5 reasons why static analysis is important for business
- What is static analysis?
- Working with a static analyzer
- Benefits of introducing static code analysis
- Here are a few more useful links:
This article goes through five key reasons why static analysis is beneficial to software companies. This may help you decide whether to explore code analysis methodology and then integrate it into your company's development process.
What is static analysis?
Static code analysis is an automated process of detecting errors and potential vulnerabilities. A software tool analyzes the program's source code, and a developer reviews its findings. Since static analysis tools check the source code, the approach belongs to white-box testing.
In a typical code review, the development team examines the code. Code review is a tried-and-true way of spotting bugs and sharing experience with other developers. However, it has a drawback — the high cost.
A developer can use a static analysis tool to check their code before passing it to teammates for review. If you check it in advance, you can fix many bugs and dangerous spots. This will free up time for your team to focus on finding higher-level bugs and debating architectural solutions.
Working with a static analyzer
The static analysis tool checks the source code and issues a list of warnings. Then the developer examines these warnings and chooses where to change the code and where not to.
This process cannot be fully automated, because analyzers do not fix code themselves, for the following reasons:
- Static analyzers sometimes issue false positives. Although the code is valid, the tool may find it incorrect. Only a human can understand whether a warning is correct or not.
- Even when an error is obvious, static analyzers lack sufficient data to provide a solution. Only someone who understands how the program should function can fix it.
- Some warnings issued by static analyzers are just informative and indicate a code smell. It's up to the developer to decide whether it is necessary to refactor the code and how to make it clearer for their colleagues and the analyzer.
The scenarios for working with a static analyzer are fairly diverse. Developers can run static analysis manually from an IDE or automatically after the project is built. There's also an option to start the analysis for files that are added to the version control system. You can run the overnight project build, and in the morning, developers will get warnings on their code. Other scenarios or their combinations are also possible. It all depends on the team and their preferences.
All that matters is that static analysis must be used regularly as part of the development process.
Benefits of introducing static code analysis
Static analysis, like any other testing approach, takes time to introduce into and apply within the development process. Take unit tests as an example — it takes time to write and maintain them. However, writing unit tests, as well as applying static analysis, will eventually save the team resources on software project support and development.
From a management standpoint, there are five reasons why static analysis benefits the software development process:
- Reduces bug-fixing time and costs;
- Enhances security via early detection of potential vulnerabilities;
- Frees up resources for solving business problems;
- Provides quality control;
- Supports various coding standards.
Let's discuss these benefits in more detail.
1. Reduces bug-fixing time and costs
The earlier you find errors, the cheaper they are to fix. Developers can use static analysis while writing code — this is the earliest stage when you can find an error.
According to 'Code Complete' by Steve McConnell, the average cost of finding and fixing bugs during the testing stage is ten times higher than fixing bugs while writing code. If an error is detected after the release, the cost of fixing it skyrockets.
2. Enhances security via early detection of potential vulnerabilities
It's even worse if code contains not just bugs but zero-day vulnerabilities. If an attacker discovers vulnerabilities in a company's products, the company could suffer great reputational and financial losses. The graph below depicts the average costs of eliminating security defects at various stages of the software lifecycle.
Figure 1. The relative cost of fixing a vulnerability according to the IBM System Science Institute.
Static analyzers that check code for potential vulnerabilities are called SAST solutions (Static Application Security Testing). PVS-Studio is an example of a SAST tool.
3. Frees up resources for solving business problems
Static analyzers automatically identify flaws at the code-writing stage, freeing up resources that may be employed to solve business challenges.
Figure 2. Static analysis helps reduce work-in-progress (WIP) and the number of urgent bug-fixing tasks.
Here's a quote from the book 'Kanban: Successful Evolutionary Change for Your Technology Business' by David J. Anderson:
Capers Jones reports that in 2000, during the dot-com bubble, he evaluated the quality of programs for North American teams. The quality ranged from six errors per function point to less than three errors per 100 function points — 200 to one. The midpoint is approximately one error per 0.6–1.0 functional point. Thus, teams usually spend more than 90% of their efforts on fixing errors. There is also direct evidence of this. In late 2007, Aaron Sanders, one of the first followers of Kanban, wrote on the Kanbandev mailing list that the team he worked with spent 90% of the available productivity on bug fixes.
Striving for inherently high quality will have a serious impact on the performance and throughput of teams that make many errors. You can expect a two to fourfold increase in throughput. If the team is initially lagging behind, then focusing on quality allows you to increase this indicator tenfold.
Static analysis reduces the density of errors in a program. Analyzers find errors and issue warnings that help simplify your code. Clear code is easier to maintain and there's less chance of making new errors when changing it.
4. Provides quality control
Managers may want to know the answers to the following questions:
- A large number of new employees joined the team this year. Did that negatively affect the code quality?
- We are going to implement X. How do we know if this would positively affect the code quality?
These questions can be answered with the help of warning density graphs based on the results of static analysis. If the number of warnings per 1000 lines of code increases, the quality decreases. For example, you can use the SonarQube platform to build this kind of graph.
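The workflow described in "Working with a static analyzer" (the tool issues warnings, a developer triages them, and false positives are suppressed rather than fixed) and the warning-density metric from this section can both be seen in a single small checker. The following is an added illustration written for this article; it is not PVS-Studio or SonarQube code. It parses Python with the standard `ast` module, implements two security-flavoured checks (a call to `eval`/`exec` on non-constant input, and a `subprocess` call with `shell=True`), honours a hypothetical `# static-analysis: suppress SAxxx` comment that records a reviewer's decision, and reports warnings per 1000 lines of code. The rule codes, the suppression syntax and the `SAMPLE` source are all constructed for the example.

```python
"""Minimal AST-based static analyzer (added example, not PVS-Studio code).

Checks (codes are invented for this illustration):
  SA001  eval()/exec() whose first argument is not a literal constant
  SA002  subprocess.run/call/Popen/check_output invoked with shell=True
A reviewer marks a judged false positive with a trailing comment such as
    # static-analysis: suppress SA002
(hypothetical syntax); suppressed findings are dropped from the report.
"""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

SUPPRESS_RE = re.compile(r"#\s*static-analysis:\s*suppress\s+(SA\d{3})")
SUBPROCESS_CALLS = {"run", "call", "Popen", "check_output"}


@dataclass(frozen=True)
class Finding:
    code: str
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Return the bare function name of a call: eval(...) -> 'eval', subprocess.run(...) -> 'run'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def analyze(source: str) -> list[Finding]:
    """Walk the AST, collect findings, then remove those the reviewer suppressed."""
    tree = ast.parse(source)
    lines = source.splitlines()
    found: list[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("eval", "exec"):
            # A literal argument cannot carry caller-controlled data, so it is not reported.
            if node.args and isinstance(node.args[0], ast.Constant):
                continue
            found.append(Finding("SA001", node.lineno, f"{name}() on non-constant input"))
        if name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    found.append(Finding("SA002", node.lineno, "subprocess call with shell=True"))
    # The human decision step: a matching suppression on the flagged line hides the finding.
    kept = []
    for f in found:
        m = SUPPRESS_RE.search(lines[f.line - 1])
        if m and m.group(1) == f.code:
            continue
        kept.append(f)
    return sorted(kept, key=lambda f: (f.line, f.code))


def warnings_per_kloc(findings: list[Finding], source: str) -> float:
    """Warning density: findings per 1000 non-blank, non-comment lines."""
    loc = sum(1 for ln in source.splitlines() if ln.strip() and not ln.strip().startswith("#"))
    return 0.0 if loc == 0 else 1000 * len(findings) / loc


# Constructed sample program to analyze (not real project code).
SAMPLE = '''\
import subprocess

def run_user_report(expr):
    return eval(expr)

def list_dir(path):
    return subprocess.run("ls " + path, shell=True)

def version():
    # reviewer checked: fixed command string, no external input
    return subprocess.run("git --version", shell=True)  # static-analysis: suppress SA002

TABLE_SIZE = eval("2 ** 10")
'''


def main() -> None:
    findings = analyze(SAMPLE)
    for f in findings:
        print(f"line {f.line}: {f.code} {f.message}")
    print(f"density: {warnings_per_kloc(findings, SAMPLE):.1f} warnings per 1000 LOC")


if __name__ == "__main__":
    main()
```

Running the block reports SA001 on line 4 and SA002 on line 7 of the sample; the `shell=True` call on line 11 is hidden by the reviewer's suppression comment, and the constant `eval("2 ** 10")` is never reported. Tracking the `warnings_per_kloc` value over successive builds is the kind of density series the section describes.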
5. Supports various coding standards
The code must comply with the standards of the particular industry. For example, MISRA C, MISRA C++, and AUTOSAR C++ 14 Coding Guidelines are used when developing systems that require security and fault tolerance.
It's extremely tedious and inefficient to manually check the code for compliance with a specified coding standard. Static analyzers can do that much faster.
By introducing static analysis into the development process, you get some extra power to provide a high level of quality, reliability, safety, and security for your software projects' code.
Our team develops a SAST tool — PVS-Studio. We have extensive experience assisting businesses in integrating static analysis into their development process. Feel free to contact us if you have any questions concerning static analysis. I hope we can assist your business in enhancing its software development processes.
Here are a few more useful links:
- Introduce Static Analysis in the Process, Don't Just Search for Bugs with It.
- How to introduce a static code analyzer in a legacy project and not to discourage the team.
- SAST in Secure SDLC: 3 reasons to integrate it in a DevSecOps pipeline.
- List of tools for static code analysis.
- Philosophy of Static Code Analysis: We Have 100 Developers, the Analyzer Found Few Bugs, Is Analyzer Useless?