Embed Size (px)
Citation preview
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 1GENIVI is a registered trademark of the GENIVI Alliance in the USA and other countries. Copyright © GENIVI Alliance 2016.
Rapid software testing and conformance with static code analysisOctober 2016
Walter CapitaniProduct Management, Rogue Wave Software
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 2
What we do
Rogue Wave helps organizations simplify complex software
development, improve code quality, and shorten cycle times
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 3
Company snapshot
Founded:1989
We are the largest independent provider of cross-platform software development tools and embedded components
Our capabilities cover different languages, code bases, and platforms. We meet development where – and how – it
happens.
Headquarters:Louisville, CO
Employees:350
Offices Worldwide:11
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 4
Used by 3,000 customers in over 57 countries across diverse industries to develop mission-critical applications and software
Financial Services Telecom Gov’t / Defense Technology Other Verticals
We enable mission-critical workloads
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 5
Rapid software testing and conformance with static code analysis
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 6
SOFTWARE NOW TO BLAME FOR 15 PERCENT OF CAR RECALLS
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 7
How can static code analysis improve software quality?
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 8
What are the factors affecting software quality, complexity, and security?
• Greater use of software in vehicles• Pressure to release on time (or as soon as possible!)• Market demand for new features• Greater use of third-party libraries
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 9
How can static code analysis improve software quality?
• Find common issues in code– Buffer overflows (security exploit or program crashes)– Null pointer dereferences (your program crashes)– Memory leaks (processor runs out memory and locks up)– Uninitialized data usage (data injection)– Platform/OS specifics (privilege escalation, etc…)– Concurrency (deadlock)
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 10
How does static code analysis work?
• Automatically inspects source code to find potential defects
• Different types of analysis– Walks down every path of your code– Inter-procedural– Inter-file
• SCA runs the tests that your developers don’t (or won’t) write
• SCA will find defects that other testing won’t
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 11
How can static code analysis find bugs my testing doesn’t?
• Traditional testing tools require reproduction of the exact runtime conditions that cause the issue to occur
• This in turn requires developers to write specific tests that will exercise the code in the specific way that reveals the defect at runtime– This is time-consuming for developers– Even comprehensive testing may not trigger the specific runtime conditions that cause the
defect
• Static code analysis helps by finding defects that are hard to find with the human eye– These defects are mot generally found by code review– Many are traditionally found with dynamic testing after a failure has occurred in testing or the
field – but its too late!
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 12
Source code analysis benefits: security & quality
• Significantly reduces the cost of reliable, secure software• Complements existing testing approaches• Automated and repeatable analysis
• Enforces key industry standards• DISA STIG, CWE, MISRA• CERT, SAMATE• OWASP, DO-178B, FDA validation• ...and more
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 13
Continuous static code analysis
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 14
The faster you find a defect, the less costly to fix
1X 3X 5X 10X
100X
Requirements Design Coding Testing Maintenance
$139 $455 $977
$7,136
$14,103
Time Detected
Co
st t
o Fi
x
SpecificationDesign
CodeUnit Test
System Test
UAT
Release
Co
st t
o Fi
x
Lifecycle Stage
Co
st t
o Fi
x
Development Unit Tests QA Testing Production
Time
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 15
Traditional analysis done after compile/build
Development CycleEdit & Save
Compile & Test
Check In Build Analyze
& Fix
• Late stage “rework” reduces tool adoption• Timelines compromised• Issues are more expensive to fix
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 16
Why not perform analysis earlier in the cycle on the desktop?
Eliminates new defects from being checked back into the team level build
No extra work for developers In-context checking and fixes Continuity of development flow
Edit & Save
Analyze& Fix
Compile & Test
Check In Build
Development Cycle
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 17
What about defects found during integration?
Edit & Save
Analyze& Fix
Compile & Test
Check In
Developer 1
Edit & Save
Analyze& Fix
Compile & Test
Check In
Developer 2
Time
Integrate
Check In
Compile & Test
Check In Lots of issues
found here!
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 18
Continuous static code analysis
Edit & Save
Analyze& Fix
Compile & Test
Check In
Developer 1
Edit & Save
Analyze& Fix
Compile & Test
Check In
Integrate
Developer 2
Time
IntegrateIntegrate
Check In
Compile & Test
Edit & Save
Analyze& Fix
Edit & Save
Analyze& Fix
Compile & Test
Check In
Check In
Integrate
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 19
Continuous static code analysis
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 20
Continuous static code analysis
• Improves the predictability of software release schedules• Improves the quality and security of release software• Reduces the cost of finding and fixing software defects
© 2016 Rogue Wave Software, Inc. All Rights Reserved. 21
Walter Capitani, Product Manager, KlocworkRogue Wave Software
Thank you!
