Static Code Analysis: a Buyer’S Guide
Total Page:16
File Type:pdf, Size:1020Kb
WHITE PAPER STATIC CODE ANALYSIS: A BUYER’S GUIDE KEY DECISION CRITERIA FOR SELECTING TOOLS TO DEVELOP EMBEDDED SOFTWARE THAT IS MORE RELIABLE, SAFE, AND SECURE. www.programmingresearch.com TABLE OF CONTENTS OVERVIEW ..................................................................................................................... 3 WHAT IS STATIC CODE ANALYSIS? ............................................................................. 4 BENEFITS OF STATIC CODE ANALYSIS ...................................................................... 4 Reduces Risks Associated with Large, Complex Code Bases .............................. 4 Improves Security and Reduces Vulnerabilities..................................................... 4 Enhances Reliability and Safety ............................................................................ 5 Streamlines Processes .......................................................................................... 5 Saves Time and Reduce Costs through Early Detection and Remediation ........... 5 CHALLENGES OF SOURCE CODE ANALYSIS ............................................................ 6 Static Analysis is Not Dynamic .............................................................................. 6 Too Much Noise and Too Many False Results ...................................................... 6 Too Many Errors To Fix ......................................................................................... 7 Diffculties with Process Integration ....................................................................... 7 Lack of Buy-In and Motivation ............................................................................... 7 BEST PRACTICES .......................................................................................................... 8 Use Static Analysis for Progress Not Punishment ................................................. 8 Use Coding Standards ........................................................................................... 8 Prioritize Code Analysis ......................................................................................... 9 Address Your Results ............................................................................................ 9 Tune Your Analysis ................................................................................................ 9 HOW TO CHOOSE A STATIC CODE ANALYSIS SOLUTION ...................................... 10 Requirement 1: Integration with Development Platforms and Processes ............ 10 Requirement 2: Test Accuracy ............................................................................. 11 Requirement 3: Actionable Diagnostic Output ..................................................... 12 Requirement 4: Ease of Use ................................................................................ 12 Requirement 5: Standards Compliance Checking ............................................... 13 Requirement 6: Workfows and Reporting ........................................................... 13 CONCLUSION ............................................................................................................... 14 © 2016 PROGRAMMING RESEARCH LTD 2 OVERVIEW The Internet of Things (IoT) is no longer a far off concept; it’s here now. Modern society has become en- tirely dependent on software-based technology. Mobile phones have replaced alarm clocks and cameras, GPS has replaced paper maps, and the list goes on. New products and new markets are being rapidly created based on software innovations, offering unforeseen benefts to consumers and increased revenues for manufacturers. Delivering these new products, however, presents a unique set of challenges in software and product development. Software security, reliability, and safety are the criteria that will determine suc- cess or failure for many businesses. Developers employ a wide range of tools to build embedded software, including tools for analyzing, design- ing, documenting, and editing code, as well as tools for compilation, debug, test, optimization, and verifca- tion. The tools used within an embedded software development environment are the single biggest factor in determining the productivity and effectiveness of developers. Among the most vital of these tools are those tools used to eliminate software bugs – the most expensive, time consuming, and high-risk aspect of product development. Numerous studies have shown that signifcant cost savings can be achieved through static analysis of soft- ware code, particularly early in development. Further, static analysis contributes to improved performance, more effcient utilization of development staff, and a general reduction in downstream bottlenecks. This paper describes the importance of static analysis to delivering quality embedded software as well as the advantages static analysis provides in ensuring embedded applications perform well in production. It also covers the limitations of static analysis tools, highlighting the need for establishing and maintaining the proper processes and organizational support to ensure success and maximize value. Further the paper outlines several best practices for source code analysis and key capabilities to look for in a static analysis solution. Without the right tools and processes in place, simply automating code review activities will likely not deliver the desired results. Understanding how to apply the right tools and practices to make the most of source code analysis is fundamental to static analysis-based inspection and vital to ultimately delivering reliable, safe, and secure software. © 2016 PROGRAMMING RESEARCH LTD 3 WHAT IS STATIC CODE ANALYSIS? Static code analysis is the process of evaluating a system or component based on its form, structure, con- tent, or documentation. From a software assurance perspective, static analysis addresses weaknesses in program code that might lead to vulnerabilities; this type of analysis may be manual, as in code inspections, or automated through the use of one or more tools. Automated static code analyzers check source code for specifc defects as well as for compliance with various coding standards. BENEFITS OF STATIC CODE ANALYSIS Static code analysis enables development and testing teams to make signifcant advances in conducting more effcient and more realistic large-scale code reviews. Automating code analysis and documentation also enables organizations to realize major reductions in development cost and time. REDUCES RISKS ASSOCIATED WITH LARGE, COMPLEX CODE BASES As software becomes more critical to delivering product value, code bases are rapidly growing and becoming more complex. Code is being developed across the globe by both internal and outsourced development teams. New code is combined with large legacy code bases that are being reused and modifed for current applications. While reusing code can reduce costs, it can also increase complexity and the risk of defects. And while outsourcing development has advantages, it too adds more variability and complexity to a project. Static analysis tools address this complexity and its associated risk on several fronts. First, they enable organizations to analyze millions of lines of code in a small fraction of the time it would take a team of developers. Second, they analyze code before it is reused in a project and as it is added to a project. Third, they provide a way to enforce development standards across both internal and external development teams. IMPROVES SECURITY AND REDUCES VULNERABILITIES The growing reliance on embedded software raises the importance of security considerations during software design. Buffer overfows, resource leaks, insuffcient encryption, insecure interfaces, and other defects and security issues remain too common in embedded systems. As more devices are deployed and connected to the Internet of Things, the number of entry points for hackers is increasing dramatically. Static analysis helps ensure coding consistency and is an effective means of fnding the most common security defects including buffer overfows and resource leaks among others. © 2016 PROGRAMMING RESEARCH LTD 4 ENHANCES RELIABILITY AND SAFETY Engineers developing highly complex, safety-critical software systems in automotive, aerospace, medi- cal, and an increasing number of consumer products must ensure reliability and quality of those systems. Many systems that rely on software to operate safely and consistently undergo rigorous testing once they are built. These practices typically align with ISO 9001/CMMI and standards and practices specifc to the certifcation of high integrity software systems such as SAE ARP4754. Static analysis tools can be used to minimize software defects that lead to disastrous system failures, injuries, or even fatalities. Static analysis is particularly useful to measure code complexity and verify compliance with coding standards (such as MISRA C) on DO-178C, ISO 26262, and other projects; demonstrate that the software will not fail due to certain types of runtime errors; and assess the effects of making changes to the application while helping to determine if changing code in one area may impact the reliability or functionality of code in another. STREAMLINES PROCESSES Static analysis provides feedback to help developers adopt better programming habits, enabling them to write better code faster. Tools that provide well-documented feedback to remediate a potential issue and can pinpoint the precise line of code on which the