In our recent webinar, "5 ways to accelerate standards compliance with static code analysis," SCA experts Walter Capitani of Rogue Wave Software and Christopher Rommel of VDC Research reviewed the results of the latest VDC Research paper on the trends, techniques, and best practices for standards compliance within embedded software teams. We received a lot of questions during the webinar, far more than we could tackle in the Q&A. This post is the first in a series answering your questions on static code analysis.
Given the unique aspects of platforms within the product space versus the traditional business application space, how advanced are the static analysis technologies in their ability to identify the unique security issues and risks related to the product landscape?
Many static code analysis tools are targeted at the general application space, and many are focused on security – which is great – but they tend not to put much emphasis on the actual platform the software runs on. This means they are not very aware of which compilers and operating systems are being used, and they look largely for generic defects and security vulnerabilities in the application no matter where it runs. SCA tools designed for the embedded space put more emphasis on the platform and on how the software is going to be run and executed, which makes a huge difference in both how defects are found and which defects are found. Additionally, tools that find violations of industry coding standards help embedded software achieve high marks for quality and security.
What percentage of the code base or application does a static analysis product cover compared to other security testing methodologies?
Because static code analysis tools look at the actual source code, they cover one hundred percent of the visible code base. Compare this to, for example, dynamic security testing methodologies, which include fuzzers and penetration tests. These methodologies depend on the code paths that actually execute while the test tool runs. If a code path is executed, the tool might find the defect; but if there is a gap in those tools, or if the code path is not executed, a defect can sit in the code, ready to be exploited by someone who has knowledge of the code, or exploited under circumstances that could not be predicted when the code was released.
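The coverage gap described above, as an added illustration that is not part of the original post and not any vendor's tool: a constructed sample program has a risky `eval()` call on a `legacy` branch that ordinary test inputs never take. A small AST walker (standing in for a static analyzer) reports the call no matter whether the branch is reachable, while a line tracer (standing in for dynamic testing) records only the lines the test inputs actually executed. The `parse_size`, `SAMPLE_SOURCE`, and `DANGEROUS_CALLS` names are assumptions made for this example.

```python
import ast
import sys
import types

# Constructed sample program under analysis (not code from the original post).
# The `legacy` branch evaluates an input string; typical test inputs never take it.
SAMPLE_SOURCE = '''\
def parse_size(field, legacy=False):
    """Return the record size in bytes."""
    if legacy:
        # Old records stored sizes as expressions such as "4*1024"
        return eval(field)
    return int(field)
'''

# Call targets a static checker flags regardless of reachability (assumed list).
DANGEROUS_CALLS = {"eval", "exec"}


def static_findings(source):
    """Walk every node of the AST, reachable or not, and report risky calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DANGEROUS_CALLS:
                findings.append((node.lineno, node.func.id))
    return findings


def dynamic_coverage(source, inputs):
    """Run the sample with the given (field, legacy) inputs; return executed line numbers."""
    module = types.ModuleType("sample")
    exec(compile(source, "<sample>", "exec"), module.__dict__)
    executed = set()

    def tracer(frame, event, arg):
        # Only follow frames that belong to the sample source.
        if frame.f_code.co_filename != "<sample>":
            return None
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        for field, legacy in inputs:
            module.parse_size(field, legacy)
    finally:
        sys.settrace(None)
    return executed


def untested_findings(source, inputs):
    """Lines the static checker flags that the dynamic test never executed."""
    flagged = {line for line, _ in static_findings(source)}
    return sorted(flagged - dynamic_coverage(source, inputs))


if __name__ == "__main__":
    typical_tests = [("1024", False), ("0", False)]
    print("static findings:", static_findings(SAMPLE_SOURCE))
    print("lines executed by tests:", sorted(dynamic_coverage(SAMPLE_SOURCE, typical_tests)))
    print("flagged but never executed:", untested_findings(SAMPLE_SOURCE, typical_tests))
```

With the two typical inputs, the tracer never reaches line 5, so a purely dynamic approach has no chance of reporting the `eval()` there, whereas the AST walk reports it unconditionally. Adding a `legacy=True` input closes the gap for this one case, but only because someone already knew the branch existed; the static result did not depend on that knowledge.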
Can you use static analysis tools for object oriented design?
There is no reason you can't. No matter the design techniques you use for your software – including auto-generated code, for example – there is no guarantee that the code will perform properly in a safety-critical environment. Adopting an SCA tool that examines auto-generated code, other kinds of template code, and your own proprietary code is a very important step toward guaranteeing secure, high-quality code.
Can the tool do static code analysis on MATLAB auto-generated code, and should static analysis be performed on MATLAB autocode?
Yes, and yes. There is no reason not to use an independent SCA tool on auto-generated code. Depending on how that code will be used, you may want to flag and inspect violations of certain coding rules before you send that code out into the world.
How does static code analysis differ from test-driven development?
The two techniques complement one another. Static code analysis plays a valuable role because it can test earlier in the development cycle than other, traditional testing means. With test-driven development, one of the key elements is that the tests must be written by a developer. SCA performs the tests that developers don't want to write or don't have time to write. Test-driven development confirms that the product does what it is supposed to do, and SCA confirms that it works the way you want it to.
Keep checking the Rogue Wave blog for more posts answering your questions on static code analysis. And if you haven't already, be sure to watch the on-demand version of the webinar.