(This article was written by Lisa Morgan and originally appeared in the January 2017 issue of SD Times magazine)
When developers and QA engineers test code, they have to imagine what may go wrong in production. Even if they do a code review or read through the code, there are always bugs that are very difficult to detect. To ensure those bugs can be identified and remediated quickly, software teams are embracing Rogue Wave’s Klocwork, an automated static code-analysis tool that ensures every line of code, every function or method call, and every parameter has been checked so errors can be fixed before a build completes.
“Developers and QA people don’t have the time and focus to test every single line of code in an application. With Klocwork, you have an automated way to do it so you can ensure that nothing slips through the cracks,” said Rod Cope, CTO of Rogue Wave Software. “It’s important that quality and security issues don’t sneak in because developers are working at 2:00 a.m. to meet a deadline. Klocwork always has your back.”
Deliver higher-quality code faster
As teams add more features to their code, deliver it faster, and adhere to stricter standards, finding and fixing security flaws becomes more difficult. The resulting vulnerabilities can lead to data breaches and application crashes that could have been prevented early in the software life cycle. Klocwork identifies many hard-to-find issues in code, such as buffer overflows or buffer overruns, memory leaks, deadlocks, multithreading defects, and compliance issues. Using Klocwork, developers can avoid vulnerabilities such as Heartbleed while improving software quality and the economics of software delivery.
For example, Lawrence Livermore Labs saved $200,000 on a small project, and Harris, a defense contractor and an IT services provider, saved $60,000 on a pilot project. One customer identified 20% more bugs in its IoT code. Another experienced a 90% increase in the lines of code per developer when integrating Klocwork with its Continuous Integration solution and running the analysis.
“Klocwork almost doubles the capacity of your team. If you add all the efficiency gains up, it’s like doubling your engineering team without hiring people,” said Cope.
A recent Rogue Wave survey found that most developers are responsible for securing the software they produce because their companies lack the appropriate security personnel. Another survey found that 80% of developers responding admitted they don’t know how to secure software.
“Everybody needs help with security because it’s such a big problem,” said Cope. “We can automate that so our customers can be sure that their apps are properly secured regardless of whether a junior developer or senior person is writing the code.”
Security isn’t the only challenge, however. Developers are doing more types of testing than ever while software delivery cycles continue to accelerate. If errors can be identified prior to a build, less testing will be required later, remediation costs will decrease dramatically, and software can be delivered faster.
“Today’s development teams are only writing 10% to 20% of the code in their app, and the rest comes from open source, contractors, offshoring, and on-shoring. Other parties are writing code that’s used in the apps,” said Cope. “Static code analysis can test all that code—not just the code your team has control over.”
Build quality into Continuous Integration
The best way to build quality into Continuous Integration processes is to integrate the testing tool seamlessly with the Continuous Integration solution, so that analysis runs on every build rather than as a separate step. Klocwork provides that integration.
Some Rogue Wave customers have made static code analysis part of the build and test flow, so a build fails if a security defect is identified during the code analysis scan. When such an issue is identified, Klocwork notifies the developer who introduced it so the issue can be remediated before the code is checked into the mainline.
Klocwork also notifies developers of errors they are introducing as they write code so they can be fixed immediately. For example, if a developer types a construct that introduces a security vulnerability, a red squiggle appears below the offending code. That way, the developer can correct the error in context rather than waiting for the code to go through a QA cycle, getting familiar with the code again, and then resolving the issue.
“Klocwork makes static code analysis hassle-free for developers. It enables them to prevent errors upfront rather than fixing them later,” said Cope. “For years, developers have been told that fixing bugs earlier in the life cycle saves time and money. Not everyone knows that static code analysis takes the guesswork out of testing so higher-quality software can be delivered faster.”
Learn more at roguewave.com.