Swatting bugs in code may not be as simple as hitting flies with a swatter, but officials at Klocwork believe a new tool that gives developers a systemwide view of source code is a step in the right direction.
Klocwork has combined the systemwide visibility of an audit report with the source code analysis tools developers use to sniff out bugs in code. The new product, called Klocwork Insight, is being touted by the company and analysts as a way to bring more security into the development process.
The idea is to find complex cross-system bugs within a developer's local build to ensure that such vulnerabilities are never inputted into the code stream, company officials said.
"Software developers today fix quality issues in code well after they originally write it because source code analysis typically happens late in the development cycle," said Vishwanath Venugopalan, an analyst with The 451 Group. "By injecting insight about issues identified at the system level into the developer's work space, Klocwork Insight saves developers an additional step and makes it more likely that quality issues are attended to as code is being written."
Venugopalan called Klocwork's approach to the issue unique in the market, even as many vendors look to push source code analysis earlier into the development cycle.
By using tools at the system level, the developer is taken out of the tool he or she normally uses, said Gwyn Fisher, chief technology officer of Klocwork.
"What we want to do is take advantage of the developer's workflow," Fisher said.
The product's new reporting interface aggregates information on what is found by Klocwork and then fixed on the desktop, and provides a breakdown by component, team or geography. Developers can also completely customize the analysis of C, C++ and Java for any code base using a new declarative language. The language allows developers to extend Klocwork's built-in library by adding their own checkers to meet their unique organizational, regulatory or code base requirements.
"There have always been source code analysis tools available that a developer can run on the desktop, but the value of these tools has been limited since they lack the sophisticated systemwide context that is required for accurate results," Klocwork CEO Mike Laginski said in a statement. "Conversely, a solution that only runs at the system level is viewed as an audit tool by developers and doesn't give them the ability to find and fix problems before they check-in their code. Our customers have asked us to deliver the best of both worlds and Klocwork Insight does just that."
In the end, the best way to enhance the security of a software system is to enhance it when code for the system is written, Venugopalan said. Software developers face many pressures, but paying attention to source code analysis tools that inject information into an integrated development environment imposes little overhead, he said.
"Moreover, this upfront effort may save them from having to diagnose and fix a security issue during critical times, including production outages," he said. "The market can serve software developers better in two ways: by truly understanding the complex cross-functional workflows in the application development life cycle and by producing intelligent tools that help software developers but also stay out of their way."