best practices of static code analysis in the sdlc
DESCRIPTION
Static Analysis helps developers prevent and eliminate defects—using thousands of rules tuned to find code patterns that lead to reliability, performance, and security problems. Over 15 years of research and development have gone into fine-tuning Parasoft's rule set. For more information about Static Analysis please click on the link below.
http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547
TRANSCRIPT
Best Practices of Static Analysis in the SDLC
Part 1
November 2010
Parasoft Proprietary and Confidential
Agenda
1. House Keeping - Certification Overview
2. Very Brief Parasoft Introduction
3. Today’s Agenda
House Keeping - Certification
Two 45-minute live, interactive sessions focused on Static Analysis using best practices for development, testing, and management
Session 1: Best Practices of Static Analysis, Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
Session 2: Best Practices of Static Analysis, Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
Materials published the day after each on-line session
Final exam (multiple choice) on-line
Certificate of completion from Parasoft Corporation
Important Note
This course is not designed to:
Teach how to do security
Review (in depth) the reasons “why” we should have solid software
Cover how to use any specific tools
This course is designed to:
Explain available SA techniques and what they’re used for
Help avoid common pitfalls
Provide in-depth examples of selected best practices and teach you how to optimize them for the software development environment
About Parasoft
Founded in 1987
27 Patents for automated quality processes
Build quality into the process
Static Analysis tools since 1994
Parasoft Capabilities
Technologies:
Quality Policy Management
Task Management
Code Analysis - Pattern Based
Code Analysis - Flow Based
Code Analysis - Metrics
Code Review
Unit Testing Framework
Memory Error Detection
Runtime Analysis
Message/Protocol Testing
Application Behavior Emulation
Functional Testing
Load Testing
Agenda for this session
Define static analysis
Define “false positives”
Static analysis for Security
Static analysis for defect prevention
Static analysis for process improvement
What IS Static Analysis?
Variety of methods:
Peer Review / Manual Code Review / Code Inspection
Pattern-based code scanners
Flow-based code scanners
Metrics-based code scanners
Compiler / build output
What is: Peer Code Review
What: A human review process provides checks and balances for finding and preventing human mistakes.
Why:
Find defects early
Find real functional problems
Increase breadth of understanding
Increase productivity
Peer Code Review
Review policies:
Coder / reviewer pairs
QA reviewer / test review
Frequency
Scope
Pre-commit vs. post-commit review
Automation potential:
A system to enforce the review policy
Track un-reviewed changes
Facilitate non-blocking communication
Methods of Code Review
Code Review “in a room”:
Wastes time
Developers are inhibited
Using an automated infrastructure:
Consistent
Determining Reviewers
Who reviews whom?
How close are they in the code?
Increase code understanding
What is: Pattern-Based SA
What: Identify specific patterns in the code
Why:
Find bugs
Ensure inclusion of required items (Security, Branding)
Prevent problems
Improve developers
Pattern-Based Static Analysis
Quick scan to list possible problems
Fixing violations prevents certain classes of errors
Each source file is analyzed separately
Static analysis categories include:
Logical Errors
API Misuse
Typographical Errors
Security
Threads and Synchronization
Performance and Optimization
What is: Data Flow Analysis
What: Simulate execution to find patterns
Why: Find real bugs
Data Flow Analysis
Simulate hypothetical execution paths
Detect possible errors along those paths
Data flow analysis error categories include:
Exceptions
Optimization
Resource Leaks
API misuse
Security
What is: Code Metrics
What: Measurement of code based on various statistics
Why:
Understanding code
Possible problems
Code Analysis Perceptions
“Static analysis is a pain”
“False positive” has varying definitions:
I don’t like it
It was wrong
Pattern based false positives
True false positives are generally a rule deficiency
Context: does this apply here and now?
In-code suppressions to document the decision
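To make the pattern-based scan and the in-code suppression concrete, here is an added example that is not Parasoft code: a tiny per-file checker built on Python's `ast` module with one Security rule and one Logical Errors rule, plus a constructed `# sa-suppress RULE.ID: reason` comment syntax (an assumption for this example) that records why a violation does not apply here and now.

```python
import ast
import re

# Constructed suppression syntax for this example (not a Parasoft feature):
#   some_call()  # sa-suppress RULE.ID: reason the rule does not apply here
SUPPRESS_RE = re.compile(r"#\s*sa-suppress\s+(?P<rule>[\w.]+)\s*:\s*(?P<reason>.+)$")

def check_file(source):
    """Pattern-based scan of one file in isolation. Returns (violations, suppressed)."""
    tree = ast.parse(source)
    lines = source.splitlines()
    violations, suppressed = [], []
    for node in ast.walk(tree):
        hit = None
        # Security category: dynamic evaluation of code built at runtime
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in ("eval", "exec"):
            hit = ("SEC.EVAL", "call to %s()" % node.func.id)
        # Logical Errors category: bare except whose body only passes
        elif isinstance(node, ast.ExceptHandler) and node.type is None \
                and all(isinstance(s, ast.Pass) for s in node.body):
            hit = ("EXC.BARE", "bare except with empty body hides errors")
        if hit is None:
            continue
        rule, message = hit
        finding = (node.lineno, rule, message)
        # A suppression only applies to the rule it names, on the same line
        m = SUPPRESS_RE.search(lines[node.lineno - 1])
        if m and m.group("rule") == rule:
            suppressed.append(finding + (m.group("reason").strip(),))
        else:
            violations.append(finding)
    return sorted(violations), sorted(suppressed)

# Constructed sample file: two true violations and one documented suppression
SAMPLE = '''\
table = {"a": 1}
value = eval(user_input)
limit = eval("10 * 2")  # sa-suppress SEC.EVAL: constant expression, no user input
try:
    risky()
except:
    pass
'''

if __name__ == "__main__":
    for lineno, rule, message in check_file(SAMPLE)[0]:
        print("line %d %s: %s" % (lineno, rule, message))
```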
Flow Analysis False Positives
False positives are inevitable
Finds real bugs
Flow analysis is not comprehensive
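Added example, not from the deck or from Parasoft: a minimal flow analysis in Python that simulates both branches of each `if`, merges the resulting states, and reports attribute accesses that may hit `None`. Because the merge forgets which branch was taken, the second constructed function yields exactly the kind of inevitable false positive the slide describes; `open_conn` is a placeholder name in the constructed sample.

```python
import ast
import copy

def analyze(source):
    """Flow analysis per function: (lineno, var) pairs where an attribute access may hit None."""
    findings = []
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            run_block(node.body, {}, findings)
    return sorted(set(findings))

def run_block(stmts, state, findings):
    """state maps a variable to the set of abstract values it may hold: 'none' or 'obj'."""
    for stmt in stmts:
        if isinstance(stmt, ast.If):
            # Simulate both hypothetical paths, then merge: after the if, a variable
            # may hold whatever either branch left in it; the condition itself is forgotten.
            then_state = run_block(stmt.body, copy.deepcopy(state), findings)
            else_state = run_block(stmt.orelse, copy.deepcopy(state), findings)
            state = {v: then_state.get(v, set()) | else_state.get(v, set())
                     for v in then_state.keys() | else_state.keys()}
            continue
        # Check dereferences against the state before this statement's own assignment
        for sub in ast.walk(stmt):
            if isinstance(sub, ast.Attribute) and isinstance(sub.value, ast.Name) \
                    and "none" in state.get(sub.value.id, set()):
                findings.append((stmt.lineno, sub.value.id))
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            is_none = isinstance(stmt.value, ast.Constant) and stmt.value.value is None
            state[stmt.targets[0].id] = {"none"} if is_none else {"obj"}
    return state

# Constructed sample: one true positive, one false positive from correlated conditions
SAMPLE = '''
def real_bug(cond):
    conn = None
    if cond:
        conn = open_conn()
    conn.close()        # reachable with conn still None: true positive

def correlated(cond):
    conn = None
    if cond:
        conn = open_conn()
    if cond:
        conn.close()    # same condition twice, path is infeasible: false positive
'''

if __name__ == "__main__":
    print(analyze(SAMPLE))  # [(6, 'conn'), (13, 'conn')]
```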
Static Analysis for Security
Flow analysis finds low-hanging fruit
Flow won’t guarantee security
SA prevents security problems
Input validation is key
Static Analysis for Prevention
It’s quicker to deal with false positives than bugs
Flow analysis finds complicated problems
Runtime analysis should match flow analysis
Rules should be chosen based on real problems
SA for Process Improvement
Flow analysis won’t find everything
Flow rules have corresponding pattern-based rules
Prevent the potential rather than chase paths
House Keeping - Certification
Two 45-minute live, interactive sessions focused on Static Analysis using best practices for development, testing, and management
Session 1: Best Practices of Static Analysis, Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
Session 2: Best Practices of Static Analysis, Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
Process infrastructure
Workflows
Choosing the best configuration
And more
Materials published the day after each on-line session
Final exam (multiple choice) on-line
Certificate of completion from Parasoft Corporation
Q&A
Questions
Further Reading
Automated Defect Prevention (Huizinga & Kolawa): Principles and processes to improve the software development process.
Effective C++ / More Effective C++ (Meyers): Definitive work on proper C++ design and programming.
Effective Java (Bloch): Best-practice solutions for programming challenges.
Design Patterns (Gamma, Helm, Johnson, Vlissides): Timeless and elegant solutions to common problems.