ISV Your Product $$$$ Cost to Fix Defects
klocwork.com28 | Klocwork by Perforce © 2019 Perforce Software, Inc. #5. Use SCA to Help Developers Improve Code Quality • SCA is an Educational Tool: • Common programmatic errors. • Security vulnerabilities. • Standards compliance. ONCE A DEFECT IS REPORTED,UNDERSTAND WHY IT’S A DEFECT AND HOW TO FIX IT.
klocwork.com29 | Klocwork by Perforce © 2019 Perforce Software, Inc. Summary 1 2 3 Use SCA to check the security of your code. • Enables you to find vulnerabilities early. Use SCA to enforce industry and coding standards. • Reduces the cost of compliance. Integrate SCA and CI into your development process. • Makes analysis automated, fast, and scalable. 4 5 Use SCA to validate legacy code/OSS. • Enables you to check entire code base before release. Use SCA to help developers improve code quality. • Features a built-in training tool on the desktop.
klocwork.com30 | Klocwork by Perforce © 2019 Perforce Software, Inc. • Support for CI via continuous static code analysis (CSCA). • Desktop on-the-fly analysis as well as traditional server analysis. • Helps to ensure compliance with MISRA, OWASP, FDA, CWE, DISA, and other industry and coding standards. • Hundreds of built-in checkers that go beyond just the industry standards. • Unique analysis engine that detects a thorough and comprehensive range of defects. • Widest compiler support. • Custom checker studio for extensibility. • Support for process certification (ISO 26262). Klocwork Continuous Static Code Analysis
Q & A

More Related Content

PPTX
How To Improve Quality With Static Code Analysis
byPerforce
 
PDF
Best Practices for Shifting Left Performance and Accessibility Testing
byPerfecto by Perforce
 
PPTX
Static Code Analysis
byObika Gellineau
 
PPTX
How to Embed Codeless Test Automation Into DevOps
byPerfecto by Perforce
 
PDF
Deliver Flawless Mobile Apps Faster with CI/CD & CT
byPerfecto by Perforce
 
PDF
Solving the 3 Biggest Questions in Continuous Testing
byPerfecto by Perforce
 
PDF
Yoda debunks the top 5 challenges of continuous testing in the cloud
byPerfecto by Perforce
 
PDF
IoT Software Testing Challenges: The IoT World Is Really Different
byTechWell
 
How To Improve Quality With Static Code Analysis
byPerforce
 
Best Practices for Shifting Left Performance and Accessibility Testing
byPerfecto by Perforce
 
Static Code Analysis
byObika Gellineau
 
How to Embed Codeless Test Automation Into DevOps
byPerfecto by Perforce
 
Deliver Flawless Mobile Apps Faster with CI/CD & CT
byPerfecto by Perforce
 
Solving the 3 Biggest Questions in Continuous Testing
byPerfecto by Perforce
 
Yoda debunks the top 5 challenges of continuous testing in the cloud
byPerfecto by Perforce
 
IoT Software Testing Challenges: The IoT World Is Really Different
byTechWell
 

What's hot

PPT
Embedded software validation best practices with NI and RQM
byPaul Urban
 
PDF
Professional Software Development, Practices and Ethics
byLemi Orhan Ergin
 
PPTX
How to Eliminate Escaped Defects With a Proven Test Automation Coverage Strategy
byPerfecto by Perforce
 
PPTX
IT due diligence and software quality for fintech startups
bySieuwert van Otterloo
 
PDF
11 best practices_for_peer_code_review
bySmartBear Software
 
PPT
Introducing: Klocwork Insight Pro | November 2009
byKlocwork
 
PDF
How to Scale Digital App Testing With Jenkins & Automation You Can Trust
byPerfecto by Perforce
 
PPTX
Advanced Codeless Testing for Web Apps
byPerfecto by Perforce
 
PDF
Test-Driven Code Review: An Empirical Study
byDelft University of Technology
 
PDF
Rtc2014 automate the_process_deliver_quality_ady_beleanu
byAdy Beleanu
 
PPTX
Fast Data, Fast Delivery: How Smart Analysis Accelerates App Testing
byPerfecto by Perforce
 
