Tips For Success
How can you ensure a successful deployment? Here are some hard-won tips from our experience:
- Define an initial issue policy. You may decide to only deal with the most severe issues for the first project cycle.
- Get the global mechanics working. Many of the tools require license managers and centralized result servers.
- Attack one product at a time. Get it working with one group and then move on to the next.
- Identify SMEs. Every product needs at least one subject matter expert. Large products that are broken into major components will naturally need a SME for each one. Be sure that the SME and his or her manager understand the ongoing responsibilities and time commitment.
- Train SMEs. Make them designated experts.
- Work with SMEs. Help them to do build and tool integration for their product or component.
- Train developers. The SME should guide how the tool is integrated into the team's development process.
- Perform initial analysis on existing code and defer all issues. Don't discuss the large quantity of issues with the developers. If any ask, explain to them that they've been set aside and will be considered in a future product cycle.
- Deliver help from SMEs to developers as required. During the first days of the roll-out, the SME should monitor the developers' work. Developers should be analyzing the code often, at least before they submit a completed unit of work into the product build. Just as a developer wouldn't check in a unit of code that doesn't compile, they won't want to check in a unit that still has static code analysis issues.
- Run the build analysis often. If the developers are doing their job and addressing issues as they come up then no issues should be found at this stage.
- Review deferred issues. After the process is running smoothly and the tool is a routine part of work, review deferred issues and plan whatever remediation is needed for future releases.
The Right Tool For You
There are numerous open source and commercially available static code analysis tools on the market. When choosing one, the place to start is with language support. Some tools like AdaCore's CodePeer and Green Hills' DoubleCheck support a single language. Other static code analysis tools support multiple languages.
But language support isn't the only consideration. When ACI Worldwide was in the market for a static code analysis tool two and a half years ago, we identified five vendors -- Coverity, Fortify Software, Klocwork, Ounce Labs, and Veracode. Veracode was eliminated immediately because it only offered code analysis as a service, and we wanted a tool that could be used in-house and provide developer training. Each of the other four vendors performed an in-house proof-of-concept on a large C++ program (2,500 KLoCs) and a large Java program (600 KLoCs).
Coverity was eliminated because, at the time, the tool provided excellent quality checking but had limited security checking. Conversely, we eliminated Ounce Labs because it focused almost exclusively on security, assuming that the prospect already had quality checkers, which wasn't the case for us.
Fortify Software and Klocwork were comparable in their ability to find important quality and security issues. However, Klocwork's licensing model made it less expensive for us. Klocwork used the FlexLM license manager with floating licenses, whereas Fortify Software had a dedicated code contributor model. Since we have development centers spread around the globe in different time zones, we're able to share the licenses very effectively around the clock, so Klocwork was the right fit for us.
Final Analysis
Overall, static code analysis has proven to be a valuable tool for ACI Worldwide. For a reasonable cost per developer, we're finding serious bugs more comprehensively and earlier in the development process. In addition, the Klocwork suite we chose provides a way to connect experienced senior developers with junior developers. The tools include extensive help files that refer developers having difficulty with an issue to a more experienced developer to get advice -- always a valuable interaction.
Bottom line: Static code analysis tools help incorporate security and quality awareness into the fabric of the entire development organization. Finding bugs earlier and avoiding security breaches is invaluable to any software development effort.
