Static analysis tools use very sophisticated process flow and dataflow analysis. The quality and security issues they identify are often complex and involve obscure logic problems, which is why these tools can be so valuable.
Static source code analysis tools analyze 100% of the source code, far more than any external test tools.
For organizations that must comply with the Payment Card Industry Data Security Standard or Payment Application Data Security Standard, these tools fulfill the code review requirement. They also produce valuable metrics, including kilo-lines of code (KLoCs), file counts, and “churn”, that is, the number of files that have changed between two regular builds.
Introducing static code analysis and the requisite tools into the development process isn’t always painless, however. ACI Worldwide found many subtle pitfalls in their efforts to roll out this approach company-wide. The tool changes the way many people work and must become a part of the organization and its culture.
For instance, static code analysis tools usually require careful integration into the project build process.
These tools also must be integrated into developers’ daily work. Again, tool makers offer both command-line versions of the tools as well as plug-ins for many of the popular integrated development environments such as Eclipse and Visual Studio.
Most importantly, the tools require that the code base have a subject matter expert (SME) who can also provide the same service for the tools. That person will answer questions not just about how the tool operates but also about the issues that the tool is finding—including identifying when the tool is generating a false positive. The SME will provide training and support to other developers, a fairly heavy workload for the first few weeks, until everyone is familiar with the static analysis tool. After that, that part of the workload should settle down to several hours a week.
The biggest challenges with static code analysis tools are problems in existing code. At ACI Worldwide, all the issues from an initial build on existing code are immediately deferred and hidden from sight. That way developers don’t get overwhelmed and can stay focused on ensuring that new problems aren’t introduced into the code.
At some point in the future, product planners and the senior development staff review the deferred issues, prioritize and group them, and decide when remediation can be factored into the planning for a future release. There’s no perfect approach, and businesses must always make hard decisions about whether to counter a vulnerability or assume the risk.
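The baselining practice described above, in which every finding from the first scan of an existing code base is deferred and only findings introduced afterwards are surfaced to developers, can be modelled with a small filter. The following Python is an added example, not Klocwork's or ACI Worldwide's code, and the finding records, checker names and file paths it uses are constructed for illustration. It also computes the "churn" metric mentioned earlier, the count of files that differ between two builds.

```python
"""Baseline filter for static-analysis findings (added example, constructed data).

Findings from the initial scan are recorded as a baseline and treated as
deferred; later scans report only what is new relative to that baseline.
Findings are keyed by file, checker and a hash of the flagged source line
rather than by line number, so unrelated edits that shift line numbers do
not resurrect deferred issues as "new" ones.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    checker: str   # checker/rule id; names below are constructed, not a tool's
    line: int
    source: str    # the source line the checker flagged

    def fingerprint(self) -> str:
        # Whitespace-normalise the line so reindenting does not change the key.
        norm = " ".join(self.source.split())
        key = f"{self.file}|{self.checker}|{norm}".encode()
        return hashlib.sha256(key).hexdigest()[:16]


def build_baseline(findings):
    """Record every finding from the initial scan as deferred."""
    return {f.fingerprint() for f in findings}


def triage(findings, baseline):
    """Split a later scan into (new, deferred) relative to the baseline."""
    new, deferred = [], []
    for f in findings:
        (deferred if f.fingerprint() in baseline else new).append(f)
    return new, deferred


def churn(build_a, build_b):
    """Number of files added, removed or changed between two builds.

    Each build is a mapping of file path -> content hash (constructed here;
    in practice it would come from the build's manifest or VCS).
    """
    changed = 0
    for path in set(build_a) | set(build_b):
        if build_a.get(path) != build_b.get(path):
            changed += 1
    return changed


# Constructed sample scans. In the later scan the parse.c finding has moved
# down five lines because code was inserted above it; it is still the same
# deferred issue. The net.c finding is genuinely new.
INITIAL_SCAN = [
    Finding("src/parse.c", "NULL_DEREF", 42, "len = strlen(p->name);"),
    Finding("src/io.c", "ARRAY_BOUNDS", 118, "buf[i] = c;"),
]
LATER_SCAN = [
    Finding("src/parse.c", "NULL_DEREF", 47, "    len = strlen(p->name);"),
    Finding("src/io.c", "ARRAY_BOUNDS", 118, "buf[i] = c;"),
    Finding("src/net.c", "UNINIT_VAR", 9, "return total;"),
]


def summarise():
    """Run the triage on the sample data and return counts for reporting."""
    baseline = build_baseline(INITIAL_SCAN)
    new, deferred = triage(LATER_SCAN, baseline)
    return {"new": len(new), "deferred": len(deferred)}


if __name__ == "__main__":
    baseline = build_baseline(INITIAL_SCAN)
    new, deferred = triage(LATER_SCAN, baseline)
    print(f"{len(deferred)} deferred (pre-existing), {len(new)} new:")
    for f in new:
        print(f"  {f.file}:{f.line} [{f.checker}] {f.source.strip()}")
    print("churn:", churn({"a.c": "h1", "b.c": "h2"}, {"a.c": "h1", "b.c": "h3", "c.c": "h4"}))
```

Two identical flagged lines in the same file collapse to one fingerprint, which errs on the side of deferring; a production version would add an occurrence index to the key. The baseline set is what the planning review in the paragraph above would work through when scheduling remediation.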
Static code analysis proved to be a valuable tool for ACI Worldwide, as it allowed them to find serious bugs more comprehensively and earlier in the development process.
In addition, the Klocwork suite we chose provides a way to connect experienced senior developers with junior developers. The tools include extensive help files that refer developers having difficulty with an issue to a more experienced developer to get advice—always a valuable interaction.
Klocwork helps companies like ACI Worldwide to identify more bugs earlier in the development process. See for yourself how Klocwork will help you achieve the same goal.