Static Analysis helps developers prevent and eliminate defects—using thousands of rules tuned to find code patterns that lead to reliability, performance, and security problems. Over 15 years of research and development have gone into fine-tuning Parasoft's rule set.
For more information about Static Analysis, please click on the link below.
http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547
2. Agenda
1. House Keeping - Certification Overview
2. Very Brief Parasoft Introduction
3. Today’s Agenda
Parasoft Proprietary and Confidential
3. House Keeping - Certification
Two 45-minute live interactive sessions focused on Static Analysis using best practices for development, testing, and management
Session 1: Best Practices of Static Analysis
Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm – 3:00pm EST
Session 2: Best Practices of Static Analysis
Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
Materials published day after on-line session
Final exam (multiple choice) on-line
Certificate of completion from Parasoft Corporation
4. Important Note
This course is not designed to
Teach how to do security
Review (in depth) the reasons “why” we should have solid software
Cover how-to use any specific tools
This course is designed to
Explain available SA techniques and what
they’re used for
Help avoid common pitfalls
Provide in-depth examples of selected best practices and teach you how to optimize them for the software development environment
5. About Parasoft
Founded in 1987
27 Patents for automated quality processes
Build quality into the process
Static Analysis tools since 1994
7. Agenda for this session
Define static analysis
Define “false positives”
Static analysis for Security
Static analysis for defect prevention
Static analysis for process improvement
8. What IS Static Analysis?
Variety of methods
Peer Review / Manual Code Review / Code Inspection
Pattern-based code scanners
Flow-based code scanners
Metrics-based code scanners
Compiler / build output
9. What is: Peer Code Review
What:
A human review process provides checks and balances for finding and preventing human mistakes.
Why:
Find defects early
Find real functional problems
Increase breadth of understanding
Increase productivity
10. Peer Code Review
Review policies
Coder / reviewer pairs
QA reviewer / test review
Frequency
Scope
Pre commit vs. post commit review
Automation potential
A system to enforce the review policy
Track un-reviewed changes
Facilitate non-blocking communication
11. Methods of Code Review
Code Review “in a room”
Wastes time
Developers are inhibited
Using an automated infrastructure
Consistent
12. Determining Reviewers
Who reviews whom
How close are they in the code?
Increase code understanding
13. What is: Pattern-Based SA
What:
Identify specific patterns in the code
Why:
Find bugs
Ensure inclusion of required items
Security
Branding
Prevent Problems
Improve Developers
14. Pattern-Based Static Analysis
Quick scan to list possible problems
Fixing violations prevents certain classes of errors
Each source file is analyzed separately
Static analysis categories include:
Logical Errors
API Misuse
Typographical Errors
Security
Threads and Synchronization
Performance and Optimization
15. What is: Data Flow Analysis
What:
Simulate execution to find patterns
Why:
Find real bugs
16. Data Flow Analysis
Simulate hypothetical execution paths
Detect possible errors along those paths
Data flow analysis error categories include:
Exceptions
Optimization
Resource Leaks
API misuse
Security
17. What is: Code Metrics
What:
Measurement of code based on various statistics
Why:
Understanding code
Possible problems
18. Code Analysis Perceptions
“Static analysis is a pain”
“False positive” has varying definitions
I don’t like it
It was wrong
19. Pattern based false positives
True false positives generally indicate a rule deficiency
Context
Does this apply here and now?
In-code suppressions to document decision
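As an added example (not code from the Parasoft deck or its tools), the following toy pattern-based checker shows the points of slides 13, 14 and 19 in working form: rules match syntactic patterns in one file at a time, a finding falls into a category (logical error, security/API misuse, exceptions), and an in-code suppression comment records the decision not to fix a particular site. The rule ids, the `# sa-suppress:` comment syntax and the sample source file are assumptions made for this example.

```python
"""Toy pattern-based static analysis over Python source using the ast module.

Illustrates slides 13/14 and 19: rules match syntactic patterns, each file is
analyzed on its own, and an in-code suppression comment records why a finding
does not apply at a particular site. The rule ids, the suppression syntax and
the sample source are all constructed for this example.
"""
import ast
import re

# Assumed suppression format: "# sa-suppress: RULE_ID reason". A reason is
# mandatory so the suppression documents the decision rather than hiding it.
SUPPRESS_RE = re.compile(r"#\s*sa-suppress:\s*(\w+)\s*(.*)$")


def match_rules(node):
    """Yield (rule_id, message) for every pattern the AST node matches."""
    # Logical error: `x == None` / `x != None` should use `is` / `is not`.
    if isinstance(node, ast.Compare):
        for op, right in zip(node.ops, node.comparators):
            if (isinstance(op, (ast.Eq, ast.NotEq))
                    and isinstance(right, ast.Constant) and right.value is None):
                yield "LOGIC_NONE_EQ", "comparison to None with ==/!=; use is/is not"
    # Security / API misuse: shell=True hands the command string to a shell.
    if isinstance(node, ast.Call):
        for kw in node.keywords:
            if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                yield "SEC_SHELL_TRUE", "subprocess call with shell=True"
    # Exceptions: a bare `except: pass` silently swallows every failure.
    if isinstance(node, ast.ExceptHandler) and node.type is None:
        if len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
            yield "EXC_SWALLOWED", "bare except with pass hides failures"


def is_suppressed(line_text, rule_id):
    """True when the line carries a suppression for this rule with a reason."""
    m = SUPPRESS_RE.search(line_text)
    return bool(m) and m.group(1) == rule_id and m.group(2).strip() != ""


def find_violations(source):
    """Analyze one file in isolation; return sorted (line, rule_id, message)."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        for rule_id, message in match_rules(node):
            line_no = node.lineno
            if not is_suppressed(lines[line_no - 1], rule_id):
                findings.append((line_no, rule_id, message))
    return sorted(findings)


# Constructed sample file: one real finding per category plus one suppressed site.
SAMPLE = '''\
import subprocess

def run(cmd, path):
    if path == None:
        return
    subprocess.run(cmd, shell=True)  # sa-suppress: SEC_SHELL_TRUE cmd is a fixed literal
    try:
        subprocess.run(["ls", path])
    except:
        pass
'''

if __name__ == "__main__":
    for line_no, rule_id, message in find_violations(SAMPLE):
        print(f"line {line_no}: {rule_id}: {message}")
```

Run on the sample, the checker reports the `== None` comparison on line 4 and the swallowed exception on line 9; the `shell=True` call on line 6 is silenced because its suppression carries a reason. A suppression without a reason is deliberately ignored, which is how the "document the decision" rule from slide 19 is enforced rather than merely recommended.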
20. Flow Analysis False Positives
False positives are inevitable
Finds real bugs
Flow analysis is not comprehensive
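As an added example (not code from the Parasoft deck or its tools), the following toy flow analyzer shows what slides 15, 16 and 20 describe: it simulates every hypothetical execution path through a small program, reports resource leaks and null dereferences seen along each path, and, because it does not know which paths are feasible, produces false positives on a program whose two branches test the same condition. A `correlate_conditions` switch shows how remembering branch outcomes prunes those paths. The instruction set, the two sample programs and the defect names are assumptions made for this example.

```python
"""Toy flow-based static analysis: walk every hypothetical execution path through
a small instruction list and report defects seen along each path.

Illustrates slides 15/16 and 20: flow analysis simulates paths it cannot prove
feasible, so it finds real bugs but also reports some that cannot happen. The
instruction set, the two sample programs and the defect names are constructed
for this example; a real analyzer works on the compiler's own IR.

Instruction forms (constructed):
  ("open", v)              v now holds an open resource
  ("close", v)             v's resource is released (a dereference of v)
  ("set_null", v)          v may be null from here on
  ("use", v)               dereference v
  ("branch", c, t, f)      jump to index t if condition c holds, else to f
  ("return",)              function exit
"""


def analyze(program, correlate_conditions=False):
    """Return sorted (path, category, detail) tuples over all explored paths.

    With correlate_conditions=False every branch is taken both ways regardless
    of earlier branches on the same condition. With True the outcome of a
    condition is remembered along the path, pruning infeasible paths.
    """
    findings = set()

    def walk(pc, open_res, nulls, known, trail):
        while True:
            ins = program[pc]
            op = ins[0]
            if op == "open":
                open_res, nulls = open_res | {ins[1]}, nulls - {ins[1]}
            elif op == "set_null":
                open_res, nulls = open_res - {ins[1]}, nulls | {ins[1]}
            elif op in ("close", "use"):
                var = ins[1]
                if var in nulls:
                    findings.add((",".join(trail), "NULL_DEREF", f"{var} at {pc}"))
                if op == "close":
                    open_res = open_res - {var}
            elif op == "branch":
                cond, t_idx, f_idx = ins[1], ins[2], ins[3]
                outcomes = [True, False]
                if correlate_conditions and cond in known:
                    outcomes = [known[cond]]
                for outcome in outcomes:
                    walk(t_idx if outcome else f_idx, open_res, nulls,
                         {**known, cond: outcome},
                         trail + [f"{cond}={'T' if outcome else 'F'}"])
                return
            elif op == "return":
                for var in sorted(open_res):
                    findings.add((",".join(trail), "RESOURCE_LEAK", f"{var} at {pc}"))
                return
            pc += 1

    walk(0, frozenset(), frozenset(), {}, [])
    return sorted(findings)


# Real defect: an early return on a bad header skips the close.
LEAKY = [
    ("open", "f"),                    # 0: f = open(path)
    ("branch", "bad_header", 3, 2),   # 1: if header invalid, bail out
    ("close", "f"),                   # 2: close(f) on the happy path
    ("return",),                      # 3: exit (leaks f when reached from 1)
]

# Both branches test the same condition, so the mixed paths T/F and F/T can
# never execute; an analyzer that does not correlate them reports two false
# positives here.
CORRELATED = [
    ("set_null", "log"),              # 0: log = null
    ("branch", "verbose", 2, 3),      # 1: if verbose open the log
    ("open", "log"),                  # 2: log = open(logfile)
    ("branch", "verbose", 4, 5),      # 3: if verbose close the log
    ("close", "log"),                 # 4: close(log)
    ("return",),                      # 5: exit
]

if __name__ == "__main__":
    for name, prog in (("LEAKY", LEAKY), ("CORRELATED", CORRELATED)):
        for mode in (False, True):
            print(name, "correlate=%s" % mode, analyze(prog, mode))
```

On `LEAKY` both modes report the genuine leak on the `bad_header=T` path, which is the "finds real bugs" point of slide 15. On `CORRELATED` the uncorrelated mode reports a leak on the `verbose=T,verbose=F` path and a null dereference on `verbose=F,verbose=T`; neither path can execute, which is why slide 20 says false positives are inevitable. Correlating conditions removes both, but the number of paths still grows exponentially with the number of independent branches, which is the practical reason flow analysis is not comprehensive.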
21. Static Analysis for Security
Flow analysis finds low-hanging fruit
Flow won’t guarantee security
SA prevents security problems
Input validation is key
22. Static Analysis for Prevention
It’s quicker to deal with false positives than bugs
Flow analysis finds complicated problems
Runtime analysis should match flow analysis
Rules should be chosen based on real problems
23. SA for Process Improvement
Flow analysis won’t find everything
Flow rules have corresponding pattern-based rules
Prevent the potential rather than chase paths
24. House Keeping - Certification
Two 45-minute live interactive sessions focused on Static Analysis using best practices for development, testing, and management
Session 1: Best Practices of Static Analysis
Fri, Nov 12, 11:00am - 12:00pm PST / 2:00pm – 3:00pm EST
Session 2: Best Practices of Static Analysis
Fri, Nov 19, 11:00am - 12:00pm PST / 2:00pm - 3:00pm EST
Process infrastructure
Workflows
Choosing the best configuration
And more
Materials published day after on-line session
Final exam (multiple choice) on-line
Certificate of completion from Parasoft Corporation
25. Q&A
Questions
26. Further Reading
Automated Defect Prevention (Huizinga & Kolawa)
…Principles and processes to improve the software
development process.
Effective C++ / More Effective C++ (Meyers)
…Definitive work on proper C++ design and programming.
Effective Java (Bloch)
…Best-practice solutions for programming challenges.
Design Patterns (Gamma, Helm, Johnson, Vlissides)
…Timeless and elegant solutions to common problems.