PDF
CODE REVIEW AND COOPERATIVE PAIR PROGRAMMING BEST PRACTICE
byijseajournal
 
PDF
Software Engineering Culture - Improve Code Quality
byDmytro Patserkovskyi
 
PPTX
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
byGene Gotimer
 
PDF
Network Security Open Source Software Developer Certification
byVskills
 
PDF
Cloud Testing Has Never Been Easier or More Accessible
byPerfecto by Perforce
 
PPTX
Agile vs. DevOps for Continuous Testing: How to Optimize Your Pipeline
byPerfecto by Perforce
 
PPTX
Shifting the conversation from active interception to proactive neutralization
byRogue Wave Software
 
PDF
TMF2014 Mobile Testing Workshop Michael Palotas
byKJR
 
PDF
Better Security Testing: Using the Cloud and Continuous Delivery
byGene Gotimer
 
Embedded software validation best practices with NI and RQM
byPaul Urban
 
Professional Software Development, Practices and Ethics
byLemi Orhan Ergin
 
How to Eliminate Escaped Defects With a Proven Test Automation Coverage Strategy
byPerfecto by Perforce
 
IT due diligence and software quality for fintech startups
bySieuwert van Otterloo
 
11 best practices_for_peer_code_review
bySmartBear Software
 
Introducing: Klocwork Insight Pro | November 2009
byKlocwork
 
How to Scale Digital App Testing With Jenkins & Automation You Can Trust
byPerfecto by Perforce
 
Advanced Codeless Testing for Web Apps
byPerfecto by Perforce
 
Test-Driven Code Review: An Empirical Study
byDelft University of Technology
 
Rtc2014 automate the_process_deliver_quality_ady_beleanu
byAdy Beleanu
 
Fast Data, Fast Delivery: How Smart Analysis Accelerates App Testing
byPerfecto by Perforce
 
CODE REVIEW AND COOPERATIVE PAIR PROGRAMMING BEST PRACTICE
byijseajournal
 
Software Engineering Culture - Improve Code Quality
byDmytro Patserkovskyi
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
byGene Gotimer
 
Network Security Open Source Software Developer Certification
byVskills
 
Cloud Testing Has Never Been Easier or More Accessible
byPerfecto by Perforce
 
Agile vs. DevOps for Continuous Testing: How to Optimize Your Pipeline
byPerfecto by Perforce
 
Shifting the conversation from active interception to proactive neutralization
byRogue Wave Software
 
TMF2014 Mobile Testing Workshop Michael Palotas
byKJR
 
Better Security Testing: Using the Cloud and Continuous Delivery
byGene Gotimer
 

Similar to 5 Ways to Accelerate Standards Compliance with Static Code Analysis

PPTX
Programming languages and techniques for today’s embedded andIoT world
byRogue Wave Software
 
PPTX
Cyber security - It starts with the embedded system
byRogue Wave Software
 
PDF
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
byDenim Group
 
PPT
Improving Development Productivity: Static Analysis and Continuous Integration
byKlocwork
 
PDF
Code Quality Management Best Practices
byPerforce
 
PDF
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
byPerforce
 
PPTX
Top 10 static code analysis tool
byscmGalaxy Inc
 
PPTX
Static Verification Techniques S/W Q/A.pptx
byssuser618f69
 
PDF
[Europe merge world tour] Coverity Development Testing
byPerforce
 
PPTX
Combining Static Analysis with Code Coverage for Better Test Quality
bySophie Lane
 
PDF
Static code analysis
byPrancer Io
 
PPTX
Static code analysis
byRushana Bandara
 
PDF
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
by.NET Conf UY
 
PPTX
What if you could eliminate the hidden costs of development?
byRogue Wave Software
 
