Software Quality Assurance: Leveraging SCA and SAST Tools

Jan 30, 2015 | AppSec Classroom, Tool Studies

Software applications have become incredibly complex. In addition to meeting increased user expectations for more functionality, ease of use, higher performance, and seamless integration with other systems, software applications must also include the proper safeguards to protect valuable information assets.

This complexity has made the Software Quality Assurance (SQA) process not only a necessity, but also increasingly difficult. The further software progresses along the development lifecycle, the more difficult it becomes to repair issues. Therefore, it is essential to develop an SQA process that is tightly aligned with the software development lifecycle, so that defects and omissions are prevented early in the process. With test-driven development, test cases can be established throughout the entire software development process, preventing errors and security weaknesses.

The first step of a sound Software Quality Assurance process is to set goals for quality. These goals need to be measurable. Establishing metrics from both the developer's and the user's perspective can help ensure quality issues are not overlooked. From there, processes, procedures and documentation standards must be set.

Although we would like to develop the perfect application, and customers often expect it, with today's complex software solutions perfection just isn't possible. Everyone makes mistakes. Even with a QA team to review and test for quality issues, exceptions and errors slip through the cracks, and it is virtually impossible to test every piece of code. Furthermore, customers use software applications in different ways and run them on different platforms, increasing the complexity and difficulty of uncovering all the weaknesses.

Therefore, developers must prioritize quality improvements based on where they can expect the most return. The cost and time of making an improvement must be weighed against its return, such as higher customer satisfaction, and against the consequences of not making it, such as a potential security breach.

The more automated the SQA process, the better. By leveraging automated Source Code Analysis (SCA) tools, issues in code can be more quickly identified and reported, enabling developers to efficiently prioritize the weaknesses and repair those with the biggest impact.

Not all SCA tools are the same. Each focuses on specific programming languages and scans the source code for its own range of quality and security issues. So, rather than relying on a single SCA tool, select a number of tools that test for the different types of weaknesses that matter to the specific product under review; together they will cover a wider area of code.

Some of the vendors with tools that focus on Software Quality Assurance include Parasoft, Coverity, GrammaTech, and CAST. These companies provide solutions that help to improve the efficiency of the development team while also enhancing the quality of the software application. By automating the testing process, developers can reduce the risk of releasing a software application with potential vulnerabilities.
Code Dx’s software assurance solution enables organizations to easily combine, normalize and prioritize the results of multiple static code analysis tools and efficiently mitigate quality and security issues. For more information on Code Dx, contact us at [email protected] or at (631) 759-3993.
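The tool-combination idea in this paragraph and in the earlier one on selecting several SCA tools, worked through as an added example that is neither Code Dx's code nor the page's own: two constructed tool outputs with different layouts are normalized to one schema, merged on file, line and CWE, and ranked by severity and by how many tools agree. The tool names, field layouts and sample findings are assumptions for illustration.

```python
# Added example (not Code Dx's code): normalize findings from two static analysis
# tools into one schema, merge duplicates, and rank them. Tool names, output
# layouts and the sample findings below are constructed for illustration.
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LEVEL_NAME = {v: k for k, v in SEVERITY_RANK.items()}
@dataclass
class Finding:
    path: str
    line: int
    cwe: str
    severity: str
    tools: set = field(default_factory=set)
# Hypothetical tool A: one record per finding, string severities.
TOOL_A_OUTPUT = [
    {"file": "src/login.c", "line": 42, "cwe": "CWE-120", "severity": "high"},
    {"file": "src/db.py", "line": 17, "cwe": "CWE-89", "severity": "critical"},
]
# Hypothetical tool B: "path:line" locations, numeric CWE ids, levels 1-4.
TOOL_B_OUTPUT = [
    {"location": "src/login.c:42", "cwe_id": 120, "level": 2},
    {"location": "src/util.c:9", "cwe_id": 78, "level": 3},
]
def normalize_a(rec):
    return Finding(rec["file"], rec["line"], rec["cwe"], rec["severity"], {"A"})
def normalize_b(rec):
    path, line = rec["location"].rsplit(":", 1)
    return Finding(path, int(line), f"CWE-{rec['cwe_id']}", LEVEL_NAME[rec["level"]], {"B"})

def merge_findings(findings):
    """Deduplicate on (path, line, cwe), keeping the highest severity reported
    and the set of tools that flagged the issue; rank by severity, then agreement."""
    merged = {}
    for f in findings:
        key = (f.path, f.line, f.cwe)
        if key not in merged:
            merged[key] = f
            continue
        m = merged[key]
        m.tools |= f.tools
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity = f.severity
    return sorted(merged.values(), reverse=True,
                  key=lambda f: (SEVERITY_RANK[f.severity], len(f.tools)))

def prioritized_findings():
    """Run both normalizers over the constructed outputs and merge the result."""
    return merge_findings([normalize_a(r) for r in TOOL_A_OUTPUT] +
                          [normalize_b(r) for r in TOOL_B_OUTPUT])
```

A finding reported by both tools keeps the higher of the two severities and is ranked above an equally severe finding seen by only one tool.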
