Best Practices of Static Code Analysis in the SDLC

Best Practices of Static Analysis in the
SDLC

Part 1
November 2010

Agenda

1. House Keeping - Certification Overview
2. Very Brief Parasoft Introduction
3. Today’s Agenda

Parasoft Proprietary and Confidential

House Keeping - Certification

2 – 45 minute live interactive sessions focused on Static
Analysis using best practices for development, testing, and
management

Session 1: Best Practices of Static Analysis
Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm – 3:00pm EST
Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST

Materials published day after on-line session
Final exam (multiple choice) on-line
Certificate of completion from Parasoft Corporation


Important Note

This course is not designed to
Teach how to do security
Review (in depth) the reasons “why” we
should have solid software
Cover how-to use any specific tools

This course is designed to
Explain available SA techniques and what
they’re used for
Help avoid common pitfalls
Provide in-depth examples of selected best
practices and teach you how to optimize them
for the software development environment


About Parasoft

Founded in 1987
27 Patents for automated quality processes
Build quality into the process
Static Analysis tools since 1994


Parasoft Capabilities

Technologies
Quality Policy Management
Task Management
Code Analysis – Pattern Based
Code Analysis – Flow Based
Code Analysis - Metrics
Code Review
Unit Testing Framework
Memory Error Detection
Runtime Analysis
Message/Protocol Testing
Application Behavior Emulation
Functional Testing
Load Testing


Agenda for this session

Define static analysis
Define “false positives”
Static analysis for Security
Static analysis for defect prevention
Static analysis for process improvement


What IS Static Analysis?

Variety of methods
Peer Review / Manual Code Review / Code Inspection
Pattern-based code scanners
Flow-based code scanners
Metrics-based code scanners
Compiler / build output


What is: Peer Code Review

What:
A human review process provides checks and balances
for finding and preventing human mistakes.
Why:
Find defects early
Find real functional problems
Increase breadth of understanding
Increase productivity


Peer Code Review

Review policies
Coder / reviewer pairs
QA reviewer / test review
Frequency
Scope
Pre commit vs. post commit review
Automation potential
A system to enforce the review policy
Track un-reviewed changes
Facilitate non-blocking communication


Methods of Code Review

Code Review “in a room”
Wastes time
Developers are inhibited
Using an automated infrastructure
consistent


Determining Reviewers

Who reviews whom
How close are they in the code?
Increase code understanding


What is: Pattern-Based SA

What:
Identify specific patterns in the code
Why:
Find bugs
Ensure inclusion of required items
Security
Branding
Prevent Problems
Improve Developers


Pattern-Based Static Analysis

Quick scan to list possible problems
Fixing violations prevents certain classes of
errors
Each source file is analyzed separately
Static analysis categories include:
Logical Errors
API Misuse
Typographical Errors
Security
Threads and Synchronization
Performance and Optimization


What is: Data Flow Analysis

What:
Simulate execution to find patterns
Why:
Find real bugs


Data Flow Analysis

Simulate hypothetical execution paths
Detect possible errors along those paths
Data flow analysis error categories include:
Exceptions
Optimization
Resource Leaks
API misuse
Security


What is: Code Metrics

What:
Measurement of code based on various statistics
Why:
Understanding code
Possible problems


Code Analysis Perceptions

“Static analysis is a pain”
False positives has varying definitions
I don’t like it
It was wrong


Pattern based false positives

True false positives generally rule deficiency
Context
Does this apply here and now?
In-code suppressions to document decision


Flow Analysis False Positives

False positives are inevitable
Finds real bugs
Flow analysis is not comprehensive


Static Analysis for Security

Flow analysis finds low-hanging fruit
Flow won’t guarantee security
SA prevents security problems
Input validation is key


Static Analysis for Prevention

It’s quicker to deal with false positives than bugs
Flow analysis finds complicated problems
Runtime analysis should match flow analysis
Rules should be chosen based on real problems


SA for Process Improvement

Flow analysis won’t find everything
Flow rules have corresponding pattern-based
rules
Prevent the potential rather than chase paths


House Keeping - Certification

2 – 45 minute live interactive sessions focused on Static
Analysis using best practices for development, testing, and
management

Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm – 3:00pm EST
Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
Process infrastructure
Workflows
Choosing the best configuration
And more
Materials published day after on-line session
Final exam (multiple choice) on-line
Certificate of completion from Parasoft Corporation


Q&A

Questions


Further Reading

Automated Defect Prevention (Huizinga & Kolawa)
…Principles and processes to improve the software
development process.

Effective C++ / More Effective C++ (Meyers)
…Definitive work on proper C++ design and programming.

Effective Java (Bloch)
…Best-practice solutions for programming challenges.

Design Patterns (Gamma, Helm, Johnson, Vlissides)
…Timeless and elegant solutions to common problems.


Best Practices of Static Code Analysis in the SDLC

More Related Content

What's hot (20)

Viewers also liked (13)

Similar to Best Practices of Static Code Analysis in the SDLC (20)

Recently uploaded (20)

Best Practices of Static Code Analysis in the SDLC