Evaluate software code
Selection of a modern static analysis tool
Software is playing an increasingly important role in production. The quality of the code is crucial for production processes, which is why attention should already be paid to defects and malfunctions during development. Modern static analysis tools can help, but there are a few things to consider when selecting them. By Arthur Hicken
When it comes to the quality of software, there is no getting around static code analyses, especially for safety-critical software. Roughly speaking, there is hardly any difference between all static analysis tools. They examine code without executing it, uncover defects and error-prone code parts in the software and generate warnings and reports. They are usually integrated into the development environment and CI/CD/build systems. However, if you want to successfully integrate a coding tool into daily development and get the most out of your investment, it is worth examining the options carefully.
Decision-makers often simply follow a uniform pattern: they let the tools in question process the same code, then compare the results and select the tool that reports the most rule violations. This is not a true evaluation, because the winner of this battle is not necessarily the tool that is best suited to setting up a sustainable and scalable static analysis process in a company. In fact, many key factors that make the difference between implementing a successful static analysis approach and another failed attempt are easily overlooked.
Needs analysis and current status
Before you start looking for a tool, you should take a clear look at the company and check the following things:
What is needed? In order for the static analysis to be successful, it must first be determined what it should actually achieve:
- Which critical points should it address?
- Do conformity requirements have to be met?
- Is the security aspect of the applications an issue?
- What is already being done in this regard?
- Who evaluates the analysis reports and must act on their basis?
Where does the company stand now? It is important to know which problems the tools are intended to solve and whether they fit the company:
- Is the current development process sufficiently stable, reproducible and streamlined to serve as a solid foundation for static analysis?
- What have been the results of previous evaluations or implementations of static analysis tools?
Criteria for the selection process
Selecting a static analysis tool for practical use and long-term integration into the development process requires effort and planning. Instead of a purely technical review, it is much more important to examine how well the tool fits into the company. It is also worth evaluating the provider who sells and supports the tool.
Criteria for evaluating the tools
The following criteria must be taken into account in the technical assessment of the tools in question:
- Coverage of the required guidelines,
- Quality of the built-in checkers for the required guidelines,
- Coverage of the standards specified by the industry or the company,
- Depth and breadth of analysis,
- practical ways to reduce the "noise", i.e. the rule violations reported by the checkers but which can be ignored,
- acceptable number of false positives and how to deal with them,
- acceptable number of false negatives,
- Effort to adapt the built-in checkers to the company policy,
- Effort to add new, individual checkers for special requirements
- Supported complexity level for new, specific checkers
Considerations regarding the provider
Just as important as choosing the right tool is choosing the right vendor, because the buyer inevitably enters into a relationship with the vendor. Behind the most successful tool deployments is always a vendor that is committed to helping the organization achieve its business objectives, overcome challenges and drive adoption of the tool. During the evaluation process, it is important to test the providers in several qualification and evaluation rounds:
- Are the provider's scaling, growth and foresight capabilities in line with the organization's own requirements and objectives?
- Does the provider have a coherent strategy for deployment across the organization and for evolving as the organization's needs change?
- What are the provider's best practices for using its tool?
You should also be aware of the provider's reputation on the market:
- Which companies are already using the tool?
- What do the case studies say about deployment, use and benefits of the tool?
- What do industry experts say in test reports, reviews and awards?
Quality or quantity: coverage counts
A common question is: How many checkers does the product have? This implies that the quality of a tool depends on how many different errors it detects - and is an inadequate assessment criterion, especially for static analysis tools. Rather, a user of static analysis tools should be concerned with how well the respective tool covers different error types and coding standards and how well-founded its analysis is. The key question is therefore: How well does a tool cover the types of coding problems that are relevant to your own company?
An example: Coverage of MISRA C, C++ and CERT C
Even though coding standards such as MISRA originally come from the automotive sector, they are increasingly being used in other areas where functional safety is important. In addition to SEI CERT C, this is either demanded by the market or used to eliminate risks from in-house software development. Regardless of the individual application, however, these standards are always used to evaluate static analysis tools.
The claimed coverage of the individual standards leaves some room for interpretation because the standards do not define exactly how a tool claims coverage. It is therefore worth taking a closer look and making sure which specific capabilities could be important for your own use case. For example, if the project requires MISRA C, the capabilities of the individual tools should be considered in detail.
