Life for a web application developer is far from rosy. Not only do they have to meet unrealistic deadlines consistently, they have to outperform developers from other companies, as well as their own colleagues. Add to that the constant pressure of knowing that a flawed application can cause the company to lose millions. When constantly under such pressure, even the tiniest bit of help a developer gets can go a long way. One of the tools that makes life for a web developer a bit easier is the source code analyser. Although both dynamic and static code analysers are widely used, the static code analyser definitely remains the sweetheart of web application developers.
No one wants to read millions of lines of code
Since the early days of programming, manual code review practices have been modified to reflect the increasing complexity of programs and applications. However, in the present day, the scale at which programming is done means that manual code reviews are not a viable option any more. Even the simplest web applications contain millions of lines of source code. No matter how effective, even the best manual code review methods, including paired programming, cannot keep up with the amount of source code that needs to be reviewed. It is possible to review the code manually, but it certainly isn’t practical; such a gargantuan effort will take a lot of time and will probably drive the code reviewers close to the brink of insanity. Automated static code analysers will do the same task in a jiffy.
Thoroughly scans the source code for all flaws and errors
In a manual review process, it is possible to miss flaws within the code that can cause a lot of problems later on. Similarly, dynamic code analysers can only examine the parts of the code that the application actually executes during testing or interaction; there is no guarantee that every line of code will be tested meticulously. Unlike its dynamic counterpart, a static code analyser can go through every single character and variable in the source code while running in the background.
The most common complaint about the first static code analysers was that they generated a lot of noise, i.e. they flagged anything that did not meet specific guidelines, even if it wasn’t an error. The latest static code analysis tools can be customized by developers to ignore certain checks, which drastically cuts down on the amount of noise.
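The two points above, that a static pass inspects every branch whether or not a test ever reaches it, and that a configurable suppression mechanism keeps the noise down, can be shown with a toy static checker. The code below is an added example written for this page; it is not part of the original post and not a Checkmarx product. It uses only Python's standard `ast` and `sys` modules. `SAMPLE_SOURCE`, the rule id `SQL001`, the `# noqa:` suppression convention and `FakeCursor` are all constructed for the illustration, and line coverage from a single test run stands in for a dynamic analyser.

```python
"""Toy static analyser vs. single-run dynamic coverage (added example)."""
import ast
import sys
from dataclasses import dataclass

# Constructed sample application code (not from any real project).
# The admin branch builds its SQL by concatenation; the normal branch is parameterised.
SAMPLE_SOURCE = '''\
def lookup_user(cursor, name, admin=False):
    if admin:
        # Rarely exercised branch: query built by string concatenation.
        query = "SELECT * FROM users WHERE name = '" + name + "'"
        cursor.execute(query)
    else:
        cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cursor.fetchall()

def audit_log(cursor, msg):
    cursor.execute("INSERT INTO log VALUES ('%s')" % msg)  # noqa: SQL001
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _builds_string(node):
    """True if the expression assembles a string at run time (concat, %, f-string, .format)."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def analyse(source, ignore_rules=frozenset()):
    """Static pass: every function body is inspected, whether or not it ever runs.

    `ignore_rules` and a `# noqa: <rule>` comment on the flagged line are the
    developer-configured noise reduction discussed in the text (hypothetical convention).
    """
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Intra-procedural step: names assigned from dynamically built strings.
        built = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _builds_string(node.value):
                built.update(t.id for t in node.targets if isinstance(t, ast.Name))
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                continue
            arg = node.args[0]
            suspicious = _builds_string(arg) or (isinstance(arg, ast.Name) and arg.id in built)
            if not suspicious:
                continue
            rule = "SQL001"
            if rule in ignore_rules or f"noqa: {rule}" in lines[node.lineno - 1]:
                continue  # suppressed: configured ignore or inline noqa marker
            findings.append(Finding(rule, node.lineno,
                                    "query built from a dynamic string passed to execute()"))
    return findings


class FakeCursor:
    """Stand-in for a DB cursor so the sample runs offline (constructed for the example)."""
    def __init__(self):
        self.executed = []

    def execute(self, sql, params=()):
        self.executed.append((sql, params))

    def fetchall(self):
        return []


def executed_lines(source, entry, *args):
    """Dynamic pass: run `entry` once and record which lines of `source` were executed."""
    filename = "<sample>"
    namespace = {}
    exec(compile(source, filename, "exec"), namespace)
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code.co_filename != filename:
            return None  # do not trace frames outside the sample
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        namespace[entry](*args)
    finally:
        sys.settrace(None)
    return hit


def missed_by_dynamic_test(source, entry, *args):
    """Static findings on lines the single dynamic run never reached."""
    hit = executed_lines(source, entry, *args)
    return [f for f in analyse(source) if f.line not in hit]


if __name__ == "__main__":
    for f in analyse(SAMPLE_SOURCE):
        print(f"static: line {f.line} {f.rule}: {f.message}")
    for f in missed_by_dynamic_test(SAMPLE_SOURCE, "lookup_user", FakeCursor(), "alice"):
        print(f"not reached by the non-admin test run: line {f.line}")
```

Running it with a non-admin call exercises only the parameterised branch, so the concatenated query on line 5 of the sample is reported by the static pass but never executed by the dynamic run; the `% msg` query in `audit_log` is also a hit for the same rule but is silenced by its `# noqa: SQL001` marker, which is the kind of developer-configured suppression that keeps a modern analyser's output readable.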
Won’t break the bank
As far as cost is concerned, static code analysers definitely have dynamic analysers beat. Not only does a dynamic code analyser cost a lot, but the company also has to hire professionals specially trained to operate it. On the other hand, static code analysers are much cheaper. In fact, application developers often have access to free static code analysis tools that do an excellent and thorough job.
Dynamic code analysis is helpful, but cannot be considered dependable unless it is used in conjunction with a static code analyser. As far as code review is concerned, static code analysis tools are still the king of the hill.
Guest post written by Tom Rhoddings who works with the team at Checkmarx providing source code analysis and security solutions.