Static Analysis Tools


December 2004


Explanation of How Klocwork inSpect Usage Can Impact a Typical Development Shop:

Klocwork inForce should be installed on each developer's computer so that developers can check their source code before check-in. The build manager should have inSpect installed on the build machine in order to check the code for errors that are only discoverable at integration time. Finally, the tester may want to check the complete source code for bugs and for areas of unnecessary complexity that earlier checks did not find.

Klocwork inForce can be executed from the command line, which allows it to be scripted into each build or integrated into the IDE for easy source code analysis. Using the command-line interface, the developer can create a script that runs with each build and covers a subset of the options to find security bugs, implementation bugs and coding rule violations. Running that subset on the developer's machine before check-in speeds up development and testing because the developer can fix the bugs immediately instead of waiting for a complete test cycle.

The build manager can run in-depth code analysis on the complete source tree to get metrics, architecture and interface reports using inSpect. These reports help the build manager get a better understanding of the complexity of the complete application.

The metrics report measures the complexity of the application and points out places in the code that should probably be split into several smaller units, since such code may cause problems later on or may be difficult to maintain in later versions. The architecture report allows the build manager to discover violations of the overall design rules. The interface report returns information about the interfaces and maintainability of the application.

Klocwork inSpect's bug-finding ability is both the most interesting and the most used feature of the product. Klocwork inSpect can find many implementation bugs and security flaws, which the build manager can use to create bug reports to send back to the developer to fix. Klocwork inSpect generates a large report that outlines each error it finds in the source code. Each entry includes the category of the problem, the line number, and any other information inSpect is able to discover that will help a developer fix the bug.

Testers can run the complexity and metrics reports to get insight into where the most complex functions lie, which may lead them to implementation or security bugs after build time. The tester should test these complex functions in the final build of the application as thoroughly as possible, because it is easy for a developer to forget to insert error-checking code or an important code path in a complex function.

The tester may be able to exploit an implementation or security bug that the developer and build manager did not think needed to be fixed. This critical testing gives insight into the severity of the bug and why it should be fixed.


Provided by: Security Innovation, The Application Security Company