
The Evolution of Source Code Analysis

Automated source code analysis (SCA) technology is designed to locate and describe areas of weakness in software source code. Those weaknesses may be security vulnerabilities, logic errors, implementation defects, concurrency violations, rare boundary conditions, or any number of other types of problem-causing code. Source code analysis is distinct from more traditional dynamic analysis techniques, such as unit or penetration tests, since the work is performed at build time using only the source code of the program or module in question. The results reported are therefore generated from a complete view of every possible execution path, rather than some aspect of a necessarily limited observed runtime behavior.

The underlying technology of SCA is called static analysis. The current generation of solutions can provide sophisticated, high-value analysis that identifies critical bugs and security vulnerabilities that can potentially cause system crashes, enable hacker exploits, or affect the overall reliability of mission-critical software. As a result of recent innovations in this domain, organizations that develop mission-critical software are adopting SCA technology as a standard milestone of their integration build during pre-quality assurance (QA) activities. This has proven to be a useful stage at which to perform static analysis and has provided benefit in terms of accuracy and comprehension. However, build-time analysis suffers from an inherent weakness: code has already been committed to a source branch, so by the time a bug is discovered it is already impacting other members of the development organization and other elements of the system.

Professional software development organizations are now looking to better integrate static analysis technology into their development processes, and to apply it as early as possible in those processes rather than strictly as a build milestone activity. Reduced costs, better QA efficiency, and significantly improved software products are all benefits to organizations that are able to move high-quality source code analysis and software quality tools to the earliest point in the coding phase: the developer’s desktop.

This paper examines the evolution of source code analysis from developer desktop to integration/build and beyond, and describes how Klocwork Insight uses revolutionary new technology to be the first to take the next step in that evolution.

First Generation Source Code Analysis: A Developer’s Tool

The technology behind source code analysis – static analysis – has been around almost as long as modern software development practices. Fundamentally, the technology is a derivative of the compilation process, and for almost 30 years tools such as lint have been available to developers to run against their code.

Second Generation Source Code Analysis: The Comeback Kid

Realizing the limits of the first generation of source code analysis technology, a new generation of tools emerged in the early 2000s. These tools extended the analysis beyond syntactical and semantic analyses to include sophisticated inter-procedural control- and data-flow analysis and new approaches for pruning false paths, estimating the values that variables will assume, and simulating potential runtime behavior.
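To make the difference concrete, the following added example (not from the original paper and not Klocwork code) runs a toy nullness checker over a small constructed program. The tuple-based IR, the function names `lookup`, `unchecked` and `checked`, and the assumption that a local-only analysis treats unknown callee results as valid are all illustrative. It compares a per-function analysis, an inter-procedural analysis using function summaries, and the same analysis with false-path pruning switched off.

```python
from functools import reduce
NULL, NONNULL, MAYBE = "null", "nonnull", "maybe"
# Constructed sample program in a made-up IR: lookup() returns NULL on one path.
PROGRAM = {
    "lookup": [("if", "found", [("ret", NONNULL)], [("ret", NULL)])],
    "unchecked": [("call", "p", "lookup"), ("deref", "p")],
    "checked": [("call", "p", "lookup"), ("ifnull", "p", [("ret", NULL)], [("deref", "p")])],
}

def join(a, b):  # merge two nullness facts where control-flow paths meet
    return a if a == b else MAYBE

def run(block, env, summ, fn, out, prune):
    """Walk one block; return (env, ret). env is None once every path has returned."""
    ret = None
    for st in block:
        op = st[0]
        if op == "ret":
            val = env.get(st[1], st[1])
            return None, val if ret is None else join(ret, val)
        if op == "call":  # no summary available: assume the callee's result is valid
            env[st[1]] = summ.get(st[2], NONNULL)
        elif op == "deref" and env[st[1]] != NONNULL:
            out.append((fn, st[1], env[st[1]]))
        elif op in ("if", "ifnull"):
            arms = []
            for blk, fact in ((st[2], NULL), (st[3], NONNULL)):
                e = dict(env)
                if op == "ifnull" and prune:
                    if env[st[1]] not in (fact, MAYBE):
                        continue  # infeasible path: do not analyze it
                    e[st[1]] = fact  # the null test fixes the value on this arm
                arms.append(run(blk, e, summ, fn, out, prune))
            for r in (r for _, r in arms if r is not None):
                ret = r if ret is None else join(ret, r)
            live = [e for e, _ in arms if e is not None]
            if not live:
                return None, ret
            env = {k: reduce(join, (e.get(k, MAYBE) for e in live)) for k in live[0]}
    return env, ret

def analyze(program, interprocedural, prune=True):  # -> [(function, variable, fact)]
    summ, out = {}, []
    if interprocedural:  # simplification: callees precede callers, no recursion
        for fn, body in program.items():
            summ[fn] = run(body, {}, summ, fn, [], prune)[1] or NONNULL
    for fn, body in program.items():
        run(body, {}, summ, fn, out, prune)
    return out
```

With summaries, only `unchecked` is reported; without pruning, the guarded dereference in `checked` is reported as well, which is the kind of false positive that path pruning removes.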

Third Generation Source Code Analysis: Klocwork Insight

Klocwork Insight is the first source code analysis product that allows developers to take control of the analysis process while also benefiting from the accuracy and value of centralized analysis - with none of the downstream auditing that second-generation techniques required.

About Klocwork

Klocwork is an enterprise software company providing automated source code analysis products that automate security vulnerability and quality risk assessment, remediation and measurement for C, C++ and Java software. More than 200 organizations have integrated Klocwork's automated source code analysis tools into their development process, thereby:

  • Reducing risk by assuring their code is free of mission-critical flaws
  • Reducing cost by catching issues early in the development cycle
  • Freeing developers to focus on what they do best - innovate

Gwyn Fisher

Gwyn Fisher is the CTO of Klocwork, a leading developer of source code analysis software and expert in static code analysis software. At Klocwork, he is responsible for guiding the company’s technical direction and strategy. With nearly 20 years of global technology experience, Gwyn brings a valuable combination of vision, experience, and direct insight into the developer perspective.

The Evolution of Source Code Analysis

By: Gwyn Fisher | 24/11/2008 | Software
Since the early 1980s, source code analysis has evolved from isolated desktop analysis to broad system-level analysis with constant progress being made in terms of the accuracy of the analysis and criticality of bugs that can be found. Each approach has benefits and drawbacks but the process of evolution has led to two important discoveries.
