How to Select a Static Analysis Tool

2011
Agenda for this session

- Define static analysis
- Lay out a strategy for evaluating and choosing a static analysis tool that will actually work in the field
- List possible evaluation criteria

Parasoft Proprietary and Confidential
About Parasoft

- Founded in 1987
- 27 patents for automated quality processes
- Build quality into the process
- Static analysis tools since 1994
Parasoft Capabilities

Technologies
- Quality Policy Management
- Task Management
- Code Analysis – Pattern Based
- Code Analysis – Flow Based
- Code Analysis – Metrics
- Code Review
- Unit Testing Framework
- Memory Error Detection
- Runtime Analysis
- Message/Protocol Testing
- Application Behavior Emulation
- Functional Testing
- Load Testing
What IS Static Analysis?

- Variety of methods
  - Peer review / manual code review / code inspection
  - Pattern-based code scanners
  - Flow-based code scanners
  - Metrics-based code scanners
  - Compiler / build output
First things first

- More organizations are adopting formal policies regarding static analysis
- Many companies use a bake-off to choose tools
- Bake-offs are not very useful for selecting the best tool
Assess Your Needs

- What pains do you plan to address?
  - FDA, MISRA, PCI, etc.
- Is your current development process stable, repeatable, and streamlined?
- Have you tried static analysis before?
  - Why did it fail, and how can you prevent a repeat?
- How is your organization structured?
  - Corporate-wide configuration, or varied by group/project?
- Will analysis apply to all projects? New code? Legacy?
- Where do you want to be in the future?
Compile Candidate List

- Get recommendations
- Perform due diligence
  - Even if the tool comes highly recommended
  - Even if the tool has been used by someone in the group
  - Your code, process, culture, and environment are unique
- Keep the big picture in sight
Explore Vendors

- You’re committing to a relationship with a vendor
- What is their vision?
- What best practices do they have?
  - Do they have a coherent strategy for the enterprise?
  - If they don’t have best practices, you’ll need to develop them
- Reputation
  - Who uses the tool?
  - Case studies
Talk with Vendors

- Evaluations are disruptive – get data up front
- Are your visions in sync with the vendor’s?
- Explain what problems you want to solve
  - Find out if they think static analysis will resolve them
  - Can they set objective criteria to assess success?
- Describe your environment
  - How have they helped others like you?
- Explain your vision for deployment and adoption for the next 2-3 years
  - Do they believe it’s feasible?
Handling vision mismatch

- The vendor should accept requests that fit their general business
- If the vendor disagrees with your strategy, do they have a convincing explanation and alternative?
- Does the vendor bend over backward? Even for unreasonable requests?
Pilot Top Candidates

- Set up a test bed and run preliminary tests
  - Familiarize yourself with the tool
  - Identify obstacles
- Be ready to assist those doing the actual pilot
- Select one group
  - Real project – not static legacy code
  - Engineers who like new things
Work with pilot users

- Don’t just give pilot users the program and expect useful results
- Explain
  - How to use it in your workflow
  - What parts of the application to test
  - What code should be tested
  - What to look for while using the tool
Pilot tasks

- Pilot users should have a list of tasks
  - How did the tool make their lives better?
  - What could make it even better?
  - How did the tool make their lives worse?
  - How bad was the learning curve?
Compare Post-pilot Candidates

- Zero in on required functionality
- Evaluate the vendor’s response to requests and issues
- Judge what the relationship will be like
Evaluation Criteria: Rules

- Number of built-in rules you’re really willing to enforce
- Quality of built-in rules you’re really willing to enforce
- Depth and breadth of analysis
- Feasible means to reduce noise
- Few to no false positives
- Tolerable number of missed defects (false negatives)
- Ease of adjusting built-in rules
- Ease of adding custom rules
- Level of complexity possible in new rules
- Vendor’s plan for adding new rules
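The noise and coverage criteria on this slide can be measured during the pilot rather than judged by impression. The following Python script is an added example, not part of the Parasoft deck: it scores a candidate tool's findings against a list of known (seeded or previously confirmed) defects in the pilot code base, reports per-rule false positives and misses, and flags the rules that would generate more noise than the team is willing to triage. All file paths, rule IDs and line numbers are constructed for illustration.

```python
"""Score a static analysis tool's output against a labelled pilot test bed.

Added example, not from the Parasoft deck. File names, rule IDs and line
numbers are constructed; replace them with the pilot's own seeded defects
and the candidate tool's exported findings.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One defect location; used for both seeded defects and tool reports."""
    rule: str
    file: str
    line: int


# Constructed ground truth: defects deliberately seeded (or previously
# confirmed by review) in the pilot code base. Hypothetical paths and rules.
KNOWN_DEFECTS = [
    Finding("NULL-DEREF", "net/parse.c", 42),
    Finding("NULL-DEREF", "net/parse.c", 118),
    Finding("BUFFER-OVERFLOW", "net/parse.c", 77),
    Finding("BUFFER-OVERFLOW", "util/str.c", 15),
    Finding("RESOURCE-LEAK", "io/file.c", 203),
    Finding("INT-OVERFLOW", "util/math.c", 9),
]

# Constructed tool output for the same code base.
TOOL_FINDINGS = [
    Finding("NULL-DEREF", "net/parse.c", 43),    # one line off: still the seeded bug
    Finding("NULL-DEREF", "net/parse.c", 118),
    Finding("NULL-DEREF", "net/parse.c", 300),   # nothing seeded here: noise
    Finding("NULL-DEREF", "io/file.c", 10),      # noise
    Finding("BUFFER-OVERFLOW", "net/parse.c", 77),
    Finding("BUFFER-OVERFLOW", "util/str.c", 15),
    Finding("RESOURCE-LEAK", "io/file.c", 203),
    Finding("RESOURCE-LEAK", "io/file.c", 204),  # duplicate of the same leak: noise
]


def match_findings(findings, known, line_tolerance=2):
    """Split tool findings into true positives and noise; list seeded defects missed.

    A finding matches a seeded defect when rule and file agree and the reported
    line is within `line_tolerance` (tools often flag the statement rather than
    the exact line). Each seeded defect can be claimed once, so a duplicate
    report of the same defect is counted as noise for the reviewer.
    """
    unmatched = list(known)
    true_pos, false_pos = [], []
    for f in findings:
        candidates = [d for d in unmatched
                      if d.rule == f.rule and d.file == f.file
                      and abs(d.line - f.line) <= line_tolerance]
        if candidates:
            best = min(candidates, key=lambda d: abs(d.line - f.line))
            unmatched.remove(best)
            true_pos.append(f)
        else:
            false_pos.append(f)
    return true_pos, false_pos, unmatched


def per_rule_report(findings, known, line_tolerance=2):
    """Per-rule counts of true positives, false positives and missed defects."""
    tp, fp, missed = match_findings(findings, known, line_tolerance)
    rules = {d.rule for d in known} | {f.rule for f in findings}
    return {
        rule: {
            "tp": sum(1 for f in tp if f.rule == rule),
            "fp": sum(1 for f in fp if f.rule == rule),
            "missed": sum(1 for d in missed if d.rule == rule),
        }
        for rule in sorted(rules)
    }


def precision_recall(findings, known, line_tolerance=2):
    """Overall precision (1 - noise share) and recall (share of seeded defects found)."""
    tp, fp, _ = match_findings(findings, known, line_tolerance)
    reported = len(tp) + len(fp)
    precision = len(tp) / reported if reported else 0.0
    recall = len(tp) / len(known) if known else 0.0
    return precision, recall


def noisy_rules(report, max_fp_ratio=0.4):
    """Rules whose noise share exceeds what the team will triage.

    These are the first candidates for tuning, severity downgrade or disabling
    before the tool is rolled out beyond the pilot group.
    """
    noisy = []
    for rule, counts in report.items():
        reported = counts["tp"] + counts["fp"]
        if reported and counts["fp"] / reported > max_fp_ratio:
            noisy.append(rule)
    return noisy


if __name__ == "__main__":
    report = per_rule_report(TOOL_FINDINGS, KNOWN_DEFECTS)
    for rule, counts in report.items():
        print(f"{rule:16} tp={counts['tp']} fp={counts['fp']} missed={counts['missed']}")
    precision, recall = precision_recall(TOOL_FINDINGS, KNOWN_DEFECTS)
    print(f"precision={precision:.2f} recall={recall:.2f}")
    print("rules to tune or downgrade:", noisy_rules(report))
```

Running the same scorer over each candidate tool's export for the same seeded code base gives the comparable numbers the "zero noise" and "tolerable misses" criteria ask for.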
Evaluation Criteria: Workflow

- IDE integration
- Batch mode
- Violation reporting / review mechanism
- Automated assignment of errors to responsible developers
- Legacy code identification and support
- Rule severity customization
- Ability to suppress violation reporting
- Automated violation correction
Evaluation Criteria: Scalability

- Scalable usage model
- Ease of updating the rule set team-wide or organization-wide
- Ability to support tiered rule sets
- Extensibility – API
- Support for additional languages and verification methods (unit test, code review, etc.)
- Speed of analysis (end-to-end)
Evaluation Criteria: Vendor

- Product stability
  - Having some issues is inevitable
- Defect reports
- Feature requests
- Overall support
The 2 Most Important Questions

- Will our engineers really adopt it and use it?
  - Can you make the tool work on real code with zero noise?
  - Will it scale?
  - Is the workflow practical?
- Is this a long-term solution?
  - Evaluations consume a lot of time and effort
  - Don’t settle for “it’s good enough”
  - Will it help reach your corporate goals?
  - Time spent now will reward you later
  - Avoid continuous product evaluations
Q&A