The list of factors developers must consider in the coding process is extensive, encompassing everything from basic style or readability guidelines to advanced security safeguards. Accordingly, checking code with static analysis tools is often best done in multiple phases or layers, with each taking a different focus.
In a recent post on the company’s blog, Etsy’s Nick Galbreath explained how his engineering team uses three tiers of static analysis when writing its PHP code – a process that can be applied to any development project. In the first tier, coders run simple, ongoing static analysis checks to catch careless errors, syntax problems and messy formatting. Galbreath noted that syntax errors should never go to production, so his developers run a quick scan on any file after making changes. As the business’ development team grows, static analysis scans are also helpful for maintaining consistent coding style and ensuring readability.
The next layer of source code analysis Etsy uses is a formal check that performs a global scan of the entire code base. Regularly doing such scans can help identify undeclared or twice-declared variables, unknown functions and more, Galbreath noted.
“Since it’s so fast, we can put the static analysis as a pre-commit hook that prevents bugs from even being checked in,” he wrote. “Which it does almost every day.”
Finally, the company performs security checks such as scanning its source repository for viruses and using static analysis tools to scan for commonly misused functions involving cryptography, random numbers and process management.
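As an added illustration (not code from Etsy’s post or from Klocwork), the following POSIX shell script layers two of the tiers described above into one pre-commit hook: a per-file PHP syntax check and a pattern scan for commonly misused cryptography, randomness and process-management functions. The `php -l` lint, the specific function list and the sample PHP file are my assumptions about what such a scan looks like, not Etsy’s actual rules.

```sh
#!/bin/sh
# Fast tiers of the layered approach as a single pre-commit script:
#   tier 1 - syntax-check each staged .php file (php -l)
#   security tier - flag functions often misused for crypto, randomness and
#   process management (the pattern list is an illustrative assumption)
# Exit status 0 means "ok to commit"; anything else blocks the commit.

# Tier 1: parse every file; returns 1 if any fails. Skipped when php is absent.
lint_php() {
    command -v php >/dev/null 2>&1 || { echo "php not on PATH; skipping lint"; return 0; }
    rc=0
    for f in "$@"; do
        php -l "$f" >/dev/null 2>&1 || { echo "SYNTAX: $f"; rc=1; }
    done
    return $rc
}

# Security tier, portable ERE. The leading group rejects method and static
# calls such as $pdo->exec( or Foo::system(, which are not the functions meant.
MISUSE_RE='(^|[^A-Za-z0-9_>:])(rand|mt_rand|srand|md5|sha1|mcrypt_[a-z_]+|exec|shell_exec|system|passthru|proc_open)[[:space:]]*\('
# Prints file:line:text for every hit; returns 1 if anything was found.
scan_misuse() {
    rc=0
    for f in "$@"; do
        hits=$(grep -nE "$MISUSE_RE" "$f" || true)
        [ -n "$hits" ] && { printf '%s\n' "$hits" | sed "s|^|$f:|"; rc=1; }
    done
    return $rc
}

# Hook entry point: only files staged for this commit (names without spaces assumed).
run_hook() {
    files=$(git diff --cached --name-only --diff-filter=ACM | grep '\.php$' || true)
    [ -z "$files" ] && return 0
    lint_php $files && scan_misuse $files
}

# Self-contained demo over a constructed sample file, not a real project source.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
<?php
$token = md5(mt_rand());            // weak token: two flagged calls on one line
$rows  = $pdo->exec("DELETE ...");  // PDO::exec, deliberately not flagged
$out   = shell_exec("ls " . $dir);  // flagged
EOF
    scan_misuse "$tmp" && echo "clean" || echo "blocked: review the hits above"
    rm -f "$tmp"
}

case "${1:-demo}" in hook) run_hook ;; demo) demo ;; esac
```

Run the script without arguments for the demo; to use it as a hook, have `.git/hooks/pre-commit` execute `sh check_php.sh hook`.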
Adding more layers
In a presentation from the 2009 NDIA Systems Engineering Conference, Paul Croll, a fellow at IT consultancy CSC, outlined a similar three-phase process drawn from industry recommendations. He suggested development teams run all available static analysis tools to minimize false positives and negatives, and he noted coders should take the time to examine every warning returned. Code should be evaluated from the beginning of the development process and re-evaluated at every milestone.
Like Galbreath, Croll advised developers to include security checks in their review process. He recommended, in particular, looking for common vulnerability patterns such as buffer overruns, SQL injection and cross-site scripting weaknesses. Both static analysis and manual code review should specifically address the top 25 programming errors listed in the MITRE database, he noted. Manual review is the key third step for guaranteeing a thorough evaluation of code.
“Such code review should start at the entry point for each module under review and should trace data flow through the system, evaluating the data, how it’s used, and if security objectives might be compromised,” Croll wrote.
While the specific layering of checks is likely to vary by organization, companies that choose to implement a multi-tiered static analysis plan – particularly one complemented by manual code review – are likely to be best positioned against risks of all types. The use of such tools can encompass everything from identifying critical vulnerabilities to cleaning up syntax, depending on the process project teams adopt.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.