Computer code is commonly embedded in technology we use every day. Fifty years ago, only professionals and serious hobbyists delved into programming. In the age of the internet, coding has become commonplace. Most technology depends on quality computer code to operate safely and effectively.
There are two main methods software developers use to test computer code: static and dynamic analysis. Static analysis reviews the code before execution, looking line by line for problems. Compilers, for example, use static analysis to find errors and warnings and return them to the developer to correct. Dynamic analysis runs tests while the software is executing, looking for operational problems across an entire system. Of the two, static analysis is more effective at error detection and provides the greatest benefit to the software development process.
An automatic analysis that executes when software is “checked in” to the project repository is the best way to ensure periodic and consistent static software tests. Automating the testing gives greater consistency and the assurance that the static analysis executes even without direct programmer involvement.
Automated Static Analysis Benefits
Early and Frequent Code Checking
Most projects require more than one developer. Even at the same company, using the same standards, and working on the same project, each programmer codes differently and that introduces code flaws. Periodic static checking will find the flaws and allow their correction during the development cycle.
While static analysis is a tool for code review, it is also a tool for improving the quality assurance process. Certain mistakes show up repeatedly in code and static analysis identifies repeated errors easily. Product quality increases as well as the quality of future software projects. Companies can use the data to update their programming standards, which eliminates common errors and increases the speed of project completion.
Static analysis is first a corrective tool for the code directly and is second a teaching tool for programmers. Setting aside five minutes at the start of every project meeting to review error metrics is beneficial to everyone. Over time, this leads to error reduction and to more efficient and profitable software development.
In parallel to the error collection above, automated static analysis provides feedback to individual developers on the project team. For example, it is possible to use the automated system to email the developer responsible for the faulty code. The automatic feedback allows the programmer to improve their coding skills in the long term and in a more private manner than peer code reviews.
Periodic feedback for developers is a key benefit. However, the feedback works both ways. Customizing the analysis tool is important from the start. Using comments and suggestions from developers to update the analysis tool only increases its benefit by conforming it to the needs of the software team.
Create Secure Code
Internet security is a big deal. Most computer code is not written from scratch. Reusing portions of past projects shortens development time and makes project execution easier. Unfortunately, commonly reused fragments of code sometimes contain security vulnerabilities that attackers exploit. If a fragment of code is known to be vulnerable, automatic static analysis can find similar code blocks in programs under development. The final product is a safer, more secure computer program.
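As an added example (not code from this article), here is a small static check of the kind that would run on check-in: it walks the Python syntax tree and flags every `execute`/`executemany` call whose SQL text is built by concatenation, `%` formatting, `.format()` or an f-string, which is the classic SQL-injection fragment; the rule id SQL001 and the sample source are constructed for the example.

```python
"""Minimal AST-based static check for SQL built from strings (example code)."""
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line: int       # line in the analysed source
    rule: str       # hypothetical rule identifier
    message: str    # guidance reported back to the developer


class SqlStringVisitor(ast.NodeVisitor):
    """Flags cursor.execute(<dynamically built string>) and executemany()."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    @staticmethod
    def _is_dynamic_string(node: ast.AST) -> bool:
        if isinstance(node, ast.JoinedStr):                      # f"...{x}..."
            return True
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            return True                                          # "..." + x / "..." % x
        return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format")                  # "...".format(x)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany")
                and node.args and self._is_dynamic_string(node.args[0])):
            self.findings.append(Finding(
                node.lineno, "SQL001",
                "SQL statement assembled from strings; use a parameterized query"))
        self.generic_visit(node)          # keep walking nested calls


def analyze_source(source: str) -> List[Finding]:
    """Parse one module's source text and return the findings, in line order."""
    visitor = SqlStringVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample: three vulnerable fragments and one parameterized query.
SAMPLE = '''\
import sqlite3
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    for f in analyze_source(SAMPLE):
        print(f"line {f.line}: {f.rule} {f.message}")
```

A real deployment would run `analyze_source` over every file in the commit and fail the check-in (or notify the author) when findings are non-empty, which is the automated feedback loop the article describes.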
The Best Way to Ensure Quality Code
Static code analysis is arguably the best way to ensure code quality from the very start of a development project. It checks the code thoroughly line by line and gives developers the opportunity to correct flaws before the software goes live. While manual analysis is possible, the best method for static analysis is periodic automatic checks on full programs and code fragments.
The automated analysis provides dependable, periodic feedback to project developers. Constant feedback allows them to correct code as part of the development process and it reduces the checking time. Overall, it leads to improved company procedures and code practices. These process improvements lead to higher quality products, more efficient project execution and finally to the greatest benefit of all, higher profits for the company.
How to Learn More
For more information on static analysis and code review in general, consider the following suggested reading:
- Code Complete by Steve McConnell is a book that covers code development and review. It is good for beginners and experienced programmers alike as a reference.
- Secure Programming with Static Analysis by Brian Chess and Jacob West is a detailed book about static analysis and its applications.
- Static Code Analysis by John Carmack is an article that discusses the author’s experience with static analysis and several of the tools he chose to try.
Static Analysis Tools
If you have decided to implement static analysis, there are many single- and multi-language tools available. Here is a short list of some multi-language tools and the languages they check:
- Checkmarx SAST – C, C#, Python, Ruby, .NET, Java, and several more
- HP Fortify Software – C, C++, Java, JSP, Visual Basic 6, T-SQL, PL/SQL, and others
- Veracode – C, C++, .NET, Java, PHP, Ruby on Rails, COBOL, and many more
- IBM Security AppScan – C, C++, .NET, Java, Classic ASP, Perl, and COBOL