
KLOCWORK | WHITE PAPER | JANUARY 2014

Static code analysis is better at the desktop


Next-generation features to produce more secure and reliable code

Developers work under a lot of constraints to create the best possible software they can: design complexities, limited resources, shrinking deadlines, and more. On top of this, there are many types of security and reliability defects that occur in software projects. Sometimes obvious, more often subtle, finding and fixing these defects early in the software development lifecycle (SDLC) saves time and money. Today, most static code analysis (SCA) tools find issues too late, only after code has been checked in, and force developers to work outside their familiar workflows. The next generation of SCA tools offers automatic detection of issues as developers code and integrates more directly into developer workflows.

Why static code analysis?


Software user experience is a key differentiator, a way to gain a competitive edge, especially when today's end users have extremely low tolerance for insecure or unreliable software. That means that while developers are using software to push the innovation envelope, they must also ensure that the software always works, from the first time it's deployed to every time it's updated. In this environment, where code complexity and exposure points for security breaches are growing exponentially, traditional testing methods are no longer effective in ensuring code security and reliability. The cost of software defects is very high:

A Cambridge University study states that software defects cost the worldwide economy $312 billion annually.

A Capers Jones study (PDF) states that 50 cents of every dollar goes towards finding and fixing defects.

This is where source code analysis can help. At its core, the automated analysis of software finds security vulnerabilities, standards violations, and programmatic errors using techniques that are comprehensive and repeatable, giving developers the ability to produce more secure and reliable code. Since these techniques work directly with code, issues are found earlier in the software development lifecycle, making them easier to fix and less costly overall.

Figure 1 shows the relationship between identifying defects and the cost to repair them across the software development lifecycle.
[Figure 1: chart of % of bugs per SDLC phase (Coding, Unit Test, Function Test, System Test, After Release) with three series: % defects introduced in this phase, % defects found in this phase, and cost to repair a defect in this phase; labels shown: 85%, $25, $100, $250, $1,000, $16,000]

Figure 1 | Cost of fixing software defects over time [1]

Although the benefits of early defect detection are widely understood, the typical belief is that static code analysis is performed outside the control of developers, happens only after code is checked in, and forces developers to wait for results. On-the-fly, desktop static code analysis addresses all of these concerns.

The desktop is familiar


Every developer wants to seek and destroy weaknesses in their code as early as possible, with minimal distraction. This means issues need to be identified quickly and presented in a way that developers are familiar with, so they can be fixed and released on schedule. Unfortunately, most SCA tools aren't designed with the size and complexity of modern development teams in mind. In order to effectively analyze inter-procedural control and data flow dependencies, analysis engines must be centralized and provided an unfiltered view of the entire code base. In this setup, defects are identified only after individual code updates are checked in. At this relatively late stage, the cost of identifying defects increases and developers may have already moved on to something else. Fixing defects becomes a problem of team management rather than empowering developers directly.

Bringing SCA out of the centralized build and onto the developer desktop allows even earlier detection of defects and enables developers to fix issues before they become a problem. Building on previous SCA techniques and architecture, the next generation of tools integrates the analysis into familiar development environments, such as Microsoft Visual Studio or Eclipse, and presents results in a way that's similar to what developers already see from the compiler. In this way, developers can harness the power of SCA checkers that are engineered to detect security vulnerabilities, reliability issues, standards violations, and other programming bugs that are beyond the scope of compilers. Figure 2 shows an example of how this looks within a typical IDE.

Figure 2 | Static code analysis results presented within Microsoft Visual Studio
[1] Applied Software Measurement: Global Analysis of Productivity and Quality, Capers Jones, 2008


Project awareness
Presenting results at the desktop is only part of the story, especially when the analysis is only as effective as the amount of code it covers. Most SCA tools analyze code in isolation from developers, using centralized repositories that can lead to a fragmented process where individual developers believe their code is correct but the team must wait until after check-in for complete confidence.

