Developers are always under pressure to increase code output, but without the proper controls and tooling in place, rushing through the development process can lead to problems down the road.
Static code analysis (SCA) tools offer a way to verify quality, security, and compliance without adding much extra time to the process. However, according to a webinar from Perforce, just because a developer has access to a tool doesn’t mean they are using it 100% effectively.
In the webinar, Rod Cope, chief technology officer at Perforce Software, shared five things development teams can do to increase their development output using these tools:
Use SCA to check security of code
According to Cope, a lot of organizations lack the time, focus, and proper tools to prevent attacks. Further, most attacks are related to trust issues, such as cross-site scripting, SQL injection, or unvalidated inputs.
“Static code analysis can help by not requiring any additional time. You just run the tool,” said Cope.
Use SCA to enforce industry and coding standards
SCA tools can be used to enforce key standards, such as DISA STIG, CWE, MISRA, CERT, SAMATE, OWASP, DO-178B, FDA validation, and more.
Cope recommends that companies pick one of these standards and follow it even if their industry does not require compliance with any of them. “We found it’s a best practice to adopt one of these standards so at least you’re following something and you know these standards are good, reliable, proven in the industry,” he said.
Integrate SCA and CI into your development process
This cuts testing time: as developers write code, it is scanned and verified in the context of the rest of the codebase, so any security or compliance issues are caught immediately rather than near the end of the process, when developers would have to go back and rework the code.
According to Cope, development teams using daily builds experience a 90% increase in output and a 36% reduction in defect rate when testing at each check-in point.
To work successfully in a CI environment, SCA tools need to be automated, scalable, efficient (analyzing only the affected code), and able to report only the relevant information for a given context, Cope explained.
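As an added illustration (not from the webinar or from Perforce's products) of what the two points above mean in practice, the checker below inspects Python source for one of the trust issues Cope names, SQL built from runtime values instead of query parameters, and returns the non-zero exit status a CI step would use to fail the build. The sample module it scans is constructed here; a real SCA tool does far more (taint tracking across functions, many rule sets, incremental analysis).

```python
"""Minimal static checker for SQL assembled from runtime strings (constructed example)."""
import ast
import sys

# Constructed sample module: the first two queries splice data into the SQL text,
# the third passes the value as a parameter, which is what the checker accepts.
SAMPLE_SOURCE = '''
def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

def is_dynamic_string(node: ast.expr) -> bool:
    """True if the expression builds a string at run time from other values.
    Deliberately simple: constant-only concatenation is flagged too, whereas a
    real analyzer would track which operands carry untrusted data."""
    if isinstance(node, ast.JoinedStr):                      # f"...{x}..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "a" + x  or  "%s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "{}".format(x)
    return False

def find_sql_injection(source: str) -> list[tuple[int, str]]:
    """Return (line, message) for each execute()/executemany() call whose
    statement argument is assembled dynamically instead of parameterised."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        if is_dynamic_string(node.args[0]):
            findings.append((node.lineno,
                             "SQL statement built from runtime values; "
                             "pass values as query parameters instead"))
    return findings

def scan(source: str) -> int:
    """Print findings and return the exit code a CI step uses to gate the build."""
    findings = find_sql_injection(source)
    for line, msg in findings:
        print(f"line {line}: {msg}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(scan(SAMPLE_SOURCE))
```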
Use SCA to validate legacy and open-source software
Cope added that all open-source components that are in use should be scanned by the SCA tool as well.
He also recommended that companies that use contractors to write code ask those contractors to run SCA on that code and report the results.
“The more you scan upfront the cheaper it is and faster it is to fix those defects and to avoid issues,” said Cope.
Use SCA to help developers improve code quality
SCA isn’t just a scanner for finding bugs; it can also be used as an educational tool. Developers can learn from the results to improve the way they write code by learning about common programming errors, security vulnerabilities, and standards.
“As they create errors and the tool tells them what they did wrong, a good tool also tells them how to do it right, how to fix it, what is the underlying issue, how to avoid those issues in the future, how to write better clean code with fewer vulnerabilities,” said Cope.
For more information watch the webinar “5 Ways to Improve Developer Output.”