Agile, Scrum and DevOps are hot topics in software development, but are teams really achieving the goals of these new approaches? Management isn’t convinced: a recent survey of company CIOs shows that executives consider it a “fad,” blaming the lack of visibility into project success (or failure) and the lack of planning. Success stories abound, but software development teams often struggle as they adopt new approaches. Automation is a key component of making agile and iterative development work: for sprints or iterations to succeed, the security and quality of each deliverable must be acceptable. This post discusses the role of static analysis in an agile development toolset and the importance of meeting security and quality goals in each sprint.
- Manifesto for Agile Software Development
- Agile development an 'IT fad' that risks iterative failure
- New research turns the agile vs waterfall debate on its head
One of the key parts of the Agile Manifesto is working software over comprehensive documentation. Moreover, the agile principles state that “[w]orking software is the primary measure of progress.” The implication is twofold: working software is a key goal for each iteration, and it is a superior way of demonstrating what the software does and how it operates (instead of lengthy design documents, for example). At the end of each iteration, deliverables need to have acceptable levels of security, functionality, stability and performance; these factors cannot be left to later iterations. When security and other non-functional requirements are ignored in favor of features, the consequences as the product matures are disastrous.

Agile Struggles with Security and Quality
In any development approach the goal is to deliver high quality software that meets the customers’ expectations. Agile development is more resilient to changes in scope and improves the relationship between developer and customer; however, rapid iterations can create a backlog of defects and security vulnerabilities. In fact, security is often not seen as important in early iterations, which can have undesirable consequences. Eventually, the backlog of quality and security issues must be dealt with, and it can cause the development team the same pain as a waterfall approach. This means agile development teams need to focus on security and quality in each iteration, which in turn means thorough quality processes: reviews, inspections and thorough testing.
Automation is important to making testing work in an agile development project: it increases testing productivity, provides intelligence on where to test (isolating the impact of new features) and collates results. Static analysis augments this by detecting bugs before they enter the project, at the developer’s desktop, and by detecting highly impactful bugs and security vulnerabilities in the whole project, including third-party and legacy code.

How Static Analysis Improves Agile Development
Static analysis helps agile projects by decreasing the backlog of defects, finding them in existing code, in newly developed code, or during build and integration cycles. In addition, static analysis can find security vulnerabilities and other bugs that are often missed by testing or are too complex to find with it. Here are some examples of the benefits that static analysis brings to agile development:
- Continuous source code quality and security assurance: Static analysis is often applied initially to a large codebase as part of its initial integration; however, where it really shines is after an initial code quality and security baseline is established. As each new code block is written (file or function), it can be scanned by the static analysis tools and developers can deal with the errors and warnings quickly and efficiently before checking code into the build system.
- Tainted data detection and analysis: Analysis of the data flows from sources (i.e., the interfaces where data enters the program) to sinks (where data gets used in a program) is critical in detecting potential vulnerabilities from tainted data. Any input, whether from a user interface or a network connection, is a potential security vulnerability if it is used unchecked. Code injection and data leakage are possible outcomes of such attacks, which can have serious consequences.
- Third-party code assessment: Most projects are not greenfield development and require the use of existing code, either from within a company or from a third party. Performing testing and dynamic analysis on a large existing codebase is hugely time consuming and may exceed the limits of the budget and schedule. Static analysis is particularly suited to analyzing large code bases and providing meaningful errors and warnings that indicate both security and quality issues. GrammaTech's CodeSonar binary analysis can analyze binary-only libraries and provide reports similar to those from source analysis when source is not available. In addition, CodeSonar's binary analysis can work in a mixed source and binary mode to detect errors in the usage of external binary libraries from the source code.
- Coding standard enforcement: Static analysis tools analyze source syntax and can be used to enforce coding standards. Various secure coding guidelines are available, such as SEI CERT C, Microsoft's Secure Coding Guidelines, and MISRA C and C++.
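To illustrate the coding-standard-enforcement point, here is an added example (not CodeSonar's or any GrammaTech code) of a minimal banned-function checker for C source written in Python. The deny list and its advice strings are constructed for the example, in the spirit of rules that forbid gets (removed from the language in C11) and unbounded copy and format functions; the sample C file is constructed too. The checker blanks out comments and string literals before matching, so a function name mentioned in a comment or a message is not reported.

```python
"""Minimal banned-function checker for C source (example code, not a real tool)."""
import re

# Constructed deny list with advice, modelled on secure-coding rules that forbid
# gets (removed in C11) and unbounded copy/format functions.
BANNED = {
    "gets": "removed in C11; use fgets with an explicit buffer size",
    "strcpy": "no bounds check; use snprintf or a length-checked copy",
    "sprintf": "no bounds check; use snprintf",
}

# An identifier immediately followed by an opening parenthesis, i.e. a call (or definition).
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def _strip_noise(line, in_block):
    """Blank out string/char literals and comments on one line so names inside them
    are not matched. Returns (cleaned_line, still_inside_block_comment)."""
    out, i, n = [], 0, len(line)
    while i < n:
        if in_block:                       # inside /* ... */ opened on an earlier position
            end = line.find("*/", i)
            if end == -1:
                return "".join(out), True
            i, in_block = end + 2, False
        elif line.startswith("//", i):     # rest of the line is a comment
            break
        elif line.startswith("/*", i):
            i, in_block = i + 2, True
        elif line[i] in "\"'":             # string or character literal
            quote = line[i]
            i += 1
            while i < n and line[i] != quote:
                i += 2 if line[i] == "\\" else 1   # skip escaped characters
            i += 1                         # past the closing quote
            out.append(" ")
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_block


def check_source(source):
    """Return [(line, function, advice)] for each call to a banned function."""
    findings, in_block = [], False
    for lineno, line in enumerate(source.splitlines(), 1):
        cleaned, in_block = _strip_noise(line, in_block)
        for match in _CALL_RE.finditer(cleaned):
            name = match.group(1)
            if name in BANNED:
                findings.append((lineno, name, BANNED[name]))
    return findings


# Constructed sample C file: two real violations (lines 7 and 8) and two decoys
# (a banned name in a comment and in a string literal).
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* gets() in this comment must not be reported */
void copy_name(char *dst, const char *src) {
    char buf[32];
    gets(buf);
    strcpy(dst, src);
    puts("strcpy(dst) done");
    fgets(buf, sizeof buf, stdin);
}
"""

if __name__ == "__main__":
    for line, name, advice in check_source(SAMPLE_C):
        print(f"line {line}: call to {name}: {advice}")
```

A real coding-standard checker works on a parsed AST rather than tokens, so it can tell a call from a declaration and handle macros; the point here is only the shape of the rule: a syntactic pattern plus actionable advice, cheap enough to run on every file as it is written.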
The move to iterative and agile development methods has been a net positive for the software industry, but teams still struggle with security vulnerabilities and code quality. Static analysis has an important role to play in improving the outcome of agile development methods, by augmenting existing automation and by uncovering bugs that might otherwise have been missed altogether.
Like what you read? Download our white paper "Enhancing Code Reviews with Static Analysis" to learn more.