Rich Cerruto, Vice President of Coverity Inc.'s Asia Pacific Operations, said software bugs can have major consequences. Related media reports in recent years include: software error messages to infusion pumps at a company caused 560 deaths; Bombardier's share price plummeted after a software flaw caused a new product delay; 560 million Skype users were impacted by an outage caused by software problems; and similar problems also led to a loss of over US$100 million for JPMorgan.
Moreover, according to a survey conducted by Forrester in May 2011, 49% of those interviewed said software defects are the major cause of shipment delays and recalls; 46% said software defects will reduce customer satisfaction; 38% said this will result in security holes; 36% emphasized that this will hurt corporate reputation. "As software has become a source of corporate competitiveness and is closely correlated to business operation, any software defects may lead to a corporate crisis instantly," Cerruto said, elaborating on the importance of detecting and fixing software defects.
Debugging is actually quite difficult due to complex software supply chains
However, the architectures and sources of software applications are now rather complex. For example, a smartphone often involves software from various enterprises, which may include consumer application platforms (such as Google, App Store, Open Source, Java, etc.), device manufacturers (Ericsson, RIM, HP, Motorola, Samsung), operating system providers (Android, Symbian, Linux, Windows, Chrome OS), device driver developers (Nvidia, AMD) and chip/microprocessor vendors (Intel, Texas Instruments, Qualcomm, Infineon, Marvell).
A complex software supply chain only increases the chances of software defects, added Cerruto. Because accountability is vague, it is hard to trace a problem back and produce evidence once it occurs, and everybody passes the buck. The most common response would be, "I'm happy to fix it if it's my code." The problem gets worse because it is hard to maintain the same software quality among various upstream suppliers who are not subject to consistent standards of management and control.
Cerruto believes there are several reasons behind poor software quality and the subsequent security problems: most enterprises have long lacked the ability to define and enforce management policies on code quality and safety; code development teams fail to adopt suitable measures against possible quality/safety crises after code is distributed into software supply chains; OEM makers are unable to see where security/quality crises lie in each component unit from an all-dimension perspective of software supply chains; and software security examination is independent of the standard development process and decoupled from the work of developers.
The following situation is quite common: testing often starts late in the development cycle so once defects or safety problems are found, it often takes a lot of time to readjust/revise the software and the costs will increase, said Cerruto.
Using static testing with Coverity's automatic defect detection tools is the best way
The solution is to test and fix code as early as possible in each stage of software development. A 2002 survey by NIST showed that when testing was held late in the integration and system testing stage, it would take 10 times as much time and cost as in the requirements and design stage. However, Cerruto added, vendors should not test in an aimless manner when they decide to go on with the testing.
It is better to use static testing together with Coverity's automatic defect detection tools, Cerruto stressed. As traditional testing methods cannot offer path coverage, many defects are inevitably neglected. However, static testing can test all paths without executing the code, which means developers can locate defects in a more comprehensive and systematic way. Even code in rarely executed paths can be tested.
In addition to lowering cost and reducing uncertainty about development schedules caused by unexpected defects, security-wise it is safer for products as hackers won't find any channels to invade and steal information, he said.
Cerruto continued that static testing with Coverity automatic defect detection tools consists of three stages. The first is the build stage, in which the tools collect information on how code is compiled and build a virtual environment in order to understand the company's standard build process. Compiler usage is also made transparent, which helps to get a grip on all original files and compilation-related parameters, such as macro definitions and command-line options.
Based on this, developers can test and analyze each path through the code via blocks known as "checkers." Checkers try to discover each actual defect in the code, such as crashes, memory corruption, memory leaks and any other problems that can cause serious errors. They do not just check whether the code format is correct.
Real code defects can be found with a low chance of misdetection
In the last stage, testing results, including the location and root causes of the defects, are presented and explained before being saved in databanks so that developers within the enterprise can manage and share triage of the defects across teams. This boosts the enterprise's efficiency in the process of fixing defects.
For example, some companies have a so-called "Coverity Fix Day" each week, during which all developers leave their daily work behind and focus on the analysis, discussion and removal of defects. The most critical defects are placed first to be fixed. Old defects are put on the to-do list for later fixing.
With the help of Coverity automatic defect detection tools, all types of defects, in C/C++ or Java/C#, can be found quickly, including resource leaks, null pointer dereferences, concurrency issues, integer handling issues, improper use of APIs, control flow issues, memory corruption, illegal memory access and violations of security best practices.
Automatic defect detection tools often produce misdetections when testing code. This can waste developers' time and dampen people's interest in learning the tools. In a more serious scenario, it can undermine enterprises' trust in tool analysis and prevent the tools from delivering their inherent performance.
Coverity has always been devoted to eliminating misdetection, said Cerruto. Compared to tools from competitors, Coverity tools offer precise and fast analysis results with an error rate below 10-15%. Moreover, the defects found are often serious ones that can cause code problems, not just superficial problems such as conflicting formats. This not only prompts developers to master the tools as soon as possible but also keeps their time from being wasted.
Even when analyzing massive code bases, Coverity automatic defect detection tools can achieve a balance in terms of breadth, depth and scalability. In view of that, leading brands such as LG, Synopsys, RSA, L3 Communications, Honeywell, NEC, Medtronic, Juniper, BMC Software, Samsung, SEGA and Sony have become Coverity's partners and users.
Rich Cerruto, Vice President of Asia Pacific Operations, Coverity
DIGITIMES' editorial team was not involved in the creation or production of this content.