Brendan Harrison, director of marketing, Klocwork Inc., was kind enough to sit down with me for a behind-the-scenes look at Klocwork and Insight.
ED: Can you give a little overview and history of Klocwork and Insight?
BH: Klocwork is an enterprise software company providing automated source-code analysis software products that automate security vulnerability and quality risk assessment, remediation, and measurement for C, C++, and Java software. Klocwork Insight is our latest software release, with the key innovation being the introduction of Connected Desktop Analysis. This revolutionary new capability enables developers to run very accurate and fast analysis within their normal desktop work environment (e.g. IDE, editor, build script, etc.) that is fully integrated with the latest system context derived at integration build time. And most importantly, they can do this before they check in their code, resulting in a cleaner code stream, lower costs downstream, and a higher quality product being shipped. More than 250 organizations have integrated Klocwork into their software development process in order to ensure their code is free of mission-critical flaws.
ED: What were some of the lessons gained from developing and using Insight?
BH: As both developers and consistent users of Insight, we noticed very quickly that as developers use Insight, and thereby drive down the volume of defects they commit to the code stream, the value we gained from our QA team increased immensely. Having testers not be worried about how to reproduce crash scenarios, or what bizarre strings might cause injection flaws, allowed those same staff to take on the role of consumer advocates in a much more immediate fashion than was possible before. The bottom line here is that when you can enable developers to check in defect-free code, the leverage you gain from the rest of your organization is incredible!
ED: Can you comment on the current state of affairs of static analysis tools?
BH: Static analysis is currently going through a real evolution in terms of its ability to detect critical issues in software and how organizations are thinking about deploying and using the technology. The core technology has been around for decades—lint first arrived on the scene in the late 1970s—but it always suffered from a lack of sophistication in analysis capabilities, leading to a high rate of false positives from the tool. In the last few years, a number of research initiatives endeavored to move the analysis to the next level, which involved integrating the analysis into a product's integration build infrastructure along with a number of innovations in the core analysis technology that reduced the false positives and began simulating a runtime analysis. This recent progress has led to a dramatic uptick in adoption of this technology, but now organizations are trying to figure out how to use it as a regular part of their development lifecycle and deliver that "system level" capability down to the individual developer. This is the critical innovation with Insight—delivering high-value system analysis directly to the developer so they can find bugs before they check in their code.
ED: Has the increase of applications requiring higher levels of safety and reliability affected the importance of static analysis tools?
BH: Absolutely. High-profile incidents such as the crash of the European Space Agency Ariane 5 spacecraft, which self-destructed 37 seconds after launch, are an example of the need for rigorous software validation. This particular incident cost the ESA $370 million and the root cause was a software bug, which as it happens could have been detected with good static analysis technology (http://en.wikipedia.org/wiki/Ariane_5_Flight_501). We're also seeing this in military/aerospace, medical devices, and a whole range of other industries that develop safety-critical software. But perhaps more interesting is the rise in consumer devices and the inherent rise in software that each of us carries around every day. How much tolerance does the average consumer, whose expectation level is the dial tone, have for a device that works "most of the time"? Pretty low. So whilst static analysis has always found a home in safety-critical environments, we're more and more finding uptake from companies who are producing devices intended for you and me, and who need to avoid the "stupid thing just crashed again" syndrome.
ED: How have improvements in IDEs and system performance affected the adoption of static analysis tools?
BH: The growth in adoption of IDEs is in many ways independent from the adoption of static analysis, but it certainly represents a clear trend in the industry to invest in the developer and deliver better tools and automation to their desktop. That's what Klocwork Insight is all about, and our plug-ins integrate seamlessly with all of the major IDEs such as Visual Studio, Eclipse (and its variants), IntelliJ, along with many others.