VDC Research has released their report Standardizing Safety & Security with Static Analysis. Among the many interesting findings revealed in their survey, which profiled 539 embedded/IoT engineers, was that software projects in full compliance with coding standards are eight times more likely to be ahead of schedule than those where no standards were applied.
Doesn’t this seem counter-intuitive?
How could adding the requirement for enforced compliance to a coding standard accelerate the development schedule? Wouldn’t an extra layer of process and requirements lengthen the development time compared to teams without one?
In a world where demand for delivery is ever increasing, how can we better understand this finding to help improve the schedule for your team?
How compliance accelerates your development schedule
1. Coding standards cultivate a culture of excellence where objectives and outcomes are clear for all team members.
Whether you are onboarding junior developers or managing a team of veteran coding warriors, coding standards are independent, documented, broadly understood, and achievable in a clear and demonstrable fashion. It no longer depends on one person’s “style” or understanding of what is ideal or what the current team culture is. Team members can be brought on faster or moved between teams more seamlessly – particularly if they have previous industry standards experience.
Over time, coding practices become more efficient as the team learns to code to the standard in a unified and systematic way. The culture shifts from being one of “make it work now” to “build it for the future.” Future releases become easier and more achievable with a common foundation and standard.
This is not just true of software development, but also of other industries. BSI reports that 75% of businesses that achieved the more general ISO 9001 certification saw a boost in their operational performance.
2. Industry-accepted standards were developed for a reason. They identify not only issues to avoid, but also best practices, which can make your team more efficient.
External coding standards like MISRA, CERT, and DISA-STIG were developed in coordination with literally hundreds of experts with thousands and thousands of years of collective experience in the field, and in research. The standards identify not only security vulnerabilities and potential defects to avoid, but also advise on recommended styles and practices. In the case of MISRA, these include best practices rules that have been evaluated for effectiveness. These standards continue to be revised, updated, and expanded to cover new issues and scenarios.
Your team can benefit from industry-leading wisdom and the work of thousands of experts to refine your coding practices and produce code of the highest security and reliability. Following these best practices allows you to produce more effectively and faster, and avoid issues outlined in reason #3.
3. Full compliance, with enforcement, avoids costly common errors early in the development process, which in turn avoids rework and last-minute delays.
How crushing is it to be “almost there” with a release, only to discover a defect or security vulnerability that stops your team in its tracks? Even worse, these are often commonly understood and identifiable defects that were not caught in code review, unit tests, or other QA processes. This inevitably requires a return to development and a restart of the process to fix the defect prior to release.
Alternatively, what are the risks of a defect in your software being delivered to your customer? Once identified, will it require your team to drop their current work for an “all hands on deck” effort to patch or update the product? Or will the consequences be even more dire, in the case of safety critical or highly visible industries? Derailed sprints can delay schedules significantly.
Learn from the lessons of the past – or be doomed to repeat them.
4. Standards compliance creates a positive feedback loop of reduced defects in the field, greater competitive advantage with a standards adherence (MISRA, ISO 26262, AUTOSAR), and decreased time to market for new products.
Teams crave to work on innovative new features for dynamic and expanding products. Whether your product is required to comply with a standard or not, committing to a recognized coding standard is a competitive advantage that allows you to open doors to new customers. As software issues and security vulnerabilities become more visible and higher profile, customers are seeking to reduce risks and find reliable partners that share their commitment.
When you deliver more reliable and industry-compliant code, with fewer defects in the field, your team will be able to deliver new features and new products faster. This in turn will improve brand reputation and create more opportunities. Thus, the feedback loop begins.
For many years, the medical device industry was motivated to seek out coding standards for this very reason, relying heavily on the MISRA-C standards. Over time, we have now seen the emergence of industry-specific standards like the FDA recognition of UL2900 for security in medical devices and IoT networking.
5. Standards aren’t meaningful unless they are broadly and systematically enforced. Full compliance requires more than just code review and unit tests. There are tools to enforce and evaluate variances: static code analysis.
Using recognized standards allows you to seek out tools and processes that can enforce and evaluate how your team is complying to a known standard. If you rely uniquely on internal standards or guidelines, how can you ensure these standards are enforced over millions of lines of code?
Enforcing standards is not about punishing developers or playing “gotcha”; it is about harnessing the power of compliance and ensuring that your organization can fully realize the gains offered by this approach. Improvements in delivery, quality, and security can only be achieved with an examination of every line of code, something that is challenging when dealing with legacy projects or large-scale development.
Static code analysis is a powerful method to evaluate and enforce coding standards, particularly when taxonomies related to industry standards like MISRA, CERT, and CWE come out of the box and can be easily set up within your existing workflow.
Measurement and reporting become the key to tracking defects in the field, adherence to the standard, and the corresponding gains in productivity. Then you can truly evaluate the ROI of full compliance to standards.
As the VDC report concluded, “Until a significantly higher percentage of development teams utilize static code analysis testing, particularly on projects facing compliance mandates, on-time schedule performance will remain poor across the embedded industries.”
Take the next step to accelerate delivery
When viewed through the lens of these five key principles, adding compliance to your development process does not seem so counter-intuitive after all. It is no surprise that those practicing and enforcing standards compliance see significant advantages in code delivery, avoiding many of the pitfalls experienced by their competitors.
In this context, we have seen the significant expansion of teams implementing coding standards, even in the absence of specific requirements to be compliant. Perhaps it is time for you to consider the standard that would be most relevant to your industry and the best enforcement methodology. It may be the most significant step you make this year to ramp up your delivery schedule.