Thursday, April 23, 2009

Blitz Blog: Quality Assurance Through Code Analysis

Today I read through a Parasoft whitepaper published on searchsoftwarequality.com, and I found it to be a great approach to static code analysis.

FULL DISCLOSURE: I write articles and am a “Software Testing Expert” for searchsoftwarequality.com. However, I do not blog positively if I don’t believe in the posting.

Parasoft is the manufacturer of an application security static code analysis tool. Of course, the white paper’s intention is to sell copies of their tool. Can’t fault them for 1) believing in their product and 2) wanting to pay the bills.

What I really like about this article is the approach they take to SCA. They are not pushing it as the end-all, be-all of code quality. They are very realistic about SCA, in fact, stating that it’s often over-used and, once over-used, ignored. Companies implementing SCA must be careful about it—don’t enable a rule unless you really want to enforce it.

At the same time, they make a strong point about the value of SCA. It can really help a team drive quality upstream. Some policies an engineering team might want to use, for example, contribute to code readability while others contribute to security (dynamically-built SQL statements vs. parameterized queries, anyone?).

As an Agile engineer, I do take issue with their heavy-handed ‘management enforcement’ method. Agile teams need to adopt policies as needed. Cross-company Agile team representatives might establish company-wide policies and enforcement, but the Agile team itself should arrive at the bulk of the policy definitions.

One thing I like to see is the implementation of SCA directly in the build process – i.e., no build if the code fails with errors, and a team-wide email on warnings. This is the best way to enforce policies (but teams need to be selective about policies, so they don’t overwhelm or ‘over-stay their welcome’).
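To make the two points above concrete (a rule set where only the rules the team wants enforced are enabled, a security rule that flags dynamically-built SQL next to a readability rule, and a build gate that fails on errors but only reports warnings), here is a small added example of such a checker written for this post. It is not Parasoft's tool or code from the whitepaper; the rule names, the severity mapping, and the sample module it scans are all constructed for illustration.

```python
import ast
from collections import namedtuple
# Constructed policy: enable only the rules the team really wants to enforce.
# "error" breaks the build; "warning" is only reported (e.g. mailed to the team).
ENABLED_RULES = {"SQL_CONCAT": "error", "BARE_EXCEPT": "warning"}
Finding = namedtuple("Finding", "rule severity line message")

class PolicyChecker(ast.NodeVisitor):
    """Walks a Python AST and records violations of the enabled rules."""
    def __init__(self):
        self.findings = []
    def report(self, rule, node, message):
        if rule in ENABLED_RULES:  # disabled rules are never reported
            self.findings.append(Finding(rule, ENABLED_RULES[rule], node.lineno, message))
    def visit_Call(self, node):
        # Security rule: the query passed to execute()/executemany() must not be built
        # with +, % or an f-string; values belong in the parameter tuple instead.
        f = node.func
        if isinstance(f, ast.Attribute) and f.attr in ("execute", "executemany") and node.args:
            q = node.args[0]
            if isinstance(q, ast.JoinedStr) or (
                    isinstance(q, ast.BinOp) and isinstance(q.op, (ast.Add, ast.Mod))):
                self.report("SQL_CONCAT", node, "dynamically built SQL; use a parameterized query")
        self.generic_visit(node)
    def visit_ExceptHandler(self, node):
        # Readability rule: a bare "except:" hides which failure is being handled.
        if node.type is None:
            self.report("BARE_EXCEPT", node, "bare except clause")
        self.generic_visit(node)

def analyze(source):
    checker = PolicyChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda x: x.line)

def build_gate(findings):
    """(build_passes, warnings): errors fail the build, warnings are only reported."""
    return (not any(x.severity == "error" for x in findings),
            [x for x in findings if x.severity == "warning"])
# Constructed sample module: two dynamic queries, one parameterized query, one bare except.
SAMPLE = '''def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
    try:
        return cur.fetchone()
    except:
        return None
'''
```

Running `build_gate(analyze(SAMPLE))` returns a failed gate because of the two SQL_CONCAT errors on lines 2 and 3, with the bare-except warning on line 7 handed back for reporting rather than blocking the build.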

Anyhow, blitz blog. Highly recommended reading!

http://go.techtarget.com/r/6673725/7930283/1

5 comments:

  1. Hi,
    I found this article very useful. It's so clear in delivering the key points, and I have seen your referral link; it's so good. You can get some sources for tools and articles related to software testing from macrotesting www.macrotesting.com; it's a good site for software testing. All the points in your post are so good. Please post more articles; it will be very useful for testers like me.

    Thank you.
  2. Very useful information. The way of writing is very simple, and a layman can also understand the concept easily.
  3. Analyzing code as part of the entire QA process is a good idea, and I think SCA is useful, like you said, but Agile teams are supposed to be creating their own rules, right? Isn't that what Agile is? So maybe some simple rules rather than a corporate heavy hand is more appropriate.

  4. SWIFT Interview questions on

    http://testwithus.blogspot.in/p/swift.htm

    For selenium solution visit
    http://testwithus.blogspot.in/p/blog-page.html

    For QTP interview questions

    http://testwithus.blogspot.in/p/qtp-questions.html

    www.searchyourpolicy.com