Programmers Learn to Check Code Earlier for Holes
Carl Bialik from WSJ writes "Many companies are teaching programmers to write safer code and test their security as software is built, not afterward, the Wall Street Journal reports. This stands in contrast to an earlier ethos to rush to beat rivals with new software, and, of course, brings tradeoffs: 'Revamping the software-development process creates a Catch 22: being more careful can mean missing deadlines.' The WSJ focuses on RIM and Herb Little, its security director, who 'uses Coverity every night to scan the code turned in by engineers. The tool sends Mr. Little an email listing potential red flags. He figures out which problems are real and tracks down each offending programmer, who has to fix the flaw before moving on. Mr. Little has also ramped up security training and requires programmers to double-check each other's code more regularly.'"
static_analysis++ (Score:5, Interesting)
Static analysis is great stuff. I've worked on an open source Java static analysis tool, PMD [sf.net], for the past few years and I've gotten lots of feedback from folks who have used it to find all sorts of things in their code. Just a quick scan for unused variables can yield some excellent results, and the copy/paste detector works quite nicely too. And there's a book, too! [pmdapplied.com]
Coverity's doing a nice job with their tech marketing, too - l think a couple of open source projects are using the stuff they found to clean things up. At least, there's been a fair amount of traffic on the Ruby [ruby-lang.org] core list about some things Coverity's scan found. Good times...
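A miniature version of the two checks the comment above names, an unused-variable scan and a copy/paste detector, added here as an illustration; this is not PMD's code and runs on constructed Python source via the ast module rather than on Java. An unused local is worth flagging in a security review because it often marks a bound or result that was computed and then never applied.

```python
"""Toy static checks in the spirit of PMD's unused-variable rule and its
copy/paste detector (CPD). Added example, not PMD's own implementation."""
import ast
import hashlib
from collections import defaultdict

# Constructed sample: one local assigned but never read, and a 3-line block
# duplicated between two functions.
SAMPLE = '''
def parse(buf):
    size = len(buf)
    unused = 42
    if size > 4096:
        raise ValueError("too big")
    return buf[:size]

def parse_again(buf):
    size = len(buf)
    if size > 4096:
        raise ValueError("too big")
    return buf[:size]
'''

def unused_locals(src):
    """Return (function, name) pairs for locals that are stored but never loaded."""
    hits = []
    for fn in ast.walk(ast.parse(src)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        stored, loaded = set(), set()
        for node in ast.walk(fn):
            if isinstance(node, ast.Name):
                (stored if isinstance(node.ctx, ast.Store) else loaded).add(node.id)
        hits += [(fn.name, n) for n in sorted(stored - loaded)]
    return hits

def duplicate_blocks(src, window=3):
    """Crude CPD: hash each window of whitespace-stripped lines, report repeats."""
    lines = [l.strip() for l in src.splitlines()]
    seen = defaultdict(list)
    for i in range(len(lines) - window + 1):
        chunk = lines[i:i + window]
        if all(chunk):  # ignore windows that span a blank line
            seen[hashlib.sha256("\n".join(chunk).encode()).hexdigest()].append(i + 1)
    return [locs for locs in seen.values() if len(locs) > 1]

if __name__ == "__main__":
    print(unused_locals(SAMPLE))     # [('parse', 'unused')]
    print(duplicate_blocks(SAMPLE))  # [[5, 11]]
```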
Well I learned that at Uni (Score:5, Interesting)
Where did these people learn to code?
Re:Well I learned that at Uni (Score:5, Interesting)
Re:I hold any bet (Score:3, Interesting)
The problem is that we all, as consumers, already accept this kind of shit as acceptable. I wish I knew a way to reverse this, but realistically, I don't see this mindset changing any time soon.
Re:Thinly veiled ad? (Score:4, Interesting)
I'm all for tools like this. You can find a billion text editors on sourceforge.net but very few good programmers' tools. Just this smells like an ad to me.
Re:This just in: (Score:1, Interesting)
Every different category of data structure had to be described, outlined, and an example given. This was in entry level courses. The Data Analysis and Definitions part of our assignments were pages long, while the code was rarely more than a paragraph or two.
Now people wonder why I love just putting in comments about the variables, inputs, and functions. Apparently they don't do much in a lot of places.
Re:static_analysis++ (Score:1, Interesting)
Out of curiosity, what do you do when you can't even prove whether the algorithm halts? Like
Re:static_analysis++ (Score:3, Interesting)