It’s common knowledge that fixing bugs early in the software development life cycle (SDLC) is much faster and less costly than doing it later. However, did you know that developers prefer finding and fixing bugs as they code rather than getting a list of identified issues even just one day later?
To understand why this is the case, it’s helpful to consider how developers code and the mental effort of context switch. If developers must stop what they’re working on and address a different code issue a day later, it’s not only disruptive and time-consuming, it can adversely affect their productivity and willingness to fix issues. A research paper titled “Scaling Static Analyses at Facebook” found that providing fast issue feedback as part of code review (during a pull request) was critical to catching bugs early and getting high fix rates.
The paper also noted that relevance and developers’ familiarity with the specific code issues mattered as well. The researchers found that assigning 20 to 30 issues to developers after a nightly build resulted in very few, if any, of the issues being fixed. But providing them with analysis results quickly as part of a normal code commit/review process resulted in a fix rate of over 70%. The type of static application security testing (SAST) analysis and false positives rate was the same in both cases; it was the speed of issue feedback that had the greatest impact on fix rate.
Now imagine shifting even further left. If developers could find and fix code issues before they commit their code, wouldn’t that be even better?
Rapid Scan SAST (powered by the new Sigma analysis engine) provides lightning-fast results in seconds for most projects, while developers are coding.
It’s easy to use, has a low false positive rate, and there’s no setup required. Simply point Rapid Scan SAST to a directory or Git repository and it provides relevant actionable feedback in the command line or within the Code Sight™ IDE plugin for use with Microsoft Visual Studio Code (available August 2021). Security checker support for Java, JavaScript, and Typescript is currently available, with more languages on the way. And broad support for markup languages makes it easy to scan infrastructure as code applications (e.g., Terraform, Kubernetes, CloudFormation).
API and configuration checkers are also included to help identify API misuse and vulnerable configurations in settings files. Rapid Scan SAST is ideal for developers who want fast analysis feedback while they are coding, with every code commit/review, or with a full CI build. It offers support for multiple analysis output formats (SARIF, JSON, console) as well as GitHub Actions, and GitLab CI support provides pipeline scan automation and issue management. It’s also possible to assign issues to a policy file to automatically break builds as needed.
Rapid Scan SAST is complementary to Coverity® and is now available to all Coverity customers. Use Rapid Scan SAST to get fast feedback as you are coding and for your normal code review workflows. And use Coverity for your nightly builds.
Coverity provides comprehensive analysis and has the broadest support for security compliance standards (e.g., OWASP Top 10, CWE Top 25, and PCI DSS) as well as code quality, safety, and reliability standards (e.g., MISRA, CERT C/C++, CERT Java, DISA STIG, ISO 26262, ISO/IEC TS 17961, AUTOSAR, and Nvidia CUDA). Coverity supports a broad set of languages and frameworks, integrations for industry-standard SCMs, CI build servers, and issue trackers, and it provides comprehensive reporting for on-premises as well as cloud-hosted development with Coverity on Black Duck Polaris™ Platform.
No need to choose; leverage the strengths of each: Rapid Scan SAST is best for blazing-fast analysis feedback at developers’ desktops, as they code. Coverity is best for deep, comprehensive static analysis and in situations where standards compliance, language and integration support, and comprehensive reporting and policy management features are required.