Software QA FYI - SQAFYI

Automatic Source Code Review is Development Tools' Next Frontier

By: Peter Coffee

Automatic source code review—comparing a programmer's work against a growing library of coding standards—is the new frontier of development tool sets. Integrating both general and task-specific rules of readability, reliability and security into the coding process is becoming a top priority of those responsible for equipping development teams.

Convenient means of customizing and extending those rule bases should also be on the list of criteria applied by those who make an organization's tool-buying decisions. Clear and consistent support for those standards—throughout the development life cycle—is the larger goal that managers should strive to attain.

A limited form of software standard checking is performed every time a developer runs the tool chain that converts human-readable source code into machine-executable form. That minimal check, however, merely asks, in effect, "Is there at least one valid program that corresponds to this sequence of symbols?" An affirmative answer isn't enough to earn admission into the trusted code base at any organization that relies on software for critical functions—especially as enterprise applications are required to satisfy a lengthening list of stakeholders and other interested parties .

A valid program can still be vulnerable to common attacks, or subject to misinterpretation by a future maintenance programmer, or likely to stumble over a weakness in the programming language or its run-time environment. Increasingly, developers and especially large development teams are therefore codifying larger and richer bodies of knowledge and practice in ways that permit rapid and accurate verification by automated tools.

One current effort that offers informative guidance to software tool buyers is the SAMATE (Software Assurance Metrics and Tool Evaluation) project at the National Institute of Standards and Technology. The engineers involved in SAMATE released a project plan in May that considers possible application of tools at several stages of a software project, beginning at requirements capture and extending through post-deployment end-to-end scanning for possible vulnerabilities.

At the heart of the resulting SAMATE taxonomy is the life-cycle stage labeled "assessment, auditing, and acceptance," where automated code scanning and code review aids can be brought to bear. The project site lists a number of source code scanning tools that address different levels of standards compliance. The identified products, some proprietary and some open source, run the gamut from the narrowly focused task of preventing out-of-bounds array access in C++ programs to much broader policy enforcement tools such as those from Parasoft, Fortify Software and Programming Research Group.

To get a sense of what it means to promote higher software quality by verifying compliance with coding standards, a developer can browse a document such as Programming Research Group's "High-Integrity C++ Coding Standard Manual". Its suggested strictures prohibit the use of poorly defined portions of the language, language features often used incorrectly by programmers and parts of the language known to be affected by errors in some compilers.

Full article...

Other Resource

... to read more articles, visit

Automatic Source Code Review is Development Tools' Next Frontier