PPTX
SCA in an Agile World | June 2010
byKlocwork
 
PDF
CODE INSPECTION VIMRO 2015 MHF
byFitCEO, Inc. (FCI)
 
PDF
Videos about static code analysis
byPVS-Studio
 
PPTX
What a DevOps specialist has to know about static code analysis
byAndrey Karpov
 
PPTX
Static Code Analysis
byGeneva, Switzerland
 
PPTX
Static code analysis
bymashaathukorala
 
Programming languages and techniques for today’s embedded andIoT world
byRogue Wave Software
 
Cyber security - It starts with the embedded system
byRogue Wave Software
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
byDenim Group
 
Improving Development Productivity: Static Analysis and Continuous Integration
byKlocwork
 
Code Quality Management Best Practices
byPerforce
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
byPerforce
 
Top 10 static code analysis tool
byscmGalaxy Inc
 
Static Verification Techniques S/W Q/A.pptx
byssuser618f69
 
[Europe merge world tour] Coverity Development Testing
byPerforce
 
Combining Static Analysis with Code Coverage for Better Test Quality
bySophie Lane
 
Static code analysis
byPrancer Io
 
Static code analysis
byRushana Bandara
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
by.NET Conf UY
 
What if you could eliminate the hidden costs of development?
byRogue Wave Software
 
SCA in an Agile World | June 2010
byKlocwork
 
CODE INSPECTION VIMRO 2015 MHF
byFitCEO, Inc. (FCI)
 
Videos about static code analysis
byPVS-Studio
 
What a DevOps specialist has to know about static code analysis
byAndrey Karpov
 
Static Code Analysis
byGeneva, Switzerland
 
Static code analysis
bymashaathukorala
 

More from Perforce

PDF
How to Do Code Reviews at Massive Scale For DevOps
byPerforce
 
PDF
Branching Out: How To Automate Your Development Process
byPerforce
 
PPTX
Better, Faster, Easier: How to Make Git Really Work in the Enterprise
byPerforce
 
PDF
How To Master Your Mega Backlog
byPerforce
 
PDF
Easier Requirements Management Using Diagrams In Helix ALM
byPerforce
 
PDF
How to Organize Game Developers With Different Planning Needs
byPerforce
 
PDF
What's New in Helix ALM 2019.4
byPerforce
 
PDF
Regulatory Traceability: How to Maintain Compliance, Quality, and Cost Effic...
byPerforce
 
PDF
Understanding Compliant Workflow Enforcement SOPs
byPerforce
 
PDF
Scale Kanban Beyond Team Level
byPerforce
 
PDF
Should You Break Up With Your Monolith?
byPerforce
 
PDF
Achieving Software Safety, Security, and Reliability Part 2
byPerforce
 
PDF
Achieving Software Safety, Security, and Reliability Part 3: What Does the Fu...
byPerforce
 
PDF
Going Remote: Build Up Your Game Dev Team
byPerforce
 
PDF
Free Yourself From the MS Office Prison
byPerforce
 
PPTX
Hybrid Development Methodology in a Regulated World
byPerforce
 
PDF
Achieving Software Safety, Security, and Reliability Part 1: Common Industry ...
byPerforce
 
PDF
How to Scale With Helix Core and Microsoft Azure
byPerforce
 
PDF
How to Spark Joy In Your Product Backlog
byPerforce
 
PDF
Shift to Remote: How to Manage Your New Workflow
byPerforce
 
How to Do Code Reviews at Massive Scale For DevOps
byPerforce
 
Branching Out: How To Automate Your Development Process
byPerforce
 
Better, Faster, Easier: How to Make Git Really Work in the Enterprise
byPerforce
 
How To Master Your Mega Backlog
byPerforce
 
Easier Requirements Management Using Diagrams In Helix ALM
byPerforce
 
How to Organize Game Developers With Different Planning Needs
byPerforce
 
What's New in Helix ALM 2019.4
byPerforce
 
Regulatory Traceability: How to Maintain Compliance, Quality, and Cost Effic...
byPerforce
 