The following evaluation of various open source and commercial solutions shows the coverage of MISRA and CERT C (table). It is not surprising that open source solutions only offer moderate coverage, as the intention behind them was never to follow such standards. But even the various commercial tools that claim to support these standards only meet this requirement to a limited extent; because what counts is simply the coverage of the standard and not the number of checkers needed to support the standard.
If a test suite is used to measure the coverage of a standard, the coverage of the test suite itself must also be taken into account. The following figure on the coverage of Juliet CWE Top 25 (2011), for example, lists the CWE IDs (Common Weakness Enumeration) and indicates whether they are covered by tests in the Juliet C/C++ and Java test suites. It is immediately apparent that the test suite does not completely cover the important CWEs (Top 25) - and this applies to many test suites.
Open source solutions
When it comes to using open source tools for a static analysis solution, an obvious question arises. With FOSS (Free Open Source Software) there are some crucial things to consider. An evaluation must include the cost of missing key features, services and support. Details on the costs and benefits of FOSS in general can be found here - including aspects such as support, activity and longevity of the project and scalability. FOSS solutions may not be an option if industry standards are important within your organization and external audits are commonplace.
Questions to be answered
For the results of a pilot project, the evaluation and final decision making should focus on answering the following key questions:
- Will the team really accept and use the solution? No matter how good a tool is, it is worthless if it cannot be used, if the developers do not accept it or if it disrupts the progress of the project too much. When considering whether something will be accepted, you should not only examine the tools, checkers and integrations, but also the provider with its support, service and training offerings.
- Does the tool solve the problems that the company and the team are working to solve? The use of new technologies requires a focus on the problems to be solved, rather than simply expecting the static analysis to solve them.
- Are the expectations for the new technology to solve the problem realistic? It is important to quantify success and return on investment. It is also important to determine in advance how success will be measured - in terms of lost time, missed releases or field support cases.
- Is it a long-term solution? Evaluations take time and commitment from the team, and complete deployments take even more. Settling for a tool that "will do for now" may save money in the short term, but can prove to be extremely costly in the long run.
Assessments of static analysis tools often end up with only a superficial evaluation of the results, although an additional technical evaluation is undoubtedly important. The assessment must go beyond these results and include the bigger picture and long-term perspective. It is advisable to assess how well the tools manage the results, including easy-to-use visualization and reporting features. Teams should understand exactly how well each tool supports the claims made in areas such as coding standards in order to achieve a sustainable return on investment.
The author
Arthur Hicken has worked at Parasoft for over 25 years in the field of software security and test automation, contributing to research into new methods and techniques (including five patents) while helping customers improve their software practices.
You might also be interested in
From risk to resilience
NIS2 significantly increases the requirements for industrial security concepts. In addition to cyber resilience, physical access protection is becoming increasingly important.
read more...Security Operations Center module
When cyber attacks reach production
Adlon is further developing its Security Operations Center and adding another module to the existing Managed SOC for Microsoft 365 environments (based on Managed XDR): Managed SOC Advanced.
read more...Lifecycle management and safe IO-Link communication
At SPS, Pilz will be presenting solutions that combine safety and security in production. The focus is on the digital Myzel Lifecycle Platform, a SaaS offering for the management of machinery and personnel over the entire lifecycle.
read more...The basics of warehouse safety
Safety in the warehouse primarily relates to the employees. However, goods must also be transported safely and transport equipment must not be damaged.
read more...Environmental containers and fire protection
Companies can choose from a wide range of environmental containers for storing chemicals and other hazardous substances.
read more...Secure focus on access
To ensure comprehensive safety, holistic safety concepts for safety and industrial security on machines are required. Authorizations and access must be clearly regulated.
read more...Added value through safety and productivity
Machine malfunctions can have serious consequences and put people's health at risk. Functional safety therefore plays a central role in industry. With control and inverter technology including integrated safety functions from ABB, plant operators...
read more...Protect Ethernet interfaces
Pilz is expanding its portfolio of operating and signaling devices with the control element PIT oe ETH. It is equipped with an Ethernet port that can be activated and protects freely accessible Ethernet interfaces in industry against unauthorized...
read more...Protective tool in everyday life
Cybershield is a company founded in 2021 with a focus on operational technologies and has set itself the goal of significantly advancing IT security in the OT sector and supporting customers.
read more...