More and more development teams are standardizing on static code analysis tools to improve testing efficiency and build better code. Are they more trouble than they're worth? Here's the real story.
What do static code analysis tools do?
They find bugs so you don't have to. It's as
simple as that. SCA boils down to three things:
better code at check-in, less costly development
cycles and shorter time-to-market. Why? Because you
don't have to worry about finding these bugs.
How efficient are they?
There are two ways to think about this. First, it's easy to save time on finding the most common defects (null pointer use, buffer overflow, unreachable code, etc.) through automation. Second, finding the most complex problems is best solved by proven algorithms that understand inter-procedural dependencies and cover every execution path better than any person can.
What's a good example of SCA?
Consider a function that dereferences a pointer set by another function. Manual unit testing of either function in isolation may not reveal that the pointer being dereferenced could be NULL. Static code analysis, on the other hand, would find the problem. Going further, consider the same situation but with the two functions developed by two different teams. The chances of the NULL pointer dereference reaching the customer become higher if the test coverage isn't there. Again, SCA covers everything.
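The situation described above in code, as an added example that is not from the original article: a constructed lookup function owned by one team (`lookup_setting`, which returns NULL for an unknown key) and a consumer from another team (`value_length_unchecked`) that dereferences the result on every path. Each function's own unit tests can pass while the combination crashes, which is the inter-procedural NULL dereference an analyzer reports; `value_length_checked` shows the fix. All names and the table contents are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed config table owned by "team A" (hypothetical data). */
struct setting { const char *key; const char *value; };

static const struct setting table[] = {
    { "timeout", "30" },
    { "retries", "3" },
};

/* Team A's function: returns NULL when the key is absent. Team A's own
   unit test checks exactly this NULL return and passes. */
const char *lookup_setting(const char *key)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].key, key) == 0)
            return table[i].value;
    return NULL;
}

/* Team B's consumer as an analyzer would flag it: strlen() is reached on
   every path, including the one where lookup_setting returned NULL.
   Team B's unit test only ever passes known keys, so it also passes;
   only an inter-procedural analysis that follows the NULL return into
   strlen() reports the defect. */
size_t value_length_unchecked(const char *key)
{
    const char *v = lookup_setting(key);
    return strlen(v); /* NULL dereference when key is unknown */
}

/* Hardened consumer: the NULL path is handled explicitly and a
   sentinel length of 0 is returned instead of crashing. */
size_t value_length_checked(const char *key)
{
    const char *v = lookup_setting(key);
    if (v == NULL)
        return 0;
    return strlen(v);
}
```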
Capers Jones of Namcook Analytics found that,
without tools and processes like static code analysis,
developers are less than 50 percent efficient at finding
bugs in their own software.
What about false positives?
Static analysis tools emphasize reducing false negatives rather than false positives, so that you get the most rigorous coverage possible. It's critical, then, to allow easy tuning of the analysis to account for the unique rules of your project and to include or exclude code (such as macros or conditionally compiled code) appropriately.
We're great programmers already, why waste
time with SCA?
SCA follows a strict set of rules and never gets tired, allowing developers to focus on the right things. A busy developer may miss an issue or think that it'll never happen. How many times have you miscounted loop iterations or gotten lost when tracing conditional logic? Because static code analysis understands the entire state space of your software, it never gets lost or assumes a problem is too insignificant.
Development timelines are short, how do I fit
The best SCA tools aren't standalone products but rather ones that allow you to work within your existing environments (such as your command line or IDE). Even better, they give you feedback at the earliest possible point: as you're typing code. This way, the tool fits you.
Overall, how do I get the best measure of
security and reliability in my code?
Modern SCA pushes code quality onto the desktop, as code is written, well before it's checked in. But it's just one piece of the puzzle. Combine it with deep scanning tools for open source software and visual debugging for multi-CPU apps and you'll have a bulletproof analysis strategy for efficient and reliable testing.
Sponsor Advertisement
TECH FAQ
Effective code analysis doesn't mean absolute paralysis
Challenge more misconceptions about static code analysis:
Read the Myths About Static Code Analysis white paper