Understanding Compliant Workflow Enforcement SOPs
byPerforce
 
Scale Kanban Beyond Team Level
byPerforce
 
Should You Break Up With Your Monolith?
byPerforce
 
Achieving Software Safety, Security, and Reliability Part 2
byPerforce
 
Achieving Software Safety, Security, and Reliability Part 3: What Does the Fu...
byPerforce
 
Going Remote: Build Up Your Game Dev Team
byPerforce
 
Free Yourself From the MS Office Prison
byPerforce
 
Hybrid Development Methodology in a Regulated World
byPerforce
 
Achieving Software Safety, Security, and Reliability Part 1: Common Industry ...
byPerforce
 
How to Scale With Helix Core and Microsoft Azure
byPerforce
 
How to Spark Joy In Your Product Backlog
byPerforce
 
Shift to Remote: How to Manage Your New Workflow
byPerforce
 

Recently uploaded

PDF
DevOps Monitoring Tools: The 2025 Guide to Performance & Observability
byalexendrascott01
 
PDF
Everything You Ever Wanted to Know About Quarkus and LangChain4j
byMarkus Eisele
 
PDF
DSD-INT 2025 DevOps - Automated testing and delivery of Delft3D FM - van West...
byDeltares
 
PDF
Bring AI and build AI agents into your Jakarta EE Apps with LangChain4J-CDI
byBuhake Sindi
 
PDF
How Device, OS, and Network Variability Affects App Experience - And How to T...
bykalichargn70th171
 
PPTX
Building AI agents in Java - Devoxx Belgium 2025
byJulien Dubois
 
PDF
inSis suite - Laboratory Information Management System
byKondapi V Siva Rama Brahmam
 
PDF
DSD-INT 2025 MeshKernel and D-Grid Editor - Stout
byDeltares
 
PDF
Microservices Architecture Benefits For Mobile Development.pdf
bydavidjohansen1597
 
PPTX
Presentation on AWS Cloud RDS Deep dive
byBimal Jain
 
PDF
BCA 1st Semester Fundamentals Solved Question Paper 44121
byKuvempu University
 
PPTX
Understanding-ROM-RAM-Cache-and-Buffer-Memory.pptx.pptx
bylata2850
 
PDF
Presentation Empowerment Technology in ICT
byoryoseiii
 
PDF
Fundamental of Information Systems introduction.pdf
byYeabsraLakew
 
PDF
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
PPT
Presentation on TCL/TK scripting language
byBimal Jain
 
PDF
Internship Project Training Report-3.pdf
byPawank36
 
PDF
DSD-INT 2025 Hydrodynamic and Morphodynamic Modeling with Delft3D FM for an I...
byDeltares
 
PDF
DSD-INT 2025 Coupling SFINCS to a flood risk model to evaluate the effects of...
byDeltares
 
PDF
DSD-INT 2025 The Sinterklaas Storm in the Southwest of the Netherlands - Wope...
byDeltares
 
DevOps Monitoring Tools: The 2025 Guide to Performance & Observability
byalexendrascott01
 
Everything You Ever Wanted to Know About Quarkus and LangChain4j
byMarkus Eisele
 
DSD-INT 2025 DevOps - Automated testing and delivery of Delft3D FM - van West...
byDeltares
 
Bring AI and build AI agents into your Jakarta EE Apps with LangChain4J-CDI
byBuhake Sindi
 
How Device, OS, and Network Variability Affects App Experience - And How to T...
bykalichargn70th171
 
Building AI agents in Java - Devoxx Belgium 2025
byJulien Dubois
 
inSis suite - Laboratory Information Management System
byKondapi V Siva Rama Brahmam
 
DSD-INT 2025 MeshKernel and D-Grid Editor - Stout
byDeltares
 
Microservices Architecture Benefits For Mobile Development.pdf
bydavidjohansen1597
 
