Automated source code analysis (SCA) technology is designed to locate and describe areas of weakness in software source code. Those weaknesses may be security vulnerabilities, logic errors, implementation defects, concurrency violations, rare boundary conditions, or any number of other types of problem-causing code. Source code analysis is distinct from more traditional dynamic analysis techniques, such as unit or penetration tests, since the work is performed at build time using only the source code of the program or module in question. The results reported are therefore generated from a complete view of every possible execution path, rather than some aspect of a necessarily limited observed runtime behavior.
The underlying technology associated with SCA is called Static Analysis and the current generation of technology solutions is capable of providing sophisticated, high-value analysis that will identify critical bugs and security vulnerabilities in code that can potentially cause system crashes, hacker exploits or affect the overall reliability of mission-critical software. As a result of recent innovations in this domain, organizations that develop mission-critical software are adopting SCA technology as a standard milestone of their integration build during pre-quality assurance (QA) activities. This has proven to be a useful stage at which to perform static analysis and has provided benefit in terms of accuracy and comprehension. However, build-time analysis suffers from an inherent weakness: code has already been committed to a source branch, so by the time a bug is discovered it is already impacting other members of the development organization and other elements of the system.
Professional software development organizations are now looking to better integrate static analysis technology into their software development processes and to implement this capability as early as possible in the software development process rather than strictly as a build milestone activity. Reduced costs, better QA efficiency, and significantly improved software products are all benefits to organizations that are able to move high-quality source code analysis and software quality tool to the earliest point in the coding phase: the developer’s desktop.
This paper examines the evolution of source code analysis from developer desktop to integration/build and beyond, and describes how Klocwork Insight uses revolutionary new technology to be the first to take the next step in that evolution.
First Generation Source Code Analysis: A Developer’s Tool
The technology behind source code analysis – static analysis – c static analysis - has been around almost as long as modern software development practices. Fundamentally, the technology is a derivative of the compilation process, and for almost 30 years tools such as lint have been available to developers to run against their code.
Second Generation Source Code Analysis: The Comeback Kid
SEARCHFEED
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment