In this article, I’ll discuss some of the reasons why static analysis is a must-have technology for achieving your software security and quality goals. I’ll also share some insights from one of our valued customer’s static analysis deployment journey.
One of the best ways to differentiate yourself in the crowded business-critical software space is to provide safe, secure, and reliable products that meet your customers’ expectations. But delivering defect-free software is challenging, especially if your project leverages complex constructions to optimize performance, contains millions of lines of code, and is being touched by several developers. This is why many businesses, such as G3 Technologies, a wireless telecommunication organization that delivers custom-tailored tools and solutions, rely on static analysis as part of their development policy. Download the G3 Technologies case study to learn more.
Static analysis helps organizations achieve their software security and quality goals by checking the code against programming patterns known to make the software vulnerable to errors and security exploits. Static analysis code checkers look for constructions that can lead to memory leaks, code maintainability issues, and other problems and flag the constructions as violations. For example, many checkers will report a violation if “goto” or “jump” statements are used because they add complexity to the program logic, which increases the likelihood of software-crashing errors.
Code checkers (also called static analysis rules) are based on sets of guidelines, such as MISRA C 2012, CWE Top 25, or OWASP Top Ten, which have become standards for many industries. For their static analysis deployment, G3 took advantage of Parasoft’s native support for all major programming guidelines. Parasoft, furthermore, enables you to customize which checkers are used to analyze your code, giving you the ability to mix and match checkers from several standards so that you can tailor analysis to your code.
G3 employs over 1000 Parasoft static analysis rules as part of their continuous integration process, helping the company ensure that production code is free and clear of common programming problems. Within the first six months of deploying Parasoft static analysis tools, G3 addressed approximately 50,000 violations, some of which were critical bugs, such as type conversion issues, unused variables, and null pointer dereferences.
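To make concrete what a rule-based checker actually does, here is an added toy example (not Parasoft’s engine or G3’s rule set) that implements three of the checks named above as pattern rules over C source: goto usage, unused local variables, and dereferencing a pointer that was assigned NULL. The C snippet is constructed for the demonstration.

```python
import re
from typing import List, Tuple

Violation = Tuple[int, str, str]  # (line number, rule id, message)

# Constructed C snippet (not from the G3 case study) containing the three
# defect kinds discussed above: a goto, an unused variable and a null deref.
SAMPLE_C = """\
int f(int n) {
    int unused = 0;
    char *p = NULL;
    if (n > 3)
        goto fail;
    return p[0];
fail:
    return -1;
}
"""

# A local declaration: type, optional '*', name, then '=' or ';' (skips function headers).
DECL_RE = re.compile(r"^\s*(?:int|char|long|double|float)\s+\*?(\w+)\s*(?:=|;)")
NULL_ASSIGN_RE = re.compile(r"\b(\w+)\s*=\s*NULL\b")

def check_goto(lines: List[str]) -> List[Violation]:
    """Rule 1: every goto statement is reported (the complexity rule from the article)."""
    return [(n, "GOTO", "goto adds unstructured control flow")
            for n, line in enumerate(lines, 1) if re.search(r"\bgoto\b", line)]

def check_unused_vars(lines: List[str]) -> List[Violation]:
    """Rule 2: a local declared on one line and never referenced on any other line."""
    out = []
    for n, line in enumerate(lines, 1):
        m = DECL_RE.match(line)
        if m and not any(re.search(rf"\b{m.group(1)}\b", other)
                         for k, other in enumerate(lines, 1) if k != n):
            out.append((n, "UNUSED", f"variable '{m.group(1)}' is never used"))
    return out

def check_null_deref(lines: List[str]) -> List[Violation]:
    """Rule 3: a pointer set to NULL is dereferenced before any later reassignment."""
    out, null_vars = [], set()
    for n, line in enumerate(lines, 1):
        for name in null_vars.copy():
            if re.search(rf"(\*{name}\b|\b{name}\s*(\[|->))", line):
                out.append((n, "NULLDEREF", f"'{name}' may be NULL here"))
            if re.search(rf"\b{name}\s*=[^=]", line):  # plain reassignment clears the state
                null_vars.discard(name)
        m = NULL_ASSIGN_RE.search(line)
        if m:
            null_vars.add(m.group(1))
    return out

def analyze(source: str) -> List[Violation]:
    """Run every checker and return the violations sorted by line, like a rule report."""
    lines = source.splitlines()
    return sorted(check_goto(lines) + check_unused_vars(lines) + check_null_deref(lines))

if __name__ == "__main__":
    for line_no, rule, msg in analyze(SAMPLE_C):
        print(f"line {line_no}: [{rule}] {msg}")
```

Real tools do this over a parsed syntax tree and data-flow graph rather than line regexes, which is why they can follow a NULL across function calls and branches; the line-based version here only shows the shape of a rule and its report.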
While it’s always valuable to find software defects, finding them early in the development lifecycle is how organizations derive the most value from their static analysis investment. The following chart shows the cost of finding defects relative to the stage of the Software Development Life-cycle (SDLC) in which they are found.
In their case study, G3 highlights the value of finding errors in the coding stage. Leveraging static analysis enabled G3 to find programming errors before the software hits production, saving costs associated with retesting, recertifying, and redeployment. Most importantly, though, early defect detection keeps G3 in good standing with their customers. Their proactive approach to catching as many bugs as possible early on enables the company to quickly deliver the high-quality software their customers have come to expect, while avoiding costs associated with late-stage defect detection.
It’s flabbergasting that some companies forgo static analysis in their projects. In one of my previous roles as a Project Manager of services, I was contracted by a customer to perform unit testing on three software subsystems. The software had approximately 111,000 lines of C and C++ code. After a couple of months of testing and over 620 defects identified, I decided to perform static analysis on the code as an experiment. I discovered that over 80% of the defects identified through unit testing had been found in a matter of an hour by way of performing static analysis. The cost savings to the client would have been substantial had they adopted static analysis and complemented it with unit testing.
Kudos if you have deployed or are about to deploy static analysis. Any steps you take to improve the safety, security, and reliability of your code will be appreciated by your users. And while we applaud all efforts to improve the software of the world, you should take into consideration what’s important to your organization before deciding on a static analysis provider.
It should go without saying that deep, thorough, and accurate code analysis is the minimum requirement for any static analysis solution. Some vendors, though, focus their static analysis technology on specific aspects of development, such as security. In contrast, Parasoft’s approach is to build quality and security into the application. In fact, one of the reasons G3 left their previous static analysis provider in favor of Parasoft is that their previous vendor was narrowing their focus away from overall software quality and toward a hyper-focus on security.
Implementation differences aside, we recommend looking for a static analysis provider that demonstrates a willingness to partner with you on your static analysis journey. G3 has found their partner in Parasoft because we are committed to working with G3 for the foreseeable future. Their previous vendor was unreceptive to working with G3 to improve their static analysis solution. G3 recognized that collaborating with a static analysis tool provider on enhancements not only helps them more effectively analyze code, it also ensures that the vendor is available to help G3 deliver high-quality products long into the future. Download the G3 Technologies case study to learn more.
Static analysis is a cornerstone of any software quality and security policy. The practice helps organizations find software defects at the earliest possible stage, which reduces the overall cost of quality over the software development lifecycle. Not all static analysis providers are the same, though. If you are exploring a static analysis solution or are looking for a new partner, consider how the provider’s implementation approach, willingness to partner, and support for programming guidelines align with your software quality and security goals.
Parasoft is proud and honored to provide the static analysis technology helping G3 Technologies continue delivering high-quality software while meeting their rigorous release schedule. Parasoft’s software testing solutions and our collaborative relationship with G3 have made Parasoft a key technology partner, ensuring that G3 software applications are developed right the first time. Parasoft has also been incorporated within G3’s continuous integration process, guaranteeing that software does not go into production until all identified defects have been resolved. You can read G3’s customer success story by following this link: G3 Technologies Case Study
Sr. Technical Product Marketing Manager for Parasoft’s embedded testing solutions. He has expertise in the SDLC and test automation of embedded real-time, safety and security critical applications, and software compliance to industry standards.