Tools for Static Code Analysis Success
Static Code Analysis for Security, Reliability, and Performance
This is the first in a series of interviews in which Adam Kolawa, Parasoft CEO and co-author of Automated Defect Prevention: Best Practices in Software Management (Wiley-IEEE, 2007), discusses why, when and how to apply essential software verification methods such as static code analysis and unit testing.
In this interview, Kolawa discusses why, when, and how to apply three different types of static analysis: pattern-based static code analysis, data flow static analysis, and code metrics analysis. Read on to learn how static code analysis can help your team ensure that code meets uniform expectations around security, reliability, performance, and maintainability, and how to get started as painlessly as possible.
What do you mean by static code analysis?
I mean statically analyzing code to monitor whether it meets uniform expectations around security, reliability, performance, and maintainability. Done properly, this static code analysis provides a foundation for producing solid code by exposing structural errors and preventing entire classes of errors. At Parasoft, we've found that the most effective static code analysis encompasses pattern-based static code analysis, data flow static analysis, and code metrics analysis.
Let's take a closer look at those three breeds of static analysis. First off, pattern-based static code analysis. What is it and why is it valuable?
By pattern-based static code analysis, I mean scanning the source code and checking whether it has patterns known to cause defects or impede reuse and agility. This involves monitoring compliance to coding standard rules: rules for preventing improper language usage, satisfying industry standards (MISRA, JSF, Ellemtel, etc.), and enforcing internal coding guidelines.
If you nip these issues in the bud by finding and fixing dangerous code as it is introduced, you significantly reduce the amount of testing and debugging required later on, when the difficulty and cost of dealing with each defect increases by over an order of magnitude.
Many categories of defects can be prevented in this manner, including defects related to memory leaks, resource leaks, and security vulnerabilities. In fact, simply using static code analysis to enforce proper input validation can prevent approximately 70% of the security problems cited by OWASP, the industry-leading security community.
What's data flow static analysis and why is it valuable?
Data flow static analysis statically simulates application execution paths, which may cross multiple units, components, and files. It's like testing without actually executing the code. It can automatically detect potential runtime errors such as resource leaks, NullPointerExceptions, SQL injections, and other security vulnerabilities. This enables early and effortless detection of critical runtime errors that might otherwise take weeks to find.
While static code analysis is an error-prevention practice, data flow static analysis is an error-detection practice. Like all error-detection practices, it's not 100% accurate and you can't expect that it will uncover each and every bug lurking in your application.
The main difference between static code analysis and data flow static analysis is that with pattern-based static code analysis, you can absolutely guarantee that certain classes of defects will not occur as long as you find and fix the coding constructs known to cause these defects. With data flow static analysis, you are identifying defects that could actually occur when real application paths are exercised, not just dangerous coding constructs. But you have to realize that you will inevitably overlook some bugs, and might have a higher ratio of false positives than you encounter with static code analysis.
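The contrast Kolawa draws between the two techniques, for the pattern-based analysis described earlier and the data flow analysis described here, can be seen on a few lines of code. The example below is an added illustration written for this page, not Parasoft's tooling or any code from the interview. It uses Python's standard `ast` module on a small constructed sample: a pattern-based rule ("the query passed to `.execute()` must be a string literal", a stand-in for a coding-standard rule) and a deliberately simplified intraprocedural taint analysis (sources are `request.args`, `request.form` and `request.cookies`, an assumed web-framework convention; the sink is the first argument of `.execute()`). The pattern rule flags every string-built query, including one built from a constant, which is the false positive Kolawa mentions, but once the rule is satisfied that construct is guaranteed gone. The taint analysis reports only the call that untrusted data actually reaches, and because it only follows straight-line assignments inside one function it would miss flows through branches, loops or other functions, which is the "you will inevitably overlook some bugs" caveat.

```python
import ast

# Constructed sample program (written for this example, not from the page).
# Three calls to db.execute(): a reachable SQL injection, a query built from a
# constant (no real defect), and a parameterised query.
SAMPLE = '''\
def lookup_user(request, db):
    name = request.args["name"]                 # untrusted input
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    db.execute(query)                           # line 4: real SQL injection

def count_rows(db):
    table = "users"
    query = "SELECT COUNT(*) FROM " + table     # built at runtime, but from a constant
    db.execute(query)                           # line 9: same construct, no untrusted data

def safe_lookup(request, db):
    name = request.args["name"]
    db.execute("SELECT * FROM users WHERE name = ?", (name,))   # line 13: parameterised
'''


def _is_execute_call(node):
    """True for any call of the form <something>.execute(<at least one arg>)."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "execute"
            and bool(node.args))


def pattern_check(source):
    """Pattern-based rule: the query passed to .execute() must be a string literal.
    Purely syntactic, so it cannot tell a constant-built query from a tainted one,
    but code that passes the rule provably contains no runtime-built query strings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if _is_execute_call(node):
            arg = node.args[0]
            if not (isinstance(arg, ast.Constant) and isinstance(arg.value, str)):
                findings.append(node.lineno)
    return sorted(findings)


# Assumed taint sources: attributes of a request object that hold client-controlled data.
TAINT_SOURCES = {"args", "form", "cookies"}


def _tainted(expr, tainted_names):
    """Does this expression carry data derived from an untrusted source?"""
    if isinstance(expr, ast.Name):
        return expr.id in tainted_names
    if isinstance(expr, ast.Subscript):
        base = expr.value
        if isinstance(base, ast.Attribute) and base.attr in TAINT_SOURCES:
            return True                          # e.g. request.args["name"]
        return _tainted(base, tainted_names)
    if isinstance(expr, ast.BinOp):              # string concatenation / % formatting
        return _tainted(expr.left, tainted_names) or _tainted(expr.right, tainted_names)
    if isinstance(expr, ast.JoinedStr):          # f-strings
        return any(_tainted(v.value, tainted_names)
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, ast.Call):               # conservatively, a call of tainted args is tainted
        return any(_tainted(a, tainted_names) for a in expr.args)
    return False                                 # constants and anything else


def dataflow_check(source):
    """Simplified intraprocedural taint analysis: walk each function's top-level
    statements in order, mark names assigned from tainted expressions, and report
    .execute() only when its query argument is tainted at that point."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and _tainted(stmt.value, tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            for node in ast.walk(stmt):
                if _is_execute_call(node) and _tainted(node.args[0], tainted):
                    findings.append(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    print("pattern-based findings (lines):", pattern_check(SAMPLE))   # [4, 9]; 9 is a false positive
    print("data-flow findings (lines):    ", dataflow_check(SAMPLE))  # [4] only
```

Run it directly and compare the two lists: the pattern rule reports lines 4 and 9 and passes line 13, while the taint analysis reports only line 4. Fixing the code until `pattern_check` returns nothing (for instance by parameterising every query) removes the whole construct and is easy to enforce in CI; `dataflow_check` is the more precise verdict but, as written, only sees assignments at the top level of one function, so a query built in a helper or under an `if` would be missed.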
If data flow static analysis cant find all the bugs, how do you automatically detect the remaining bugs?
Unfortunately, you can't. Parasoft has spent 20 years investigating how and why errors are introduced into software applications. We've found that only certain types of errors can be detected automatically. Most bugs are related to poorly-implemented requirements, missing requirements, or confused users, and cannot be identified without involving human intelligence. There is no silver bullet. With continuous regression testing using a robust set of technologies, you can automatically determine when a modification impacts application behavior, then leverage human intelligence to determine if the change was intentional or not. However, that's the topic of another paper.
The fascinating thing about data flow static analysis is that it's the only automated technology I know of that can actually help you find missing requirements...
To read more, download the complete "Static Code Analysis" paper as a PDF.