In the continuing drive to address quality and security earlier in the software development lifecycle (SDLC), two thought leaders in the automated source code analysis market -- Klocwork and Ounce Labs -- are
Klocwork Inc. today announced the availability of Klocwork Insight, designed to bring to the developer's desktop the capabilities of system-wide source code analysis (SCA). With Klocwork Insight, developers can find cross-system bugs within their local builds. The new release also offers a collaborative, peer-to-peer environment where developers can view the current, entire system from their workspace. Klocwork Insight also includes a new declarative language that allows developers to easily add custom checkers to the library to meet their unique requirements.
Gwyn Fisher, Klocwork's CTO, describes Klocwork Insight as phase two of automated source code analysis. With phase one, he said, "you analyzed the entire system in one go, and it would tell you something useful about the source code. But we lost contact with the developer; everything went downstream from the developer. It was something the auditor used to blame the right developer. You had ongoing quality management and improvement, but it stopped being the developer's friend."
Now, Fisher said, "With Insight, we're taking a huge step toward the reinvention of the space, delivering it as a developer-enablement tool, and away from being a downstream audit tool."
Previously, developers were "a step removed from the centralized integration build," he said. "Now we've connected those two camps -- there's no distinction of what the developer can see on the desktop or if they've checked in code. They're connected into the integration build environment. Each defect they find is locally maintained through the same lifecycle as if it were found centrally."
And with the peer-to-peer capability, "on the desktop, we can enable collaborative discussion around each defect. Each developer is connected to the project in a more concentrated manner," Fisher said.
Vishwanath Venugopalan, an analyst with The 451 Group, said that until now, when this analysis was done in the developer's workspace, a developer would get only the analytics based on the code he was working on by himself.
"There's definitely value in analyzing the entire software system development and working with other developers," Venugopalan said. "It's injecting the results of the analysis of the system into the developer workspace so the analytics can color the developer's further work in the workspace."
The advantage, he said, "is developers can know where they stand with respect to their contributions to the entire system. With that information they can make sure that certain code quality issues don't bubble up to the system level; they can fix it directly in the workspace."
By pushing the process out to desktop, Fisher said, "you still do the integration build, but now instead of building nightly you could do the integration build analysis less frequently because you're not dependent on that. So the infrastructure costs of managing source code containment are reduced drastically, the cost of defect containment is reduced drastically, and you're helping developers take responsibility for code they're checking in."
Ounce Automation Server announced
For its part, Ounce has enhanced its source code analysis product by adding the Ounce Automation Server to "provide seamless integration of security into build environments wherever developers choose to implement it within the SDLC." The Ounce Automation Server provides the ability to automatically scan, define, publish and report on the security of application code during development.
Ounce is also providing support for the Apache Maven project management and automation software with the Ounce/Maven Plug-In, which allows developers to initiate Ounce scan operations, generate a report of scan results, and publish and save reports. On top of that, Ounce is contributing the Ounce/Maven Plug-in to the open source community.
"The key thing development teams need is for source code analysis to work within the existing SDLC infrastructure," said Claudia Dent, Ounce's senior vice president of marketing. "Developers don't need extra work. They want to do the right thing and adhere to best coding practices for security, but their plate overfloweth."
Security needs to be "presented in a way that is part of the daily lifecycle, say when they're getting a bug track report, etc.," she added.
To drive security earlier into the SDLC, "there is movement more from the security experts to the developers," Dent said. "QA is starting to get more involved, as there's more automation in doing security testing. The first instances of source code analysis produced a lot of noise. It takes a security expert to weed through that noise. QA or developers don't have the time or the skill. The way Ounce surfaces the results, it's making it easier for other people in the organization to participate, including QA and development."
While Ounce Labs' approach to source code analysis has its roots in security and risk analysis, and Klocwork's approach focuses on quality, in their own ways all the vendors in this space are reaching out to the developer, Venugopalan said.
"It's becoming painfully apparent that it's expensive to let these issues fester; it's expensive to roll out unacceptable code and fix it later," he said.