Virtualization Technology News and Information
VMblog Expert Interview: Karthik Lalithraj of OverOps Discusses the Merits of Static and Dynamic Code Analysis


Recent research has cited that developers spend up to 60 percent of their time finding and fixing bugs in software. With the popularity of the agile development process and more organizations using a CI/CD approach, enterprises are looking for more ways to increase the quality of their software and optimize their development team's time. To better understand ways to do this, I had a conversation with Karthik Lalithraj, principal solutions architect at OverOps, which focused on the differences between static and dynamic code analysis and why one would be used over the other.

VMblog:  What is Static Code Analysis and what does it address?

Karthik Lalithraj:  Static code analysis is a method of debugging done by examining an application's source code before a program is run. This is usually done by analyzing the code against a given set of rules or coding standards. These often address code vulnerabilities, code smells and adherence to commonly accepted coding standards, including common developer errors which are often found by Code Peer Reviews.

VMblog:  Where in the SDLC would we find Static Code Analysis?

Lalithraj:  Static analysis is usually incorporated at any stage after the code development phase and before Unit/Component/Integration testing phases. In some cases, CI/CD pipelines incorporate static analysis reports as a quality gate for code promotion. Among other benefits, the ability to identify weaknesses in the code and to adhere to strict development standards helps reduce potential production issues. These also provide Test Coverage reports that describe the degree to which the code has been exercised.

VMblog:  What is Dynamic Code Analysis and what does it address?

Lalithraj:  Dynamic, or runtime, code analysis is the method of debugging by examining an application during or after a program is run. Since the source code could be run with a variety of different inputs, there isn't a given set of rules that can cover this style. These address runtime vulnerabilities that occur due to variations in business context. This is critical to testing your code for production-like scenarios that could occur.

VMblog:  Where in the SDLC would we find Dynamic Code Analysis?

Lalithraj:  Dynamic analysis can be used in multiple places. In production, dynamic code analysis provides information to help troubleshoot production incidents quickly. In pre-production, dynamic code analysis prevents bad code from going into production. Dynamic analysis can be used in conjunction with CI/CD tools as a quality gate for code promotion. In production, dynamic code analysis helps provide visibility to application issues, reducing MTTI and MTTR for production incidents.

VMblog:  Are both types of analysis necessary, or will one suffice?

Lalithraj:  Both static and dynamic analysis are critical to ensuring code is production-ready. Each one analyzes the code for something different. A good way to think of it is in the context of baseball. Static code analysis is analogous to practicing your baseball swing with a practice net and a pitching machine. There are minimal surprises. After a few swings, you know exactly where the ball is going to be every time. This is critical as it helps to work on fundamentals and to make sure that you have good form.

Dynamic code analysis is like practicing your swing against a live pitcher with variation in the types and locations of each pitch. It tests not only your fundamentals, but your ability to react to different, unexpected situations. When done in production, it's like perfecting your swing at the bottom of the 9th with the bases loaded.

Dynamic code analysis covers production scenarios that static analysis doesn't, allowing users to observe and monitor application reliability in real time based on real code situations which is a more powerful approach in my opinion.

Both forms of batting practice are necessary to get your swing ready for game day, but each helps prepare you in a slightly different way.

VMblog:  Any final thoughts?

Lalithraj:  Static and dynamic code analysis are complementary. When utilized together, they provide a feedback loop from production errors all the way back to the developers, providing impactful insight as part of a Continuously Reliable lifecycle process.
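The distinction drawn throughout the interview (rules applied to source without running it, versus observing what the program actually does on varied inputs) can be made concrete with a small example. The code below is added here for illustration and is not from OverOps or the interview; it assumes nothing beyond the Python standard library. The sample function, the two static rules, and the input set are all constructed for the demonstration. The static pass walks the AST and flags a bare `except:` and any `eval()` call; the dynamic pass executes the same function with several inputs and records which ones fail and where, including the case where the bare `except:` silently masks a runtime error that static analysis alone could only warn about.

```python
import ast
import traceback

# Constructed sample source for the demonstration. It contains one
# coding-standard issue (a bare "except:" that swallows every error) and
# one runtime defect that only appears for particular inputs (division
# by a value taken from the input data).
SAMPLE_SOURCE = '''
def average_ratio(values, divisor_key):
    total = 0
    for v in values:
        total += v["amount"] / v[divisor_key]
    try:
        return total / len(values)
    except:
        return None
'''

# Constructed input set for the dynamic pass: a healthy call, a zero
# divisor, a missing key, and an empty list.
SAMPLE_INPUTS = [
    ([{"amount": 10, "qty": 2}], "qty"),
    ([{"amount": 10, "qty": 0}], "qty"),
    ([{"amount": 10, "qty": 2}], "missing"),
    ([], "qty"),
]

# Static rule set (hypothetical rule ids chosen for this example).
STATIC_RULES = {
    "bare-except": "bare 'except:' swallows every exception and hides failures",
    "eval-call": "eval() on data is a code-injection risk",
}


def static_analyze(source: str) -> list[dict]:
    """Check source against STATIC_RULES by inspecting the AST; never runs it."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # "except:" with no exception type is an ExceptHandler whose type is None.
        if isinstance(node, ast.ExceptHandler) and node.type is None:
            findings.append({"rule": "bare-except", "line": node.lineno})
        # A direct call to the builtin name eval().
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id == "eval"):
            findings.append({"rule": "eval-call", "line": node.lineno})
    return findings


def dynamic_analyze(source: str, func_name: str, inputs: list[tuple]) -> list[dict]:
    """Load the function and exercise it with each input, recording outcomes."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    func = namespace[func_name]
    results = []
    for args in inputs:
        try:
            value = func(*args)
            results.append({"args": args, "ok": True, "result": value})
        except Exception as exc:
            # The last traceback frame points into the sample source itself.
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            results.append({"args": args, "ok": False,
                            "error": type(exc).__name__, "line": frame.lineno})
    return results


if __name__ == "__main__":
    for f in static_analyze(SAMPLE_SOURCE):
        print(f"static  line {f['line']}: {f['rule']} - {STATIC_RULES[f['rule']]}")
    for r in dynamic_analyze(SAMPLE_SOURCE, "average_ratio", SAMPLE_INPUTS):
        if r["ok"]:
            print(f"dynamic {r['args']} -> {r['result']!r}")
        else:
            print(f"dynamic {r['args']} -> {r['error']} at line {r['line']}")
```

Running it shows the two views side by side: the static pass reports the bare `except:` on line 8 regardless of input, while the dynamic pass reports a `ZeroDivisionError` and a `KeyError` on line 5 for the bad inputs and, for the empty list, a silent `None` return, which is exactly the failure the bare `except:` was hiding. Neither pass alone tells the whole story, which is the point the interview makes about using both.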


Published Monday, April 06, 2020 7:33 AM by David Marshall