Transcribed

Why Every Developer Needs Static Analysis Tools

SCA FTW! WHY DEVELOPERS NEED STATIC ANALYSIS TOOLS

Here's a no-brainer: You need to produce safe, reliable code that's free of security weaknesses and critical defects. With static analysis tools, you got this.

Static analysis (noun; synonym: source code analysis, SCA) automatically detects weaknesses in computer software without executing the programs built from that software, and enables developers to check in clean code.

SOFTWARE DEFECTS = LAUNCH DELAYS + RECALLS + BRAND DAMAGE + EXPENSE + SERIOUS HARM
-Therac-25 radiation therapy machine: patients suffer from massive doses of radiation
-Toyota Prius: 400K+ vehicles recalled
-Ariane 5 Flight 501: $370M rocket self-destructs

DEFECTS ARE HARD TO FIND
-Most applications have 22.4 security risks*
-Without tools like static analysis or a code review process, programmers are less than 50% efficient in finding bugs in their own software**

COST OF DEFECTS
-The global economy spends $312 billion annually***
-50¢ of every dollar of the dev & maintenance budget spent on software development and maintenance goes towards finding and fixing bugs****

STATIC ANALYSIS HELPS YOU FIND CRITICAL WEAKNESSES & COMPLY WITH KEY CODING STANDARDS
Weaknesses:
-Buffer overflow
-Concurrency violations
-Unvalidated user input
-Dereferencing NULL pointers
-Injection issues
-Concurrency errors
-Cross-site scripting
-Endian incompatibilities
-Use of uninitialized data
-Memory and resource leaks
Standards: SAMATE, OWASP, CERT, MISRA, CWE™, DISA STIGs, FDA, DO-178B, ISO-26262, PCI

SAVE TIME. SAVE MONEY. SAVE YOUR SANITY.
-Software developers spend half their programming time finding and fixing bugs***
-85% of defects created during coding, not found until testing

TRADITIONAL APPROACH (a.k.a. Lather, Rinse, Repeat)
-Write code
-Check it in
-QA points out mistakes
-Fix code
-Check it in again
-QA finds more mistakes

MODERN APPROACH (a.k.a. Get It Right the First Time)
-Write code
-Fix mistakes as you go
-Check in clean code
-Write more code

EXAMPLES: PERSON HOURS REQUIRED TO REPAIR DEFECTS IN THIS STAGE****
[Chart: stages shown are Coding, Integration Build, System Test and Post Release; hour values shown are 15 min, 1 hr, 12.5 hrs and 25 hrs; cost values shown are $25, $1,000 and $16K.]
$16,000 spent to repair defects found after release***** (3,532 lbs. of bacon)

With SCA tools, you can fix issues at your desktop while you're coding and before check-in. Find bugs sooner, move on to other things.

DEVELOPERS: WHAT'S IN IT FOR ME?
1. Keep QA off your back by avoiding the lather-rinse-repeat cycle
2. Be a better developer by learning from your mistakes
3. Check in clean code and move on to other things
4. Avoid being the guy who codes a serious defect that gets into the wild

DEV MANAGERS: WHAT'S IN IT FOR ME?
1. Narrow the gap between your rock star coders and the newbs
2. Decrease risk by ensuring issues are fixed early in the dev cycle
3. Boost productivity by reducing the time spent on dealing with code defects
4. Keep improving your code base by tracking and reporting on code security, quality and complexity metrics

DEPLOY SCA, REWARD YOURSELF WITH A CRONUT!

Sources:
* 2013 Global Application Security Risk Report, https://www.aspectsecurity.com/uploads/downloads/2013/06/Aspect-2013-Global-AppSec-Risk-Report.pdf
** Capers Jones, 2012, http://sqgne.org/presentations/2012-13/Jones-Sep-2012.pdf
*** Cambridge University Study States Software Bugs Cost Economy $312 Billion Per Year, http://markets.financialcontent.com/stocks/news/read/23147130/Cambridge_University_Study_States_Software_Bugs_Cost_Economy_$312_Billion_Per_Year
**** Capers Jones, 2012, http://www.ifpug.org/Documents/Jones-SoftwareDefectOriginsAndRemovalMethodsDraft5.pdf
***** Applied Software Measurement, Capers Jones, 1995

Klocwork helps developers create more secure and reliable software with on-the-fly source code analysis tools. Learn more and register for a free trial at: www.klocwork.com/WhySCA

shared by meranda.powers on Sep 04
Security vulnerabilities here, standards violations there, new issues being dug up by QA – don't let your code get the better of you. See how static analysis can help.

Category

Technology