Static Analysis and the Software Development Life Cycle

Regardless of an organization’s development methodology, static analysis can serve as an early warning system to identify possible defects that may cost orders of magnitude more to correct later in development. The figure below depicts a typical software build process employed during the software development life cycle (SDLC) and shows how static analysis can be integrated with this process.

As shown in the figure, the stages of development for which static code analysis is most suitable are the developer desktop and the central build. Providing static analysis at the developer desktop level allows individual developers to test their code locally, enabling them to identify and repair defects prior to checking in their code. The obvious benefit of this is that programming errors can be caught at their source by the developers themselves. Using static analysis during the central build process allows integrated analysis of the entire software system as an aggregate and helps ensure that the different modules of the system work together as intended.

The major argument against static analysis is that it is expensive, requires too much effort, and generates many false positives and false negatives. However, when integrated with the SDLC, the benefits of static analysis far outweigh the limitations. Studies show that when used correctly, static analysis can improve individual developer productivity by as much as 12.5% by automating the time-intensive task of identifying hard-to-find defects.⁸ The productivity improvement is a direct result of reduced effort spent debugging field-reported defects as a result of removing more defects earlier in the development process. This reduction in effort allows developers to focus on delivering more product functionality by spending less time manually searching for customer-reported problems.⁹

Static analysis has also helped accelerate the speed of development cycles between 10 and 15%. This acceleration is made possible through similar savings in time created by automating the defect-detection process for development organizations.¹⁰ According to a recent International Data Corp. study, by leveraging technologies such as static analysis, dynamic analysis, and others, development organizations could realize a savings of as much as 32% if all software defects were eliminated prior to release.¹¹ Benefits such as these can yield a significant return on investment for the software developer by lowering development costs, improving developer productivity, reducing quality assurance costs, and accelerating time to market for new features and products.

References

8.V Lakshmi Narasimhan, “A Risk Management Toolkit for Integrated Engineering Asset Maintenance,” in Proceedings of the World Congress on Engineering Asset Management (WCEAM), July 2006.

9.M Mantle and B Chelf, Gracenote and Coverity customer case study; available from Internet: www.coverity.com/html/research-library.html.

10.J Cooper and B Chelf, ip.access and Coverity customer case study; available from Internet at www.coverity.com/html/research-library.html.

11.M Ballou, Improving Software Quality to Drive Business Agility (Framingham, MA: International Data Corp., 2008).