The next generation of static code analysis engine has full awareness of the project and its developers. Using one server to track the entire code base, analysis results at the system level are automatically synchronized with analysis results at the local desktop. This ensures that the local projects of every developer are analyzed within the context of the entire system, including control and data flow interactions between the latest classes and functions outside the developer's view. With this analysis architecture, developers are able to control the security and reliability of their code before check-in and before any other type of static code analysis technology can be applied. This is truly the earliest point in the software lifecycle that complete source code analysis can be introduced, giving developers more confidence that their code works within the overall system.

On-the-fly is faster
Even with the ability to present local and system-wide analysis results at the desktop, the defect identification process can be faster. Taking a cue from modern IDEs and harnessing the processing power of today's computers, static code analysis can run in real time, finding issues as code is being written. This on-the-fly analysis is similar to the live compilers found in today's IDEs, giving instant and continuous feedback on security vulnerabilities and reliability defects being introduced into the code. Figure 3 shows how a potential defect is presented on-the-fly in a typical IDE that's integrated with this type of capability.

Figure 3 | On-the-fly desktop analysis showing instantaneous results

Presenting analysis results this way gives developers the two things they want: rapid identification of issues, in a development environment they're familiar with.

The workflow works


Bringing static code analysis onto the desktop, within IDEs that are familiar to developers, and displaying results as they type, makes fixing defects a natural part of the development workflow, just like a compiler. This evolution of SCA enables developers to create the most secure and reliable code they can, without waiting for a centralized build analysis and without depending on another team to report results. This approach reduces the number of problems reported later in the development cycle and minimizes the time developers need to go back and forth fixing issues. This boosts productivity and reduces costs, as shown in Figure 4.
[Figure 4: chart of number of code defects found per software development life cycle phase (Design, Implement, Build, Unit Test, Check-in, System Build, System Test & QA, Release), comparing on-the-fly analysis with build-only analysis and overlaying the cost of defects]

Figure 4 | On-the-fly desktop analysis finds more defects earlier in the lifecycle

Desktop analysis is better


Development teams and individual developers want to create good code that users can rely on. Good static analysis tools provide the opportunity to find and fix problems early and quickly, so less effort is spent on creating software that's free from vulnerabilities and critical defects. The next generation of static analysis tools builds on this premise and does so in a way that's familiar to developers, making adoption easier. Giving individual developers the ability to resolve coding issues at the moment they're introduced leads to more secure and reliable code across the entire development team.

Learn more about how Klocwork helps you develop secure and reliable software. Visit the Klocwork Developer Network to see a list of available checkers and examples that show you the best way to remedy security vulnerabilities, even if you've never heard of them before. See how easily you can write secure, reliable code by signing up for a free trial of Klocwork Insight today!

About Klocwork
In the world of AppSec, developers and the firms that employ them demand tools that provide a competitive edge. Klocwork meets these demands with compelling desktop tools that enable developers to produce secure, reliable software more easily and quickly. Klocwork's unique SCA tool provides accurate, reliable analysis as developers write their code, identifying potential security vulnerabilities and reliability issues before they are submitted to the software build. Additional desktop tools simplify code review, refactoring and architectural analysis. More than 1,100 customers, including the biggest brands in the automotive, consumer electronics, gaming, medical technologies, military and aerospace, mobile device and telecom sectors, rely on these tools every day to make their software more secure and reliable, creating applications they are proud of. Find out more at www.klocwork.com

Klocwork is a registered trademark of Klocwork Inc. in the United States and other countries. All other names are trademarks or registered trademarks of their respective companies.

IN THE UNITED STATES: 15 New England Executive Park, Burlington, MA 01803

IN CANADA: 30 Edgewater Street, Suite 114, Ottawa, ON K2L 1V8

t: 1.866.556.2967 f: 613.836.9088 WWW.KLOCWORK.COM

Klocwork Inc. All rights reserved.
