Sunday, September 19, 2021

Why Is Static Code Analysis Important? Pros and Cons

In the last few years, software code quality and security have gone from being a "nice to have" to a necessity, and many organizations, including investment banks, are making it mandatory to pass static code analysis, penetration testing, and security testing before you deploy your code to production. Static analysis tools like FindBugs and Fortify are getting more popular every passing day, and more and more companies are making a Fortify scan mandatory for all new development. For those unaware of what static code analysis is: it is the analysis of your source code, without executing it, to find potential vulnerabilities, bugs, and security threats.

A static code analyzer looks for patterns, defined to it as rules, that can cause a security vulnerability or other code quality problem that production-quality code must not have. But like every other technology, static analysis has its own set of advantages and disadvantages, and weighing them is also the best way to judge any technology.

Static code analyzers are not a new thing; they have been around for a long time. But as a senior Java developer or team lead, you have a responsibility to set up processes like automated code analysis, continuous integration, and automated testing to keep your project in a healthy state and promote best development practices in your team.

In my opinion, unit testing, code review, and static code analysis make a nice combination, along with continuous integration. In this article, we will look at some pros and cons of static code analysis so that you can decide whether static analysis is important for you or not.

I am already convinced by the pros; we are using Fortify scanning in all our projects and have seen the benefits of it. But it's not all good: it is also time-consuming.

When your tool keeps alerting you with false positives, you start taking them lightly, and then it becomes a habit to treat everything as a false positive, which eventually takes away all the benefits of static code analysis. You need to be disciplined enough not to fall into that trap.

Benefits of Static Analysis in Software Development

There are many good reasons to use static code analysis in your project. One of them is a thorough analysis of your code without executing it. Static analysis scans ALL code: if there are vulnerabilities in distant corners of your application that are not even exercised at runtime, static analysis still has a higher probability of finding them than a test run does, because a test can only cover the code it reaches.

The second benefit of using static code analysis is that you can define your own project-specific rules, and they will be enforced without any manual intervention. If any team member forgets to follow those rules, the violations will be highlighted by a static code analyzer like Fortify or FindBugs.

The third major benefit of static code analysis is that it can find bugs early in the development cycle, which means they cost less to fix. All these advantages of static code analyzers can be fully realized only if the analysis is part of the build process.

On the other hand, techniques like manual testing or penetration testing produce far fewer false positives than a static code analyzer. Though static analysis and pen testing are often seen as alternatives to each other, they are not; they complement each other.

Pen testing is actually more realistic than static code analysis, because the test cases are provided by a user and are closer to real-world usage scenarios, while static code analysis only looks for patterns that can cause bugs.

The absence of a known pattern doesn't mean the absence of bugs, so ideally you need to do both pen testing and static code analysis before you push your application into production.

Why Is Static Analysis Bad? Cons of Static Analysis in Software Development

Though static code analysis is useful, it also has a few disadvantages. The biggest problem with static analysis is that it produces too many false positives: warnings that are sometimes safe to ignore and are not really an issue. This creates a lot of work for developers, who then treat the warnings as low priority and eventually stop fixing them.

One way to minimize false positives is to tune the rules the tool uses for scanning and analyzing your code. After the initial triage, you suppress the false positives and create custom rules to make the scan more context-specific. If you're using the HP Fortify tool, you can write a custom rule to eliminate those false positives in future scans.

This is actually true for any tool: you need to customize it a little to suit your environment. Static analysis shouldn't be a one-shot scan; it should be used continually throughout development and testing. Another problem with static code analyzers is that they take too long to run, and after some time developers never bother to run them.

You can minimize this problem by making static code analysis part of your build process rather than an optional, good-to-do extra. Second, you must review the rule set and write custom rules so that the scan doesn't take too long to execute.

Given that the build process needs to do many things these days, e.g. clean, compile, package, static analysis, unit testing, and deployment, even a small amount of time added in each step eventually increases the total build time.
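To make the points above concrete (rules as patterns, scanning code a test would never reach, suppressing false positives after triage, and gating the build on the result), here is a toy rule-based analyzer. It is an added illustration written for this article, not code from FindBugs, Fortify, or any real project; the `RULES` table, the `(rule id, line)` suppression format, and the sample module are all assumptions made for the example. It uses only the Python standard library `ast` module, so it runs offline.

```python
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _is_call_to(node, name):
    """True when `node` is a direct call to the bare function `name`."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Name)
            and node.func.id == name)


def _assigns_secret_literal(node):
    """True when a credential-looking variable is assigned a non-empty string literal."""
    if not isinstance(node, ast.Assign):
        return False
    value = node.value
    if not (isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value):
        return False
    return any(isinstance(t, ast.Name)
               and any(k in t.id.lower() for k in ("password", "secret", "token"))
               for t in node.targets)


# Rule table (hypothetical format): (rule id, predicate over an AST node, message).
# Project-specific rules are added by appending to this list, which plays the
# role of a custom rule pack.
RULES = [
    ("EVAL_USE", lambda n: _is_call_to(n, "eval"),
     "eval() executes whatever string it is given; avoid on untrusted input"),
    ("HARDCODED_SECRET", _assigns_secret_literal,
     "credential-looking variable assigned a string literal"),
]


def analyze(source, suppressions=frozenset()):
    """Match every rule against every node in `source`.

    `suppressions` is a set of (rule id, line) pairs recorded during triage;
    matching findings are dropped, which is how false positives are tuned out.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):   # walks dead code too; nothing is executed
        for rule_id, predicate, message in RULES:
            if predicate(node) and (rule_id, node.lineno) not in suppressions:
                findings.append(Finding(rule_id, node.lineno, message))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def build_gate(findings, max_allowed=0):
    """CI-style gate: the build passes only when findings stay within budget."""
    return len(findings) <= max_allowed


# Constructed sample input (a hypothetical module, not from any real project).
SAMPLE = '''\
import os
DB_PASSWORD = "hunter2"          # real issue: hard-coded credential
API_TOKEN = os.environ["TOKEN"]  # fine: read at runtime, not a literal

def calc(expr):
    return eval(expr)            # real issue, reachable from callers

def unused_helper(expr):
    # never called anywhere, so a test run or pen test would not reach it
    return eval(expr)

def config():
    password_prompt = "Enter password:"   # false positive: a UI label, not a secret
    return password_prompt
'''


if __name__ == "__main__":
    raw = analyze(SAMPLE)
    for f in raw:
        print(f"line {f.line:>2}  {f.rule:<17} {f.message}")
    print("build passes before triage:", build_gate(raw))
    # Triage decision: line 13 is a prompt string, so suppress that one finding only.
    triaged = analyze(SAMPLE, suppressions=frozenset({("HARDCODED_SECRET", 13)}))
    print("findings after triage:", len(triaged))
```

Running it reports four findings, including the `eval()` in `unused_helper`, which no test or pen test would ever execute. The suppression removes only the prompt-string false positive on line 13 and leaves the three real findings, so `build_gate` still fails the build until they are fixed; suppressing by `(rule, line)` rather than by rule keeps the rule active everywhere else, which is the discipline the article asks for.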

That's all about why static code analysis is important and why your project should use a static code analyzer as part of the build process. Projects where security is the ultimate requirement must employ static code analysis, as it is very good at finding potential vulnerabilities early.

Modern-day static code analyzers like FindBugs and Fortify are really good at looking at source code to find coding errors and programmers' mistakes. FindBugs also has an Eclipse plugin, so if your project is not using static analysis, you can at least run it at your own level; this will help you write better code and become a better programmer.

Code quality is also improved by using this tool, but it doesn't make penetration or security testing optional. In the end, you need both static and dynamic analysis to make your project production-ready.



Thanks for reading this article so far. If you like this article, then please share it with your friends and colleagues. If you have any questions or feedback, please drop a note.


4 comments:

Vinod Kumar Kashyap said...

Hey,

SonarQube is also a great tool for code analysis

Thanks,
Vinod

javin paul said...

@Vinod, indeed, thanks for suggesting SonarQube. Have you used it in your project?

Anonymous said...

static code analysis benefits are:
1. can get warned of anti-patterns in the code.
2. information about the source code.
3. helpful in call-graphs, and class diagrams.

Ajay Paul said...

Fortify and static is quite different. Fortify takes care of security vulnerabilities. Static analysis is more refactoring the code to be more readable both from design and scalable perspective.
