Why Developers Need Static Analysis Tools

WHY DEVELOPERS NEED STATIC ANALYSIS TOOLS (SCA FTW!)

Here's a no-brainer: You need to produce safe, reliable code that's free of security weaknesses and critical defects. With static analysis tools, you got this.

Static analysis (noun, synonym: source code analysis/SCA) automatically detects weaknesses in computer software without executing the programs built from that software and enables developers to check-in clean code.

SOFTWARE DEFECTS = LAUNCH DELAYS + RECALLS + BRAND DAMAGE + EXPENSE + SERIOUS HARM

- Therac-25 radiation therapy machine: patients suffer from massive doses of radiation
- Toyota Prius: 400K+ vehicles recalled
- Ariane 5 Flight 501: $370M rocket self-destructs

DEFECTS ARE HARD TO FIND

- Most applications have 22.4 security risks*
- Without tools like static analysis or a code review process, programmers are less than 50% efficient in finding bugs in their own software**

COST OF DEFECTS

- The global economy spends $312 billion annually on software bugs***
- 50¢ of every dollar spent on software development and maintenance goes towards finding and fixing bugs****

STATIC ANALYSIS HELPS YOU FIND CRITICAL WEAKNESSES & COMPLY WITH KEY CODING STANDARDS

Weaknesses found:
- Buffer overflow
- Concurrency violations
- Un-validated user input
- Dereferencing NULL pointers
- Injection issues
- Concurrency errors
- Cross-site scripting
- Endian incompatibilities
- Memory and resource leaks
- Use of uninitialized data

Coding standards covered: SAMATE, OWASP, CERT, MISRA, CWE, DISA STIGs, FDA, DO-178B, ISO 26262, PCI

SAVE TIME. SAVE MONEY. SAVE YOUR SANITY.

- Software developers spend half their programming time finding and fixing bugs**
- 85% of defects are created during coding but not found until testing

TRADITIONAL APPROACH (a.k.a. Lather, Rinse, Repeat)
- Write code
- Check it in
- QA points out mistakes
- Fix code
- Check it in again
- QA finds more mistakes

MODERN APPROACH (a.k.a. Get It Right the First Time)
- Write code
- Fix mistakes as you go
- Check-in clean code
- Write more code

EXAMPLES: PERSON HOURS REQUIRED TO REPAIR DEFECTS IN THIS STAGE****
- Coding: 15 min
- Integration build: 1 hr
- System test: 25 hrs
- Post release: 125 hrs

Cost to repair a defect by stage: implementation $25, test $1,000, production $16,000. $16,000 is spent to repair defects found after release***** (or, as the infographic puts it, 3,532 lbs. of bacon).

With SCA tools, you can fix issues at your desktop while you're coding and before check-in. Find bugs sooner, move on to other things.

DEVELOPERS: WHAT'S IN IT FOR ME?
1. Keep QA off your back by avoiding the lather-rinse-repeat cycle
2. Be a better developer by learning from your mistakes
3. Check-in clean code and move on to other things
4. Avoid being the guy who codes a serious defect that gets into the wild

DEV MANAGERS: WHAT'S IN IT FOR ME?
1. Narrow the gap between your rock star coders and the newbs
2. Decrease risk by ensuring issues are fixed early in the dev cycle
3. Boost productivity by reducing the time spent on dealing with code defects
4. Keep improving your code base by tracking and reporting on code security, quality and complexity metrics

DEPLOY SCA. REWARD YOURSELF WITH A CRONUT!

Sources:
* 2013 Global Application Security Risk Report, https://www.aspectsecurity.com/uploads/downloads/2013/06/Aspect-2013-Global-AppSec-Risk-Report.pdf
** Capers Jones, 2012, http://sqgne.org/presentations/2012-13Jones-Sep-2012.pdf
*** Cambridge University Study States Software Bugs Cost Economy $312 Billion Per Year, http://markets.financialcontent.com/stocks/news/read/23147130/Cambridge_University_Study_States_Software_Bugs_Cost_Economy_$312_Billion_Per_Year
**** Capers Jones, 2012, http://www.ifpug.org/Documents/Jones-SoftwareDefectOriginsAndRemovalMethodsDraft5.pdf
***** Applied Software Measurement, Capers Jones, 1995

Klocwork helps developers create more secure and reliable software with on-the-fly source code analysis tools. Learn more and register for a free trial at: www.klocwork.com/WhySCA
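To make the weakness list above concrete, here is an added C example (not part of the infographic and not Klocwork code) of the kind of function a static analyzer flags during coding, before check-in: the "before" version carries three of the listed classes (un-validated input length, dereferencing an unchecked NULL pointer, and a memory leak on one path), and the "after" version closes each one. The function name and the "key=value" input format are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Before: parse "key=value" and return the length of the value.
 * A static analyzer reports three of the weakness classes listed above. */
int value_length_unchecked(const char *line) {
    char buf[16];
    strcpy(buf, line);                 /* input length never validated: buffer overflow */
    char *copy = malloc(strlen(buf) + 1);
    strcpy(copy, buf);                 /* malloc result unchecked: NULL pointer dereference */
    char *eq = strchr(copy, '=');
    if (eq == NULL)
        return -1;                     /* early return skips free(): memory leak */
    int len = (int)strlen(eq + 1);
    free(copy);
    return len;
}

/* After: same contract, every flagged path closed. Returns -1 on any error. */
int value_length(const char *line) {
    char buf[16];
    if (line == NULL || strlen(line) >= sizeof buf)
        return -1;                     /* input length validated before it touches the buffer */
    memcpy(buf, line, strlen(line) + 1);
    char *copy = malloc(strlen(buf) + 1);
    if (copy == NULL)
        return -1;                     /* allocation failure handled; nothing to free yet */
    memcpy(copy, buf, strlen(buf) + 1);
    int len = -1;                      /* initialized so the no-'=' path has a defined result */
    const char *eq = strchr(copy, '=');
    if (eq != NULL)
        len = (int)strlen(eq + 1);
    free(copy);                        /* released on every path */
    return len;
}
```

Both versions behave identically on a short, well-formed line; the difference only shows on the inputs an analyzer reasons about (over-long input, a failed allocation, a line without '='), which is exactly why such defects survive into testing.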

shared by aprilsimpson on Nov 02