THE PARADOX OF SOFTWARE DEVELOPMENT:
It is somewhat paradoxical that many industries use software to automate and improve the delivery of products, yet the way software is often developed lags behind in the use of automation. Static analysis offers the promise of automation to improve the safety, security and reliability of software dramatically. However, purchasing a static analysis tool alone will not guarantee better software. All successful organizations rely on the coordination of people, process, and technology to efficiently deliver quality products, and software development is no different. A successful automation strategy should focus on the following considerations with respect to people, process and technology.
People can be the single biggest obstacle to implementing a static analysis strategy and platform and a wider focus on quality.
Ideally the priority should be to employ the best people with the right attitude. But there are practical considerations: the world has a limited pool of software delivery talent available, and the best people attract significant premiums. Not every company can afford the best. This is one key reason why, as well as attempting to hire the best people you can afford, you should also put in place a “quality culture” that is backed by supportive processes, strong motivational drivers and the right incentives, rewards and punitive measures (should performance fail to live up to requirements).
Software quality, and the early resolution of defects, should be goals that are rewarded over and above more obvious measures such as the number of function or feature points supported by the software code. Making this transition requires “top-down” commitment from executive management, together with empowerment and resolve within the development team. A clear understanding of individuals’ responsibility and accountability will be essential to driving any changes to the software delivery process. Unrealistic deadlines will make it even harder to succeed, even with a static analysis tool.
PROCESS AND METHODS
In the absence of consistent processes, development teams fail to learn from past mistakes or successes, ending up repeatedly reinventing the wheel. As a result, quality and success are rarely duplicated and the opportunity for predictability is lost.
It is important to employ the right processes (processes that can be customized to meet the particular needs of your organization) that will help drive quality in software delivery from the outset, whether static analysis is being executed at the developer level or centrally at the build level. For example, carrying out risk analysis at the beginning of a development project might highlight situations to guard against, which can then be used as defect criteria. Support for using best practices for ensuring quality within software development will be vital, as will a process and framework for measuring and reviewing the success of such methods so that further improvements can be discovered and implemented.
Two common software development methods that have been widely reported as being incredibly effective in maximizing software quality are:
- Using formal inspections of designs, code and other deliverables to prevent and remove software defects.
- Using software quality assurance groups and software quality process frameworks like Capability Maturity Model® Integration (CMMI) and Six Sigma.
There is also a case for the use of agile development methodologies that embody the concept of short iterations of development and shipping or deploying often to quickly ascertain customers’ needs and acceptance. Reducing the number of function points delivered and having short delivery cycles will help to lessen the load of potential defects – allowing for a more manageable and effective defect removal process.
The sophistication of any static analysis exercise depends on the number of analysis rules/patterns for different code environments/languages that are supported by a tool. A good static analysis tool platform should be capable of supporting in-depth analysis of the programming language. It should also incorporate defect rules specific to different requirements/approaches (e.g. security vs. safety vs. performance) and industry or regulation policies (e.g. MISRA-C), either directly or by leveraging existing policy or rules resources.
Getting The Right Combination:
The pressure to deliver more software faster has never been greater, and the risks of delivering unreliable and insecure embedded software have profound business implications. Automated static code analysis can improve the scale and accuracy of testing efforts while saving time and lowering costs. However, static analysis testing by itself cannot meet all the challenges facing development organizations. In practice, static analysis testing is most effective when combined with best practice policies and processes.
For more information on how to improve code security, check out the white paper ADDRESSING SECURITY VULNERABILITIES IN EMBEDDED APPLICATIONS USING BEST PRACTICE SOFTWARE DEVELOPMENT PROCESSES AND STANDARDS and start protecting your applications.