Time-to-market pressures are spawning new business requirements, as companies are driven to produce products in tighter timeframes and with lower budgets, yet with flawless functionality. Many are turning to development testing to complement traditional software testing methods, such as quality assurance (QA) testing and security audits – testing software code as it is written, to reduce development risks, time and costs.
In this slideshow, Dennis Chu, senior product manager for Coverity, outlines the 10 commandments of development testing.
Click through for the 10 commandments of development testing, outlined by Dennis Chu, senior product manager for Coverity.
According to the National Institute of Standards and Technology (NIST), the annual cost of poor software quality in the U.S. is $60 billion. As a result, 80 percent of software development budgets are dedicated to fixing defects found late in the development cycle – e.g., in the QA phase. A defect found in QA is traditionally 10X the cost to fix than if it had been found earlier in the cycle. What’s more, defects found post-release are 30X the cost of finding and fixing them while the code is being written, in the implementation phase.
As the complexity of software increases, and as development teams grow and code ownership changes, a solid test automation-based development process becomes increasingly critical. By automating software testing processes, new issues and regressions are detected sooner, thereby minimizing time required to triage and fix them. This serves to both accelerate development velocity and free up QA cycles.
Industries across the board – including medical, automotive and manufacturing – are increasingly relying on complex software to innovate as well as improve the quality, reliability and efficiency of their products. This in turn has created an explosion in the number of lines of software code written. For example, the Chevy Volt includes 10 million lines of code. As the amount of software continues to increase, organizations need to stay up-to-date on the latest solutions that can help them successfully adopt development testing.
The business impact of software defects has never been greater and it includes everything from market delays and unhappy customers to product recalls. Avoiding these impacts requires a new level of transparency into the quality, security and complexity of code, regardless of who creates it. By having better transparency, organizations can pinpoint the exact location of risks in a project. Also, having better visibility and control over the risk in the software enables development teams to consistently deliver high-quality products, respond to changes faster and make more informed data-driven decisions to help drive business growth.
Static code analysis, which analyzes software without actually executing the code, is used by developers worldwide to improve the quality and security of their software. A foundational part of a development testing solution, it can not only locate defects in the code but also provide crucial guidance to help developers understand the proper remediation required.
When first adopting development testing, teams should establish a baseline of the state of their code quality, security and comprehensiveness of tests. They should then ensure that no new defects or gaps are introduced into the code base, and ensure all critical code from that point forward is free of defects and sufficiently tested. Teams should then create a plan to eliminate the legacy defects and backlog of critical code that is missing tests.
Often, there is a disconnect between an organization’s security and development teams, which can lead to serious software vulnerabilities down the road. Developers aren’t security experts, and most security professionals aren’t developers. Developers aren’t trained to think about security concerns – their job is to write as much code as possible. Organizations that introduce a formalized application security policy build a bridge between the two teams, integrating security earlier in the development process and introducing a common ‘language’ that helps build understanding between development and security teams.
For development testing to be most effective, it must be fully integrated into the standard development lifecycle tools in place so that there is minimal impact to the existing workflow. Analysis should be automatically tied to the nightly or continuous builds, issues detected seamlessly and assigned based on SCM activity, and results surfaced naturally in the desktop IDEs.
As more companies integrate externally developed software components into their custom developed code, the potential for failures and risks increases. As the use of open source software becomes more prevalent and the dependence on outsourced teams increases, verifying the consistency, completeness and correctness of software created outside your organization will help to ultimately assure the quality and security of your end products.
Different groups and levels across an organization have different priorities and responsibilities. As important as it is to implement the right tools, it’s equally important to ensure the proper processes or stage gates are in place to enable these functions to be more productive and act in union to achieve a common goal of delivering more software, better and faster.