Presentation on AWS Cloud RDS Deep dive
byBimal Jain
 
BCA 1st Semester Fundamentals Solved Question Paper 44121
byKuvempu University
 
Understanding-ROM-RAM-Cache-and-Buffer-Memory.pptx.pptx
bylata2850
 
Presentation Empowerment Technology in ICT
byoryoseiii
 
Fundamental of Information Systems introduction.pdf
byYeabsraLakew
 
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
Presentation on TCL/TK scripting language
byBimal Jain
 
Internship Project Training Report-3.pdf
byPawank36
 
DSD-INT 2025 Hydrodynamic and Morphodynamic Modeling with Delft3D FM for an I...
byDeltares
 
DSD-INT 2025 Coupling SFINCS to a flood risk model to evaluate the effects of...
byDeltares
 
DSD-INT 2025 The Sinterklaas Storm in the Southwest of the Netherlands - Wope...
byDeltares
 

5 Ways to Accelerate Standards Compliance with Static Code Analysis

  • 1.
    Klocwork by Perforce© 2019 Perforce Software, Inc. 5 Ways to Improve Developer Output with Static Analysis ROD COPE | CHIEF TECHNOLOGY OFFICER , PERFORCE SOCTWARE
  • 2.
    klocwork.com2 | Klocworkby Perforce © 2019 Perforce Software, Inc. What We’ll Cover 1 2 3 4 5 A brief History of Testing What is Static Code Analysis Why Static Code Analysis is Beneficial Beyond the Scope of Static Code Analysis Static Code Analysis Best Practices 6 Q&A
  • 3.
    A Brief Historyof Testing
  • 4.
    klocwork.com4 | Klocworkby Perforce © 2019 Perforce Software, Inc. History of Testing 1970s and 1980s 1990s 2000s 2010s • Debugging is the same as testing • All I need is unit testing • How did we survive without automated testing? • DevOps is awesome!
  • 5.
    klocwork.com5 | Klocworkby Perforce © 2019 Perforce Software, Inc. Risks and Challenges Regardless of industry or product, all software developers share the same risks and challenges. These include: • Human errors • Software issues • Hardware issues • Shorter time to release • More complex software
  • 6.
    What is StaticCode Analysis
  • 7.
    klocwork.com7 | Klocworkby Perforce © 2019 Perforce Software, Inc. Static Code Analysis Myths and Facts Static Code Analysis Myths Static code analysis is a glorified complier. Static code analysis for “junior” developers. Testing is for QA, not developers. Static Code Analysis Facts Unlike compilers, static code analysis find deep inter-procedural and inter-module issues across the entire codebase. Static code analysis helps all developers become more effective, with large sets of checkers, knowledge of entire code base (including legacy code), and rapid results. Fixing errors before check-in/build is easier, cheaper, and causes less rework.
  • 8.
    klocwork.com8 | Klocworkby Perforce © 2019 Perforce Software, Inc. How Static Code Analysis Works Static Code analysis performs tests that developers don’t (or wont) write. D I F F E R E N T T Y P E S O F A N A L Y S I SR E Q U R I E S S O U R C E C O D E • Must be able to compile code. • No changes to existing build flow. • Analyzes each path of your code. • Inter-procedural. • Inter-file.
  • 9.
    klocwork.com9 | Klocworkby Perforce © 2019 Perforce Software, Inc. Examples of How Static Code Analysis Works • Static code analysis is similar to a spell. For example: • “he went to the store.” (DEFECT: “he” should be capitalized) • “He went to the store.” (FIXED) • However, static code analysis is more sophisticated. For example: • “Sally purchased two baskets of fruit at the store. When she got home she put the three baskets of fruit on the counter.” (DEFECT: she only purchased two baskets of fruit) • “Sally purchased two baskets of fruit at the store. When she got home she put the two baskets of fruit on the counter.” (FIXED)
  • 10.
