#fortify software

Being in charge of a software engineering organization, it always concerns me whether the software developed in my organization stands the test of quality from the perspective of the end users. This is always a challenge due to the inherent nature of measuring software quality. Obviously, there are metrics available to measure the quality but there is this one test what can bring the software and ultimately systems to a grinding halt. How does one find as many issues and come up with tests before the software goes out on the field? Static analysis is a extremely powerful tool which provides you with the set of issues in the software even before the software is run. The mechanisms for static analysis have significantly improved over the years and is now becoming a mandatory tool in the software engineer's arsenal. My first hand experience with Coverity Prevent has been extremely rewarding and it is worth considering to use it as part of any company's software engineering process. Some of the representative issues it will find even before you run your program for the first time are: 1. Locking erros 2. NULL pointer dereference 3. Use after free 4. Double free 5. Array indexing errors 6. Stack overrun 7. Heap overrun 8. Return pointers to local variables 9. Insecure use of user data 10. Uninitialized variables 11. Invalid use of negative values 12. Underallocations of dynamic data 13. Memory leaks 14. File handle leaks 15. Network resource leaks 16. Unused values 17. Unhandled return codes 18. Use of invalid iterators 19. Race conditions Some other vendors who provide similar static analysis tools are Fortify Software, GrammaTech, Klocwork and The Mathworks. Software is playing a critical role in all aspects of technology now. It is imperative that software makers adopt all tools available to provide the necessary software integrity to enjoy the technology we are so much dependent on. A nice blog on software integrity provides good information they have used at their company.