Andrew Yang works for Code Integrity Solutions (http://www.codeintegritysolutions.com), a professional services provider specializing in source code analysis. Code Integrity Solutions is a partner of Coverity.
What are the challenges of SCA?
SCA in practice is far from perfect. Simply buying a tool doesn’t solve any problems, and simply making a tool available to your team is almost certainly not going to result in adoption. In fact, it rarely does.
Think of the old adage: “you don’t go to a hardware store to buy a drill, you go to buy holes.” When you purchase an SCA tool you are buying fixed defects and addressed vulnerabilities. The tool, by itself, will get you only a small part of the way there. The biggest challenges we’ve seen from hundreds of deployments are:
• Lack of integration into the process
• Misconfiguration, or a setup that does not match business goals
• Lack of trust in what the tool is reporting
• Lack of management support
• Lack of commitment
• Insufficient staffing in number and in expertise
• Lack of ownership
When you purchase an SCA tool, your work has only just begun. As with most other tools, beyond the license and support costs there are tangible and intangible costs to operate the tool effectively, from both a technical and a process standpoint. These investments have to be made; otherwise the tool will sit on the shelf, nobody will use it, and the purchase will have been a waste. Luckily, these costs are generally not large, and most of the issues can be addressed with good planning and allocation of the right resources and budget.
Belief in the tool’s value
It is very difficult to calculate the ROI of an SCA tool. By definition you are fixing problems before they reach the field, so it is difficult to know the full extent of the damage they would have done if you hadn’t used the tool. Several companies have tried to measure a tool’s value by correlating its findings to past defects, with some success. Results have varied greatly depending on the codebase and the methodology used to analyze them. Most see a big benefit but are not able to quantify it well.
In addition, SCA tools provide, at best, educated guesses and can therefore be wrong. This should be fully expected. For example, SCA tools have limited ability to account for environmental assumptions such as configuration settings or usage constraints: the analysis sees the code, not the deployment it runs in. False positives (incorrectly flagged defects) and irrelevant findings (“that will never happen” issues) cause users to lose confidence in the tool. Defect reports pile up or, worse, valid bugs are incorrectly marked as false positives because the developer didn’t trust the tool enough to investigate the report in detail. SCA-reported defects then become low priority and remain unaddressed, and bugs and vulnerabilities you could have caught in development slip through into production.
The initial usage of the tool is an important time, when lasting impressions are formed. Many SCA tools report every problem with equal weight and give little guidance as to which findings are higher priority than others. To be fair, priority is different for every organization: it is usually a combination of the severity of the effect, how likely the defect is to occur in production, and how it affects the functionality of the product, and the tool knows only the first of these. Therefore it is typically not calculated at all. A developer facing a large pile of reports does not know where to begin. SCA tools do not prioritize well.
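One way to supply the priority the tool does not, as an added example that is not from the article or from any vendor’s product: score each finding by the three factors above (severity from the tool, functional impact per defect class, and production likelihood from where the code lives, which is the environmental assumption the analyzer cannot see) and split the result into a short fix-now list and a backlog. The findings, checker names, weights and path rules below are all constructed assumptions that a team would replace with its own.

```python
"""Rank static-analysis findings by a team's own priority policy.

Added example for this article; it is not code from Code Integrity Solutions,
Coverity or any other SCA vendor. The findings are constructed, and the
checker names, weights and path rules are assumptions a team would replace.
"""
import json
from dataclasses import dataclass

# Constructed sample of an SCA export, reduced to the fields triage needs.
# Checker names are illustrative, not those of any particular tool.
SAMPLE_FINDINGS = json.dumps([
    {"id": 1, "checker": "TAINTED_SQL",    "file": "src/web/login.c",  "line": 88,  "severity": "high"},
    {"id": 2, "checker": "NULL_DEREF",     "file": "src/core/parse.c", "line": 412, "severity": "medium"},
    {"id": 3, "checker": "RESOURCE_LEAK",  "file": "test/unit/mock.c", "line": 17,  "severity": "medium"},
    {"id": 4, "checker": "BUFFER_OVERRUN", "file": "src/net/rx.c",     "line": 203, "severity": "high"},
    {"id": 5, "checker": "UNUSED_VALUE",   "file": "src/core/parse.c", "line": 55,  "severity": "low"},
])

# Severity of effect: taken from the tool's own rating.
SEVERITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}

# How the defect class affects the product (assumed values): injection and
# memory-safety bugs are exploitable, a null dereference crashes, a leak
# degrades slowly, an unused value is usually cosmetic.
FUNCTIONAL_IMPACT = {
    "TAINTED_SQL": 3.0,
    "BUFFER_OVERRUN": 3.0,
    "NULL_DEREF": 2.0,
    "RESOURCE_LEAK": 1.0,
    "UNUSED_VALUE": 0.5,
}

# Likelihood that the code runs in production, keyed on its location.
# First matching prefix wins. This is the environmental knowledge the tool
# lacks: test code never ships, network and web code face untrusted input.
PATH_LIKELIHOOD = [
    ("test/", 0.1),
    ("src/net/", 1.0),
    ("src/web/", 1.0),
    ("src/", 0.7),
]
DEFAULT_LIKELIHOOD = 0.5


def likelihood(path: str) -> float:
    """Production likelihood for a file path (first matching prefix wins)."""
    for prefix, value in PATH_LIKELIHOOD:
        if path.startswith(prefix):
            return value
    return DEFAULT_LIKELIHOOD


@dataclass(frozen=True)
class Finding:
    id: int
    checker: str
    file: str
    line: int
    severity: str

    @property
    def score(self) -> float:
        """Severity x functional impact x production likelihood."""
        return (SEVERITY_WEIGHT[self.severity]
                * FUNCTIONAL_IMPACT.get(self.checker, 1.0)
                * likelihood(self.file))


def rank(findings_json: str) -> list[Finding]:
    """Parse the export and return findings, highest priority first.

    sorted() is stable, so findings with equal scores keep the tool's order.
    """
    findings = [Finding(**f) for f in json.loads(findings_json)]
    return sorted(findings, key=lambda f: -f.score)


def bucket(findings: list[Finding], threshold: float = 1.0) -> tuple[list[Finding], list[Finding]]:
    """Split ranked findings into a fix-now list and a backlog.

    The point is to hand the developer a list short enough to start on rather
    than the whole pile; the threshold is a policy choice, not a tool setting.
    """
    now = [f for f in findings if f.score >= threshold]
    later = [f for f in findings if f.score < threshold]
    return now, later


if __name__ == "__main__":
    now, later = bucket(rank(SAMPLE_FINDINGS))
    for label, group in (("FIX NOW", now), ("BACKLOG", later)):
        print(label)
        for f in group:
            print(f"  {f.score:5.2f}  #{f.id}  {f.checker:<15} {f.file}:{f.line}")
```

With these weights the SQL injection and buffer overrun in code that faces untrusted input land at the top, the null dereference in core parsing follows, and the leak in test-only code drops to the backlog even though the tool rated it the same severity as the dereference. The backlog is not the same as “false positive”: it is still a real report, just one that is deferred by a documented policy rather than silently dismissed.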
In software development organizations, there is a constant battle between what is urgent and what is important. SCA tools fit more under the important category and are often deprioritized from daily activities in an environment where everything is urgent. Some organizations unfortunately are more reactive than proactive. If everything is urgent, then in general you are understaffed. If people are pulled onto different projects and can never accomplish their goals, then you have not made a serious commitment to SCA. Get ready to put the SCA tool on the shelf.
Changing behavior is hard
Most organizations that use SCA require the software developer who owns the code to fix the problems reported. Getting participants to change their process is never easy, and extra steps are never welcome. Expect resistance from a vocal minority.
If the tool is not easy to use, it won’t get used. It has to be baked into the process, it has to be easy to use, and the users have to be trained. In addition, individuals have to feel that it adds value to their job. Incentives and consequences are extremely important. People who use the tool to accomplish business goals should be rewarded loudly. Likewise, there need to be penalties or consequences for not fixing problems reported by the SCA tool. Techniques like the “wall of shame” and MBOs (management by objectives) help align everybody to the common goal but must be used carefully. Displaying high bug counts can be a powerful political force, but it can also cause undesired effects such as developers overzealously marking findings as false positives or as “ignore” just to make the numbers go down. You have to balance the culture with the proper checks and balances to get the right effect.
Management support has to be strong and steady. It’s hard to prioritize quality and security over features and functionality, and if management doesn’t believe SCA is a priority, it will never succeed. Setting up the right process and the correct incentive structures is critically important to changing behavior. That being said, management should always be evaluating whether the investment in a tool is still warranted; market conditions, and therefore priorities, change rapidly. Having the right reporting in place helps management monitor the contribution SCA is making to the overall development process.
Giving the right support
Lack of ownership is a huge issue. In addition to management support, there needs to be ownership from both a tool-operation perspective and a user perspective. Often, a small fraction of one person’s time is charged with owning the SCA tool. Most SCA tools come preconfigured to accomplish goals that may be misaligned with your own. Without the proper expertise and time commitment, most SCA administrators resort to running the tool out of the box, resulting in higher false positive rates, incomplete code coverage, increased false negatives (where the tool should have reported a bug but didn’t) and suboptimal performance. SCA tools are sophisticated and can be tuned to their best capability for a specific codebase. Expecting your SCA operator (who may have many other responsibilities) to be an expert administrator of the tool is unrealistic and a setup for failure.
At Code Integrity Solutions, we've seen many companies gain the most value from SCA by allocating expert staff with “static analysis” in their titles. Those people, in turn, took years to develop the level of proficiency that transformed their organizations into big quality and security success stories.
The Challenges of Source Code Analysis
By: Andrew Yang | 26/05/2009 | Programming