    klocwork.com10 | Klocworkby Perforce © 2019 Perforce Software, Inc. How Static Code Analysis Can Help • Buffer Overflows: Security exploit or program crashes. • Null Pointer Dereferences: Your program crashes. • Memory Leaks: Processor runs out of memory and locks up. • Uninitialized Data Usage: Data injection. • Platform/OS Specifics: Privilege escalation. • Concurrency: Deadlock. • Coding: Ensuring that the code matches the guidelines. • Security: Ensuring that the code free of common vulnerabilities. • Safety: Ensuring that the code minimizes the risk. C O D E I S S U E S S T A N D A R D S C O M P L I A N C E
  • 11.
    klocwork.com11 | Klocworkby Perforce © 2019 Perforce Software, Inc. Traditional Testing Versus Static Code Analysis • Tradition testing tools require reproduction of the exact runtime conditions that caused the issue to occur. • Requires tests specifically tailored to the code. • Time consuming process. • Not always accurate and reliable. • Static code analysis finds defects early, that aren’t easily identified by manual code reviews. • Comprehensive and reliable. • Identifies coding errors and vulnerabilities before they become and issue.
  • 12.
    Why Static CodeAnalysis Helps
  • 13.
    klocwork.com13 | Klocworkby Perforce © 2019 Perforce Software, Inc. Static Code Analysis Identifies Defects Early in the Process $139 $455 $977 $7,136 $14,103 Requirements Design Coding Testing MaintenanceTime Detected Specification Design Code Unit Test System Test UAT Release Lifecycle Stage Development Unit Tests QA Testing Production Time 1X 3X 5X 10X 100X Requirements Architecture Construction System Test Post Release CosttoFixCosttoFix CosttoFix
  • 14.
    klocwork.com14 | Klocworkby Perforce © 2019 Perforce Software, Inc. Static Code Analysis Improved Productivity • Increases development productivity. • No test cases, stubs, or complex set up. • Runs your code “as is”. • Example productivity benefits: • Lawrence Livermore: $200K savings on 360K LOC project. • Harris: $60K in six months on 10-person pilot project. • LMCO: 1 critical defect per developer per year gives ROI. • ACCESS Co. : 20% bug reduction (C/C++, IoT). • OpenSpan: Achieved CWE Top 25 compliance.
  • 15.
    klocwork.com15 | Klocworkby Perforce © 2019 Perforce Software, Inc. Static Code Analysis Ensures Quality and Safety Boeing The Boeing 787 Dreamliner had a software bug which caused “total loss of electrical power” after 248 days. Department of Corrections A software error that calculates prison sentences caused more then 3,200 U.S. prisoners to be released roughly 49 days early.
  • 16.
    klocwork.com16 | Klocworkby Perforce © 2019 Perforce Software, Inc. Static Code Analysis Identifies Bugs • NEST “smart” thermostat software update caused complete battery drain, shutting off heat during January. • Matt Rogers, NEST co-founder said, “the bug took a few weeks to show up.” • The bug affected 2.5 million smart thermostats in U.S. alone.
  • 17.
    Beyond the Scopeof Static Code Analysis
  • 18.
    klocwork.com18 | Klocworkby Perforce © 2019 Perforce Software, Inc. Where Static Code Analysis Can’t Help • Verify runtime behavior. • Static tools are what they say — “static”. • Code is not executed. • Verify code matches design. • Does not verify that behavior is as expected. • Can detect issues that leads us to discover design flaws, such as unreachable code. • Prove whether or not a system will work. • Static code analysis results are not accepted as final word for safety-critical systems. However, they do point us in the right direction.
  • 19.
    klocwork.com19 | Klocworkby Perforce © 2019 Perforce Software, Inc. • May report defects that aren’t a problem. • These are known as false positives. • False positives are not something to be afraid of. • Is this a problem? • Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo. (POTENTIAL DEFECT: repeat words) • This is actually grammatically correct: Bison from Buffalo, New York, who are intimidated by other bison in Buffalo, NY also happen to intimidate other bison in Buffalo, NY. Limitations of Static Code Analysis
  • 20.
    Static Code AnalysisBest Practices
  • 21.
    klocwork.com21 | Klocworkby Perforce © 2019 Perforce Software, Inc. #1. Use SCA to Check the Security of Your Code SURVEY: Out of 1700 developers, 80% of them incorrectly answered key questions surrounding the protection of sensitive data. Organizations can have difficulty preventing attacks because of: Lack of time. Lack of focus. Lack of proper tools. Most breaches result from input trust issues, such as: Cross-site scripting. SQL injection. Unvalidated input.
  • 22.
    klocwork.com22 | Klocworkby Perforce © 2019 Perforce Software, Inc. SCA Found Heartbleed S C A R E P O R T
  • 23.
    klocwork.com23 | Klocworkby Perforce © 2019 Perforce Software, Inc. #2. Use SCA to Enforce Industry and Coding Standards • Significantly reduces the cost of compliance. • Complements existing testing approaches. • Enables automated and repeatable analysis. • Enforces key industry standards. Including: • DISA STIG • CWE • MISRA • CERT • SAMATE • OWASP • DO-178B • FDA validation • And more
  • 24.
    klocwork.com24 | Klocworkby Perforce © 2019 Perforce Software, Inc. #3. Integrate SCA and CI Into Your Development Process • Continuous Integration: • Continuous merging and testing of developer changes into the mainline code. • Test thosechanges to verify they work with other changes. • Test new code as it is completed to catch issues early. • Benefits of CI: • Improves quality and productivity: • 90% increase in LOC output per programmer when performing daily builds. • 36% reduction in defect rate with integration/regression testing at each check-in. • Increases the benefits of an Agile software development methodology.
  • 25.
    klocwork.com25 | Klocworkby Perforce © 2019 Perforce Software, Inc. SCA and CI
  • 26.
    klocwork.com26 | Klocworkby Perforce © 2019 Perforce Software, Inc. Keys to Successful CI To work in a true CI environment, SCA tools must be designed to be: A U T O M A T E D S C A L A B L E E F F I C I E N T R E L E V A N T Support the most important CI build management systems. Require minimal resources and deploy across multiple agents. To reduce feedback time, only analyse the affected code. Report on only the information that is required for the given context.
  • 27.
    klocwork.com27 | Klocworkby Perforce © 2019 Perforce Software, Inc. #4. Use SCA to Validate Legacy/OSS Integrate Test Open Source COTS Contractors Legacy ISV Your Product $$$$ Cost to Fix Defects
  • 28.
    klocwork.com28 | Klocworkby Perforce © 2019 Perforce Software, Inc. #5. Use SCA to Help Developers Improve Code Quality • SCA is an Educational Tool: • Common programmatic errors. • Security vulnerabilities. • Standards compliance. ONCE A DEFECT IS REPORTED,UNDERSTAND WHY IT’S A DEFECT AND HOW TO FIX IT.
  • 29.
    klocwork.com29 | Klocworkby Perforce © 2019 Perforce Software, Inc. Summary 1 2 3 Use SCA to check the security of your code. • Enables you to find vulnerabilities early. Use SCA to enforce industry and coding standards. • Reduces the cost of compliance. Integrate SCA and CI into your development process. • Makes analysis automated, fast, and scalable. 4 5 Use SCA to validate legacy code/OSS. • Enables you to check entire code base before release. Use SCA to help developers improve code quality. • Features a built-in training tool on the desktop.
  • 30.
    klocwork.com30 | Klocworkby Perforce © 2019 Perforce Software, Inc. • Support for CI via continuous static code analysis (CSCA). • Desktop on-the-fly analysis as well as traditional server analysis. • Helps to ensure compliance with MISRA, OWASP, FDA, CWE, DISA, and other industry and coding standards. • Hundreds of built-in checkers that go beyond just the industry standards. • Unique analysis engine that detects a thorough and comprehensive range of defects. • Widest compiler support. • Custom checker studio for extensibility. • Support for process certification (ISO 26262). Klocwork Continuous Static Code Analysis
  • 31.